[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
[Fwd: MSIE7 entrapment again (+ FF tidbit)]
The last bit of this email might be useful to someone trying to track
users data across circuit sessions. Yet another reason to cull cookies
-------- Original Message --------
Subject: MSIE7 entrapment again (+ FF tidbit)
Date: Sat, 14 Jul 2007 00:20:54 +0200 (CEST)
From: Michal Zalewski <lcamtuf@xxxxxxxxxxxx>
Microsoft Internet Explorer seems to have a soft spot for browser
entrapment vulnerabilities. Just to recap, in these attacks, the user is
made believe he had left a webpage (and the URL bar or SSL state data
reinforce him in this belief) - but in reality, is prevented from doing
so, and his browser continues to display assorted content originating from
This is a close, but somewhat more sinister relative of vanilla URL bar
spoofing. I reported a few of each kind in the recent months.
Well, here's another one, this time based on document.open() calls. In
essence, repeatedly calling this function after a new URL is entered by
the user, before onBeforeUnload is invoked, inhibits page transition - but
target URL bar state is retained. This is remarkably silly.
A live demo is available here:
That is all.
PS. The promised tidbit - since I'm leaving for a while and won't have
'domainless' cookies by specifying 'domain=.' - for example:
Fortunately/unfortunately, these cookies do not get sent to all sites - no
session fixation - though can be retrieved by other null-domain
periods will be trimmed. Path can be set arbitrarily, with certain
exceptions. Null-domain cookies load properly when stored in cookies.txt.
Q: can this be used in a manner more sinister than merely facilitating
exchange of "markers" between various user-tracking sites?