
Re: [WEB SECURITY] Importing large code piece into Javascript context without SCRIPT SRC=...



Hi Pilon,

On 16 Oct 2005 at 23:48, Pilon Mntry wrote:

> 
> Hi Amit,
> I, too, was confused when I first read your argument.
> It might be clearer if you could use evil2.site
> instead of target.site in the explanation. Just a
> comment.
> 

But target.site is the site which has the XSS hole in it. It is the attacked site, so to 
speak. It is not evil...

> In the link you gave 
> 'http://www.gerv.net/security/content-restrictions/'
> there is also another kind of restriction about
> frames, specifically 'frames-parent', which says 'the
> parent is accessible, but not the children'. So, in
> such a context, can we still use your code?
> 

Good point. My example serves the purpose of showing that in some circumstances, importing 
a large piece of JS code is possible without using SCRIPT SRC=..., and without invoking any 
URL from within the JS code (or adding nodes to the document, writing stuff into the 
document, etc.). A frames restriction may prevent this particular example (I'm not sure 
that the "parent" restriction is too useful in the real world. It seems that the author was 
aiming at the "children" restriction: "children - The children are accessible, but not the 
parent. This allows sites to sandbox same-domain content inside an <iframe>.
HTML: the frames array is accessible, but not parent or top." - but ironically enough, this 
does allow a script to receive data from the mother ship), but what I was pointing at is 
that there are ways to receive data which do not involve SCRIPT SRC=... or accessing 
forms, or creating/modifying HTML elements in the document, and definitely not invoking any 
URL whatsoever from the JS code bridgehead.
And even if the frames="parent"/"none" Content-Restriction is imposed, there may be other 
similar tricks (you'd expect that IMG could be used for the same purpose, but for some 
reason, IE provides me with the original URL when I access the_image.src. Nevertheless, I'm 
pretty sure that it may be possible, e.g. using an OBJECT tag, maybe from other browsers). 
The fact that it's a frame is incidental, in my mind. I hinted at that much in the original 
posting ("I came up with a nice idea, which is abusing any manner of loading HTML content 
(such as IFRAME, new windows, etc.)"). 

> But I suppose what you meant to show has a different
> aim, namely the 'script' part of the above link.
> 

Quite, see above.

Thanks again for your comment,
-Amit


---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/
