web application security lab

Firefox Header Redirection JavaScript Execution

This sounds a lot sexier than it actually is, although it was interesting to find that only Firefox was vulnerable to this (tried IE and Opera with no results). However, if you perform a timed redirection from within the HTTP response headers (a Refresh header) and, instead of redirecting to a URL, you point it at a javascript: URL, you can execute JavaScript. The only upside to this technique is if you must do response splitting and you are limited in what you can do, or if you want to obfuscate where and how the JavaScript that performs the malicious activity is firing.

Click here for an example (only works in Firefox). Like I said, this isn’t particularly interesting, but it could be somewhat useful in some obscure circumstances. Nothing to see here, move along.
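From the defending side, the thing to catch is a Refresh header (or a user-controlled redirect target that ends up in one) whose URL uses a non-http(s) scheme, and the CR/LF injection that response splitting needs to plant such a header in the first place. The following is an added example, not code from this post: a small parser for the `N; url=target` Refresh syntax, a scheme check that normalizes the way browsers do (tab/newline stripped from inside the URL, leading control characters dropped), a scanner over a constructed set of response headers, and a builder that refuses to emit a Refresh header with a dangerous target. All header values below are constructed samples.

```python
import re

# Redirect targets may only be relative, or absolute with one of these schemes.
ALLOWED_SCHEMES = {"http", "https"}


def parse_refresh(value):
    """Parse a Refresh header value of the form 'N; url=target'.

    Accepts ';' or ',' as the separator, a case-insensitive 'url=' prefix, and
    a quoted target. Returns (seconds, target) or None if the value is malformed.
    """
    parts = re.split(r"[;,]", value, maxsplit=1)
    try:
        seconds = int(parts[0].strip())
    except ValueError:
        return None
    target = parts[1].strip() if len(parts) > 1 else ""
    m = re.match(r"url\s*=\s*", target, re.IGNORECASE)
    if m:
        target = target[m.end():]
    return seconds, target.strip().strip("'\"")


def scheme_of(target):
    """Return the lower-cased URL scheme of target, or None for a relative URL.

    Mirrors browser URL parsing: tab, LF and CR are removed anywhere in the
    URL, and leading C0 controls/space are ignored, so 'java\\tscript:' still
    resolves to the javascript scheme rather than slipping past a naive check.
    """
    cleaned = re.sub(r"[\t\n\r]", "", target)
    cleaned = re.sub(r"^[\x00-\x20]+", "", cleaned)
    m = re.match(r"([A-Za-z][A-Za-z0-9+.\-]*):", cleaned)
    return m.group(1).lower() if m else None


def refresh_target_is_safe(value):
    """True if the Refresh header value parses and its target is relative or http(s)."""
    parsed = parse_refresh(value)
    if parsed is None:
        return False
    scheme = scheme_of(parsed[1])
    return scheme is None or scheme in ALLOWED_SCHEMES


def find_unsafe_refresh(headers):
    """Return the values of every Refresh header in (name, value) pairs that fails the check."""
    return [v for (n, v) in headers
            if n.lower() == "refresh" and not refresh_target_is_safe(v)]


def build_refresh_header(seconds, target):
    """Build a Refresh header value from a possibly user-influenced target.

    Rejects CR/LF/NUL (the characters response splitting relies on) and any
    target whose scheme is not http(s); relative targets are allowed.
    """
    if re.search(r"[\r\n\x00]", target):
        raise ValueError("control characters in redirect target")
    scheme = scheme_of(target)
    if scheme is not None and scheme not in ALLOWED_SCHEMES:
        raise ValueError("redirect target scheme not allowed: " + scheme)
    return "%d; url=%s" % (int(seconds), target)


# Constructed sample response headers: two benign redirects, one javascript:
# target as described in the post, and one with the scheme split by a tab.
SAMPLE_RESPONSE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Refresh", "0; url=https://example.com/home"),
    ("Refresh", "5;URL=/relative/path"),
    ("Refresh", "0; url=javascript:alert(1)"),
    ("Refresh", "0; url=\tjava\tscript:alert(1)"),
]

if __name__ == "__main__":
    for bad in find_unsafe_refresh(SAMPLE_RESPONSE_HEADERS):
        print("unsafe Refresh header:", repr(bad))
```

The scheme check is deliberately applied after normalization rather than with a plain `startswith("javascript:")`, since the header value a proxy or log scanner sees is the raw bytes, while the browser acts on the stripped form. A separate host allow-list is still needed if open redirects to other http(s) sites are a concern; this code only addresses the scheme.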

12 Responses to “Firefox Header Redirection JavaScript Execution”

  1. comcor Says:

    Interesting note. This seems to work fine on a clean (no extensions) version of Firefox for me, but not on instances of Firefox with a bunch of testing tools like WebDeveloper, TamperData, Firebug, Greasemonkey, etc.

  2. RSnake Says:

    Did you turn off meta refreshes in WebDeveloper? That would stop this from working.

  3. Torsten Says:

    Also works in latest Safari, in case anybody is interested.

  4. kuza55 Says:

    Mmmm, I found this a while ago as well: http://kuza55.blogspot.com/2006/11/not-all-redirection-scripts-are-created.html

    And as I said in that post, it has other implications too because some link anonymisers use the refresh header to redirect people (and lose the referer header), so you can attack them. I of course forgot to test what browsers this worked in.

  5. dusoft Says:

    Works for me with Firebug, WebDeveloper etc. installed, so I guess comcor got meta refresh turned off.

  6. Andrew Says:

    Works for me in Safari 2.0.4!

  7. RSnake Says:

    Kuza55, I should probably read your site closer, I think I remember seeing that post, but I didn’t see the JavaScript part of it. Thanks for pointing it out.

  8. Spider Says:

    Forgive me if this has been discussed elsewhere, but why can’t all web vulnerabilities be cataloged in a single place? Then, when you think you’ve found a new one, you can check to see if anyone has encountered it before. OWASP is supposed to be that place. Is there a reason why it isn’t used much?

  9. digi7al64 Says:

    Stupidly, I spent 10 minutes working with WhiteAcid’s header spoofer before realizing the header was supposed to be returned via the response not the request :(

  10. Sid Says:

    HAHA. I had the exact same idea, then I remembered that I could only ever get it working in IE and even there it’s getting fixed now.

  11. someone Says:

    Nice.
    Am I able to change someone’s HTTP header using a Flash object?

  12. anonymous Says:

    Not really a big deal, because I don’t think there is a wide range of malicious JavaScript you can fire through the redirect.
