Meta Redirects to the Internet President

It may be useful for the browser to obey meta tags found outside of a page head, but as far as I know they’re intended for use at the page level. This may be for backwards compatibility but it provides us some ways to disrupt other websites.

What I assume is a normal or expected series of events:

  1. User comes to your site and decides to participate
  2. User is provided a content entry form that allows html (blog post, comment, etc)
  3. User participates in normal and expected way
  4. Everything is sugar and rainbows

What I do:

  1. I go somewhere and try to break stuff
  2. I see a form that allows html, may be disguised as a wysiwyg editor
  3. I submit the form, capture the request and muck with it.

Basically what we’re talking about is XSS, XSRF, etc. In this example, we’re not doing anything nasty… just forwarding a buddy’s site to the Internet President (http://www.omgwtfbbq.com).

All I used was Firefox and TamperData, but the tools you use are not important.

Just open up TamperData and start tampering right before you submit the form, look at the requests until you find the one with your form submission and modify the field that allows html to something like the following.

Now if that content appears on the site as unfiltered html, it will redirect to that url, interesting, but just the most basic and useless example

I think one lesson here is not to allow html user submitted content… this is one of the reasons we saw the rise of bbcode and markdown. Perhaps implement a white list of allowed html tags if you must but remember FRONT-END CODE IS NOT THE FINAL STOP FOR VALIDATION! I say that loudly because I am surprised by how many people think it is.