IE7 javascript echo

This is a strange one, I’ve no clue why IE7 does this but it appears to execute and echo javascript using multiple :

Check it out:
Echo javascript


Comments 15

  1. .mario wrote:

    Yep - very bizarre. I was already wondering when updating the xssDB with your vectors seeing the javascript:alert: variant.

    So IE7 allows functions to be called with name:param in general?

    Posted 03 Aug 2007 at 12:46 pm
  2. Gareth Heyes wrote:

    It appears so yes, this could be dangerous but I haven’t really thought about it.

    I think IE7 allows you to overwrite the document but still retain the properties, I’m a bit tired today so I can’t quite get my head round it :)

    Posted 03 Aug 2007 at 12:54 pm
  3. pdp wrote:

    this is a standard behavior, not a bug. The last operand is taken as output of the expression. for example:

    javascript:4+4

    will result to 8

    but:

    javascript:4+4;void(0)

    results to nothing.

    This is how you can generate HTML via JavaScript… it is like the data protocol.

    javascript:'Check out'

    simple! :)

    Posted 03 Aug 2007 at 1:00 pm
  4. Gareth Heyes wrote:

    @pdp

    I still think it’s a bug:-
    javascript:'<script>alert(1)</script>'

    Posted 03 Aug 2007 at 1:05 pm
  5. Gareth Heyes wrote:

    You can see where I’m going with that.

    Or am I just tired? I was up late, I suppose once you’ve got javascript: you’ve got the document anyway. It is a different way of accessing the document though to avoid filters.

    Posted 03 Aug 2007 at 1:07 pm
  6. pdp wrote:

    nope :) it is not a bug. as I said the content will be rendered as html. You are still in about:blank! I think that I discussed this somewhere on GC.

    Posted 03 Aug 2007 at 1:35 pm
  7. Gareth Heyes wrote:

    Ok pdp I believe you :)

    But hey look at what can do, good for avoiding filters:-
    Test

    Posted 03 Aug 2007 at 2:17 pm
  8. Gareth Heyes wrote:

    That link translates to:-
    javascript:'<script>alert(1)</script>'

    I know it’s on the about:blank document but still I found it interesting.

    Posted 03 Aug 2007 at 2:36 pm
  9. Stefan Esser wrote:

    Ehmm I wonder what you are actually trying to do with your example.

    It seems for me to work in both IE7 and latest FF

    Posted 03 Aug 2007 at 2:39 pm
  10. Gareth Heyes wrote:

    Hi Stefan I just thought IE7 and now it appears Firefox has some odd behavior. In that it allows you to directly insert html or javascript code through the url without document.write.

    I noticed it when I was testing the PHPIDS for code injection. I’m not sure if it is really a problem or not because you have to use javascript: anyway.

    Posted 03 Aug 2007 at 2:56 pm
  11. Christian Wenz wrote:

    many people stumble upon that when they try something like and get an output like [window object] instead. And as Stefan already said, all browsers do that (starting from Netscape 2) ;-)

    Posted 04 Aug 2007 at 12:24 am
  12. Christian Wenz wrote:

    aah, the link I wanted to post was this one:

    [a href="javas*removethis*cript:window.open(...)"]

    Posted 04 Aug 2007 at 12:25 am
  13. sirdarckcat wrote:

    Hi!

    I also think it’s not a bug.. the javascript URI will output the response of the function to the document, it is the desired behavior, and in that I base JaSiLDBG (http://jasildbg.googlepages.com)..

    :P

    javascript:anything:thisfunctionsdoesntexist:”;

    The anything:something:whatever: thing is because they are valid labels:

    http://developer.mozilla.org/en/docs/Core_JavaScript_1.5_Reference:Statements:label

    Greetz!!

    Posted 04 Aug 2007 at 7:39 am
  14. Gareth Heyes wrote:

    Yeah I agree it’s not a bug but it is quite interesting way to avoid filters as my example in comment 7.

    The : thing is quite interesting too because you can directly call a function in the url without using () again another thing to be aware of when developing html/javascript filters.

    Thanks everyone!

    Posted 04 Aug 2007 at 10:34 am
  15. JD wrote:

    it’s been round and used for a long time *EDITED (Nice Try) lol*

    Posted 04 Aug 2007 at 8:14 pm
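
The filter-design point raised in comments 5 and 14, as an added example that is not part of the original post or its comments: a filter that matches on call syntax or document.write misses most of the javascript: forms quoted in the thread, while an allow-list on the URL scheme rejects all of them. The function names, the allowed-scheme policy and the sample list are assumptions made for illustration.

```javascript
// Added example, not code from the post or its comments.
// Assumption: hrefs arrive already HTML-entity-decoded, as the browser sees them.
const ALLOWED_SCHEMES = new Set(["http", "https", "mailto"]); // assumed site policy

// Hypothetical pattern filter: rejects document.write and call syntax "name(".
function patternFilterAllows(href) {
  return !/document\s*\.\s*write|[\w$]\s*\(/i.test(href);
}

// Scheme of an href, lowercased, or null for a relative reference.
function extractScheme(href) {
  const cleaned = String(href)
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "") // URL parsers trim these
    .replace(/[\t\n\r]/g, "");                           // and drop tab/newline anywhere
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  return m ? m[1].toLowerCase() : null;
}

// Allow-list: only known schemes or relative references pass.
function allowListAllows(href) {
  const scheme = extractScheme(href);
  return scheme === null || ALLOWED_SCHEMES.has(scheme);
}

// Constructed samples based on the forms quoted in the comments.
const SAMPLES = [
  "javascript:4+4",
  "javascript:'Check out'",
  "javascript:anything:something:whatever:0",
  "javascript:'<script>alert(1)</script>'",
  "https://example.com/page",
  "/relative/path",
];

// One row per sample: true means the filter lets the href through.
function compare(samples) {
  return samples.map((href) => ({
    href,
    patternFilter: patternFilterAllows(href),
    allowList: allowListAllows(href),
  }));
}

console.table(compare(SAMPLES));
```

The first three samples pass the pattern filter because they contain neither a call nor document.write; the allow-list rejects them on the scheme alone, without inspecting the script body.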
