Well, :) I cannot see how you can force someone to type / at least twice. Even if the targeted user writes a blog entry it is very unlikely that he/she will use / . I guess this vector works well on wikies and other systems that allow you to specify the text format through meta-characters. The cool think about stealing the address bar focus is that a confused user will try to repeat typing the url again and that may give you enough slashes and other characters to steal /etc/shadow or /etc/passwd for example, which means that this attack vector can work virtually every where. For example: Joe visits eveil.com. He is not interested in the site but evil.com is interested in his files. Joe types http://[what ever]. evil.com hijacks the address bar focus. This is how they get the first /. Joe will probably repeat to type stuff in the address bar again. The rest of the characters are not obtained. Now of course Joe will realise that he is not typing in the address bar but he will probably think that either the browser is screwed up or that he forgot to select the address bar first (it happens all the time). So, this is why I think that combination of both issues can create one hell of a good attack. Here is another idea. Joe visits Betty's MySpace private page. The page contains XSS. On the page there is an input box and a captcha. The user is asked to enter the text in the captcha in order to access the page. The captcha is: pde/t/aswsc Joe enters the text but the he receives a complain that his input is incorrect. The attacker repeats the process until all required characters are entered into the FILE INPUT box. simple. On 2/11/07, Michal Zalewski <lcamtuf@xxxxxxxxxxxx> wrote:
On Sun, 11 Feb 2007, pdp (architect) wrote: > here is an idea... we can combine both techniques into a single > attack... the hardest part of your hack is to force the user to type > :// plus several other / Actually, MSIE doesn't require drive specification in the filename, and will probably accept relative paths as well (so you might not need \ either when picking files from the desktop or 'my documents' or whatnot). Firefox won't settle for a path without drive specification (but it will accept SMB requests ;-). On *nix systems, of course, aiming /etc/passwd is easier than C:\whatever. The problem with intercepting address bar input is that you can't echo the entered text back there without unloading the current document and its scripts; in my examples, I tried to make sure that it's hard for the user to notice that his input is not going where it should (in MSIE example, this includes simulation of a blinking cursor). /mz
-- pdp (architect) | petko d. petkov http://www.gnucitizen.org