RETURN $ecure;

Security, Technology and Life

Archive for September 2006

Other browsers expanding on Opera weirdness

with one comment

rsnake recently made a post regarding some weirdness I found in Opera. Opera gives an error message when unencoded HTML is inserted into the address bar.

The URL http://<script> contains characters that are not valid in the location they are found.

  • The reason for their presence may be a mistyped URL, but the URL may also be an attempt to trick you into visiting a website which you might mistakenly think is a site you trust.

This is the first time I’ve seen anything like this. Now while it may not in itself be a security feature, it could certainly go in that direction. If it also dealt with encoded chevrons (< as %3C) then it could be a large jump forward in the fight against XSS, specifically reflected vectors.

I have posted on a few Web browser community boards in hopes of getting attention for this suggestion. I doubt it will be implemented soon. But with XSS being the top risk lately, it’s slightly comforting to know we might have at least some defense.
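
As an added example (not code from the original post or from any browser), here is one way the check suggested above could look: it flags raw chevrons and percent-encoded ones, including nested encodings such as %253C. The function names and the sample URLs are constructed for illustration.

```javascript
// Added example: flag raw or percent-encoded chevrons in a URL string.
// checkUrl, percentDecodeOnce and SAMPLE_URLS are hypothetical names.

// Decode well-formed %XX escapes byte by byte. Unlike decodeURIComponent,
// this never throws on malformed input, and byte-level decoding is enough
// to reveal the ASCII characters < (0x3C) and > (0x3E).
function percentDecodeOnce(s) {
  return s.replace(/%([0-9a-f]{2})/gi, (_, hex) =>
    String.fromCharCode(parseInt(hex, 16)));
}

// Returns { suspicious, encodingDepth }.
// encodingDepth 0 = raw chevron (the case Opera's message covers),
// 1 = %3C / %3E, 2 = %253C, and so on up to maxRounds layers.
function checkUrl(url, maxRounds = 3) {
  let current = url;
  for (let depth = 0; depth <= maxRounds; depth++) {
    if (/[<>]/.test(current)) {
      return { suspicious: true, encodingDepth: depth };
    }
    const next = percentDecodeOnce(current);
    if (next === current) break; // nothing left to decode
    current = next;
  }
  return { suspicious: false, encodingDepth: null };
}

// Constructed sample input.
const SAMPLE_URLS = [
  'http://<script>',
  'http://example.test/?q=%3Cscript%3E',
  'http://example.test/?q=%253Cscript%253E',
  'http://example.test/search?q=a%20b',
];

for (const u of SAMPLE_URLS) {
  const r = checkUrl(u);
  console.log(r.suspicious ? `WARN (depth ${r.encodingDepth})` : 'ok', u);
}
```

Encoded chevrons also appear in legitimate query strings, so a result like this is better suited to a warning than to a hard block.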

I’ll update my non-existent readers on the status of the message board threads.

Written by Rodney G

09/22/2006 at 12:32 am

Posted in Uncategorized


Domain Testing


Written by Rodney G

09/21/2006 at 10:46 pm

Posted in Uncategorized
