Paste this into the address bar and it does what you would expect:
data:text/html,HELLO<script>alert(5)</script>, WORLD!
via this announcement of a MAJOR phishing scam:
https://bgr.com/2017/01/17/gmail-phishing-attack-attachment-address-bar/
Not new per se, but the Data URI scheme can be abused to hell and back thanks to URL shorteners, people who blindly click links, but mostly more browsers implementing the feature and not considering the implications (as it bypasses traditional XSS checks).
This feature allows you to embed multiple binary contents directly via a single HTTP request, something that hasn't really been practical until recently.
From the Wikipedia article:
<img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAUA
AAAFCAYAAACNbyblAAAAHElEQVQI12P4//8/w38GIAXDIBKE0DHxgljNBAAO
9TXL0Y4OHwAAAABJRU5ErkJggg==" alt="Red dot" />
The Internet: Good Ideas Done Badly
Thanks again for this link and example btw I've passed it on to our security team :)
Quote from: Mr. Analog on January 18, 2017, 10:00:55 AM
Not new per se, but the Data URI scheme can be abused to hell and back thanks to URL shorteners, people who blindly click links, but mostly more browsers implementing the feature and not considering the implications (as it bypasses traditional XSS checks).
This feature allows you to embed multiple binary contents directly via a single HTTP request, something that hasn't really been practical until recently.
From the Wikipedia article:
<img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAUA
AAAFCAYAAACNbyblAAAAHElEQVQI12P4//8/w38GIAXDIBKE0DHxgljNBAAO
9TXL0Y4OHwAAAABJRU5ErkJggg==" alt="Red dot" />
The Internet: Good Ideas Done Badly
Yeah, I know about using the data: protocol for images (esp. handy in CSS for icons etc.), but I never thought of using text/html as the data TYPE and thus serving out a complete HTML page in the URL... I realize now some out-of-the-box uses could also include dodging URL blockers at school/work etc.
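An added example in Python, not code from the thread or from any poster: a small RFC 2397 data: URI parser that decodes the payload and flags what the posts above warn about, namely a media type such as text/html that the browser will render as a page, or script markup in the decoded body. The list of "active" media types and the markup check are this example's own assumptions; the two sample URIs are the ones posted in the thread.

```python
import base64
import re
from urllib.parse import unquote

# Media types a browser will render or execute when loaded from a data: URL
# (assumption for this example: a starting list, not an exhaustive one).
ACTIVE_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml",
                "text/javascript", "application/javascript"}
# RFC 2397: data:[<mediatype>][;base64],<data>; the header ends at the first comma.
DATA_URI_RE = re.compile(r"^data:([^,]*),(.*)$", re.IGNORECASE | re.DOTALL)
SCRIPT_RE = re.compile(r"<script\b|\son\w+\s*=|javascript:", re.IGNORECASE)

def parse_data_uri(uri):
    """Split a data: URI into (media_type, decoded_bytes); None if it is not one."""
    m = DATA_URI_RE.match(uri.strip())
    if not m:
        return None
    header, payload = m.group(1), m.group(2)
    params = [p.strip() for p in header.split(";")]
    media_type = params[0].lower() or "text/plain"  # RFC 2397 default type
    if any(p.lower() == "base64" for p in params[1:]):
        # b64decode ignores whitespace, so the line-wrapped PNG example decodes as-is
        data = base64.b64decode(unquote(payload))
    else:
        data = unquote(payload).encode("utf-8")
    return media_type, data

def assess_data_uri(uri):
    """Classify one data: URI the way a link filter would before letting it through."""
    parsed = parse_data_uri(uri)
    if parsed is None:
        return {"is_data_uri": False, "risky": False, "reasons": []}
    media_type, data = parsed
    reasons = []
    if media_type in ACTIVE_TYPES:
        reasons.append("active media type " + media_type)
    # Only text-like bodies are inspected for markup; script bytes inside a PNG are inert.
    if media_type in ACTIVE_TYPES or media_type.startswith("text/"):
        if SCRIPT_RE.search(data.decode("utf-8", errors="replace")):
            reasons.append("script or event handler in decoded body")
    return {"is_data_uri": True, "media_type": media_type,
            "risky": bool(reasons), "reasons": reasons}

# Sample inputs: the two data: URIs posted in the thread above.
HTML_URI = "data:text/html,HELLO<script>alert(5)</script>, WORLD!"
PNG_URI = ("data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAUA\n"
           "AAAFCAYAAACNbyblAAAAHElEQVQI12P4//8/w38GIAXDIBKE0DHxgljNBAAO\n"
           "9TXL0Y4OHwAAAABJRU5ErkJggg==")
```

`assess_data_uri(HTML_URI)` reports both the text/html type and the script tag, while `assess_data_uri(PNG_URI)` decodes the 85-byte red-dot PNG and reports nothing, which is the distinction a URL filter needs to make instead of blocking every data: link.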