IE9 Self-XSS Blackbox Protection bypass
August 13, 2012
There is a defense-in-depth feature in IE9 that protects users against self-XSS attacks, which are spreading quickly among social-networking users (http://nakedsecurity.sophos.com/2010/02/02/anatomy-free-starbucks-gift-card-scam/ & https://www.facebook.com/video/video.php?v=956977232793).
However, IE9 still allows any other URL to be pasted into the address bar.
1- Add a letter before the file protocol (e.g. “Xfile:”), or up to three letters after the “file” protocol (e.g. “fileXXX:”), or add one letter both before and after the file protocol (e.g. “XfileX:”)
2- Now add one or more space characters (or any other control characters) after the colon character (URL-encoded values can be used) (e.g. “XfileX:%20%0A%1F”)
4- Open IE9, and go to facebook.com
6- You should be able to see your cookies.
Finally, two simple examples are:
I have also noticed that the file system can be browsed by the following vector (in different versions of IE):
It is almost the same as using “file:c:/”, which is not a security issue on its own. However, this new vector can lead to file system access on kiosk devices that use IE and rely on a blacklist filter on the address bar.
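The kiosk point above is really about how an address-bar filter decides what a URL's scheme is. The following is an added example, not code from the original post: a naive blacklist of the kind the post describes (matching the literal text “file:” at the start of the string) beside an allowlist check that percent-decodes, strips leading control characters, parses the scheme according to the RFC 3986 grammar and then permits only http and https. The function names and sample URLs are constructed for this illustration; the “Xfile:”, “fileXXX:” and “XfileX:%20%0A%1F” forms are the ones named in the post.

```javascript
// Added example (not from the original post): scheme allowlisting for a
// kiosk-style address-bar filter, beside the naive blacklist it replaces.
// Function names and sample URLs are constructed for this illustration.

// Naive blacklist: only matches the literal scheme text at position zero, so
// any letter added before or after "file" (as the post describes) slips past.
function naiveBlacklistAllows(url) {
  const lower = String(url).toLowerCase();
  return !(lower.startsWith("file:") || lower.startsWith("javascript:"));
}

// Percent-decode repeatedly (so "%2520" cannot hide a space behind a second
// layer of encoding); stop on malformed input or when the string is stable.
function fullyDecode(url) {
  let decoded = String(url);
  for (let i = 0; i < 3; i++) {
    let next;
    try {
      next = decodeURIComponent(decoded);
    } catch (e) {
      break; // malformed escape: keep what we have, the allowlist will reject it
    }
    if (next === decoded) break;
    decoded = next;
  }
  return decoded;
}

// Extract the scheme the way a defender should: decode first, drop leading
// ASCII control characters and spaces (browsers ignore them), then accept only
// the RFC 3986 scheme grammar ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ).
// Anything else (including "xfilex" or a scheme broken by a control byte)
// yields null rather than a best-effort guess.
function extractScheme(url) {
  const cleaned = fullyDecode(url).replace(/^[\u0000-\u0020\u007f]+/, "");
  const m = /^([A-Za-z][A-Za-z0-9+.-]*):/.exec(cleaned);
  return m ? m[1].toLowerCase() : null;
}

// Allowlist: the filter names what it permits instead of what it forbids, so
// an unexpected scheme spelling is rejected without the filter having to know
// how the browser would normalise it.
const ALLOWED_SCHEMES = new Set(["http", "https"]);

function allowlistAllows(url) {
  const scheme = extractScheme(url);
  return scheme !== null && ALLOWED_SCHEMES.has(scheme);
}

// Constructed sample inputs, for running the file directly.
const samples = ["file:c:/", "Xfile:c:/", "fileXXX:c:/", "XfileX:%20%0A%1Fc:/", "https://example.com/a%20b"];
for (const s of samples) {
  console.log(JSON.stringify(s), "blacklist:", naiveBlacklistAllows(s), "allowlist:", allowlistAllows(s));
}
```

The design point is that the blacklist and the browser disagree about what counts as the “file” scheme, and the blacklist loses. The allowlist never needs to reproduce the browser's lenient parsing: if the filter cannot recognise a scheme as exactly http or https after decoding, the navigation is refused.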
Ctrl+Shift+L (Go to copied address) in IE9 – Can be used in Self-XSS:
There is an interesting feature in IE9 that can make exploitation of this issue even easier with social engineering. An attacker needs to deceive the user into copying something to the clipboard and then encourage them to press “Ctrl+Shift+L”. This attack is feasible when the attacker is able to control an IFrame inside the target website, such as Facebook.
Note 1: This issue has already been reported to Microsoft as a low-severity issue (msrc #12866).
Note 2: This issue is not detectable by Shazzer.