IDN URL Exploit Filters
|
Mar. 05, 2005, 01:51 PM
Post: #1
|
|||
|
|||
The discussion about this spoofing vulnerability and possible solutions with Proxomitron started at Y!G prox-list. I'm cross-posting here. See Secunia News or The Shmoo Group for testcase and explanation. Only Gecko browsers and Opera are affected, Internet Explorer doesn't have a Punycode handler.
Mozilla.org released a Firefox update that - among other things - always displays the real Punycode URL by default -- See here. In my opinion this is the best way to handle that issue, since it doesn't involve any page modifications (or blocks, Punycode URLs are widely used in East-Asia and usually perfectly legit) on the part of Prox. While you can "emulate" that new Firefox behavior with a filter for older Gecko browsers, Opera refuses to explicitely display *any* URL starting with "xn--" (try e.g. xn--foobar.com). Consequently, you'd need to mask that "xn--" in some way: Code: [HTTP headers] Notes: Because the browser is seeing a different domain ("xn__" instead of "xn--") now, you may need to bypass the filters if you want to accept cookies from an "xn--" site. Any URL command applied to the URL before the $JUMP isn't in effect afterwards. The $JUMP needs to wait for an initial response to avoid being executed for HTTPS URLs, if "Use SSLeay..." is deactivated in the Prox settings. The stand-alone version can't check if the current user-agent really needs that procedure. The version for my set is here. sidki |
|||
« Next Oldest | Next Newest »
|
Messages In This Thread |
[] - sidki3003 - Mar. 05, 2005 01:51 PM
[] - JakBeNymble - Mar. 05, 2005, 05:27 PM
|