De-Anonymizer (Script Bypassing)

Discussion in 'privacy problems' started by Paul Wilders, Apr 26, 2002.

Thread Status:
Not open for further replies.
  1. Paul Wilders

    Paul Wilders Administrator

    Summary
    A technique allowing the bypassing of Anonymizer's SCRIPT filtering mechanism has been found. The technique would allow malicious attackers to insert hostile JavaScript into their web pages and cause visiting users (even if they visit through Anonymizer) to execute it.


    Details
    The new technique utilizes a <SCR!PT> (NOTE: The letter I has been replaced with !) tag without a closing </SCRIPT> tag to fool Anonymizer into allowing an onError event to pass filters. This allows an attacker to execute JavaScript with obvious security breaches.

    Example (left out for security reasons - Forum Admin).

    source: securiteam

    regards.

    paul
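
Added example, not part of the original post or the Securiteam advisory: a filter that rebuilds the page from parsed tokens and emits only allowlisted tags and attributes, so its result does not depend on finding a closing </SCRIPT> tag. Anonymizer's actual filter is not described in the post; the policy, the names (`sanitize`, `ALLOWED`, `safe_url`) and the inputs in the checks are assumptions constructed for illustration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed policy (not Anonymizer's): markup the rewriting filter lets through.
ALLOWED = {"p": set(), "b": set(), "i": set(), "br": set(),
           "a": {"href"}, "img": {"src", "alt"}}
VOID = {"br", "img"}                 # elements that take no end tag
DROP_CONTENT = {"script", "style"}   # elements whose text is never emitted
SAFE_SCHEMES = {"", "http", "https"}

def safe_url(value):
    try:
        return urlsplit(value.strip()).scheme.lower() in SAFE_SCHEMES
    except ValueError:               # malformed URL: reject
        return False

class AllowlistSanitizer(HTMLParser):
    """Rebuilds the page from parsed tokens, emitting only allowlisted markup."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.dropping = [], None

    def handle_starttag(self, tag, attrs):
        if self.dropping:
            return
        if tag in DROP_CONTENT:
            self.dropping = tag      # stays set to end of input if never closed
        elif tag in ALLOWED:
            kept = [(n, v or "") for n, v in attrs if n in ALLOWED[tag]]  # drops on* handlers
            kept = [(n, v) for n, v in kept if n not in ("href", "src") or safe_url(v)]
            attr_text = "".join(f' {n}="{escape(v, quote=True)}"' for n, v in kept)
            self.out.append(f"<{tag}{attr_text}>")

    def handle_endtag(self, tag):
        if self.dropping:
            if tag == self.dropping:
                self.dropping = None
        elif tag in ALLOWED and tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.dropping:
            self.out.append(escape(data, quote=False))

def sanitize(html_text):
    parser = AllowlistSanitizer()
    parser.feed(html_text)
    parser.close()
    return "".join(parser.out)
```

An unclosed script element makes this filter discard the rest of the page rather than pass it through, so the failure mode is lost content, not executed script.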
     