Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:16498
HistoryMar 28, 2007 - 12:00 a.m.

Bypass phishing protection in Firefox / Opera

2007-03-2800:00:00
vulners.com
17
JSON

Hi, i've tested a simple way to bypass the phishing protection in Firefox 2.0.0.3 and Opera 9.10. Aparently both browsers fails to detect a phishing site if it is embeded in an IFRAME / OBJECT label.

I've released some demostrations to test the above:

http://zonafirefox.googlepages.com/prueba.html (using Javascript to create an iframe object)

http://zonafirefox.googlepages.com/prueba2.html
(without Javascript)

Also, the following code can be used to bypass the phishing protection:

"<object type="text/html" classid="(phishing site)" data="(phishing site)"></object>"

The tests were realized using several many sites from Phishtank database. IE7 has no problems.

Any feedback and/or confirmation of the above will be very appreciated.

rgds,
nsp

JSON