dslreports logo
site
 
    All Forums Hot Topics Gallery
spc

spacer




how-to block ads


Search Topic:
uniqs
6
share rss forum feed


Blackbird
Built for Speed
Premium
join:2005-01-14
Fort Wayne, IN
kudos:3
Reviews:
·Frontier Communi..

1 edit
reply to therube

Re: Universal XSS in Opera

said by therube:

>... if I'm understanding, the difference here, with Opera, is what I noted above, "This means that the javascript executes within the domain of tinyurl.com".

If that is the case, could someone with Opera open my tinyurl, »tinyurl.com/therube, then type "javascript:alert(document.domain)" (sans the quotes) into the address bar & tell us what it returns. (In Mozilla's case, nothing.)

When I did that, I got a small javascript alert box on the center of my screen...
quote:
JavaScript
(about:blank)
tinyurl.com
[ ] Stop executing scripts on this page [OK]
Opera's address box does indicate the red Opera badge, as expected, for the text entered as you suggested, and the rest of the original displayed page darkens moderately when the box appears.

(This is with Opera 11.52, JavaScript enabled)
--
"Is life so dear, or peace so sweet, as to be purchased at the price of chains and slavery? Forbid it, Almighty God!" -- P.Henry, 1775


therube

join:2004-11-11
Randallstown, MD
Reviews:
·Comcast
·Verizon Online DSL

quote:
JavaScript
(about:blank)
tinyurl.com
[ ] Stop executing scripts on this page [OK]

I really wasn't expecting that.
I was expecting that it might say wikimedia.com or even wikipedia.com.

So it appears that it can only "swipe the cookies" from the URL shortening service you happened to use, so like who cares.
If that is the extent of it, then to me it is a non-issue.


Blackbird
Built for Speed
Premium
join:2005-01-14
Fort Wayne, IN
kudos:3
Reviews:
·Frontier Communi..

said by therube:

...I really wasn't expecting that.
I was expecting that it might say wikimedia.com or even wikipedia.com.

So it appears that it can only "swipe the cookies" from the URL shortening service you happened to use, so like who cares.
If that is the extent of it, then to me it is a non-issue.

In the interests of clarity, I did fail to earlier include that when I initially clicked on your tinyurl link, I was taken directly to a Wikipedia log-in page, then entering your suggested address box text resulted in the alert box I've described (along with the page darkening).
--
"Is life so dear, or peace so sweet, as to be purchased at the price of chains and slavery? Forbid it, Almighty God!" -- P.Henry, 1775


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7

did you see the guy banging his head in the dark ?



Blackbird
Built for Speed
Premium
join:2005-01-14
Fort Wayne, IN
kudos:3
Reviews:
·Frontier Communi..

said by Name Game:

did you see the guy banging his head in the dark ?

Uhmm... other than me banging my head? When I click on the "proceed to this site" link on that page, all I get is a similar JavaScript alert box to what I described above, only this box lists:
quote:
JavaScript
(tinyurl.com)
tinyurl.com
[ ]Stop executing scripts on this page [OK]
--
"Is life so dear, or peace so sweet, as to be purchased at the price of chains and slavery? Forbid it, Almighty God!" -- P.Henry, 1775


therube

join:2004-11-11
Randallstown, MD
Reviews:
·Comcast
·Verizon Online DSL

1 recommendation

reply to Blackbird

> when I initially clicked on your tinyurl link, I was taken directly to a Wikipedia log-in page

Not exactly.
I'm not sure exactly where you were "taken".
It is more that you were "displayed" a page representative of Wikipedia's log-in page.
(And it probably works too?)

If it were Wikipedia, javascript:alert(document.domain) would have said so.

And for clarity, my "therube" page is the same as what was discussed in this thread, »Firefox, Opera allow crooks to hide an entire phish site.



Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7

Therube, Translated to english with Chrome then pasted in an .rtf and zipped attached.


Blackbird
Built for Speed
Premium
join:2005-01-14
Fort Wayne, IN
kudos:3
Reviews:
·Frontier Communi..

1 recommendation

reply to therube

said by therube:

... It is more that you were "displayed" a page representative of Wikipedia's log-in page.
(And it probably works too?)

If it were Wikipedia, javascript:alert(document.domain) would have said so.
...

Your first sentence is correct. The red Opera badge does appear to the left of the Wikipedia "page" address (indicating it was not a webpage accessed in a normal browser manner). Frankly, I paid little attention to the Wiki "page" itself or any badging initially, in my eagerness to get your text entered correctly into the address box after it appeared, and because I was instead looking for some kind of Javascript alert box to appear - which it did, when I entered the text. Needless to say, I was looking for the wrong thing. (Not the first time... and probably not the last )

So... whatever you set up at tinyurl does create the appearance of a Wiki "page" in Opera, although Opera badges it as an internal-created browser display (the data URI behavior). In playing around to see what the Wiki "page" would do if I tried to log in, it immediately coughed up more of the JavaScript alert boxes no matter what I attempted to enter. Also, clicking on any links on the "page" resulted in an Opera error message about "unsupported address type."
--
"Is life so dear, or peace so sweet, as to be purchased at the price of chains and slavery? Forbid it, Almighty God!" -- P.Henry, 1775
Expand your moderator at work