Re: [WEB SECURITY] Technical Note by Amit Klein: "Path Insecurity"

["Brian Eaton" <eaton.lists@xxxxxxxxx>]

Hi Amit -

On 3/1/06, Amit Klein (AKsecurity) <aksecurity@xxxxxxxxxx> wrote:
> Hopefully this is obvious, but in order to focus the discussion,
> it is first needed to observe that a window loaded with URL
> http://www.some.site/bar/page1.html can be both fully read and
> fully written by a window opened with
> http://www.some.site/foo/attack1.html, by means of the latter
> incorporating a Javacript code that obtains a handle H for the
> Bar window, and then reads or assigns to
> H.document.body.innerHTML. Likewise the document URL
> (H.document.URL), the history collection of this window
> (H.history - actually, the way to exploit this is to traverse the
> history list via iterative application of the prev() and next()
> operations, each time reading the URL via H.document.URL) and the
> document referrer (H.document.referrer) can be accessed. It
> should be very clear that this is a fundamental security issue,
> enabling Foo to attack Bar and to fool Bar's user easily by
> changing data/events in Bar's page and reading sensitive data off
> the page.

I've spent the past day or two looking at javascript error messages
without being able to get this to actually work.  Are you willing to
share a proof-of-concept?

Regards,
Brian

---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/