JavaScript Embedded in Homepage Links in Firefox

Posted by | News | Saturday 6 February 2010 8:27 pm

So after the last post I was messing around a bit with the way the homepage functionality works in Firefox, and I noticed something I had meant to go back and play with quite a while ago. Funny how the mind works. Anyway, it turns out that if you include a pipe in a URL with JavaScript after it, and you somehow get someone to set that page as their homepage, you can get JavaScript to fire on about:blank. I’m not exactly sure how that would be helpful, but it’s certainly unsafe behavior to use a pipe as a delimiter, since pipes can exist as valid characters in URL structures. If you want to see it in action, click, hold and drag the following demo link onto the homepage button in Firefox:

Set your homepage by dragging this link onto your homepage button at the top, then click through the button that asks for confirmation. For some reason this didn’t work in my main browser, but when I used safe mode it worked fine. I suspect that’s NoScript’s doing, so you may have to disable it to get the demo working. Again, I’m not super clear on how this would be useful, but it’s certainly unintended behavior. Happy bookmarking!

View full post on ha.ckers.org web application security lab

9 Comments

  1. Comment by Anonymous — February 6, 2010 @ 8:57 pm

    works for me with Firefox 3.6, without safe mode :D nice

  2. Comment by Anonymous — February 6, 2010 @ 9:38 pm

    No worky in Chrome …drat.

  3. Comment by Anonymous — February 6, 2010 @ 9:41 pm

    If you take into consideration that the pipe is the way the Firefox team has chosen to separate multiple pages when bookmarking them, then it is not unusual behavior. But what about safety? Anyone can use several ways to make it execute javascript:[code].
    PS: yes, NoScript is blocking that.

  4. Comment by Anonymous — February 6, 2010 @ 9:41 pm

    works in FF 3.5.7 without safe mode and noscript disabled

    tried various ways to drop down a new line in IE7 to pull off the same thing, but no luck
    and maybe get this script to run by itself and hope people just click ok?

  5. Comment by Anonymous — February 6, 2010 @ 9:57 pm

    This is because you can set multiple webpages as “home page” in Firefox (so that when you open it, all of these are opened each in its own tab), and when you do they’re stored internally as a list of URLs separated by pipe characters.
    That’s also why the XSS alert box shows up in its own tab in this example.
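The pipe-delimited homepage storage described in the post and in comment 5 above, modelled as an added example (this is not code from ha.ckers.org or from Firefox): `splitHomepages` reproduces the naive split, `loadHomepages` adds a per-entry scheme allowlist so that an entry such as `javascript:` is never opened as a tab, and `storeHomepages` percent-encodes a literal `|` before joining so that a single URL containing a pipe survives the round trip as one entry. The function names, the allowlist and the sample URLs are assumptions made for illustration.

```javascript
// Added example: models a homepage preference stored as a pipe-delimited
// list of URLs and the checks a defender would put around it. The scheme
// allowlist and all sample URLs below are constructed for illustration;
// Firefox's real policy is not described on the page.

// Schemes that may be opened automatically as a homepage tab (assumption).
const ALLOWED_SCHEMES = new Set(["http:", "https:", "about:"]);

// Naive split: exactly what a pipe-delimited preference implies. A single URL
// that legitimately contains "|" is broken into two separate entries here.
function splitHomepages(pref) {
  return pref
    .split("|")
    .map((s) => s.trim())
    .filter((s) => s.length > 0);
}

// Scheme of an entry (e.g. "https:"), or null if it does not parse as a URL.
function schemeOf(entry) {
  try {
    return new URL(entry).protocol.toLowerCase();
  } catch (e) {
    return null;
  }
}

// Hardened load: split, then keep only entries whose scheme is allowlisted.
// Rejected entries are returned too, so a caller can log them for review.
function loadHomepages(pref) {
  const kept = [];
  const rejected = [];
  for (const entry of splitHomepages(pref)) {
    const scheme = schemeOf(entry);
    if (scheme !== null && ALLOWED_SCHEMES.has(scheme)) {
      kept.push(entry);
    } else {
      rejected.push(entry);
    }
  }
  return { kept, rejected };
}

// Hardened store: percent-encode any literal "|" inside each URL before
// joining, so the delimiter can never be supplied by the URL itself.
function storeHomepages(urls) {
  return urls.map((u) => u.replace(/\|/g, "%7C")).join("|");
}

// Constructed sample: one legitimate page followed by a pipe and a
// non-http entry, the shape the post describes.
const SAMPLE_PREF = "https://example.com/path?q=a|javascript:void(0)|about:blank";

function demo() {
  const loaded = loadHomepages(SAMPLE_PREF);
  const stored = storeHomepages(["https://example.com/?q=a|b", "about:blank"]);
  return { loaded, stored, roundTrip: loadHomepages(stored) };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running `demo()` shows the two halves of the fix: the allowlist drops the `javascript:` entry at load time, and encoding the pipe at store time keeps `https://example.com/?q=a|b` as one homepage instead of two.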

  6. Comment by Anonymous — February 6, 2010 @ 10:55 pm

    @ams,

    If FF *is* using pipes as delimiters in its bookmark file (Note: I haven’t checked/don’t show an interest to look :) , and you can insert pipes in a bookmark, you may be able to inject other bookmarks by appending them to the end of your url. I remember seeing some old voting poll exploits circa 1999 doing this with a flat file DB that was pipe delimited.

  7. Comment by Anonymous — February 6, 2010 @ 11:40 pm

    Yeh, it splits the pages with a pipe… and well, pipes get urlencoded if present in a random URL. I don’t see any problems with this.
    I already tried something like: document.location site.com; sleep X seconds then alert document.cookie
    - if the alert comes first (empty), site.com then opens under it
    - if site.com opens first, it wipes out the alert and the cookie never pops up.
    I don’t see any other stuff you could pull off from this…

  8. Comment by Anonymous — February 6, 2010 @ 11:47 pm

    Works for me in FF… But what are the security implications of this??

    Thanks,
    Nilesh

  9. Comment by Anonymous — February 7, 2010 @ 12:29 am

    interesting find, sounds like it might be possible to insert multiple bookmarks, aside from javascript?

