therube

join:2004-11-11
Randallstown, MD

reply to Blackbird

Re: Universal XSS in Opera

> when I initially clicked on your tinyurl link, I was taken directly to a Wikipedia log-in page

Not exactly.
I'm not sure exactly where you were "taken".
It is more that you were "displayed" a page representative of Wikipedia's log-in page.
(And it probably works too?)

If it were Wikipedia, javascript:alert(document.domain) would have said so.

And for clarity, my "therube" page is the same as what was discussed in this thread, »Firefox, Opera allow crooks to hide an entire phish site.


Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC
kudos:7

Therube, Translated to English with Chrome then pasted in an .rtf and zipped attached.


Blackbird
Built for Speed
Premium
join:2005-01-14
Fort Wayne, IN
kudos:3

reply to therube

said by therube:

> ... It is more that you were "displayed" a page representative of Wikipedia's log-in page.
> (And it probably works too?)
>
> If it were Wikipedia, javascript:alert(document.domain) would have said so.
> ...

Your first sentence is correct. The red Opera badge does appear to the left of the Wikipedia "page" address (indicating it was not a webpage accessed in a normal browser manner). Frankly, I paid little attention to the Wiki "page" itself or any badging initially, in my eagerness to get your text entered correctly into the address box after it appeared, and because I was instead looking for some kind of Javascript alert box to appear - which it did, when I entered the text. Needless to say, I was looking for the wrong thing. (Not the first time... and probably not the last.)

So... whatever you set up at tinyurl does create the appearance of a Wiki "page" in Opera, although Opera badges it as an internal-created browser display (the data URI behavior). In playing around to see what the Wiki "page" would do if I tried to log in, it immediately coughed up more of the JavaScript alert boxes no matter what I attempted to enter. Also, clicking on any links on the "page" resulted in an Opera error message about "unsupported address type."
--
"Is life so dear, or peace so sweet, as to be purchased at the price of chains and slavery? Forbid it, Almighty God!" -- P.Henry, 1775
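An added example, not part of any post in this thread: a Node.js check of where a shortened link finally lands, which reports that a data: URI has no host at all (the thing the document.domain test above reveals) and flags an embedded HTML page with a password field. The function names, finding labels and sample page are constructed for illustration.

```javascript
// Split a data: URI (RFC 2397) into media type, base64 flag and decoded body.
function parseDataUri(uri) {
  const m = /^data:([^,]*),([\s\S]*)$/i.exec(uri.trim());
  if (!m) return null;
  const params = m[1].split(';').map(s => s.trim().toLowerCase());
  const isBase64 = params.includes('base64');
  const mediaType = params[0] || 'text/plain'; // RFC 2397 default
  let body;
  try {
    body = isBase64
      ? Buffer.from(m[2], 'base64').toString('utf8')
      : decodeURIComponent(m[2]);
  } catch (e) {
    body = m[2]; // malformed percent-escapes: inspect the raw text instead
  }
  return { mediaType, isBase64, body };
}

// Describe the final target of a redirect chain (for example a short link).
function assessLanding(target) {
  const parsed = parseDataUri(target);
  if (!parsed) {
    const u = new URL(target); // ordinary URL: the host is who you talk to
    return { scheme: u.protocol, host: u.hostname, findings: [] };
  }
  // A data: URI is rendered from the link itself; there is no site behind it.
  const findings = ['data-uri'];
  if (/html/.test(parsed.mediaType)) {
    findings.push('html-document');
    if (/<input[^>]+type\s*=\s*["']?password/i.test(parsed.body)) {
      findings.push('password-field');
    }
    if (/<script\b/i.test(parsed.body)) findings.push('inline-script');
  }
  return { scheme: 'data:', host: '', findings };
}

// Constructed sample: a minimal look-alike log-in form packed into a data: URI.
const CONSTRUCTED_PAGE =
  '<html><body><form><input type="text" name="u">' +
  '<input type="password" name="p"></form></body></html>';
const CONSTRUCTED_DATA_URI =
  'data:text/html;base64,' + Buffer.from(CONSTRUCTED_PAGE).toString('base64');

console.log(assessLanding(CONSTRUCTED_DATA_URI));
console.log(assessLanding('https://en.wikipedia.org/w/index.php?title=Special:UserLogin'));
```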
