
Domain Masquerading: msie Exploit

Posted on 10 December 2003 by Demian Turner

Check out the HTML source of this page that explains a new exploit discovered for msie. I can see a lot of people getting pulled by this one: what percentage of web users even know how to ‘view source’? And even if you do, you’re not going to check every page you go to.

Exploit
By opening a window using the http://user@domain nomenclature an attacker can hide the real location of the page by including a 0x01 character after the “@” character.

Internet Explorer doesn’t display the rest of the URL making the page appear to be at a different domain.
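A link checker for the pattern described above, as an added example (not from the original post or the advisory): it flags URLs that carry a userinfo part or a control character such as 0x01 in the authority, and reports the host the link really points to. The function names, finding labels and sample URLs are constructed for illustration.

```javascript
// Added example: inspect the authority part of a link for the masquerading
// pattern. Names and sample URLs are constructed, not from the advisory.

// Captures everything between "scheme://" and the first "/", "\", "?" or "#".
const AUTHORITY = /^[a-z][a-z0-9+.-]*:\/\/([^\/\\?#]*)/i;
// ASCII control characters, which includes the 0x01 byte named above.
const CONTROL = /[\x00-\x1f\x7f]/;
// Userinfo that starts with something shaped like a dotted host name.
const HOSTLIKE = /^[a-z0-9-]+(\.[a-z0-9-]+)+/i;

// Percent-decode byte by byte; malformed sequences such as "%zz" stay as-is.
function safeDecode(s) {
  return s.replace(/%[0-9a-f]{2}/gi, (m) =>
    String.fromCharCode(parseInt(m.slice(1), 16)));
}

function inspectLink(href) {
  const m = AUTHORITY.exec(href);
  if (!m) return { host: null, findings: ["no-authority"] };

  // The last "@" separates userinfo from host; split before decoding so an
  // encoded "%40" cannot move the boundary.
  const at = m[1].lastIndexOf("@");
  const userinfo = at === -1 ? "" : safeDecode(m[1].slice(0, at));
  const hostport = safeDecode(m[1].slice(at + 1));

  const findings = [];
  if (at !== -1) findings.push("userinfo-present");
  if (CONTROL.test(userinfo) || CONTROL.test(hostport)) {
    findings.push("control-char-in-authority");
  }
  if (HOSTLIKE.test(userinfo)) findings.push("userinfo-resembles-host");

  // Host the request is actually sent to, with any port removed.
  return { host: hostport.replace(/:\d*$/, "").toLowerCase(), findings };
}

// Constructed samples using reserved .example names.
const samples = [
  "http://www.example.com/index.html",
  "ftp://alice@files.example/",
  "http://www.trusted.example%01@other.example/login",
];
for (const s of samples) console.log(JSON.stringify(inspectLink(s)));
```

The returned `host` is the value worth showing to a user or logging next to the link text, since it does not depend on how a browser renders the address.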

Reminds me, I still have to get the anti-string cut stuff working in Seagull.

Thanks to Simon’s weblog for the alert.
