It is possible thanks to an HTML5 feature, window.history.pushState(). It was created for AJAX websites so that they could change the location bar and manipulate the session history without a page load. Read more about it on the WHATWG site.
It's a great and convenient feature for developers: for example, AJAX apps can now support the back and forward buttons without resorting to URI fragment identifier (#) hacks. But it can also be used for malicious purposes. Basically, in HTML5 you can no longer trust the location bar. For security reasons the spec only lets you change the part after the origin (path, query and fragment), not the scheme, hostname or port, and the new URL is subject to same-origin restrictions, but that is enough for XSS-Track: every link on the vulnerable site is same-origin anyway. So now we have these convenient functions in the XSS-Track source code:
```javascript
// Strip everything before the first "/" so only the path is pushed. For an
// absolute URL the match starts at the "//" after the scheme, which yields a
// scheme-relative URL that pushState() resolves against the current origin.
var getPath = function(url) {
    return url.match(/(\/.*)/)[1];
};

var changeAddressBar = function(url) {
    try {
        // html5 goodness - should work in Safari, Chrome, FF 4
        window.history.pushState({}, "", getPath(url));
    } catch(e) {
        // no pushState, or a cross-origin URL: leave the address bar as it is
    }
};
```
and navigating a link within the vulnerable domain will update the address bar path accordingly, making XSS-Track practically invisible (unless you click an external link, whose URL pushState cannot show).
Disclaimer:
window.history.pushState() works in Chrome 5, Safari 5 and Firefox 4, and more browsers will follow. When it's not available, XSS-Track simply leaves the URL of the vulnerable page in the address bar, so we're forward compatible. Try to hack the demo site in one of those browsers to see it in action. HTML5 FTW!
Yep http://heideri.ch/jso/?pushState
@anonymous: Mhm, Mario is THE guy when it comes to wicked XSS vectors & HTML5 security.
Oh good grief, that's nasty.
Certainly hope that the browsers will come up with a UI element that will warn when the URL is being changed by JavaScript, or show the actual URL on hover, or whatever.
Any updates for FF10+, Chrome 18+ etc.?
history.pushState() should work in both of them, it's widely supported now - http://caniuse.com/#search=push