IDN URL Exploit Filters
|
Mar. 05, 2005, 01:51 PM
Post: #1
|
|||
|
|||
The discussion about this spoofing vulnerability and possible solutions with Proxomitron started at Y!G prox-list. I'm cross-posting here. See Secunia News or The Shmoo Group for testcase and explanation. Only Gecko browsers and Opera are affected, Internet Explorer doesn't have a Punycode handler.
Mozilla.org released a Firefox update that - among other things - always displays the real Punycode URL by default -- See here. In my opinion this is the best way to handle that issue, since it doesn't involve any page modifications (or blocks, Punycode URLs are widely used in East-Asia and usually perfectly legit) on the part of Prox. While you can "emulate" that new Firefox behavior with a filter for older Gecko browsers, Opera refuses to explicitely display *any* URL starting with "xn--" (try e.g. xn--foobar.com). Consequently, you'd need to mask that "xn--" in some way: Code: [HTTP headers] Notes: Because the browser is seeing a different domain ("xn__" instead of "xn--") now, you may need to bypass the filters if you want to accept cookies from an "xn--" site. Any URL command applied to the URL before the $JUMP isn't in effect afterwards. The $JUMP needs to wait for an initial response to avoid being executed for HTTPS URLs, if "Use SSLeay..." is deactivated in the Prox settings. The stand-alone version can't check if the current user-agent really needs that procedure. The version for my set is here. sidki |
|||
Mar. 05, 2005, 05:27 PM
Post: #2
|
|||
|
|||
Hey "sidki3003",
Great work!!! got'em, installed'em, working link a charm! ~"JaK"~ [smoke] |
|||
Mar. 05, 2005, 09:52 PM
Post: #3
|
|||
|
|||
Cool!
|
|||
Mar. 05, 2005, 10:55 PM
Post: #4
|
|||
|
|||
I'm including these two filters in my next KBSP update
Very nice work Sidki! [thumbs] |
|||
Mar. 05, 2005, 11:33 PM
Post: #5
|
|||
|
|||
Good to hear that these filters actually work for you (lots of little obstacles while writing/testing)! *lol*
|
|||
« Next Oldest | Next Newest »
|