websecurity@lists.webappsec.org

The Web Security Mailing List


Cross-Site Scripting attacks via redirectors with 301, 302 and 303 statuses

MustLive
Wed, Oct 10, 2012 8:55 PM

Hello participants of Mailing List.

In September 2012 I updated one of my old articles and wrote one new article.

I'll tell you briefly about my articles concerning Cross-Site Scripting
attacks via redirectors. The first one is my 2009 article, about which I
wrote to the list at that time and which I updated last month. The second one
is my article about redirectors with 301 and 303 statuses - it's a
continuation of the previous article. These topics should be interesting for you
(especially for those who haven't read them before).

  1. Cross-Site Scripting attacks via redirectors
    http://websecurity.com.ua/3386/

In this article (in English) I described Cross-Site Scripting attacks
via different redirectors (refresh and location based and with different
URIs). After releasing this article on 04.08.2009 I've updated it several
times (the history is at the bottom of the article). Last month I added new
important information: data concerning attacks to which Firefox
3.5.19, 3.6.28, 10.0.7, 15.0.1 are vulnerable. I also added information
that Firefox 10.0.7 and Firefox 15.0.1 are not vulnerable to attacks #4,6,
because these vulnerabilities were hiddenly fixed by Mozilla in Firefox 9.0
(i.e. after I informed them in July 2009 by e-mail and in Bugzilla, Mozilla
ignored and then lamerly and hiddenly fixed these issues in December 2011).

  2. Cross-Site Scripting via redirectors with 301 and 303 in different
    browsers
    http://websecurity.com.ua/6067/

In this article I described similar XSS attacks via redirectors, but
this time via redirectors with other statuses. In my 2009 article I
researched only refresh-redirectors and 302 location-redirectors (and 301
redirectors only in attack #3 via data: URI); this time I've expanded
this research with new information. Besides 302, attacks are possible only
via redirectors with 301 and 303 statuses; other 30x statuses
are not affected. Attacks are possible via javascript: and data: URIs in
different browsers.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
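
A redirector-side check for the issue the post describes (javascript: and data: URIs reaching a Location header), as an added example that is not part of the original post or the linked articles. The function names, `BASE` and the host list are assumptions made for this sketch, and it goes slightly beyond the post by also pinning the target host.

```javascript
// Added example: hypothetical redirector hardening, not code from the articles.
// Parse the target the way a browser would (WHATWG URL), then allow-list it.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Constructed values for this sketch.
const BASE = "https://app.example/";
const ALLOWED_HOSTS = new Set(["app.example", "docs.example"]);

function safeRedirectTarget(raw) {
  if (typeof raw !== "string" || raw.length === 0 || raw.length > 2048) return null;
  let url;
  try {
    // The parser lowercases the scheme and strips leading whitespace and
    // embedded tab/CR/LF, so "JaVaScRiPt:" or "java\nscript:" cannot slip
    // past the scheme check below. Relative paths resolve against BASE.
    url = new URL(raw, BASE);
  } catch {
    return null;
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) return null; // javascript:, data:, ...
  if (!ALLOWED_HOSTS.has(url.hostname)) return null;   // includes //host targets
  if (url.username || url.password) return null;       // no user:pass@ confusion
  // Return the parsed, re-serialized URL, never the raw input.
  return url.href;
}

// The same check applies to every redirecting status and to Refresh headers.
function buildRedirect(raw, status = 302) {
  const target = safeRedirectTarget(raw);
  if (target === null) {
    return { status: 400, headers: {}, body: "Invalid redirect target" };
  }
  return { status, headers: { Location: target }, body: "" };
}
```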
