Forums: Cheesy Ie Url Obfuscation - Forums


Cheesy Ie Url Obfuscation (posted on behalf of H4xorHunt3r )

#1 User is offline   Dillinja 

  • Specialist
  • Icon
  • Group: Specialist
  • Posts: 1,014
  • Joined: 18-June 03

Posted 21 January 2004 - 12:19 PM

(posted on behalf of H4xorHunt3r )


Cheesy IE URL Obfuscation

Zapthedingbat came out with a nifty way of hiding a URL from IE in the address bar, sometime in Dec 2003. Using the h**p://user@domain nomenclature, an attacker can hide the real location of the page by including a non-printing character (%01) before the "@". Internet Explorer doesn't display the rest of the URL, making the page appear to be at a different domain.

www.spoofed.com%01@www.target.com - displays www.spoofed.com in the address bar

While working on a modified demo of this for some folks, our AV software DAT was updated, and it popped on my demo, shutting it down. The AV called it a trojan and my web admin folks got real pissy, even though it is not a trojan. Anyways, my demo did not work anymore, and I needed it for a presentation. We went old school on it and found a couple of ways to continue using this flaw, both of which the AV cannot see.

www.spoofed.com&#01@www.target.com - Uses the unicode decimal notation for '01'
www.spoofed.com&#x01@www.target.com - Uses the unicode hex representation for '01'

These two variations seem to work fine, and the AV does not see it.

We tried:
www.spoofed.com%25%01@www.target.com - '%25' = '%' and '%01' = '01'
While this loaded properly, the AV saw it. We tried a bunch of different methods over the course of only 2 hours, then got bored and moved on.

Hope this helps some of you folks out on what to keep an eye out for.

Security Focus has an article related to this:
h**p://www.securityfocus.com/news/7807

Cheers,
H4xorHunt3r
0

#2 User is offline   Nick W 

  • Master Sergeant
  • Icon
  • Group: Members
  • Posts: 1,250
  • Joined: 12-August 03

Posted 21 January 2004 - 05:42 PM

Another link. Possibly a better method by including %00 first. I thought about submitting this to NTBugtraq, but there's already been plenty of discussion on this and the issue has been beat to death.

http://www.citibank.com

The above URL looks like citibank in the status bar at the bottom of IE (and other browsers). If you right-click and go to Properties it looks like it, and the address bar after you've clicked it indicates you are at citibank.

Only, you aren't. You're at wellsfargo. :) The URL in the source code looks like the following:

<a href="http://www.citibank.com%00&#x01@www.wellsfargo.com/">http://www.citibank.com</A>
0

#3 User is offline   zero-maitimax 

  • Sergeant First Class
  • Icon
  • Group: Members
  • Posts: 309
  • Joined: 16-December 03

Posted 22 January 2004 - 12:21 AM

Isn't it posted before?
0

#4 User is offline   Jeeve5 

  • Private First Class
  • Icon
  • Group: Members
  • Posts: 83
  • Joined: 17-September 03

Posted 22 January 2004 - 06:20 AM

One of the many reasons why I use Opera ;)
0

#5 User is offline   saetji 

  • Sergeant
  • Icon
  • Group: Members
  • Posts: 212
  • Joined: 22-October 03

Posted 24 January 2004 - 05:55 AM

See, I was gonna use Opera too, but I found out it had hidden spyware, so I've decided to monitor that situation before I install that.
0

#6 User is offline   boshcash 

  • Master Sergeant
  • Icon
  • Group: Specialist
  • Posts: 461
  • Joined: 09-October 03

Posted 24 January 2004 - 10:44 AM

Nice, yorn. I don't think the other links appear right in the status bar.
0

#7 User is offline   AdmiralB 

  • Sergeant First Class
  • Icon
  • Group: Members
  • Posts: 312
  • Joined: 24-December 03

Posted 14 February 2004 - 05:47 PM

syntax error
0

#8 User is offline   extreme 

  • Specialist
  • Icon
  • Group: Specialist
  • Posts: 582
  • Joined: 02-September 03

Posted 07 March 2004 - 02:17 AM

Now that this has been patched, is there any other way of hiding
"Opening..Real_site.com" from the status bar?
WUTranslink
0
