[Dshield] MSFT Internet Explorer, %01 URL spoofing

Johannes B. Ullrich jullrich at sans.org
Wed Dec 17 14:06:20 GMT 2003


> # Exploit ##########
> By opening a window using the http://user@domain nomenclature an
> attacker can hide the real location of the page by including a 0x01
> character after the "@" character.
>           ^^^^^
> 
> The html source of the original POC, and Johannes' web page, all
> correctly have the 0x01 (or whatever..) *before* the ampersand.

Just to illustrate, I included the version with 0x01 *after* the
ampersand. On Mozilla 1.4 under Linux, it attempts to go to
"fakebank.com", which does not exist (so you get a 'page not found').



-- 
CTO SANS Internet Storm Center               http://isc.sans.org
phone: (617) 786 1563            
  fax: (617) 786 1550                          jullrich at sans.org
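
A defensive check for the URL form discussed in this thread, added here as an example and not part of the original messages: it splits the authority at the last "@" and flags control characters (raw or percent-encoded, such as %01) and userinfo that reads like a hostname. The function name, the finding strings and the sample URLs (documentation address 198.51.100.7, example.org) are constructed for illustration.

```python
import re
from urllib.parse import unquote

AUTHORITY = re.compile(r"^[a-z][a-z0-9+.-]*://([^/?#]*)", re.IGNORECASE)
HOSTLIKE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)
CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def inspect_url(url):
    """Return (real_host, findings) for one URL; findings is a list of strings."""
    match = AUTHORITY.match(url)
    if not match:
        return None, ["no authority component"]
    authority = match.group(1)
    # Only a literal "@" delimits userinfo; the host is what follows the last one.
    userinfo, at, hostport = authority.rpartition("@")
    findings = []
    if CONTROL.search(unquote(hostport)):
        findings.append("control character in host")
    if at:
        decoded = unquote(userinfo)
        if CONTROL.search(decoded):
            findings.append("control character in userinfo")
        # Text a reader would take for the site: userinfo up to the first
        # control character or ":" (the password separator).
        shown = re.split(r"[\x00-\x1f\x7f:]", decoded, maxsplit=1)[0]
        if HOSTLIKE.match(shown) and shown.lower() != hostport.lower():
            findings.append("userinfo looks like host " + shown)
    return hostport, findings


# Constructed sample URLs (not taken from any real incident).
SAMPLES = [
    "http://www.fakebank.com%01@198.51.100.7/login.html",  # encoded 0x01 before "@"
    "http://www.fakebank.com\x01@198.51.100.7/login.html",  # raw 0x01 before "@"
    "http://user@\x01fakebank.com/",                        # 0x01 after "@"
    "ftp://alice:secret@ftp.example.org/pub",               # ordinary credentials
    "http://isc.sans.org/",                                 # no userinfo at all
]

if __name__ == "__main__":
    for sample in SAMPLES:
        host, findings = inspect_url(sample)
        print(repr(sample), "->", repr(host), findings or "ok")
```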
