[WEB SECURITY] Cross-Site Scripting attacks via redirectors

Arshan Dabirsiaghi arshan.dabirsiaghi at aspectsecurity.com
Tue Aug 18 22:11:55 EDT 2009

I don't like being negative but I don't know if I've ever seen work that useful dismissed so arrogantly. Aside from all the technical things you got wrong, it's probably not smart to take shots at legends like lcamtuf in case you ever want to work for someone born before 1987.
First of all, what you're talking about is not "XSS" or "holes in the browser." You're talking about certain browser behavior that is subject to risk assessment; your findings can't objectively or even accurately be called those things. If you wanted to call your work "browser behavior in niche cases in header injection", you'd be using terminology that's reasonable, and won't make the folks at MITRE puke up their pad thai and then kill themselves. 
Second, you appear to be plainly wrong about the fact that the handbook doesn't cover redirects to JavaScript URIs in Location headers. That's covered here in row 2:
Next, you say that his test cases are wrong. This could be true for all I know, since I'm not going to verify them unless I have to in order to assess the risk of a finding. Hell, I wouldn't feel safe loading IE6 inside 4 nested VMs, so I'm happy to take his word for it. 
Anyway, if you did find an inaccuracy, the right thing to do would be to email someone at Google and have them add your information to their body of work. This is more useful to everyone than repeatedly congratulating yourself while at the same time loudly admonishing the free work they gave to the community.
Lastly, and this is just pure speculation (and maybe hope), but I would guess that factual errors in the BSH are probably rare, since (I assume) the data is generated by automated test cases; think Acid3 meets DOMChecker meets crontab. My chief complaint is the lack of regular testing, though, since there doesn't appear to be any set schedule for updates:
Can't we virtualize+cloudize this process and get down to up-to-date, revision-level granularity? =)

From: MustLive [mailto:mustlive at websecurity.com.ua]
Sent: Tue 8/18/2009 4:56 PM
To: Arshan Dabirsiaghi
Cc: websecurity at webappsec.org
Subject: Re: [WEB SECURITY] Cross-Site Scripting attacks via redirectors

Hello Arshan!

Thanks for reminding me about Google's Browser Security Handbook. I know
about it, and after the release of this handbook in December 2008 I wrote
about my opinion of it
It would have been better for you (and also for Google, if they haven't yet)
to first read my post in the list before referencing this book.

The key phrase of that post of mine is this: first fix your holes, then write
your book. And until that is done, this lame book (in the context of
security) by lame Google (in the context of security) will forever stay a lame
book (again in the context of security; Google can be nice in other contexts,
but we're talking about security).

> this information is already well-documented in Google's Browser Security
> Handbook

First, not so well. My article covers much more on this subject than this
part of Google's book.

In my article I covered 4 cases of conducting XSS attacks via
redirectors. And the 4th case - redirecting to a javascript: URI via
Location-header redirectors - is not covered in Google's handbook (it is said
there that it's not permitted in all browsers). There is no information about
this attack in Google's handbook or anywhere else, because I found this
case first and was the first to write about it (so it's a new case).

In the handbook it was mentioned that Refresh redirection to a javascript: URI
is not permitted in IE6, but as I wrote in my article and the corresponding
advisory at my site, IE6 is vulnerable. Also, in the handbook the same was
mentioned about FF3. But as I wrote in my article and the corresponding
advisory at my site, Firefox <= 3.0.8 is vulnerable (only the FF 3.5.x versions
are not vulnerable). So in all these cases Google's handbook has incorrect

And taking into account all these inaccuracies in this handbook, you
called it "well-documented"? It's very far from a well-documented state. And
Michal and Google need to work hard on it.

Besides, not all browsers which I checked were checked and mentioned in
Google's handbook (only the most popular ones + Google's products Chrome and
Android). But this number of browsers is enough. Though in my article there
is additional information about affected browsers (and also about different
versions of FF3, which are not covered at all in this handbook).

Second, in this handbook it is mentioned that Chrome permits Refresh
redirection to a javascript: URI (i.e. it's vulnerable). So Google knows that
there is such a hole in their browser, but didn't fix it last year, nor
this year. Which is not serious. And it was quite unserious of Michal to
answer me in Bugtraq, when I wrote there about this hole in Chrome (and
other browsers) after I had also written to Google (but they just ignored my
letter), that this is already documented in Google's handbook. Such an answer
looks like they are proud of this hole in their browser and don't want to fix
it, just referencing their handbook.

Third, there is another hole in Google Chrome, which I wrote about at my
site in June (http://websecurity.com.ua/3243/) and which I found in Chrome in
September 2008, and Chrome is still vulnerable (as
must be all other Chrome 1.x and 2.x versions). And as I know from looking
through Google's Handbook in December, this hole was mentioned as a "known
hole" in this handbook. And at the same time all versions of Google Chrome are
vulnerable to it.

> If I were you

You are not me, so we are different people and have different approaches.
And we read different books ;-). I recommend that you and everyone read only
quality books, and taking into account all of the above about this handbook,
it's not such a quality one.

And you had better recommend reading this book to Google itself. Because, as I
mentioned above, there are at least two holes which I found in Chrome which
are documented in this book. Google's browser developers had better read their
own book, to know all the well-known holes and to fix them. And not write
about holes instead of fixing them :-).

Best wishes & regards,
Administrator of Websecurity web site
http://websecurity.com.ua <http://websecurity.com.ua/> 

----- Original Message -----
From: "Arshan Dabirsiaghi" <arshan.dabirsiaghi at aspectsecurity.com>
To: "MustLive" <mustlive at websecurity.com.ua>; <websecurity at webappsec.org>
Sent: Wednesday, August 05, 2009 12:33 AM
Subject: RE: [WEB SECURITY] Cross-Site Scripting attacks via redirectors

> While we all greatly appreciate your intent you should know that this
> information is already well-documented in Google's Browser Security
> Handbook:
> http://code.google.com/p/browsersec/wiki/Part2#Redirection_restrictions
> <http://code.google.com/p/browsersec/wiki/Part2#Redirection_restrictions>
> If I were you I would become very familiar with that body of work before
> further research into similar areas.
> Cheers,
> Arshan
> ________________________________
> From: MustLive [mailto:mustlive at websecurity.com.ua]
> Sent: Tue 8/4/2009 4:31 PM
> To: websecurity at webappsec.org
> Subject: [WEB SECURITY] Cross-Site Scripting attacks via redirectors
> Hello participants of the Mailing List.
> At the end of July I published my article Cross-Site Scripting attacks via
> redirectors (http://websecurity.com.ua/3376/). And today I published the
> English version of my article (http://websecurity.com.ua/3386/).
> In this article I wrote about using redirectors in different browsers
> for conducting Cross-Site Scripting attacks.
> In the article I wrote about XSS attacks in location-header and
> refresh-header redirectors in different browsers: Mozilla 1.7.x, Mozilla
> Firefox, Internet Explorer (IE6), Opera and Google Chrome. I'm also
> waiting for information from one man, who is checking all the
> vulnerabilities mentioned in the article in other browsers, so when there
> is new information (about other affected browsers), I'll add it to my
> article.
> You can read the article Cross-Site Scripting attacks via redirectors at
> my site: http://websecurity.com.ua/3386/
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua <http://websecurity.com.ua/>
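The technique argued over in this thread is a redirector (a Location or Refresh header whose target comes from user input) being pointed at a javascript: URI, which some browsers of that era would execute. Whichever browser behaviour applies, the application-side mitigation is the same: never emit a user-supplied redirect target without validating its scheme and host. The following Python is added here as an illustration; it is not code from the thread, from MustLive's article, or from the Browser Security Handbook. The allow-listed hosts (example.com) and the sample inputs are constructed for the example, and the same check is applied to the url= part of a Refresh header as to a Location header.

```python
"""Validate user-supplied redirect targets before placing them in a
Location or Refresh header, so the redirector cannot be pointed at a
javascript: (or data:/vbscript:) URI.  Added example; the allow-list
and sample inputs below are constructed, not taken from the thread."""
import re
from urllib.parse import urlsplit

# Only plain web URLs may be redirect targets.
ALLOWED_SCHEMES = {"http", "https"}

# Hosts this application is willing to redirect to (constructed allow-list).
ALLOWED_HOSTS = {"example.com", "www.example.com"}

# ASCII whitespace and control characters.  Browsers tolerate these before
# and inside the scheme (e.g. a tab in "java\tscript:"), so they are removed
# before the scheme is inspected rather than letting them hide it.
_CONTROL_AND_WS = re.compile(r"[\x00-\x20\x7f]")


def normalise_target(raw: str) -> str:
    """Strip control characters and whitespace from a candidate target."""
    return _CONTROL_AND_WS.sub("", raw)


def is_safe_redirect_target(raw: str) -> bool:
    """True if `raw` may be emitted as a redirect target.

    Accepts absolute http(s) URLs on an allow-listed host and relative
    path-style targets beginning with a single '/'.  Rejects everything
    else: javascript:/data:/vbscript: URIs, scheme-relative "//host"
    targets, and backslash variants some browsers treat like slashes.
    """
    target = normalise_target(raw)
    if not target:
        return False
    try:
        parts = urlsplit(target)
    except ValueError:          # e.g. a malformed IPv6 literal
        return False
    scheme = parts.scheme.lower()
    if scheme:
        # Absolute URL: scheme and host both have to be on the allow-lists.
        # urlsplit lowercases .hostname for us; it is None if absent.
        return scheme in ALLOWED_SCHEMES and parts.hostname in ALLOWED_HOSTS
    # No scheme: only a same-site path, never "//host" or "/\host".
    return target.startswith("/") and not target.startswith(("//", "/\\"))


def location_header_value(raw: str, fallback: str = "/") -> str:
    """Value for a Location header: the validated target, else `fallback`."""
    return normalise_target(raw) if is_safe_redirect_target(raw) else fallback


def refresh_header_value(raw: str, delay: int = 0, fallback: str = "/") -> str:
    """Value for a Refresh header, with the url= part validated the same way."""
    return f"{delay}; url={location_header_value(raw, fallback)}"


if __name__ == "__main__":
    # Constructed inputs: the first two are benign, the rest must be refused.
    samples = [
        "https://example.com/account",
        "/login?next=1",
        "javascript:void(0)",
        " java\tscript:void(0)",
        "//evil.example.net/",
        "http://evil.example.net/",
        "data:text/html,x",
    ]
    for s in samples:
        print(f"{s!r:32} -> {location_header_value(s)}")
```

The validator deliberately allow-lists rather than deny-lists: a deny-list of scheme names is what the whitespace and case tricks defeat, whereas requiring http/https plus a known host leaves nothing for a javascript: or data: target to slip through. Falling back to "/" rather than raising keeps the redirector usable when a link is simply malformed.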
