Comments on IMQ Minded Security Blog: Abusing Referrer on Explorer for Referrer based DOM Xss
Comment feed, 6 comments, listed oldest first (feed retrieved 2024-02-18T02:36:33-08:00).

Eric (http://blogs.msdn.com/b/ieinternals/), 2011-03-28T07:35:30-07:00
Just goes to show the best practice "Don't reflect attacker-supplied input" still applies, everywhere.

Stefano Di Paola (https://www.blogger.com/profile/18241677936736054546), 2011-03-28T07:53:44-07:00
@Eric, definitely!
Assuming something isn't going to happen is a wrong assumption.
Applying data validation and output encoding by context *usually* saves applications from unexpected behaviors.

Stefano Di Paola, 2011-03-28T11:19:33-07:00
Thanks to Ferruh Mavituna for pointing out that the example was wrong.
The wrong assumption is about considering that hostnames cannot contain special characters.
The (referrer.split("/")[2]) will just return the hostname.
IE allows special characters also in subdomains.

mx (http://yehg.net/), 2011-05-01T19:42:09-07:00
IE allows referrer-based XSS. I created a PoC some months ago. http://attacker.in/_generic/referer-xss/

Stefano Di Paola, 2011-05-18T23:41:25-07:00
This comment has been removed by the author.

Stefano Di Paola, 2011-05-18T23:42:50-07:00
@mx Yes, IE allows referrer-based XSS, but the 'news' here is that special characters are allowed in the subdomain name. Like

'"><iframe%20onload=eval(name)>.attacker.in/somepage
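As an added example (not code from the original post or from any commenter), the referrer-hostname sink the thread discusses: the `referrer.split("/")[2]` extraction from Stefano's comment beside a hardened version, both run against a constructed referrer built from the subdomain payload he quotes. The rendering functions, the hostname pattern and the sample referrers are assumptions made for this example; whether a browser actually sends such a Referer header is the Internet Explorer behaviour the comments describe and is not reproduced here. It runs under Node.js, which provides the global WHATWG `URL` class.

```javascript
// Added example, not from the original post or its comments.
// Models the vulnerable pattern from the thread (trusting referrer.split("/")[2])
// beside a hardened version. Runs under Node.js (global WHATWG URL class).

// Constructed sample referrers. PAYLOAD uses the subdomain payload quoted in the
// comments; whether a browser sends such a Referer header is the IE behaviour
// the thread describes, not something this script reproduces.
const BENIGN = "http://www.example.com/news/item?id=1";
const PAYLOAD = "http://'\"><iframe%20onload=eval(name)>.attacker.in/somepage";

// --- Vulnerable pattern --------------------------------------------------
// Assumes the third "/"-separated piece of the referrer is a harmless hostname.
function hostnameNaive(referrer) {
  return referrer.split("/")[2];
}

// Simulates a document.write()-style sink by returning the markup as a string.
function renderNaive(referrer) {
  return "<p>You came from " + hostnameNaive(referrer) + "</p>";
}

// --- Hardened version ----------------------------------------------------
// 1. Parse with the WHATWG URL parser, which rejects hosts containing forbidden
//    host code points such as <, >, " and space (the payload above fails here).
// 2. Validate the parsed hostname against a strict DNS-label pattern (assumed
//    here; a real application would tighten this to an allowlist of known hosts).
// 3. HTML-encode the value for the HTML-body context on output.
const HOST_RE =
  /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*$/i;

function hostnameSafe(referrer) {
  let host;
  try {
    host = new URL(referrer).hostname;
  } catch (e) {
    return null; // unparsable referrer: treat it as absent
  }
  return HOST_RE.test(host) ? host : null;
}

function htmlEncode(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderSafe(referrer) {
  const host = hostnameSafe(referrer);
  if (host === null) return "<p>Welcome</p>";
  return "<p>You came from " + htmlEncode(host) + "</p>";
}

// Stand-alone demonstration: the naive sink emits the <iframe> tag verbatim,
// the hardened one rejects the referrer and falls back to a neutral message.
for (const ref of [BENIGN, PAYLOAD]) {
  console.log("naive:", renderNaive(ref));
  console.log("safe: ", renderSafe(ref));
}
```

The three layers are deliberately independent: even if the parser and the pattern check were removed, `htmlEncode` alone would neutralize the `<iframe>` in the payload, which is the "output encoding by context" point made in the comments; the parser and the hostname pattern add the "data validation" layer so that an unexpected value never reaches the sink at all.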