Tuesday, September 05, 2006

Firefox is smart!

I was messing around with infinite 302 redirects using the URL shorteners. I set up the following URLs: http://doiop.com/302_1 redirects to http://doiop.com/302_2, which would redirect back to http://doiop.com/302_1

When I tested in Firefox (1.5.0.6), lo and behold, it detected it!


Firefox has detected that the server is redirecting the request for this address in a way that will never complete.
* This problem can sometimes be caused by disabling or refusing to accept cookies.

Bob Auger from cgisecurity.com helped me test in Internet Explorer 6. The browser just sat there trying to load. Not so smart.
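The two client-side defences against the loop described above, exact loop detection and a hop limit, shown as an added Python example. It is not code from the original post and does not claim to be how Firefox implements its check. The `fetch` callable, the response table and the example.test URLs are constructed for the illustration.

```python
from urllib.parse import urljoin, urldefrag

REDIRECT_CODES = {301, 302, 303, 307, 308}

class RedirectError(Exception):
    def __init__(self, reason, chain):
        super().__init__(f"{reason}: {' -> '.join(chain)}")
        self.reason, self.chain = reason, chain

def follow(url, fetch, max_hops=10):
    """Follow redirects via fetch(url) -> (status, location); return (final_url, chain).
    Assumes fetch is stateless (no cookies), so a repeated URL really is a loop."""
    seen, chain = set(), []
    while True:
        url = urldefrag(url).url          # fragments are never sent to the server
        chain.append(url)
        if url in seen:                   # same URL twice: exact loop
            raise RedirectError("loop", chain)
        seen.add(url)
        status, location = fetch(url)
        if status not in REDIRECT_CODES or not location:
            return url, chain
        if len(chain) > max_hops:         # chain = start URL + redirects followed
            raise RedirectError("too many redirects", chain)
        url = urljoin(url, location)      # Location may be relative

# Constructed responses: the two-URL loop from the post, plus a normal chain.
TABLE = {
    "http://doiop.com/302_1": (302, "http://doiop.com/302_2"),
    "http://doiop.com/302_2": (302, "/302_1"),
    "http://example.test/a": (301, "b#top"),
    "http://example.test/b": (200, None),
}

def table_fetch(url):
    return TABLE.get(url, (404, None))

def endless_fetch(url):
    """Constructed server that always redirects to a URL not seen before."""
    n = int(url.rsplit("/", 1)[1])
    return 302, f"/hop/{n + 1}"

def classify(url, fetch):
    try:
        return "ok " + follow(url, fetch)[0]
    except RedirectError as e:
        return f"{e.reason} after {len(e.chain) - 1} redirects"
```

The visited-set check catches the two-URL loop after two redirects, while `endless_fetch` never repeats a URL and is stopped only by the hop limit.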

6 comments:

Anonymous said...

Python's urllibs have a similar functionality, but I think it's just 10 redirects (by default), and you're out; it doesn't check for loops.

kuza55 said...

I think that checking for X number of redirects is a better idea than trying to find loops because people can always forward to random pages which don't exist from a 404 page, and there would be no way to deduce that there was a loop other than by seeing that more than 10 redirects had been performed.....

Does anyone know what approach Firefox takes?

Anonymous said...

Well how about being fair and using the latest IE7 to do this comparison? It seems to give up quickly enough with a page not accessible error. For that matter even IE6 did that eventually so I'm not sure what kind of testing your friend did on IE6.

It sure is fashionable to keep bashing the years old IE6 when a more secure IE7 is soon to be available.

Jeremiah Grossman said...

When MS ports IE to OS X I'll be sure to test accordingly. Until then I have to depend on the kindness of Windows users.

Anonymous said...

Okay let me understand this ... You run a web security company and you don't bother to run IE for test purposes on a single machine or VM? Your security research is only for the folks who don't run IE or Windows? You don't believe in knowing the major products in your area of security expertise? For example it's obvious that you don't have much knowledge about IE7 security when running in Vista. Sorry but I'm not sure how much confidence I personally would have in hiring your services ...

Jeremiah Grossman said...

I wasn't aware that this was such a pressing issue. And since you personally single me out with your comments, I'll try to address them as honestly as I can.

> You run a web security company and you don't bother to run IE for test purposes on a single machine or VM?

Correct. Unless there is a really compelling need for me to do so.

> Your security research is only for the folks who don't run IE or Windows?

My research primarily focuses on web applications, not necessarily browser security (though there is overlap). If anyone wants to test my results on their own systems (including IE and Windows), I'd love to hear about it.

> You don't believe in knowing the major products in your area of security expertise?

Be reasonable. No web application expert can be expected to know everything about everything all the time. I have my focus area (as most do) and I make it known where the gaps are. Again, if people want to share their experiences, I'm all ears and not opposed to learning something.

> For example it's obvious that you don't have much knowledge about IE7 security when running in Vista.

Right you are and I make that fact known.

> Sorry but I'm not sure how much confidence I personally would have in hiring your services ...

That's your prerogative of course. Though we typically get hired based on our web application security assessment capability. Not our knowledge of IE 7's handling of infinite redirects. If that's the type of vendor you need, use them.