Self-Referencing Content - When HTML Becomes Script

From the parlor tricks department:

/* <script src="#"></script> */
alert("It Works");

If this is parsed in an HTML context, the script tag will re-include the content and cause it to be interpreted as script. The only catch is that the HTML needs to also parse as valid JavaScript.
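As an added illustration (not code from the original post), the following defender-side check flags a body that has exactly the property just described: it compiles as a JavaScript program and, read as HTML, contains a `<script>` whose `src` points back at the same document. The functions and the two sample bodies are constructed for this example; `new Function` is used only to compile the text, never to run it.

```javascript
// Added example: detect a body that is valid JavaScript *and* HTML that
// re-includes itself via <script src="#">. Nothing here executes the body.

// src values that resolve to the including document itself
const SELF_REFERENCING_SRC = new Set(["", "#", "?", "."]);

// Collect <script src="..."> values that point back at the same document.
function findSelfReferencingScriptTags(body) {
  const tagRe = /<script\b[^>]*\bsrc\s*=\s*["']([^"']*)["'][^>]*>/gi;
  const hits = [];
  let m;
  while ((m = tagRe.exec(body)) !== null) {
    const src = m[1].trim();
    if (SELF_REFERENCING_SRC.has(src) || src.startsWith("#")) {
      hits.push(src);
    }
  }
  return hits;
}

// True when the body parses as a JavaScript program. new Function compiles
// the text into a function object but does not call it, so alert() never runs.
function parsesAsJavaScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    return false;
  }
}

// Combined classification: the same bytes would execute as script if the
// document were interpreted as HTML, because the HTML pulls itself in.
function isSelfReferencingPolyglot(body) {
  return parsesAsJavaScript(body) &&
    findSelfReferencingScriptTags(body).length > 0;
}

// Constructed inputs: the post's snippet, and a variant that is HTML only
// (a bare "<script" is a syntax error in JavaScript, so it is not a polyglot).
const POLYGLOT = '/* <script src="#"></script> */\nalert("It Works");\n';
const HTML_ONLY = '<script src="#"></script>\nalert("It Works");\n';

console.log("polyglot:", isSelfReferencingPolyglot(POLYGLOT));   // true
console.log("html only:", isSelfReferencingPolyglot(HTML_ONLY)); // false
```

The check is only meaningful where a response might be interpreted as HTML by the browser; the usual fix is on the server side, sending the correct `Content-Type` (and `X-Content-Type-Options: nosniff`) so the document is never parsed as HTML in the first place.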

Try it out.

Interesting, but most likely useless. Anywhere that one could inject this, one could also probably inject arbitrary script.

Tested successfully with Mozilla Firefox, Safari, Opera and Internet Explorer 6 and 7. Opera has a weird quirk of only executing it once; later invocations treat the file as script and display the contents instead of executing. Forcing a refresh of the page causes it to be re-interpreted as HTML though.

And I could swear that I had seen this before, but I can't find any references on the web searching through Google. I'm probably not hitting on the correct keywords. If anybody knows where else this is referenced, send me a link and I'll include it.

Posted by gfleischer on 2008/01/23 at 11:52 in Quirks

Mozilla Firefox file: URI Quirks

Mozilla Firefox exhibits an odd quirk when loading file: URI values that specify a host component. When retrieving the data, the host portion is ignored. But when determining the origin of the data, the host is taken into account: the document.domain and location.host values visible to JavaScript include it. RFC 1738 describes the file URL.

Download a simple demo and try it for yourself (source).

Although there are no readily apparent attacks that can be implemented from within Firefox, it suggests a general confusion about the difference between what content is retrieved and how and where it is retrieved from. A quick test shows that Safari behaves the same as Firefox, but Internet Explorer attempts to treat the host as part of a UNC path. Opera treats the host as a UNC name, but crashes with an access violation on re-launch without the host name.
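To make the retrieved-versus-labelled split concrete, here is an added example (not part of the original post) that breaks a file: URL into the host and path components RFC 1738 defines and reports the case the post describes: a non-empty host that a browser ignoring it for retrieval would still surface as the document's origin. The function name, its output fields and the sample URLs (using the reserved name example.com) are constructed for this illustration; it relies on the standard WHATWG `URL` parser available in browsers and Node.js.

```javascript
// Added example: describe a file: URL the way the post's quirk splits it.
// `loadedAs` is what a browser that drops the host actually fetches;
// `host` is what such a browser would still report in location.host.

function describeFileUrl(input) {
  const url = new URL(input);
  if (url.protocol !== "file:") {
    throw new Error("not a file: URL: " + input);
  }
  // The WHATWG parser already normalizes "localhost" to an empty host for the
  // file scheme; accept both spellings as meaning the local machine.
  const host = url.hostname;
  const isLocal = host === "" || host === "localhost";
  return {
    host,
    path: url.pathname,
    // URL the content is actually retrieved from when the host is ignored
    loadedAs: "file://" + url.pathname,
    isLocal,
    // Non-local host: retrieval and origin disagree, and other browsers
    // may read the same host as a UNC share name instead.
    hostAmbiguous: !isLocal,
  };
}

// Constructed inputs
console.log(describeFileUrl("file:///tmp/demo.html"));
console.log(describeFileUrl("file://example.com/tmp/demo.html"));
```

A tool that accepts file: URLs from an untrusted source can use `hostAmbiguous` to refuse anything but the local forms, which sidesteps the browser-to-browser disagreement entirely.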

Bug hunting at trust boundaries can be very fruitful.

Posted by gfleischer on 2007/11/25 at 22:25 in Quirks
