Open Source and information security mailing list archives
 
Date: Tue, 5 Jan 2010 17:59:49 -0500
From: Peter Watkins <peterw@....org>
To: Michal Zalewski <lcamtuf@...edump.cx>
Cc: Aditya K Sood <0kn0ck@...niche.org>, websecurity@...appsec.org,
	bugtraq@...urityfocus.com
Subject: Re: Link Injection Redirection Attacks - Exploiting Google Chrome Design Flaw

On Tue, Jan 05, 2010 at 10:49:07AM -0800, Michal Zalewski wrote:

> > Video: http://www.secniche.org/videos/google_chrome_link_inj.html
> 
> You might find it informative to review the section of BSH on URL parsing:
> http://code.google.com/p/browsersec/wiki/Part1#Uniform_Resource_Locators

Also, a considerable part of Aditya's concern seems to be the disconnect 
between what the user sees in the Status Bar and the actual link target. 
It's easy to conceal the link's URL on a page in which the attacker can embed 
JavaScript (e.g., on an attacker's Web site, but not in a well-designed 
webmail system) with code like the following:

<a href="http://google.com/" 
   onClick="this.href='http://evil.example.com/';">Google</a>

99% of users would see google.com in the status bar, and even "visited" 
link CSS treatment suggesting the link pointed to a page they've already
seen, making the link appear more trustworthy. This simple technique seems 
to circumvent any browser settings regarding changing or hiding the status 
bar text.

(Forgive my not digging up a reference for this approach -- surely someone 
else has written about this technique already.)

-Peter

http://www.tux.org/~peterw/
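
A defender-side check for the pattern described in the message above, added here as an example and not part of the original post: it scans markup for anchors whose inline click handler assigns a target on a different host than the `href` shown in the status bar. The function name `findHrefSwaps`, the sample markup and the `page.example` base URL are assumptions made for illustration.

```javascript
// Added example: flag anchors whose inline onclick rewrites the link target
// to a host other than the one the status bar displays (the static href).
// Regex-based scan for illustration; a real linter would use an HTML parser,
// and handlers attached from script (addEventListener) are out of scope here.

// Constructed sample markup: the first link mirrors the one in the message,
// the other two are benign controls.
const SAMPLE = `
<a href="http://google.com/"
   onClick="this.href='http://evil.example.com/';">Google</a>
<a href="http://example.org/a" onclick="track(this)">Plain</a>
<a href="http://example.org/a" onclick="this.href='http://example.org/b'">Same host</a>
`;

const ANCHOR_RE = /<a\b([^>]*)>/gi;
const ATTR_RE = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/g;
// Assignment of a quoted string to href or location inside the handler.
const SWAP_RE = /(?:\bhref|\blocation(?:\.href)?)\s*=\s*(['"])(.*?)\1/i;

// Parse quoted attributes of one opening tag into a lower-cased map.
function attrs(tagBody) {
  const out = {};
  for (const m of tagBody.matchAll(ATTR_RE)) out[m[1].toLowerCase()] = m[2] ?? m[3];
  return out;
}

// Return one finding per anchor where displayed host and post-click host differ.
// pageUrl (assumed) is the base used to resolve relative hrefs.
function findHrefSwaps(html, pageUrl = 'http://page.example/') {
  const findings = [];
  for (const tag of html.matchAll(ANCHOR_RE)) {
    const a = attrs(tag[1]);
    if (!a.href || !a.onclick) continue;
    const swap = a.onclick.match(SWAP_RE);
    if (!swap) continue;
    try {
      const shown = new URL(a.href, pageUrl);
      const actual = new URL(swap[2], shown);
      if (shown.host !== actual.host) {
        findings.push({ shown: shown.href, actual: actual.href });
      }
    } catch { /* unparsable URL in href or handler: skip this anchor */ }
  }
  return findings;
}

console.log(findHrefSwaps(SAMPLE));
```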
