Full Disclosure mailing list archives
Re: [VulnWatch] Cross Domain XMLHttpRequest
From: anurag.agarwal () yahoo com
Date: Fri, 20 Apr 2007 00:16:37 -0700 (PDT)
Not to take anything away from your work but a similar proof of concept has already been displayed before. Check out www.attacklabs.com for a proof of concept of Cross Domain Ajax Sniffer.

Cheers,
Anurag Agarwal
SEEC - An application security search engine
Web: www.attacklabs.com , www.myappsecurity.com
Email : anurag.agarwal () yahoo com
Blog : http://myappsecurity.blogspot.com

----- Original Message ----
From: Michal Majchrowicz <m.majchrowicz () gmail com>
To: vulnwatch () vulnwatch org; vulndiscuss () vulnwatch org; bugtraq () securityfocus com; full-disclosure () lists grok org uk
Sent: Sunday, April 15, 2007 12:14:43 PM
Subject: [VulnWatch] Cross Domain XMLHttpRequest

Due to "security reasons" many Web Browsers don't allow cross domain XMLHttpRequests. In fact this is only troublesome for web developers and not for virus coders/crackers/etc. Some time ago a technique was presented which used the cssText property to perform some cross domain requests. After some research I was able to create an object that has some part of the original XMLHttpRequest's functionality and allows Cross Domain requests. In conclusion Web Browser Developers should allow some limited cross domain XMLHttpRequests. My implementation (MyXMLHttpRequest) uses the script tag but it is possible to use different ones (for instance style). It was tested on all modern web browsers.
PoC: http://sectroyer.110mb.com/
It uses both XMLHttpRequest and MyXMLHttpRequest.
Michal Majchrowicz.
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
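The quoted post reads data across domains by loading a URL through a `<script>` tag instead of XMLHttpRequest, so the server-side defence is to make sure a data endpoint cannot be consumed that way. The following is an added example, not code from either poster or the PoC site: a framework-agnostic guard (function names and the `X-Requested-With` convention are this example's assumptions) that rejects requests a `<script>` include could have made and wraps JSON in a prefix that breaks it as a script.

```javascript
// Added example (not from the thread). Decides whether a JSON endpoint may answer
// a request, using signals that a cross-origin <script src=...> include cannot forge.
const ANTI_HIJACK_PREFIX = ")]}',\n"; // turns the body into a JS syntax error

function classifyRequest(rawHeaders) {
  // Normalise header names (Node's http module already lower-cases them).
  const h = {};
  for (const [name, value] of Object.entries(rawHeaders)) h[name.toLowerCase()] = String(value);

  // Modern browsers mark <script> fetches and cross-site fetches explicitly.
  if (h["sec-fetch-dest"] === "script") return { allow: false, reason: "script include" };
  if (h["sec-fetch-site"] === "cross-site") return { allow: false, reason: "cross-site" };

  // Older browsers send no Sec-Fetch-* headers, so also require a custom header:
  // a <script> tag cannot set one, while XHR/fetch from the site's own pages can.
  if (h["x-requested-with"] !== "XMLHttpRequest") return { allow: false, reason: "no custom header" };
  return { allow: true, reason: "ok" };
}

function buildResponse(rawHeaders, data) {
  const decision = classifyRequest(rawHeaders);
  if (!decision.allow) {
    return { status: 403, headers: { "Content-Type": "text/plain" }, body: "" };
  }
  return {
    status: 200,
    headers: {
      "Content-Type": "application/json; charset=utf-8",
      // Browsers honouring nosniff refuse to execute a non-script MIME type as a script.
      "X-Content-Type-Options": "nosniff",
    },
    body: ANTI_HIJACK_PREFIX + JSON.stringify(data),
  };
}

// Client-side counterpart for the site's own XHR code: strip the prefix before parsing.
function parseGuardedJson(body) {
  if (!body.startsWith(ANTI_HIJACK_PREFIX)) throw new Error("unexpected response body");
  return JSON.parse(body.slice(ANTI_HIJACK_PREFIX.length));
}
```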
