WebApp Sec
mailing list archives
Re: Importing large code piece into Javascript context without SCRIPT SRC=...
From: "Amit Klein (AKsecurity)" <aksecurity () hotpop com>
Date: Mon, 17 Oct 2005 10:52:27 +0200
Hi
Recently, I've been toying with the somewhat academic
question of whether it is possible to "import" a large
piece of JS code (to be used as XSS payload), given that a
script context is already available, BUT without using
SCRIPT SRC=...
This question is triggered by the "script" keyword of
Gervase Markham's Content-Restrictions suggestion
(http://www.gerv.net/security/content-restrictions/).
Come to think of it, I have another idea. The attacker can use the
document.location itself to provide the payload to its bridge-head. That
is, the attacker can add an unexpected parameter to the URL, populate
it with the payload, and access it in the bridge-head. In fact, it can be
even better: the attacker can use the fragment trick (discussed in my
"DOM Based Cross Site Scripting" paper - http://www.webappsec.org/projects/articles/071105.shtml)
to totally conceal the payload from the application.
So the attack URL will look like:
http://target.site/vulnscript.cgi?injectme=<script>eval(document.location.search.substr(69))</script>#...JS payload here...
This method has two downsides though:
1. It is less inconspicuous - the victim sees a large payload in the URL
(this may be solved by an innocent looking URL that redirects to the attacking
URL).
2. It is restricted by the maximum URL size the browser is willing to handle.
However, unlike the original posting, it does not require injecting another object
(IFRAME, in the original example) and referencing it.
-Amit
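The bridge-head and fragment trick described in the post, seen from the defender's side, as an added example (not code from the post or its author): it shows which part of such a URL a server ever receives, a log-review heuristic for the reflected bridge-head shape, and the output-encoding fix that neutralizes the reflection regardless of where the payload lives. The sample URLs, the parameter name `injectme` and the host `target.site` follow the post's placeholders; the regular expressions and the `payload-goes-here` fragment are assumptions constructed for this example.

```javascript
// Added example, not from the original post. Runs under Node.js (global URL).

// Sample URLs, constructed for this example from the post's placeholders.
const SAMPLE_URL =
  "http://target.site/vulnscript.cgi?injectme=" +
  "<script>eval(document.location.search.substr(69))</script>" +
  "#payload-goes-here"; // placeholder for the fragment-carried payload
const BENIGN_URL = "http://target.site/vulnscript.cgi?injectme=hello%20world";

// What a web server (and its access log) receives is the path and query only.
// The fragment stays inside the browser, which is the concealment the post
// relies on: no server-side filter can ever inspect it.
function serverVisiblePart(urlString) {
  const u = new URL(urlString);
  return { path: u.pathname, query: u.search, fragment: u.hash };
}

// Log-review / WAF-tuning heuristic (assumed patterns): a query parameter that
// both injects a script tag and reads location.* has the shape of the
// bridge-head in the post. Returns the names of the matching parameters.
const SCRIPT_TAG = /<\s*script\b/i;
const LOCATION_READ = /(document\.)?location\.(search|hash|href)/i;
function findBridgeHeadParams(urlString) {
  const u = new URL(urlString);
  const hits = [];
  for (const [name, value] of u.searchParams) {
    if (SCRIPT_TAG.test(value) && LOCATION_READ.test(value)) hits.push(name);
  }
  return hits;
}

// The mitigation that does not depend on seeing the payload: HTML-encode the
// reflected parameter, so "<script>" is emitted as text and never as markup.
function htmlEncode(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Simulated vulnerable vs. fixed reflection of the injected parameter.
function reflectRaw(urlString) {
  return "<p>" + new URL(urlString).searchParams.get("injectme") + "</p>";
}
function reflectEncoded(urlString) {
  return "<p>" + htmlEncode(new URL(urlString).searchParams.get("injectme")) + "</p>";
}

console.log("server sees:", serverVisiblePart(SAMPLE_URL));
console.log("flagged params:", findBridgeHeadParams(SAMPLE_URL));
console.log("raw reflection:", reflectRaw(SAMPLE_URL));
console.log("encoded reflection:", reflectEncoded(SAMPLE_URL));
```

The first function is the point of the post restated for the server owner: whatever sits after `#` never reaches the application, so detection has to key on the reflected bridge-head in the query, and the durable fix is to stop the reflection from becoming markup at all.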