web application security lab

JavaScript Embedded in Homepage Links in Firefox

So after the last post I was messing around a bit with the way the homepage functionality works in Firefox and I noticed something before that I had meant to go back and play with quite a while ago. Funny how the mind works. Anyway, it turns out that if you include a pipe in a URL with JavaScript after it and you somehow get someone to bookmark that page, you can get JavaScript to fire on about:blank. I’m not exactly sure how that would be helpful, but it’s certainly unsafe behavior to use a pipe as a delimiter since pipes can exist as valid characters in URL structures. If you want to see it in action, click, hold and drag the following demo link onto the homepage button in Firefox:

Set your homepage by dragging this link onto your homepage button at the top and then click through the button that asks for confirmation. For some reason this didn’t work on my main browser, but when I used safe mode it worked fine. I suspect that’s NoScript’s doing, so you may have to disable it to get the demo functional. Again, I’m not super clear on how this would be useful, but it’s certainly unintended behavior. Happy bookmarking!
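
The delimiter problem described above, as an added example (not code from this post or from Firefox): it models a homepage value that is split on `|` and shows a setter that percent-encodes the pipe and allow-lists schemes before storing. All function names, the allow-list and the sample URL are assumptions made for illustration.

```javascript
// Added example; the names below are hypothetical, not Firefox internals.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "about:"]);

// Naive model of the behaviour described above: the stored homepage value is
// treated as a "|"-separated list, so one dropped link can become several.
function splitHomepages(stored) {
  return stored.split("|").filter((entry) => entry.length > 0);
}

// Hardened setter for a *single* dropped link: a literal "|" is data, not a
// delimiter, so it is percent-encoded before storage, and only allow-listed
// schemes are accepted at all.
function storeSingleHomepage(link) {
  let url;
  try {
    url = new URL(link);
  } catch {
    return null; // not an absolute URL
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) return null;
  return link.replace(/\|/g, "%7C");
}

// Defence in depth when reading a stored list back: drop entries whose scheme
// is not allow-listed instead of opening them in tabs.
function safeHomepages(stored) {
  return splitHomepages(stored).filter((entry) => {
    try {
      return ALLOWED_SCHEMES.has(new URL(entry).protocol);
    } catch {
      return false;
    }
  });
}

// Constructed sample input (not the demo link from the post).
const dropped = "http://example.test/page?x=1|javascript:alert(1)";
console.log(splitHomepages(dropped));                      // two entries
console.log(splitHomepages(storeSingleHomepage(dropped))); // one entry
console.log(safeHomepages(dropped));                       // http entry only
```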

11 Responses to “JavaScript Embedded in Homepage Links in Firefox”

  1. martani_net Says:

    works for me with Firefox 3.6, without safe mode :D nice

  2. Rafal Los Says:

    No worky in Chrome …drat.

  3. Ams Says:

    If you take into consideration that the pipe is the way the Firefox team has chosen to separate multiple pages when bookmarking them, then it is not unusual behavior. But what about safety? Anyone can use several ways to get javascript:[code] to execute.
    PS: yes, NoScript is blocking that.

  4. PaPPy Says:

    works in FF 3.5.7 without safe mode and noscript disabled

    tried various ways to drop down a new line in ie7 to pull off the same thing, but no luck
    and maybe get this script to run by itself and hope people just click ok?

  5. ~ Says:

    This is because you can set multiple webpages as “home page” in Firefox (so that when you open it, all of these are opened each in its own tab), and when you do they’re stored internally as a list of URLs separated by pipe characters.
    That’s also why the XSS alert box shows up in its own tab in this example.

  6. Robert A. Says:

    @ams,

    If FF *is* using pipes as delimiters in its bookmark file (Note: I haven’t checked/don’t show an interest to look :), and you can insert pipes in a bookmark, you may be able to inject other bookmarks by appending them to the end of your url. I remember seeing some old voting poll exploits circa 1999 doing this with a flat file DB that was pipe delimited.

  7. Picci Says:

    Yeh, it splits the pages with a pipe… and well, pipes get urlencoded if present in a random URL. I don’t see any problems with this.
    I already tried something like: document.location site.com; sleep X seconds then alert document.cookie
    - if the alert comes first (empty), site.com then opens under it
    - if site.com opens first, it wipes out the alert and the cookie never pops up.
    I don’t see any other stuff you could pull off from this…

  8. Nilesh Kumar Says:

    Works for me in FF… But what are the security implications of this??

    Thanks,
    Nilesh

  9. Nos Says:

    interesting find, sounds like it would be possible to insert multiple bookmarks, aside from javascript?

  10. Kishor Says:

    I remember seeing similar issue on IE

    http://wasjournal.blogspot.com/2007/09/ie-home-page-url-resulting-in-xss.html

    Does not reproduce anymore.

  11. albino Says:

    http://127.0.1.1/asd.php?asd=a|file:///nastyscriptontheirharddrive

    But don’t ask me how you’d plant the html on their drive. If only this quirk existed in chrome…