WebApp Sec: Re: [WEB SECURITY] Importing large code piece into Javascript context without SCRIPT SRC=...

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

WebApp Sec mailing list archives

Re: [WEB SECURITY] Importing large code piece into Javascript context without SCRIPT SRC=...

From: "Amit Klein (AKsecurity)" <aksecurity () hotpop com>
Date: Fri, 14 Oct 2005 22:00:08 +0200

On 14 Oct 2005 at 11:14, Jeremiah Grossman wrote:


Oh ok, I see what you've done here now. This is quite clever.


Thanks :-)

You're

basically using the IFRAME URL as a source for receiving JS code,  
which you evaluate later when it becomes available. Nice.


Yep, thanks!

In my Phishing w/ Superbait talk, I used a similar technique in  
reverse to pass large amounts of data off-domain. 2K blocks at a time.


Yes, but there's some difference: in your paper you use the query part of an IMG to move 
data off-domain. You don't face the problem of importing data from off-domain, which is 
slightly harder (I think), if you undertake not to use the script tag (with SRC).

-Amit

By Date By Thread

Current thread:

Re: [WEB SECURITY] Importing large code piece into Javascript context without SCRIPT SRC=... Jeremiah Grossman (Oct 14)
- Re: [WEB SECURITY] Importing large code piece into Javascript context without SCRIPT SRC=... Amit Klein (AKsecurity) (Oct 14)
  - Re: [WEB SECURITY] Importing large code piece into Javascript context without SCRIPT SRC=... Jeremiah Grossman (Oct 14)
    - RE: [WEB SECURITY] Importing large code piece into Javascript context without SCRIPT SRC=... dpw (Oct 14)
    - Re: [WEB SECURITY] Importing large code piece into Javascript context without SCRIPT SRC=... Amit Klein (AKsecurity) (Oct 14)