IDN URL Exploit Filters
Mar. 05, 2005, 01:51 PM
Post: #1
 
The discussion about this spoofing vulnerability and possible solutions with Proxomitron started at Y!G prox-list. I'm cross-posting here. See Secunia News or The Shmoo Group for testcase and explanation. Only Gecko browsers and Opera are affected; Internet Explorer doesn't have a Punycode handler.

Mozilla.org released a Firefox update that - among other things - always displays the real Punycode URL by default -- See here.

In my opinion this is the best way to handle that issue, since it doesn't involve any page modifications (or blocks, Punycode URLs are widely used in East-Asia and usually perfectly legit) on the part of Prox. While you can "emulate" that new Firefox behavior with a filter for older Gecko browsers, Opera refuses to explicitly display *any* URL starting with "xn--" (try e.g. xn--foobar.com).

Consequently, you'd need to mask that "xn--" in some way:
Code:
[HTTP headers]
In = TRUE
Out = FALSE
Key = "! : Redir: IDN Exploit - Show real URL I [sd] (In)"
URL = "([^/]++.|)\2xn--\3&$URL(\1://)$JUMP(\1://\2xn__\3)"

In = FALSE
Out = TRUE
Key = "! : Redir: IDN Exploit - Show real URL II [sd] (Out)"
URL = "([^/]++.|)\2xn__\3&$URL(\1://)$RDIR(\1://\2xn--\3)$LOG(RGET $DTM(c) : IDN Address re-requested)"

Notes:
Because the browser is seeing a different domain ("xn__" instead of "xn--") now, you may need to bypass the filters if you want to accept cookies from an "xn--" site.

Any URL command applied to the URL before the $JUMP isn't in effect afterwards.

The $JUMP needs to wait for an initial response to avoid being executed for HTTPS URLs, if "Use SSLeay..." is deactivated in the Prox settings.

The stand-alone version can't check if the current user-agent really needs that procedure.

The version for my set is here.


sidki
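The rewriting that the two filters in post #1 perform, together with the "show the real Punycode URL" behaviour they emulate, sketched in Python as an added example; it is not part of the original post or of sidki's filter set. The function names and the sample URL are constructed for illustration, and Python's built-in `idna` codec stands in for the browser's Punycode handler.

```python
from urllib.parse import urlsplit, urlunsplit

ACE = "xn--"   # prefix of a Punycode-encoded (IDN) host label
MASK = "xn__"  # stand-in prefix the two filters show to the browser

def _rebuild(url, host):
    """Return url with its host replaced (userinfo is dropped on purpose)."""
    p = urlsplit(url)
    netloc = host if p.port is None else f"{host}:{p.port}"
    return urlunsplit((p.scheme, netloc, p.path, p.query, p.fragment))

def _swap_prefix(url, old, new):
    """Swap the prefix at the start of every host label that carries it."""
    host = urlsplit(url).hostname or ""
    labels = [new + l[len(old):] if l.startswith(old) else l
              for l in host.split(".")]
    return _rebuild(url, ".".join(labels))

def real_url(url):
    """Host in its ASCII/Punycode form, i.e. what is actually requested."""
    host = urlsplit(url).hostname or ""
    return _rebuild(url, host.encode("idna").decode("ascii"))

def mask(url):      # direction of filter I (In): xn-- becomes xn__
    return _swap_prefix(real_url(url), ACE, MASK)

def unmask(url):    # direction of filter II (Out): xn__ becomes xn--
    return _swap_prefix(url, MASK, ACE)

def idn_labels(url):
    """List (punycode_label, decoded_text_or_None) for each IDN label."""
    out = []
    for label in (urlsplit(real_url(url)).hostname or "").split("."):
        if label.startswith(ACE):
            try:
                out.append((label, label.encode("ascii").decode("idna")))
            except UnicodeError:   # malformed Punycode: report it undecoded
                out.append((label, None))
    return out

# Constructed sample: "example" spelled with Cyrillic U+0430 in place of "a".
SAMPLE = "http://www.ex\u0430mple.com:8080/login?next=1"

if __name__ == "__main__":
    print("requested:", real_url(SAMPLE))
    print("shown    :", mask(SAMPLE))
    for ace, text in idn_labels(SAMPLE):
        print("IDN label:", ace, "decodes to", ascii(text))
```

Because the masked host is a different name from the real one, `unmask(mask(url))` must be applied before the request leaves the proxy, which is why cookies set for the "xn--" site do not match what the browser sees.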
Mar. 05, 2005, 05:27 PM
Post: #2
 
Hey "sidki3003",
Great work!!! got'em, installed'em, working like a charm! Cheers
~"JaK"~ [smoke]
Mar. 05, 2005, 09:52 PM
Post: #3
 
Cool! Big Teeth
Mar. 05, 2005, 10:55 PM
Post: #4
 
I'm including these two filters in my next KBSP update Eyes Closed Smile

Very nice work Sidki! [thumbs]
Mar. 05, 2005, 11:33 PM
Post: #5
 
Good to hear that these filters actually work for you (lots of little obstacles while writing/testing)! *lol*