| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 5 Jan 2010 17:59:49 -0500 From: Peter Watkins <peterw@....org> To: Michal Zalewski <lcamtuf@...edump.cx> Cc: Aditya K Sood <0kn0ck@...niche.org>, websecurity@...appsec.org, bugtraq@...urityfocus.com Subject: Re: Link Injection Redirection Attacks - Exploiting Google Chrome Design Flaw On Tue, Jan 05, 2010 at 10:49:07AM -0800, Michal Zalewski wrote: > > Video: http://www.secniche.org/videos/google_chrome_link_inj.html > > You might find it informative to review the section of BSH on URL parsing: > http://code.google.com/p/browsersec/wiki/Part1#Uniform_Resource_Locators Also, a considerable part of Aditya's concern seems to be the disconnect between what the user sees in the Status Bar and the actual link target. It's easy to conceal the link's URL on a page in which the attacker can embed Javascript (e.g., on an attacker's Web site, but not in a well-designed webmail system) with code like the following: <a href="http://google.com/" onClick="this.href='http://evil.example.com/';">Google</a> 99% of users would see google.com in the status bar, and even "visited" link CSS treatment suggesting the link pointed to a page they've already seen, making the link appear more trustworthy. This simple technique seems to circumvent any browser settings regarding changing or hiding the status bar text. (Forgive my not digging up a reference for this approach -- surely someone else has written about this technique already.) -Peter http://www.tux.org/~peterw/
Powered by blists - more mailing lists