web application security lab

Malformed URL in Image Tag Fingerprints Internet Explorer

This may seem very trivial but for some reason I think there is more here. In some tests I did this morning I realized that IE doesn’t handle URL-encoded strings very well if they aren’t encoded properly. A normal URL encoding for a quote (") might look like %22. If you substitute the numbers with non-numbers, IE freaks out and doesn’t even attempt to load the page in question.

Instead it responds with an error message saying something like “Windows cannot find ‘http://ha.ckers.org/%--’. Please check the spelling and try again.” Okay, error messages are interesting but noisy. How can we suppress them? We’ll get to that in a sec. Before we get there, let’s create a URL to a valid image on my server: http://ha.ckers.org/%--/../images/kcpimp.jpg and throw that into IE’s URI field. Weird, it works, even though it doesn’t work if you use the smaller string: http://ha.ckers.org/%--

Okay, but let’s try throwing that string into an image tag: <IMG SRC="http://ha.ckers.org/%--/../images/kcpimp.jpg">

Hmm… it doesn’t render, and doesn’t pop up an alert. Let’s check Burp Proxy. Nope, nothing there either. IE isn’t even trying to pull the image down. Firefox and Opera do, though. Looks like we’ve found a fingerprint. IE won’t try to pull an image URL that is malformed, allowing us to detect whether or not the user is spoofing IE in their User-Agent (and all without using JavaScript). Voila. Fingerprinting without the use of JavaScript is an interesting concept when you are trying to keep the Internet noise level to a minimum.
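The server side of this check, as an added example that is not from the post: a strict percent-decoder that rejects an escape like `%--` (the validation a browser that refuses such URLs is effectively doing), and a log pass that flags clients whose User-Agent claims MSIE 7.0 yet fetched a malformed image URL, which per the post IE7 never requests (IE6 does). The probe path, log format and traffic are constructed; the check generalizes from the post's one image URL to any malformed path.

```python
import re

# Added example, not the post's code. Probe path modelled on the post's
# "http://ha.ckers.org/%--/../images/kcpimp.jpg"; any malformed path works.
PROBE_PATH = "/%--/../images/kcpimp.jpg"
HEX = set("0123456789abcdefABCDEF")

def percent_decode_strict(path):
    """Decode %XX escapes, raising on any '%' not followed by two hex digits.
    A client validating this strictly refuses '%--' before sending a request."""
    out, i = [], 0
    while i < len(path):
        if path[i] == "%":
            hx = path[i + 1:i + 3]
            if len(hx) != 2 or not set(hx) <= HEX:
                raise ValueError(f"malformed escape at offset {i}: {path[i:i + 3]!r}")
            out.append(chr(int(hx, 16)))
            i += 3
        else:
            out.append(path[i])
            i += 1
    return "".join(out)

def is_malformed(path):
    try:
        percent_decode_strict(path)
        return False
    except ValueError:
        return True

# Constructed minimal log format: client, request line, status, User-Agent.
LOG_RE = re.compile(r'^(\S+) .*?"GET (\S+) [^"]*" \d+ "([^"]*)"$')

def spoofed_ie7_clients(log_text):
    """Clients whose User-Agent claims MSIE 7.0 yet fetched a malformed URL.
    Per the post IE7 never issues that request, so the header is not honest."""
    flagged = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_malformed(m.group(2)) and "MSIE 7.0" in m.group(3):
            flagged.append(m.group(1))
    return flagged

# Constructed sample traffic, not real log data.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2007:10:00:01 +0000] "GET /%--/../images/kcpimp.jpg HTTP/1.1" 200 "Mozilla/5.0 (Windows; U; Windows NT 5.1) Gecko/20061010 Firefox/2.0"
198.51.100.9 - - [10/Jan/2007:10:00:02 +0000] "GET /%--/../images/kcpimp.jpg HTTP/1.1" 200 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
198.51.100.9 - - [10/Jan/2007:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
"""
```

Running `spoofed_ie7_clients(SAMPLE_LOG)` on the sample returns only the second client: it claims IE7 but fetched the malformed image, while the Firefox client is expected to fetch it.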

6 Responses to “Malformed URL in Image Tag Fingerprints Internet Explorer”

  1. Kyran Says:

    Very interesting. I hope to see more techniques that mimic Javascript, without actually using any active content.

  2. Ilia Alshanetsky Says:

    Could you not use conditional IE comments to the same effect? Even more, that approach allows you to differentiate between the different versions of IE the user may be using.
    There are some docs available of this mechanism here:
    http://www.quirksmode.org/css/condcom.html

  3. RSnake Says:

    Oh there are tons of options, yes, but I’m not satisfied with what I’ve got, I’m always looking for new ways to do the same thing. One of the benefits of my method though is that it only requires one fairly innocent looking image tag that can be injected anywhere (bulletin boards, etc…).

  4. Mephisto Says:

    The image tag () actually rendered properly for me (IE build 6.0.2800.1106).

  5. RSnake Says:

    Hm… odd… doesn’t work in IE7.0, but I just tested in IE6.0 and you’re right. It seems to be a problem only with IE7.0.

  6. yawnmoth Says:

    IE7 also seems to drop GET parameters for frames when UTF-7 is used, as evidenced by this:

    http://www.frostjedi.com/terra/scripts/demo/frameBug.html