[LUAU] How Does this Work?

Eric Hattemer hattenator at imapmail.org
Thu Apr 29 21:20:03 PDT 2004


For a more technical explanation, you can refer to rfc1738 among 
others, if that kind of thing excites you: 
http://www.faqs.org/rfcs/rfc1738.html .  I can't explain that particular 
URL.  The URL RFC explains that there are several special characters 
including @, :, & that aren't considered normal text.  Also, %HEXHEX 
represents the character of that numerical value. 

@ is a simple, yet somewhat obvious method.  When a site asks for a 
password, you can either wait for it to ask, or you can type 
http://user:password@site.com.  You can leave the password out if you 
want.  If the site doesn't actually require a user/password, it will 
ignore it.  So you can use anything you want in the username.  
www.microsoft.com@www.google.com will take you to google, and microsoft 
has no effect. 

Domain names don't have to be used.  http://216.239.57.104 will take you 
to www.google.com just as well.  However, even non-technical people know 
what an IP is, so that's too obvious in some cases.  IPs can be written 
in other forms with hex or octal and in some cases the .'s can be omitted. 

The & sign depends on the browser.  Old versions of IE and other 
browsers used to read an & as "ignore everything before this", so 
www.microsoft.com/stuff/stuff/stuff&www.ijusthackedyou.com wouldn't get 
you to microsoft.  The & is much less obvious than the @, but doesn't 
seem to work anymore, or at least not on mozilla. 

http usernames and passwords don't really work with '/' marks.  So 
www.microsoft.com/support@eric.com would fail or get you to an error 
page within microsoft. 

%HEXHEX makes any character, printable or not.  %00 is NULL or \0.  NULL 
is used to terminate a string in most programming languages.  If you 
fill char[40] with "abc\0def" and leave the other 33 chars as the 
default, the 'string' in that array is "abc".  If you print 
www.microsoft.com/stuff/%00@www.hacks.com, it shows up as 
www.microsoft.com/stuff in some cases.  Otherwise you can print entire 
URLs in %xx%yy%zz format. 

You can easily abuse javascript for some purposes.  A lot of URLs are 
of the form <a>this link</a> but some are of the form 
<a>www.stuff.com</a>.  Although the second is the same as the first, and 
that text could be anything, people are convinced that if the link 
contains a url, it must point to that url.  Javascript pseudo code 
something like: onMouseOver: statusBar.print(url)
will print the url in the status bar when you point the mouse at it.  
This emulates the normal behavior when you point to a link in most web 
browsers. 

There are other tricks, but I don't know all of them offhand. 

-Eric Hattemer
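The tricks in the post (userinfo before "@", hex/octal/integer IP hosts, %00 in the path) all come down to the question "which host does the browser actually contact?". The following is an added example, not code from the message above: it parses a URL the way RFC 1738 / the browser does and reports the real host plus warning flags, so a reader can check a suspicious link before clicking. The helper names are my own; the sample URLs are the ones the post uses (216.239.57.104 is the address it cites for Google).

```python
"""Inspect a URL for the obfuscation tricks discussed in the post (added example)."""
import re
from urllib.parse import urlsplit


def canonical_ipv4(host):
    """Decode dotted, hex (0x..), octal (0..) or plain-integer IPv4 literals.

    Follows classic inet_aton rules: with fewer than four parts, the last part
    fills the remaining bytes (so a single integer is the whole address).
    Returns a dotted-quad string, or None if host is not an IPv4 literal.
    """
    parts = host.split(".")
    if not parts or len(parts) > 4:
        return None
    values = []
    for p in parts:
        try:
            # leading-zero octal is rejected by int(x, 0), so handle it explicitly
            values.append(int(p, 8) if re.fullmatch(r"0[0-7]+", p) else int(p, 0))
        except ValueError:
            return None
    width = 4 - (len(parts) - 1)  # bytes covered by the last part
    if any(v > 255 for v in values[:-1]) or values[-1] >= (1 << (8 * width)):
        return None
    number = 0
    for v in values[:-1]:
        number = (number << 8) | v
    number = (number << (8 * width)) | values[-1]
    return ".".join(str((number >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def inspect_url(url):
    """Return the host the browser would contact and a list of warning flags."""
    if "://" not in url:
        url = "http://" + url  # the post writes hosts without a scheme
    parts = urlsplit(url)
    findings = []
    if parts.username is not None:
        findings.append("userinfo before '@': text before '@' is NOT the host")
    host = parts.hostname or ""
    ip = canonical_ipv4(host)
    if ip is not None:
        findings.append("host is an IP literal: " + ip)
    if "%00" in url.lower():
        findings.append("percent-encoded NUL (%00) present")
    return {"host": ip or host, "findings": findings}


if __name__ == "__main__":
    for u in ("www.microsoft.com@www.google.com", "http://0xd8.0xef.0x39.0x68",
              "http://3639556456", "www.microsoft.com/stuff/%00@www.hacks.com"):
        print(u, "->", inspect_url(u))
```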
