A+ R A-

Web Application Security

I recently downloaded Internet Explorer 8 RC1 and was playing with the InPrivate Filtering feature. I think that this feature could be used as an Ad Blocker. I converted the adblock plus filters into xml format understood by IE and imported them in the InPrivate Filtering settings. Many websites worked fine while some (e.g. yahoo mail) appeared to be broken. I am sure that with a little tweaking of the rules it will be possible to get better results.

You can get the xml file I generated here....

I recently downloaded Internet Explorer 8 RC1 and was playing with the InPrivate Filtering feature. I think that this feature could be used as an Ad Blocker. I converted the adblock plus filters into xml format understood by IE and imported them in the InPrivate Filtering settings. Many websites worked fine while some (e.g. yahoo mail) appeared to be broken. I am sure that with a little tweaking of the rules it will be possible to get better results.

You can get the xml file I generated here...

I am not able to phrase the title of this entry correctly, but this is what I have found....

Copy the following link location and set it as your homepage in IE 7.

COPY THIS LINK

When you open a new window in IE, it echoes your home page url in the window which results into something similar to XSS.

I am trying to find a way to exploit this (like automatically setting homepage and adding some javascript), but if you already have an idea, please let me know.

I am not able to phrase the title of this entry correctly, but this is what I have found....

Copy the following link location and set it as your homepage in IE 7.

COPY THIS LINK

When you open a new window in IE, it echoes your home page url in the window which results into something similar to XSS.

I am trying to find a way to exploit this (like automatically setting homepage and adding some javascript), but if you already have an idea, please let me know.

DEMO

While doing experiments with IE I observed another weird behavior. When I created an anchor tag with href="a:crap" like this, in the progress bar at the bottom IE showed "file:///a:crap". Now this is interesting. How could IE even try to guess the protocol unnecessarily?
I went ahead with a new experiment: created iframes with src = a:crap. This time a 'page could not be displayed' error message.

Accidentally, I tried c:crap, and this time I saw a blank frame. Now I realized that something...

DEMO

While doing experiments with IE I observed another weird behavior. When I created an anchor tag with href="a:crap" like this, in the progress bar at the bottom IE showed "file:///a:crap". Now this is interesting. How could IE even try to guess the protocol unnecessarily?
I went ahead with a new experiment: created iframes with src = a:crap. This time a 'page could not be displayed' error message.

Accidentally, I tried c:crap, and this time I saw a blank frame. Now I realized that someth...


This is w.r.t. http://onetimeurls.databasement.net/index.php

As always, the developers think their code is bullet proof and actually it contains basic flaws. (No offence meant, I'm just being philosophical).

Here is the POC on how to break it.

Paste the following into the textarea on the above page,

<script>
url_randomizer.go("http://wasjournal.blogspot.com/2007/03/one-time-urls-first-implementation.html");
</script>

And it will break the protection.

As you would have correctly guessed, the code is ...


This is w.r.t. http://onetimeurls.databasement.net/index.php

As always, the developers think their code is bullet proof and actually it contains basic flaws. (No offence meant, I'm just being philosophical).

Here is the POC on how to break it.

Paste the following into the textarea on the above page,

<script>
url_randomizer.go("http://wasjournal.blogspot.com/2007/03/one-time-urls-first-implementation.html");
</script>

And it will break the protection.

As you would have correctly guessed, the...

I was searching for history of XSS and CSRF attacks. I was mostly interested in knowing when each of these was discovered. I found following posts which tried to point out an approximate year of discoveries of these two vulnerabilities.

http://seclists.org/webappsec/2005/q4/0125.html
http://www.webappsec.org/lists/websecurity/archive/2005-05/msg00003.html

According to the first link, ("If I remember correctly, the term "Cross-Site Scripting" (or CSS at
the time) did originate around 1996-ish...

I was searching for history of XSS and CSRF attacks. I was mostly interested in knowing when each of these was discovered. I found following posts which tried to point out an approximate year of discoveries of these two vulnerabilities.

http://seclists.org/webappsec/2005/q4/0125.html
http://www.webappsec.org/lists/websecurity/archive/2005-05/msg00003.html

According to the first link, ("If I remember correctly, the term "Cross-Site Scripting" (or CSS at
the time) did originate around 1996-ish...

Page 1 of 2

Get email updates