The trick is to use a vertical tab (`%09`) and then place another URL in the tag. So once a victim clicks the link on the error page, she will go somewhere else.

As you can see, the browser changes the destination from relative / to an absolute url https://enoflag.de. The exploit is `http://domain.tld/%09//otherdomain.tld`

Here's the httpd configuration to reproduce the behavior:

```
    <Location />
        ProxyPass http://127.0.0.1:9000/ connectiontimeout=1 timeout=2
        ProxyPassReverse http://127.0.0.1:9000/ 
        Order allow,deny
        Allow from all
    </Location>
```

Link to post

Link to comment

Share on other sites

Followers 0

Go to topic listing

Recently Browsing 0 members
- No registered users viewing this page.

www.chthackerworld.com - 我们是一个生机勃勃的技术交流社区，致力于学习和分享黑客攻防知识、技术爱好、编程专业知识，并拥有许多正在开发的活跃项目。加入我们的用户可以在其中讨论黑客攻击、网络安全等。并参与本论坛举办的赛事！我们不会对友国或本国任何站点上进行非法渗透入侵或破坏网络活动，如果使用名称为The hacker World 或 CNHACKTEAM 名称进行黑客活动，请从站点服务器访问日志中识别执行此活动的 IP 地址，我们将积极配合调查。

黑客世界站内导航 (SITE MAP)

Create New...

Sign In

Apache Httpd mod_proxy - Error Page Cross-Site Scripting

Recommended Posts

This CHT

Link to post

Link to comment

Share on other sites

Recently Browsing 0 members

黑客世界站内导航 (SITE MAP)