Is data:text/html the "new" way of doing about:blank document.write(...)?

Started by Darren Dirt, January 18, 2017, 09:43:37 AM

Darren Dirt

paste this into address bar and it does what you would expect:

data:text/html,HELLO<script>alert(5)</script>, WORLD!

via this announcement of a MAJOR phishing scam:
https://bgr.com/2017/01/17/gmail-phishing-attack-attachment-address-bar/
_____________________

Strive for progress. Not perfection.
_____________________

Mr. Analog

Not new per se, but the Data URI scheme can be abused to hell and back thanks to URL shorteners, people who blindly click links, but mostly more browsers implementing the feature and not considering the implications (as it bypasses traditional XSS checks).

This feature allows you to embed multiple binary contents directly via a single HTTP request, something that hasn't really been practical until recently.

From the Wikipedia article:
<img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAUA
AAAFCAYAAACNbyblAAAAHElEQVQI12P4//8/w38GIAXDIBKE0DHxgljNBAAO
9TXL0Y4OHwAAAABJRU5ErkJggg==" alt="Red dot" />


The Internet: Good Ideas Done Badly
By Grabthar's Hammer

Mr. Analog

Thanks again for this link and example, btw. I've passed it on to our security team :)
By Grabthar's Hammer

Darren Dirt

Quote from: Mr. Analog on January 18, 2017, 10:00:55 AM
Not new per se, but the Data URI scheme can be abused to hell and back thanks to URL shorteners, people who blindly click links, but mostly more browsers implementing the feature and not considering the implications (as it bypasses traditional XSS checks).

This feature allows you to embed multiple binary contents directly via a single HTTP request, something that hasn't really been practical until recently.

From the Wikipedia article:
<img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAUA
AAAFCAYAAACNbyblAAAAHElEQVQI12P4//8/w38GIAXDIBKE0DHxgljNBAAO
9TXL0Y4OHwAAAABJRU5ErkJggg==" alt="Red dot" />


The Internet: Good Ideas Done Badly

Yeah, I know about using the data: protocol for images (esp. handy in CSS for icons etc.); never thought of using text/html as the data TYPE and thus serving out a complete HTML page in the URL... Realize now some out-of-the-box uses could also include dodging URL blockers at school/work etc...
_____________________

Strive for progress. Not perfection.
_____________________
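
Added example, not part of the original thread: a small Node.js triage function for link targets that separates the image-style `data:` URIs mentioned above from ones whose media type makes the browser render a full document, and flags script in the decoded body. The `ACTIVE_TYPES` list, the verdict names and the script heuristic are assumptions of this sketch, not a standard.

```javascript
// Added example, not code from the thread. Runs under Node.js (uses Buffer).
// ACTIVE_TYPES and the verdict names are assumptions made for this sketch.
const ACTIVE_TYPES = new Set([
  'text/html', 'application/xhtml+xml', 'image/svg+xml', 'text/xml', 'application/xml',
]);

// Split a data: URI into media type, base64 flag and decoded body (RFC 2397 layout).
function parseDataUri(uri) {
  // URL parsers drop tabs/newlines and surrounding whitespace before reading the scheme.
  const cleaned = String(uri).replace(/[\t\n\r]/g, '').trim();
  const m = /^data:([^,]*),(.*)$/is.exec(cleaned);
  if (!m) return null;
  const params = m[1].split(';').map((p) => p.trim().toLowerCase());
  const mediaType = params[0] || 'text/plain'; // RFC 2397 default when omitted
  const isBase64 = params.length > 1 && params[params.length - 1] === 'base64';
  let body;
  try { body = decodeURIComponent(m[2]); } catch { body = m[2]; } // tolerate stray '%'
  if (isBase64) body = Buffer.from(body, 'base64').toString('utf8');
  return { mediaType, isBase64, body };
}

// Heuristic triage of one link target (for mail or URL-filter pipelines).
function assessLink(uri) {
  const parsed = parseDataUri(uri);
  if (!parsed) return { verdict: 'not-data-uri' };
  if (!ACTIVE_TYPES.has(parsed.mediaType)) return { verdict: 'passive', ...parsed };
  // Script tags, inline event handlers, javascript: URLs in the decoded body.
  const hasScript = /<script\b|\bon\w+\s*=|javascript:/i.test(parsed.body);
  return { verdict: hasScript ? 'active-with-script' : 'active-document', ...parsed };
}

// Constructed samples; the first is the URI from the opening post.
const samples = [
  'data:text/html,HELLO<script>alert(5)</script>, WORLD!',
  ' DATA:Text/HTML;base64,' + Buffer.from('<script>alert(5)</script>').toString('base64'),
  'data:text/html,<h1>Sign in</h1>',
  'data:image/png;base64,AAAA',
  'https://example.com/',
];
for (const s of samples) console.log(assessLink(s).verdict.padEnd(18), s.slice(0, 60));
```

Decoding before matching matters: the base64 sample contains no literal `<script>` in the URL text, so a filter that only pattern-matches the raw link would miss it.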