JavaScript Embedded in Homepage Links in Firefox
After the last post I was messing around a bit with the way the homepage functionality works in Firefox, and I noticed something I had meant to go back and play with quite a while ago. Funny how the mind works. Anyway, it turns out that if you include a pipe in a URL with JavaScript after it, and you somehow get someone to bookmark that page, you can get the JavaScript to fire on about:blank. I’m not exactly sure how that would be helpful, but it’s certainly unsafe behavior to use a pipe as a delimiter, since pipes can exist as valid characters in URL structures. If you want to see it in action, click, hold and drag the following demo link onto the homepage button in Firefox:
Set your homepage by dragging this link onto your homepage button at the top and then click through the button that asks for confirmation. For some reason this didn’t work on my main browser, but when I used safe mode it worked fine. I suspect that’s NoScript’s doing, so you may have to disable it to get the demo functional. Again, I’m not super clear on how this would be useful, but it’s certainly unintended behavior. Happy bookmarking!
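To make the delimiter problem concrete, here is an added example (not code from the original post or from Firefox) that models the pipe-separated homepage list the post describes: a naive split, the way a single URL containing a literal pipe breaks it, and a hardened store/load pair that percent-encodes pipes before joining and drops any entry whose scheme is not http or https. The preference string and URLs are constructed sample values.

```javascript
// Added example: models a pipe-delimited homepage preference (as the post
// describes Firefox's multi-homepage storage) and a hardened round-trip.
// Nothing here is Firefox's own code; the sample values are constructed.

// Naive parse: every "|" starts a new homepage entry, so a pipe that is
// legitimately part of one URL silently becomes an extra entry.
function naiveSplitHomepages(pref) {
  return pref.split("|");
}

// Hardened store: percent-encode any literal "|" inside each URL before
// joining, so URL content can never collide with the delimiter.
function storeHomepages(urls) {
  return urls.map((u) => u.replace(/\|/g, "%7C")).join("|");
}

// Hardened load: split, then keep only absolute http(s) URLs. Anything else
// (javascript:, file:, data:, or a fragment left over from a bad split) is
// reported as rejected instead of being opened in a tab.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

function loadHomepages(pref) {
  const accepted = [];
  const rejected = [];
  for (const raw of pref.split("|")) {
    let scheme;
    try {
      scheme = new URL(raw).protocol; // throws for non-absolute input
    } catch (e) {
      rejected.push(raw);
      continue;
    }
    if (ALLOWED_SCHEMES.has(scheme)) {
      accepted.push(raw);
    } else {
      rejected.push(raw);
    }
  }
  return { accepted, rejected };
}

// Constructed sample: one legitimate URL whose query contains a pipe,
// followed by a non-http entry smuggled in after the delimiter.
const SAMPLE_PREF = "http://example.com/search?q=a|b|javascript:void(0)";
```

Running `naiveSplitHomepages(SAMPLE_PREF)` yields three entries instead of one, while `loadHomepages(SAMPLE_PREF)` accepts only the leading http URL and rejects the rest.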
January 27th, 2010 at 10:25 am
Works for me with Firefox 3.6, without safe mode.
Nice.
January 27th, 2010 at 10:34 am
No worky in Chrome …drat.
January 27th, 2010 at 10:57 am
If you take into consideration that the pipe is the way the Firefox team has chosen to separate multiple pages when bookmarking them, then it is not unusual behavior. But what about safety? Anyone can use several ways to make it execute javascript:[code].
PS: yes, NoScript is blocking that.
January 27th, 2010 at 12:58 pm
Works in FF 3.5.7 without safe mode and NoScript disabled.
Tried various ways to drop down a new line in IE7 to pull off the same thing, but no luck.
And maybe get this script to run by itself and hope people just click OK?
January 27th, 2010 at 3:30 pm
This is because you can set multiple webpages as “home page” in Firefox (so that when you open it, all of these are opened each in its own tab), and when you do they’re stored internally as a list of URLs separated by pipe characters.
That’s also why the XSS alert box shows up in its own tab in this example.
January 27th, 2010 at 5:28 pm
@ams,
If FF *is* using pipes as delimiters in its bookmark file (Note: I haven’t checked/don’t show an interest to look :), and you can insert pipes in a bookmark, you may be able to inject other bookmarks by appending them to the end of your url. I remember seeing some old voting poll exploits circa 1999 doing this with a flat file DB that was pipe delimited.
January 27th, 2010 at 6:19 pm
Yeah, it splits the pages with a pipe… and well, pipes get URL-encoded if present in a random URL. I don’t see any problems with this.
I already tried something like: document.location site.com; sleep X seconds then alert document.cookie
- if the alert comes first (empty), site.com then opens under it
- if site.com opens first, it wipes out the alert and the cookie never pops up.
I don’t see any other stuff you could pull off from this…
January 27th, 2010 at 9:03 pm
Works for me in FF… But what are the security implications of this??
Thanks,
Nilesh
January 28th, 2010 at 2:55 am
Interesting find. Sounds like it would be possible to insert multiple bookmarks, aside from JavaScript?
February 13th, 2010 at 10:28 am
I remember seeing a similar issue on IE:
http://wasjournal.blogspot.com/2007/09/ie-home-page-url-resulting-in-xss.html
It does not reproduce anymore.
April 16th, 2010 at 2:52 pm
http://127.0.1.1/asd.php?asd=a|file:///nastyscriptontheirharddrive
But don’t ask me how you’d plant the HTML on their drive. If only this quirk existed in Chrome…