Re: [WEB SECURITY] Importing large code piece into Javascript context without SCRIPT SRC=...

[Jeremiah Grossman <jeremiah () whitehatsec com>]

On Oct 14, 2005, at 11:05 AM, Amit Klein (AKsecurity) wrote:

> On 14 Oct 2005 at 10:56, Jeremiah Grossman wrote:
>
>
> > Admittedly, I was a bit confused by what your trying to achieve with
> > code. So sticking the question at hand...
> >
> > "Importing large code piece into Javascript context without SCRIPT
> > SRC" ...
> > I take to do not use the HTML syntax... <script src="http://foo/
> > file.js"></script>
> >
> > Here's an idea..
> >
> > 1) DOM Programming
> > var js = document.createElement('script');
> > js.setAttribute('src', 'http://foo/file.js&apos;);
> > document.body.appendChild(js);
> >
> > * same effect, but different style.
>
> Not fair ;-)
>
> This will not be allowed (I supposed) by Content-Restrictions that  
> specify no external code
> (see the link in my original writeup). I think (hope...) that the  
> Content-Restrictions
> would apply to any JS executed, and to dynamically created HTMLs  
> (such as the above).
>
> And there's also a Content-Restriction against creating/modifying  
> HTML nodes.
>
> But yes, I suppose I should have clarified this. So thanks!


Oh ok, I see what you've done here now. This is quite clever. You're  
basically using the IFRAME URL as a source for receiving JS code,  
which you evaluate later when it becomes available. Nice.

In my Phishing w/ Superbait talk, I used a similar technique in  
reverse to pass large amounts of data off-domain. 2K blocks at a time.


Regards,

Jeremiah-