Fun with XSS (Kinda)



  • I was using a site that used Vebra when I stumbled across an error page. Then I noticed I could do this:

    http://www.vebra.com/home/other/error.asp?desc=<script language="Javascript">alert('Moose!');</script>

    I know you can't do that much with the above, but It's still fun for 5 seconds :)



  •  You can steal cookies.  This looks like a commerce-oriented site so that's pretty damn bad.



  •  ObRugrats: THAT'S not a Moose!



  •  Dont click this link.



  • @dtech said:

     Dont click this link.

    With the second message Chrome will give you the option to stop running javascript on that page, and IIRC Opera does the same.



  • @XIU said:

    @dtech said:

     Dont click this link.

    With the second message Chrome will give you the option to stop running javascript on that page, and IIRC Opera does the same.

    And IE won't run the script at all, by default.



  •  @davedavenotdavemaybedave said:

    @XIU said:
    @dtech said:

     Dont click this link.

    With the second message Chrome will give you the option to stop running javascript on that page, and IIRC Opera does the same.

    And IE won't run the script at all, by default.
    I'm using Lynx and what is this



  • Firefox is the only one that doesn't provide this protection out of the box.

    Score 1 for the rest!



  • @XIU said:

    With the second message Chrome will give you the option to stop running javascript on that page, and IIRC Opera does the same.
    Opera's had "stop executing scripts on this page" checkbox in javascript alerts for a few versions, but since 10.50, the dialogs are only modal to the web page - you can still switch to another tab, or close the current tab.



  • @dhromed said:

    Firefox is the only one that doesn't provide this protection out of the box.

     

    that's TRWTF ... The bug ticket for this issue is almost 10 years old !



  • @vic said:

    that's TRWTF ... The bug ticket for this issue is almost 10 years old !
     

    I guess Firefox beats that other dude's thread.



  • No, TRWTF is that you can forcibly close down Firefox and when you open it again it tries to restore your tabs, and thus ends up in exactly the same infinite loop. It's not until you've done it a few times that it'll give the "Well this is embarassing" dialog and let you either dump all tabs or no tabs. 

    At least they are working on making alert boxes model to the tab, so you'll be able to click else where. 

     



  •  @Mole said:

    No, TRWTF is that you can forcibly close down Firefox and when you open it again it tries to restore your tabs, and thus ends up in exactly the same infinite loop.


    +1

    But, on XP and Vista, I use Taskbarshuffle, which supports middle-click on a taskbar button to close it. This is awesome enough in and of itself, but also means you don't have to kill FFX to break an alert loop.

    Unless you have turned on automatic session save.



  • @ender said:

    @XIU said:
    With the second message Chrome will give you the option to stop running javascript on that page, and IIRC Opera does the same.
    Opera's had "stop executing scripts on this page" checkbox in javascript alerts for a few versions, but since 10.50, the dialogs are only modal to the web page - you can still switch to another tab, or close the current tab.

    Same in Chrome, which is also very easy if you have a login prompt because it doesn't block the whole browser.



  • @XIU said:

    @ender said:
    @XIU said:
    With the second message Chrome will give you the option to stop running javascript on that page, and IIRC Opera does the same.
    Opera's had "stop executing scripts on this page" checkbox in javascript alerts for a few versions, but since 10.50, the dialogs are only modal to the web page - you can still switch to another tab, or close the current tab.

    Same in Chrome, which is also very easy if you have a login prompt because it doesn't block the whole browser.

    For me, it's just a matter of telling the stonecutter not to chisel the dialogue box onto the next slab.



  • @davedavenotdavemaybedave said:

    @XIU said:
    @ender said:
    @XIU said:
    With the second message Chrome will give you the option to stop running javascript on that page, and IIRC Opera does the same.
    Opera's had "stop executing scripts on this page" checkbox in javascript alerts for a few versions, but since 10.50, the dialogs are only modal to the web page - you can still switch to another tab, or close the current tab.

    Same in Chrome, which is also very easy if you have a login prompt because it doesn't block the whole browser.

    For me, it's just a matter of telling the stonecutter not to chisel the dialogue box onto the next slab.
     

    I just ask the flying spaghetti monster to make the loop stop



  • @dhromed said:

    Firefox is the only one that doesn't provide this protection out of the box.

    Score 1 for the rest!

    Wow, NoScript just detects this as a XSS attempt and refuses to run.  Clever.

     

    IIRC (and it's been awhile since I needed to do this) you can just switch to a different window and go to your FF prefs and disable JS, then switch back to the offending window and click through the dialog a couple of times until it goes away for good.  Not very elegant, but hardly the PITA of restarting your whole browser.

     

    Of course, if you used NoScript you'd be home by now.



  • @morbiuswilters said:



    @dhromed said:


    Firefox is the only one that doesn't provide this protection out of the box.

    Score 1 for the rest!



    Wow, NoScript just detects this as a XSS attempt and refuses to run.  Clever.


    Leaving the poor bewildered user to wonder whether or not that's something he would want to happen when he clicks on a link marked "Don't click this link".
    @morbiuswilters said:
    IIRC (and it's been awhile since I needed to do this) you can just switch to a different window and go to your FF prefs and disable JS, then switch back to the offending window and click through the dialog a couple of times until it goes away for good.  Not very elegant, but hardly the PITA of restarting your whole browser.


    No, 'fraid not. Once a script has started, Firefox will stick with it until it dies. If you don't fancy restarting Firefox, you can always start a new window (from within the program, or from the start menu, or wherever) and forget about the one with the script. A technique which works just as well in IE 6.



  • @morbiuswilters said:

    Wow, NoScript just detects this as a XSS attempt and refuses to run.  Clever.

    That's the same thing IE8's doing.



  •  Knowing Microsoft, they probably implemented the juicy bits of NoScript into IE8 and then submitted a patent request for it so when it gets approved in a year (as does anything more technical than sliced bread) they can attempt to sue NoScript authors. 



  • @Mole said:

     Knowing Microsoft, they probably implemented the juicy bits of NoScript into IE8 and then submitted a patent request for it so when it gets approved in a year (as does anything more technical than sliced bread) they can attempt to sue NoScript authors. 

    Yeah, let's all go to Slashdot and discuss how Ballmer is eating puppies!



  • @blakeyrat said:

    @Mole said:

     Knowing Microsoft, they probably implemented the juicy bits of NoScript into IE8 and then submitted a patent request for it so when it gets approved in a year (as does anything more technical than sliced bread) they can attempt to sue NoScript authors. 

    I'm sorry, but your (you jest, I'm sure) Microsoft joke is kind of a trope and I don't find it funny in that relevant way.
     

    FTFY



  • @blakeyrat said:

    @Mole said:

     Knowing Microsoft, they probably implemented the juicy bits of NoScript into IE8 and then submitted a patent request for it so when it gets approved in a year (as does anything more technical than sliced bread) they can attempt to sue NoScript authors. 

    Yeah, let's all go to Slashdot and discuss how Ballmer is eating puppies!

    Hmm..  he used to feast on little black orphan babies.  I guess he's getting soft in his old age.


Log in to reply
 

Looks like your connection to What the Daily WTF? was lost, please wait while we try to reconnect.