web application security lab

Opera Weirdness Might Be a Good Idea For XSS Prevention

There’s a thread on the forums where Kyran describes an error message that Opera popped up when he attempted to put HTML into the URI field. I was amazed because I hadn’t seen any browser even start to deal with that issue. From an XSS prevention standpoint it seems like a very forward-thinking idea. However, alas, it was just some weirdness.

When the URL http://<BR> is entered, Opera responds with the following text:

The URL http://<BR> contains characters that are not valid in the location they are found.
The reason for their presence may be a mistyped URL, but the URL may also be an attempt to trick you into visiting a website which you might mistakenly think is a site you trust.

So anyway, it’s just some weirdness, and it doesn’t apply to you entering HTML as a query string (something that actually IS a security risk), but it’s still an interesting concept. One thing is sure, despite all the best tools, developers just don’t understand the problem yet. Why not take it out of their hands and put the onus on the browser community to fix the problem on their behalf? Of course this would break a ton of applications in the same way that it did when Internet Explorer turned off support for basic authentication in the URL field to slow down Phishing schemes. But is it worth it?

Of course there will always be ways to circumvent those issues and there will always be other encodings, and don’t get me started on DOM-based XSS, where I am possibly just entering a small piece of JavaScript and no HTML at all, but the point isn’t necessarily to solve the issue, but to make it significantly more difficult, or to limit it.
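To make the distinction concrete, here is a small added example (my own code, not Opera’s or anything from the forum thread) that mimics what Opera’s address-bar check actually does: it validates only the host part of the URL against the hostname character rules, so http://<BR> is rejected, while HTML in the path or query string passes the host check untouched. The function also reports whether the path, query or fragment carries `<` or `>`, which is the part Opera does not look at. The hostname rules (RFC 1123 labels: letters, digits and hyphens, no leading or trailing hyphen) are my assumption of what such a check would enforce; IPv6 literals are out of scope here.

```python
import re
from urllib.parse import urlsplit

# RFC 1123 hostname label: alphanumerics and '-', no leading/trailing '-', at most 63 chars.
# This matches the point made in the comments: '<' and '>' are never legal in a domain name.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def host_is_valid(host: str) -> bool:
    """Return True if `host` is a syntactically valid hostname or dotted IPv4 literal."""
    if not host or len(host) > 253:
        return False
    # Every dot-separated label must satisfy the label grammar (IPv4 octets do too).
    return all(LABEL_RE.match(label) for label in host.rstrip(".").split("."))


def address_bar_check(url: str) -> dict:
    """Classify a URL the way the Opera check described above does.

    Returns a dict with:
      host                   the host component as parsed (lower-cased by urlsplit)
      host_valid             False -> Opera-style 'invalid characters' error applies
      html_in_path_or_query  True if '<' or '>' appears outside the host; Opera says
                             nothing about this case, which is the gap the post discusses
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    outside_host = (parts.path, parts.query, parts.fragment)
    return {
        "host": host,
        "host_valid": host_is_valid(host),
        "html_in_path_or_query": any(c in s for s in outside_host for c in "<>"),
    }


if __name__ == "__main__":
    # Constructed sample URLs: the one from the post, a reflected-XSS-style query
    # string that the host check ignores, and an ordinary IPv4 URL.
    samples = [
        "http://<BR>",
        "http://example.com/search?q=<BR>",
        "http://203.0.113.7/index.html",
    ]
    for sample in samples:
        result = address_bar_check(sample)
        verdict = "host OK" if result["host_valid"] else "INVALID HOST (Opera-style error)"
        note = " (HTML outside host, not flagged by the host check)" if result["html_in_path_or_query"] else ""
        print(f"{sample:40} -> {verdict}{note}")
```

Running the script shows the asymmetry the post is getting at: the malformed host is caught, but `<BR>` in a query string, which is where reflected XSS actually lives, sails through a check that only knows about hostname characters.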

6 Responses to “Opera Weirdness Might Be a Good Idea For XSS Prevention”

  1. cea Says:

    Opera is just trying to validate the URL. The <BR> in the example coincides with the ‘host’ part of the URL, for which only IP addresses and domain names (which only allow alphanumerics and ‘-’) are valid. That is, ‘<’ and ‘>’ are not legal domain name characters.

  2. Other browsers expanding on Opera weirdness « Says:

    […] Other browsers expanding on Opera weirdness […]

  3. RSnake Says:

    cea, yes, you’re right - just some weirdness. But it could be more if you used the same idea and expanded it beyond error messages for malformed domain names.

  4. Edward Z. Yang Says:

    Well, the thing is, most phishing URLs are valid. So you can’t overload the page with a big error message like you can with a totally invalid URL. You can have another application parse the URL and look for tricky behavior… oh wait, that’s an antiphishing toolbar.

  5. RSnake Says:

    Well you _CAN_ put a big page there… that’s actually something IE7.0 does with their anti-phishing stuff for instance. There’s no reason that same tool couldn’t be expanded to include this sort of detection.

  6. Client-Side protection from XSS « Says:

    […] So, perhaps at the browser level? Nope. Not there. The only one even close is Opera. It detects invalid domain characters in the address bar. But they seem to have no interest in expanding the ‘feature’ to hinder XSS. I suggested it to the MozillaZine community, even with help from RSnake, and they didn’t exactly jump onto the idea either. […]