[WEB SECURITY] Cross-Site Scripting attacks via redirectors

MustLive mustlive at websecurity.com.ua
Tue Aug 18 16:56:11 EDT 2009

Hello Arshan!

Thanks for reminding me about Google's Browser Security Handbook. I know
about it, and after the release of this handbook in December 2008 I wrote
about my opinion of it
It would have been better for you (and also for Google, if they haven't yet)
to first read my post in the list, before referencing this book.

The key phrase of that post of mine is this: first fix your holes, then
write your book. And until that is done, this lame book (in the context of
security) by lame Google (in the context of security) will stay forever a
lame book (again in the context of security; Google can be nice in other
contexts, but we're talking about security).

> this information is already well-documented in Google's Browser Security
> Handbook

First, not so well. My article covers much more on this subject than this
part of Google's book.

In my article I covered 4 cases of conducting XSS attacks via
redirectors. And the 4th case, redirecting to a javascript: URI via
location-header redirectors, is not covered in Google's handbook (it was
said there that it's not permitted in all browsers). There is no information
about this attack in Google's handbook or anywhere else, because I found
this case first and was the first to write about it (so it's a new case).

In the handbook it was mentioned that Refresh redirection to a javascript:
URI is not permitted in IE6, but as I wrote in my article and the
corresponding advisory at my site, IE6 is vulnerable. Also in the handbook
the same was mentioned about FF3. But as I wrote in my article and the
corresponding advisory at my site, Firefox <= 3.0.8 is vulnerable (only all
FF 3.5.x versions are not vulnerable). So in all these cases Google's
handbook has incorrect

And taking into account all these inaccuracies in this handbook, you
called it "well-documented"? It's very far from a well-documented state. And
Michal and Google need to work hard on it.

Besides, not all browsers which I checked were checked and mentioned in
Google's handbook (only the most popular ones, plus Google's products Chrome
and Android). But this number of browsers is enough. Though in my article
there is additional information about affected browsers (and also about
different versions of FF3, which is not covered at all in this handbook).

Second, in this handbook it is mentioned that Chrome permits Refresh
redirection to a javascript: URI (i.e. it's vulnerable). So Google knows
that there is such a hole in their browser, but didn't fix it last year,
nor this year. Which is not serious. And it was quite unserious of Michal
to answer me in Bugtraq, when I wrote there about this hole in Chrome (and
other browsers), after I had also written to Google but they just ignored
my letter, that this is already documented in Google's handbook. Such an
answer looks like they are proud of this hole in their browser and don't
want to fix it, just referencing their handbook.

Third, there is another hole in Google Chrome, which I wrote about at my
site in June (http://websecurity.com.ua/3243/), which I found in September
2008 in Chrome, and Chrome is still vulnerable (as
must all other Chrome 1.x and 2.x versions). And as I know after I looked
through Google's handbook in December, this hole was mentioned as a "known
hole" in this handbook. And at the same time all versions of Google Chrome
are vulnerable to it.

> If I were you

You are not me, so we are different people and have different approaches.
And we read different books ;-). I recommend that you and everyone read
only quality books, and taking into account all the above-mentioned about
this handbook, it's not such a quality one.

And you had better recommend this book to Google itself. Because, as I
mentioned above, there are at least two holes which I found in Chrome which
are documented in this book. Google's browser developers had better read
their own book, to know all the well-known holes and fix them. And not
write about holes instead of fixing them :-).

Best wishes & regards,
Administrator of Websecurity web site

----- Original Message ----- 
From: "Arshan Dabirsiaghi" <arshan.dabirsiaghi at aspectsecurity.com>
To: "MustLive" <mustlive at websecurity.com.ua>; <websecurity at webappsec.org>
Sent: Wednesday, August 05, 2009 12:33 AM
Subject: RE: [WEB SECURITY] Cross-Site Scripting attacks via redirectors

> While we all greatly appreciate your intent, you should know that this
> information is already well-documented in Google's Browser Security
> Handbook:
> http://code.google.com/p/browsersec/wiki/Part2#Redirection_restrictions
> If I were you I would become very familiar with that body of work before
> further research into similar areas.
> Cheers,
> Arshan
> ________________________________
> From: MustLive [mailto:mustlive at websecurity.com.ua]
> Sent: Tue 8/4/2009 4:31 PM
> To: websecurity at webappsec.org
> Subject: [WEB SECURITY] Cross-Site Scripting attacks via redirectors
> Hello participants of the Mailing List.
> At the end of July I published my article Cross-Site Scripting attacks via
> redirectors (http://websecurity.com.ua/3376/). And today I published the
> English version of my article (http://websecurity.com.ua/3386/).
> In this article I wrote about the use of redirectors in different browsers
> for conducting Cross-Site Scripting attacks.
> In the article I wrote about XSS attacks in location-header and
> refresh-header redirectors in different browsers: Mozilla 1.7.x, Mozilla
> Firefox, Internet Explorer (IE6), Opera and Google Chrome. I'm also
> waiting for information from one man, who is checking all the
> vulnerabilities mentioned in the article in other browsers, so when there
> is new information (about other affected browsers), I'll add it to my
> article.
> You can read the article Cross-Site Scripting attacks via redirectors at
> my site: http://websecurity.com.ua/3386/
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua/
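A redirector-side mitigation for the attack this thread is about, as an added example that is not code from the original posts or from the cited handbook: the server validates a user-supplied redirect target before placing it in a Location or Refresh header, so a javascript: (or data:, vbscript:) URI is never emitted, whichever browsers would follow it. The function names and the scheme allow-list are assumptions of this example.

```python
# Added example, not from the original post: a redirector that refuses to
# emit a Location or Refresh header whose target uses a scheme other than
# http(s), so a user-supplied "javascript:" target never reaches the browser.
import re
from typing import Optional, Tuple
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# ASCII control characters and whitespace. A legitimate target is
# percent-encoded and never contains these, and they must not reach a
# header; some browsers also ignore them inside a scheme ("java\tscript:").
_FORBIDDEN = re.compile(r"[\x00-\x20\x7f]")


def validate_redirect_target(target: str) -> Optional[str]:
    """Return the target if it is safe to redirect to, else None.

    Accepted: absolute http(s) URLs with a host, and absolute paths on
    this site ("/path"). Refused: any other scheme (javascript:, data:,
    vbscript:, ...), protocol-relative "//host" targets, empty targets,
    and targets containing control characters or whitespace.
    """
    if not target or _FORBIDDEN.search(target):
        return None
    parts = urlsplit(target)
    scheme = parts.scheme.lower()  # urlsplit lowercases already; be explicit
    if scheme:
        # Absolute URL: scheme must be allow-listed and a host must exist
        # ("http:evil" parses with an empty netloc and is refused).
        if scheme not in ALLOWED_SCHEMES or not parts.netloc:
            return None
        return target
    # Relative target: accept only a single-slash absolute path.
    if target.startswith("/") and not target.startswith("//"):
        return target
    return None


def location_header(target: str) -> Tuple[str, str]:
    """Build a Location header for a validated target; raise on a bad one."""
    safe = validate_redirect_target(target)
    if safe is None:
        raise ValueError("refusing to redirect to an unsafe target")
    return ("Location", safe)


def refresh_header(target: str, delay: int = 0) -> Tuple[str, str]:
    """Build a Refresh header ("<delay>; url=<target>") for a valid target."""
    safe = validate_redirect_target(target)
    if safe is None:
        raise ValueError("refusing to redirect to an unsafe target")
    return ("Refresh", f"{delay}; url={safe}")
```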
