Firefox Header Redirection JavaScript Execution
This sounds a lot sexier than it actually is, although it was interesting to find that only Firefox was vulnerable to this (I tried IE and Opera with no results). The trick is in the Refresh header, the HTTP-header equivalent of a meta refresh: it lets the server specify a timed redirection, and if instead of an ordinary URL you give it a javascript: URL, Firefox executes the JavaScript when the timer fires. The only upside to this technique is when you are doing response splitting and are limited in what you can inject (headers but no usable body), or when you want to obfuscate where and how the JavaScript that performs the malicious activity is fired.
Click here for an example (only works in Firefox). Like I said, this isn't particularly interesting, but it could be useful in some obscure circumstances. Nothing to see here, move along…
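The response described above, as an added example that is not part of the original post or its demo page. It builds the exact response, shows how the same header gets in through a response-splitting bug in a redirect handler, and audits a raw response for a Refresh header whose target uses the javascript: scheme. The function names are mine and every input is constructed for the example.

```python
"""Refresh header -> javascript: URL: build it, inject it, detect it.

Added example, not the original demo. All inputs below are constructed.
"""
import re

# --- building the response the post describes ---------------------------------

def refresh_to_script_response(script="alert(document.cookie)", delay=0):
    """Minimal HTTP response whose Refresh header points at a javascript: URL."""
    head = ("HTTP/1.1 200 OK\r\n"
            "Content-Type: text/html\r\n"
            f"Refresh: {delay};url=javascript:{script}\r\n"
            "Content-Length: 0\r\n\r\n")
    return head.encode("latin-1")

# --- the response-splitting route ---------------------------------------------

def naive_redirect_response(user_url):
    """Vulnerable pattern: user input copied straight into the Location header.
    CR/LF in user_url terminates the header and lets the attacker add new ones."""
    return ("HTTP/1.1 302 Found\r\nLocation: " + user_url +
            "\r\nContent-Length: 0\r\n\r\n").encode("latin-1")

def safe_redirect_response(user_url):
    """Hardened version: refuse any value that can break out of a header line."""
    if re.search(r"[\r\n\x00]", user_url):
        raise ValueError("CR/LF or NUL in header value")
    return naive_redirect_response(user_url)

# --- detection ---------------------------------------------------------------

def parse_refresh(value):
    """Parse a Refresh value into (delay, target) the way browsers loosely do:
    "5", "0;url=http://x/", "0; URL='http://x/'", "0,url=..." are all accepted."""
    m = re.match(r"\s*(\d+)\s*(?:[;,]\s*(?:url\s*=\s*)?(.*))?$",
                 value, re.IGNORECASE | re.DOTALL)
    if not m:
        return None
    target = m.group(2)
    if target is not None:
        target = target.strip().strip("\"'").strip() or None
    return int(m.group(1)), target

def refresh_target_scheme(value):
    """Scheme of the Refresh target, normalised like a URL parser would:
    surrounding C0/space stripped, embedded tab/CR/LF removed, lower-cased."""
    parsed = parse_refresh(value)
    if not parsed or parsed[1] is None:
        return None
    target = parsed[1].strip("".join(chr(c) for c in range(0x21)))
    target = re.sub(r"[\t\r\n]", "", target)
    m = re.match(r"([A-Za-z][A-Za-z0-9+.-]*):", target)
    return m.group(1).lower() if m else None

def refresh_runs_script(value):
    """True when the Refresh target would run script instead of navigating."""
    return refresh_target_scheme(value) == "javascript"

def parse_headers(raw):
    """Split a raw response into {lower-name: [values]}; duplicates are kept."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:
        name, _, val = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(val.strip())
    return headers

def audit_response(raw):
    """Return every Refresh header value in the response that runs script."""
    return [v for v in parse_headers(raw).get("refresh", []) if refresh_runs_script(v)]

if __name__ == "__main__":
    # Constructed attacker input for a redirect parameter, e.g. ?next=<this>
    injected = "x\r\nRefresh: 0;url=javascript:alert(1)"
    print(audit_response(refresh_to_script_response()))      # ['0;url=javascript:alert(document.cookie)']
    print(audit_response(naive_redirect_response(injected)))  # ['0;url=javascript:alert(1)']
    try:
        safe_redirect_response(injected)
    except ValueError as e:
        print("blocked:", e)
```

The audit deliberately normalises the target before reading the scheme, because a value such as `0; URL = "  JavaScript:alert(1)"` or one with an embedded tab still resolves to javascript: in a browser's URL parser; a check that only looks for the literal string `javascript:` at the start of the value would miss it. The same normalisation applies when reviewing link anonymisers and other redirectors that copy a user-supplied URL into Refresh.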



March 9th, 2007 at 6:28 pm
Interesting note... this seems to work fine on a clean (no extensions) version of Firefox for me, but not on instances of Firefox with a bunch of testing tools like WebDeveloper, TamperData, Firebug, Greasemonkey, etc.
March 9th, 2007 at 8:22 pm
Did you turn off meta refreshes in WebDeveloper? That would stop this from working.
March 10th, 2007 at 12:18 am
Also works in latest Safari, in case anybody is interested.
March 10th, 2007 at 5:25 am
Mmmm, I found this a while ago as well: http://kuza55.blogspot.com/2006/11/not-all-redirection-scripts-are-created.html
And as I said in that post, it has other implications too because some link anonymisers use the refresh header to redirect people (and lose the referer header), so you can attack them. I of course forgot to test what browsers this worked in.
March 10th, 2007 at 6:07 am
Works for me with Firebug, WebDeveloper etc. installed, so I guess comcor got meta refresh turned off.
March 10th, 2007 at 6:10 am
Works for me in Safari 2.0.4!
March 10th, 2007 at 9:52 am
Kuza55, I should probably read your site closer, I think I remember seeing that post, but I didn’t see the JavaScript part of it. Thanks for pointing it out.
March 10th, 2007 at 1:23 pm
Forgive me if this has been discussed elsewhere, but why can't all web vulnerabilities be cataloged in a single place? So when you think you've found a new one you can check to see if anyone has encountered it before. OWASP is supposed to be that place. Is there a reason why it isn't used much?
March 10th, 2007 at 8:33 pm
Stupidly, I spent 10 minutes working with WhiteAcid's header spoofer before realizing the header was supposed to be returned via the response, not the request.
March 11th, 2007 at 7:01 am
HAHA. I had the exact same idea, then I remembered that I could only ever get it working in IE and even there it’s getting fixed now.
January 18th, 2008 at 2:54 am
Nice.
Am I able to change someone's HTTP header using a Flash object?
July 3rd, 2008 at 4:40 pm
Not really a big deal, because I don't think there is a wide range of malicious JavaScript you can fire through the redirect.