Government Security
Network Security Resources

Uri Scheme

javascript
2 replies to this topic

#1 Juza

Juza

    Specialist

  • Sergeant Major
  • 149 posts

Posted 17 October 2010 - 10:14 AM

In this post I will cover one of the coolest features that modern browsers support nowadays, which is URI schemes. There are a lot of schemes out there: browser custom schemes (about:something), protocol schemes (mailto:something@something.com?subject=Hello&body=Hello), and of course data schemes.

In this post I will only talk about data schemes.

Data schemes are organized like this:

data:{type of the data};{encode},{data}


In the type of data you can use various types of data such as:
text/html
application/javascript (text/javascript was deprecated)
image/png
etc.

These types are defined in internet media types.

It's time to make some magic.
Put this in your browser:

data:image/gif;base64,R0lGODlhLQAwAPAAAAAAAFVVVSH5BAAHAAAALAAAAAAtADAAAAJxTGB4yesKW3y0ziszxVbzb3hiR2JgOYLnmmotCpsvG9c2Pec1zbf9PdL9VMLixjhsIJeLJPD4dCqY0ijVip1ml1Vr13n1hntf47hYBqZ/Z3Wbtda9c/HdHHaH50V13Fb8R7ZHMkgUSFfocui2qNf4UgAAOw==

You should see an image now!
Ok, this is the thing: the simple fact that you can store data in only a web page.

Now, the question is how can we make this feature useful for us?! Javascript/HTML injections!

So let's test something, put this in your browser:

data:text/html,%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%22%55%52%49%20%73%63%68%65%6D%65%73%21%22%29%3C%2F%73%63%72%69%70%74%3E

Boom!

Now let's make this even more fun! Let's encode javascript to make this less
perceptible.

Javascript Encoded + base64

data:text/html;base64,PHNjcmlwdD52YXIgXzB4NGMxOT1bIlx4NTVceDcyXHg2OVx4MjBceDUzXHg2M1x4NjhceDY1XHg2RFx4NjVceDczXHgyMFx4MkZceDIwXHg0NVx4NkVceDYzXHg2Rlx4NjRceDY1XHg2NCJdO2Z1bmN0aW9uIE1zZ0JveChfMHg4OTExeDIpe2FsZXJ0KF8weDg5MTF4Mik7fSA7TXNnQm94KF8weDRjMTlbMF0pOzwvc2NyaXB0Pg==

Works!
These things can be done with all content types available, so be creative.

Hope you have learned something!

These sites could be useful for you for further research:

Base64 online encoder - http://www.motobit.com/util/base64-decoder-encoder.asp
XSS - http://ha.ckers.org/xss.html
Internet media types - http://en.wikipedia.org/wiki/Internet_media_type
Data URI Scheme - http://en.wikipedia.org/wiki/Data:_URI_scheme
URI Scheme - http://en.wikipedia.org/wiki/URI_scheme
Go to iamjuza.blogspot.com
Follow me twitter.com/iamjuza

The true beginning of our end.
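
Added example, not part of the original post: a defensive check in JavaScript that parses a data: URI in the layout the post describes, decodes the payload, and decides whether a sanitizer handling untrusted href/src values should let it through. The function names, the two type sets and the allowlist policy are assumptions made for this illustration.

```javascript
// Media types a browser renders or executes as active content (assumed policy list).
const ACTIVE_TYPES = new Set([
  'text/html', 'application/xhtml+xml', 'image/svg+xml',
  'text/javascript', 'application/javascript', 'text/xml', 'application/xml',
]);
// Passive image types this hypothetical policy lets through.
const ALLOWED_TYPES = new Set(['image/png', 'image/gif', 'image/jpeg']);

function decodeBase64(b64) {
  return typeof atob === 'function'
    ? atob(b64)
    : Buffer.from(b64, 'base64').toString('latin1');
}

// Parse data:[<mediatype>][;base64],<data>. Returns null if it is not a data: URI.
function parseDataUri(input) {
  // Browsers drop tabs/newlines and leading control characters before parsing a URL,
  // so the check has to normalise the same way or "da\tta:" slips past it.
  const uri = String(input).replace(/[\t\n\r]/g, '').replace(/^[\u0000-\u0020]+/, '');
  const m = /^data:([^,]*),(.*)$/is.exec(uri);
  if (!m) return null;
  const params = m[1].split(';').map((p) => p.trim().toLowerCase());
  const mediaType = params[0] || 'text/plain'; // default when the type is omitted
  const isBase64 = params[params.length - 1] === 'base64';
  let payload;
  try {
    const raw = decodeURIComponent(m[2]); // undo %XX encoding first
    payload = isBase64 ? decodeBase64(raw) : raw;
  } catch (e) {
    payload = null; // malformed encoding: treat as undecodable
  }
  return { mediaType, isBase64, payload };
}

// Verdict for a URL taken from untrusted markup.
function classifyDataUri(input) {
  const parsed = parseDataUri(input);
  if (!parsed) return { verdict: 'not-data-uri' };
  if (parsed.payload === null) return { verdict: 'block', reason: 'undecodable', ...parsed };
  if (ACTIVE_TYPES.has(parsed.mediaType)) return { verdict: 'block', reason: 'active content', ...parsed };
  if (ALLOWED_TYPES.has(parsed.mediaType)) return { verdict: 'allow', ...parsed };
  return { verdict: 'block', reason: 'type not on allowlist', ...parsed };
}
```

The decoded payload is returned alongside the verdict so it can be logged in readable form when an encoded URI is blocked.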


#2 bonarez

bonarez

    Retired GSO Second Lieutenant

  • Sergeant Major
  • 1,252 posts

Posted 17 October 2010 - 11:12 AM

This is actually pretty cool B)

Reminds me of a cross protocol scripting talk I saw recently. These two could be combined in some ways I think.
"Ask the right question and you will receive the right answer. I'm just very sensitive about the right syntax"

Read the rules before you post

#3 Edu

Edu

    First Sergeant

  • Members
  • 2,269 posts

Posted 19 October 2010 - 01:31 PM

Interesting stuff.

Talking of the "about:" URL protocol... Programs that host the IE control to parse content contain an issue within this protocol, a kind of HTML injection:

<iframe src="about:<html><script>alert(1)</script></html>"></iframe>

IExplore.exe itself is not vulnerable to this.
http://www.secumania.net - Secumania security blog.






