MSIE7 entrapment again (+ FF tidbit)

Risk: Low
Local: Yes
Remote: Yes

Hello again, Microsoft Internet Explorer seems to have a soft spot for browser entrapment vulnerabilities. Just to recap, in these attacks, the user is made believe he had left a webpage (and the URL bar or SSL state data reinforce him in this belief) - but in reality, is prevented from doing so, and his browser continues to display assorted content originating from the attacker. This is a close, but somewhat more sinister relative of vanilla URL bar spoofing. I reported a few of each kind in the recent months. Well, here's another one, this time based on calls. In essence, repeatedly calling this function after a new URL is entered by the user, before onBeforeUnload is invoked, inhibits page transition - but target URL bar state is retained. This is remarkably silly. A live demo is available here: That is all. ... PS. The promised tidbit - since I'm leaving for a while and won't have time to research this - in Firefox, javascript: windows can set 'domainless' cookies by specifying 'domain=.' - for example: open("javascript:document.cookie='foo=bar;domain=.'","_blank"); Fortunately/unfortunately, these cookies do not get sent to all sites - no session fixation - though can be retrieved by other null-domain javascript: / data: pages. Specifying other domains won't work. Multiple periods will be trimmed. Path can be set arbitrarily, with certain exceptions. Null-domain cookies load properly when stored in cookies.txt. Q: can this be used in a manner more sinister than merely facilitating exchange of "markers" between various user-tracking sites? /mz

Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024,


Back to Top