[WEB SECURITY] Importing large code piece into Javascript context without SCRIPT SRC=...

Pilon Mntry pilonmntry at yahoo.com
Mon Oct 17 02:48:27 EDT 2005


Hi Amit,
I, too, was confused when I first read your argument.
It might be clearer if you used evil2.site
instead of target.site in the explanation. Just a
comment.

In the link you gave 
'http://www.gerv.net/security/content-restrictions/'
there is also another kind of restriction about
frames, specifically 'frames-parent', which says 'the
parent is accessible, but not the children'. So, in
such a context, can we still use your code?

But I suppose what you meant to show has a different
aim, namely the 'script' part of the above link.

-pilon

--- Jeremiah Grossman <jeremiah at whitehatsec.com>
wrote:

> 
> On Oct 14, 2005, at 11:05 AM, Amit Klein (AKsecurity) wrote:
> 
> > On 14 Oct 2005 at 10:56, Jeremiah Grossman wrote:
> >
> >> Admittedly, I was a bit confused by what you're trying to achieve
> >> with the code. So, sticking to the question at hand...
> >>
> >> "Importing large code piece into Javascript context without SCRIPT
> >> SRC" ...
> >> I take that to mean not using the HTML syntax... <script
> >> src="http://foo/file.js"></script>
> >>
> >> Here's an idea..
> >>
> >> 1) DOM Programming
> >> var js = document.createElement('script');
> >> js.setAttribute('src', 'http://foo/file.js');
> >> document.body.appendChild(js);
> >>
> >> * same effect, but different style.
> >>
> >
> > Not fair ;-)
> >
> > This will not be allowed (I suppose) by Content-Restrictions that
> > specify no external code (see the link in my original writeup). I
> > think (hope...) that the Content-Restrictions would apply to any JS
> > executed, and to dynamically created HTML (such as the above).
> >
> > And there's also a Content-Restriction against creating/modifying
> > HTML nodes.
> >
> > But yes, I suppose I should have clarified this. So thanks!
> 
> 
> Oh ok, I see what you've done here now. This is quite clever. You're
> basically using the IFRAME URL as a source for receiving JS code,
> which you evaluate later when it becomes available. Nice.
> 
> In my Phishing w/ Superbait talk, I used a similar technique in
> reverse to pass large amounts of data off-domain. 2K blocks at a time.
> 
> 
> Regards,
> 
> Jeremiah-



---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/
