Location based XSS attacks

There is always something new to learn… Didn’t know this little trick. A very simple example:

A website has a reflected XSS vulnerability (echoes the parameter abc in this example), but escapes " to ". We use the property that web browser do not send the fragment part of an URI (everything after the hash character #) to the web server:

http://example.com/index.php?abc=<script>eval(location.hash.slice(1))</script>#alert(“XSS!!!”);

See the page above for more advanced examples. This technique solves the escaping problem and the server logs never show the Javascript attack code.

Rick Roll’d (Google auto redirect)

Ever been Rick Roll’d by Google? How does this link look like?

http://www.google.ch

Credit goes to Marshall Whittaker, see http://seclists.org/fulldisclosure/2010/Jul/188.

The technique behind it is quite simple:
1. Find a Google query that shows your desired page on top. With query modifiers like intitle: inurl: site: it’s quite easy
2. Construct a Google URL to send a “I’m Feeling Lucky” query
3. Percent encode your Google query from 1 and the button name (“‘I’m Feeling Lucky”) to obfuscate
4. Prepend your Google query with a lot of %20 to fool the browser URL preview in the footer. Hovering over the link will not show the percent decoded URL!

Update: The Google query was additionally appended with %20, so it looks the same in Firefox 5