Sunday, September 09, 2007

IE home page URL resulting in XSS?

I am not able to phrase the title of this entry correctly, but this is what I have found....

Copy the following link location and set it as your homepage in IE 7.

COPY THIS LINK

When you open a new window in IE, it echoes your home page URL in the window, which results in something similar to XSS.

I am trying to find a way to exploit this (like automatically setting the homepage and adding some JavaScript), but if you already have an idea, please let me know.

4 comments:

.mario said...

Hi Kishor

Very interesting find - in which scope can the javascript be executed then?

Greetings,
.mario

Gareth said...

Have you tried using an iframe instead? If it is possible to inject JavaScript like this, then I can see IE open to cross-domain exploits.

Kishor said...

@.mario:

I am not sure what domain it executes in. When I tried displaying the document.domain property, I got an exception.

@Gareth:

I tried the following cases:
1. Open an iframe with location as about:blank?SCRIPT.... But IE does not load this URL.
2. Change the src attribute dynamically and see if anything happens. Not much success.

It looks like IE sanitizes input coming via the address bar but fails to sanitize input coming from the textbox where you can set the homepage.

Another question to ask is why IE is echoing the URL in the document body?

Rosario Valotta said...

I think this could be the explanation of this behaviour:
res://ieframe.dll/httpErrorPagesScripts.js