Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: XSS?

from [Matt Fisher] Network Security [Permanent Link]
Subject: RE: XSS?
Date: Tue, 29 Nov 2005 20:14:54 -0500 
[ Bit late, way behind on mail  ] 

The standard thing I've seen done, particularly on .gov's is to have a
"redirection message" that says "You are now being redirected to .....
Please note that this site is not affiliated with xyz.  You will be
redirected in 3 seconds". 

Seems that would fix the issue of people confusing the final site as
being google.  I don't consider this a vuln either, and not even much of
a phishing 'enabler'.  Google doesn't frame the site, they 302 to it.
You can only hold hands for so long ... at some point people have to
realize the url has completely changed and they're not on google



 


-----Original Message-----
From: Serg Belokamen [mailto:serg.belokamen@gmail.com] 
Sent: Wednesday, November 16, 2005 10:32 PM
To: Aman Raheja
Cc: webappsec@securityfocus.com
Subject: Re: XSS?

URL will change which would make it obvious.

Then again some will buy into it so yeah...

I am kind of on a fence with this one. You did sway my 
opinion though; hence on the fence. I used to be on the other side :)

Don't think Google can do much about though and keep same 
functionality.

   Serg


On 17/11/05, Aman Raheja <araheja@techquotes.com> wrote:

Why would it not be a problem if someone sends an email 

with the link 

http://www.google.com/url?q=http://www.xyz.com and prompt 

user to sign 

up for some new google service or even sign in to personalize the 
google homepage?
The user will get redirected to the xyz site which would 

show google 

logo and same look and feel and collect the user 

information - which 

could potentially be misused. They are probably not going away the 
credit card or bank information but it is phishing and 

collecting user 

information by misleading.
AR

Serg B. wrote:


I really dont see a problem here?

Vulnerability? What are you on about? Simple, expected 

redirect (key

word: expected).

Here is a more in context example.

Lets say you have some sort of managment system (lets say a CRM of 
some
sort) and you search for user with name 'A'. Returned result set 
contains 20 matches. You are presented with a list and you choose 
which one you want to look at in details. However if result set 
returned is a single, exact match then there is absolutely 

no point 

showing a list of matches since we already know that there 

is only a 

single match. Hence, go directly to data, saving time and effort.

  Serg

On Tue, 2005-11-15 at 13:51 +0000, Aman Raheja wrote:



This is not XSS but indeed a vulnerability since they are not 
validating the URL and it's irresponsible of google not 

to take care 

of this kind of vulnerability which would aid phishing.

Aman Raheja
http://www.techquotes.com

On Tue, 15 Nov 2005 11:52:19 +0800, Andrew Chan 

<quickt@gmail.com> wrote :





I tried 

http://www.google.com/url?q=http://www.microsoft.com and it 

got directed. it seems that I received one such phishing 

email that 

makes use of this to obfuscate the actual URL lately.
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: ODBC Injection, Lepore, Brian
Next by Date:  RE: ODBC Injection, Brett Moore
Previous by Thread:  Re: XSS?, Pilon Mntry
Next by Thread:  Blind SQL Injection / Stored procedures, Andres Molinetti
Indexes:  [Date] [Thread] [Top] [All Lists]