Categorized | News

Domain Masquerading: msie Exploit

Posted on 10 December 2003 by Demian Turner

Check out the html source of this page that explains a new exploit discovered for msie.  I can see a lot of people getting pulled by this one, what percentage of web users even know how to ‘view source’, and even if you do you’re not going to check every page you go to.

Exploit
By opening a window using the http://user@domain nomenclature an attacker can hide the real location of the page by including a 0×01 character after the “@” character.

Internet Explorer doesn’t display the rest of the URL making the page appear to be at a different domain.

Reminds me, I still have to get the anti-string cut stuff working in Seagull.

Thanks to Simon’s weblog for the alert.

Bookmark and Share

Leave a Reply

Advertise Here
Advertise Here

Subscribe by email

Enter your email address:

Delivered by FeedBurner

Categories

Books

Demian Turner's currently-reading book recommendations, reviews, favorite quotes, book clubs, book trivia, book lists

Affiliates

PHPkitchen recommends you also check out the following sites :

Accounting for Small Businesses

FreeAgent sign-up