[WEB SECURITY] Importing large code piece into Javascript context without SCRIPT SRC=...
Pilon Mntry
pilonmntry at yahoo.com
Mon Oct 17 02:48:27 EDT 2005
Hi Amit,

I, too, was confused when I first read your argument. It might be clearer if you could use evil2.site instead of target.site in the explanation. Just a comment.

In the link you gave, 'http://www.gerv.net/security/content-restrictions/', there is also another kind of restriction about frames, specifically 'frames-parent', which says 'the parent is accessible, but not the children'. So, in such a context, can we still use your code?

But I suppose what you meant to show has a different aim, namely the 'script' part of the above link.

-pilon
--- Jeremiah Grossman <jeremiah at whitehatsec.com> wrote:
>
> On Oct 14, 2005, at 11:05 AM, Amit Klein (AKsecurity) wrote:
>
> > On 14 Oct 2005 at 10:56, Jeremiah Grossman wrote:
> >
> >> Admittedly, I was a bit confused by what you're trying to achieve with
> >> the code. So, sticking to the question at hand...
> >>
> >> "Importing large code piece into Javascript context without SCRIPT
> >> SRC" ...
> >> I take it to mean: do not use the HTML syntax... <script
> >> src="http://foo/file.js"></script>
> >>
> >> Here's an idea..
> >>
> >> 1) DOM Programming
> >> var js = document.createElement('script');
> >> js.setAttribute('src', 'http://foo/file.js');
> >> document.body.appendChild(js);
> >>
> >> * same effect, but different style.
> >>
> >
> > Not fair ;-)
> >
> > This will not be allowed (I suppose) by Content-Restrictions that
> > specify no external code (see the link in my original writeup). I think
> > (hope...) that the Content-Restrictions would apply to any JS executed,
> > and to dynamically created HTML (such as the above).
> >
> > And there's also a Content-Restriction against creating/modifying
> > HTML nodes.
> >
> > But yes, I suppose I should have clarified this. So thanks!
>
> Oh ok, I see what you've done here now. This is quite clever. You're
> basically using the IFRAME URL as a source for receiving JS code, which
> you evaluate later when it becomes available. Nice.
>
> In my Phishing w/ Superbait talk, I used a similar technique in reverse
> to pass large amounts of data off-domain. 2K blocks at a time.
>
> Regards,
>
> Jeremiah-
>
> ---------------------------------------------------------------------
> The Web Security Mailing List
> http://www.webappsec.org/lists/websecurity/
>
> The Web Security Mailing List Archives
> http://www.webappsec.org/lists/websecurity/archive/
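The quoted reply describes the core of the trick: a frame's URL is used as a channel for receiving text, and the receiving page evaluates that text later, in blocks of about 2K. The step that decides whether this is a data channel or a code-injection sink is the evaluation. The example below is an added illustration for this archive, not code from the thread or from any of the posters: it shows the risky receiver (fragment text goes straight into `eval`) next to a hardened one that treats the fragment as bounded, schema-checked JSON and reassembles the chunks as a plain string. The function names, the `{seq, total, payload}` message schema, the 2048-character cap and the `frame.invalid` URLs are assumptions made for the example; the sample messages are constructed inline. It runs under Node.js, which provides the same `URL` parser a browser would apply to `location`.

```javascript
// Added example, not code from the thread. Models the "receive via the IFRAME
// URL, evaluate later" step as a risky receiver next to a hardened one.
// Function names, the message schema, the 2048-character bound and the
// frame.invalid URLs are assumptions made for this example.

// Risky receiver: the text that arrives in the fragment is executed as code.
// In a browser this is eval(location.hash.slice(1)); whoever can set the
// frame's URL chooses what runs in the frame's origin.
function evalFragmentUnsafe(url) {
  const fragment = new URL(url).hash.slice(1);        // drop the leading '#'
  return eval(decodeURIComponent(fragment));          // the dangerous sink
}

// Hardened receiver: the fragment is data, never code. One message per frame
// URL, bounded in size, parsed as JSON and checked against a fixed schema.
const MAX_FRAGMENT_CHARS = 2048;                      // assumed per-message cap
const SCHEMA = { seq: 'number', total: 'number', payload: 'string' };

function parseFragmentMessage(url) {
  const fragment = new URL(url).hash.slice(1);
  if (fragment.length === 0 || fragment.length > MAX_FRAGMENT_CHARS) return null;
  let msg;
  try {
    msg = JSON.parse(decodeURIComponent(fragment));   // either call may throw
  } catch (e) {
    return null;                                      // not a message: ignore it
  }
  if (msg === null || typeof msg !== 'object' || Array.isArray(msg)) return null;
  if (Object.keys(msg).length !== Object.keys(SCHEMA).length) return null; // no extra fields
  for (const [key, type] of Object.entries(SCHEMA)) {
    if (typeof msg[key] !== type) return null;
  }
  if (!Number.isInteger(msg.seq) || !Number.isInteger(msg.total) ||
      msg.total < 1 || msg.seq < 0 || msg.seq >= msg.total) return null;
  return msg;
}

// Reassembles a payload that was split into `total` chunks (the reply's
// "2K blocks at a time"). The result is only a string; what the page does
// with it is a separate, deliberate decision, not an implicit eval.
class ChunkReassembler {
  constructor() {
    this.total = null;
    this.chunks = new Map();
  }
  // Returns the complete payload once chunks 0..total-1 are all present, else null.
  accept(msg) {
    if (this.total === null) this.total = msg.total;
    if (msg.total !== this.total) return null;        // inconsistent stream: drop
    this.chunks.set(msg.seq, msg.payload);
    if (this.chunks.size < this.total) return null;
    return Array.from({ length: this.total }, (_, i) => this.chunks.get(i)).join('');
  }
}

// Builds the kind of frame URL a sender would set (constructed sample data).
function makeFragmentUrl(base, msg) {
  return base + '#' + encodeURIComponent(JSON.stringify(msg));
}

// Stand-alone run: two well-formed chunks reassemble; a code-like fragment is
// executed by the risky receiver and rejected by the hardened one.
function demo() {
  const base = 'http://frame.invalid/inbox.html';
  const r = new ChunkReassembler();
  const partial = r.accept(parseFragmentMessage(
    makeFragmentUrl(base, { seq: 0, total: 2, payload: 'hello, ' })));
  const full = r.accept(parseFragmentMessage(
    makeFragmentUrl(base, { seq: 1, total: 2, payload: 'world' })));
  const codeUrl = base + '#' + encodeURIComponent('1+1');
  return {
    partial,                                          // null: not complete yet
    full,                                             // 'hello, world'
    unsafeRan: evalFragmentUnsafe(codeUrl),           // 2: the fragment was executed
    hardened: parseFragmentMessage(codeUrl),          // null: not a message
  };
}

console.log(demo());
```

The point of the contrast is that nothing about the channel itself has to change: the sender still writes blocks into the frame URL. Only the receiver changes, from "whatever arrives is code" to "whatever arrives is checked, bounded data", which is the property that content restrictions of the kind discussed in the thread are trying to enforce from the outside.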