Microsoft Internet Explorer seems to be a bottomless barrel-o-fun when it comes to browser entrapment vulnerabilities. Just to recap, in these attacks, the user is made to believe he has left a webpage he stumbled upon (and the URL bar or SSL state data reinforces this belief) - but in reality, he is prevented from doing so, and his browser continues to display only content originating from the attacker. See the MSIE7 onUnload and MSIE6 location pages for a discussion of previously reported flaws of this type.
Well, here's another one, this time based on the disruptive nature of the document.open() call. In essence, repeatedly calling this function after a new URL is entered by the user, but before onBeforeUnload is invoked, inhibits the page transition - yet the URL bar retains the state of the target URL. Note that this problem occurs at a much earlier stage than with the onUnload approach, before any attempt is made to resolve the domain or connect to the server - and as such, it is a distinct (and fast!) attack vector.
Click on the link below to visit a new page, then try to navigate away from it. In MSIE7, the URL bar will be updated as if your attempt succeeded, yet you will be taken elsewhere. The demo is one-shot, and obviously requires JavaScript. Not tested with MSIE6.
Questions and comments: Michal Zalewski <lcamtuf@coredump.cx>.