WebApp Sec mailing list archives
Re: Importing large code piece into Javascript context without SCRIPT SRC=...
From: "Amit Klein (AKsecurity)" <aksecurity () hotpop com>
Date: Mon, 17 Oct 2005 10:52:27 +0200
Hi

Recently, I've been toying with the somewhat academic question of whether it is possible to "import" a large piece of JS code (to be used as XSS payload), given that a script context is already available, BUT without using SCRIPT SRC=... This question is triggered by the "script" keyword of Gervase Markham's Content-Restrictions suggestion (http://www.gerv.net/security/content-restrictions/).

Come to think of it, I have another idea. The attacker can use the document.location itself to provide the payload to its bridge-head. That is, the attacker can add an unexpected parameter to the URL, populate it with the payload, and access it in the bridge-head. In fact, it can be even better: the attacker can use the fragment trick (discussed in my "DOM Based Cross Site Scripting" paper - http://www.webappsec.org/projects/articles/071105.shtml) to totally conceal the payload from the application. So the attack URL will look like:

http://target.site/vulnscript.cgi?injectme=<script>eval(document.location.search.substr(69))</script>#...JS payload here...

This method has two downsides though:

1. It is less inconspicuous - the victim sees a large payload in the URL (this may be solved by an innocent looking URL that redirects to the attacking URL).

2. It is restricted by the maximum URL size the browser is willing to handle.

However, unlike the original posting, it does not require to inject another object (IFRAME, in the original example) and reference it.

-Amit
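The following is an added example and not part of Amit Klein's post. It illustrates, from the defender's side, the property the post relies on: the fragment of a URL is kept by the browser and never transmitted in the HTTP request, so server-side logs or a request-inspecting filter see only the small bridge-head in the query string and nothing of what follows the "#". The URL splitting uses the standard WHATWG URL API; the marker patterns, the sample URLs and the function names are constructed for this illustration and are not from the post or any real product.

```javascript
// Added example, not from the original post. Splits a URL into the part that
// goes out in the HTTP request line and the part the browser keeps to itself,
// then runs a simple marker check over each so the visibility gap is explicit.

// The request line carries path + query only; the fragment (hash) never leaves
// the browser. This is standard URL semantics, not an assumption.
function splitServerVisible(urlString) {
  const u = new URL(urlString);
  return {
    sentToServer: u.pathname + u.search,
    keptByBrowser: u.hash, // "" when the URL has no fragment
  };
}

// Constructed marker list for this example; a real filter would be broader.
const INJECTION_MARKERS = [
  /<script/i,
  /\beval\s*\(/i,
  /document\.location/i,
  /javascript:/i,
];

// Decode once (if possible) and report which markers match.
function findInjectionMarkers(text) {
  let decoded = text;
  try {
    decoded = decodeURIComponent(text);
  } catch (_) {
    // Malformed percent-encoding: fall back to scanning the raw text.
  }
  return INJECTION_MARKERS.filter((re) => re.test(decoded)).map((re) => re.source);
}

// What each vantage point can observe for one URL. Server-side review only has
// the request line; the fragment findings are reachable only with client-side
// telemetry (for example a CSP violation report or DOM instrumentation).
function reviewUrl(urlString) {
  const parts = splitServerVisible(urlString);
  return {
    serverSideFindings: findInjectionMarkers(parts.sentToServer),
    fragmentPresent: parts.keptByBrowser.length > 0,
    clientSideFindings: findInjectionMarkers(parts.keptByBrowser),
  };
}

// Constructed sample in the shape the post describes: a small bridge-head in the
// query string and a placeholder standing in for whatever follows the "#".
const SAMPLE_BRIDGEHEAD_URL =
  "http://target.example/vulnscript.cgi?injectme=%3Cscript%3Eeval(document.location.search.substr(69))%3C/script%3E#placeholder_fragment";

// Constructed benign URL with an ordinary in-page anchor.
const SAMPLE_BENIGN_URL = "http://target.example/vulnscript.cgi?injectme=hello#section-2";

if (typeof require !== "undefined" && require.main === module) {
  console.log(reviewUrl(SAMPLE_BRIDGEHEAD_URL));
  console.log(reviewUrl(SAMPLE_BENIGN_URL));
}
```

Run under Node: the first review reports the script markers from the query string and confirms a fragment exists, but its client-side findings are empty because only a placeholder sits after the "#"; the second reports nothing on either side. The practical takeaway for log review is that a request line showing only a short eval-based bridge-head is the whole of what the server will ever record, so pairing server logs with a client-side report channel is what closes the gap.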
Current thread:
- Importing large code piece into Javascript context without SCRIPT SRC=... Amit Klein (AKsecurity) (Oct 14)
- <Possible follow-ups>
- Re: Importing large code piece into Javascript context without SCRIPT SRC=... Amit Klein (AKsecurity) (Oct 17)