Bugtraq mailing list archives
Re: Hotmail security hole - injecting JavaScript using <IMG
From: metal_hurlant () YAHOO COM (Metal Hurlant)
Date: Wed, 5 Jan 2000 11:52:46 +0100
On Wed, 05 Jan 2000, Henrik Nordstrom wrote:
> What is more surprising is why it is so hard to make a JavaScript scrubber filter. The ways javascript may be inserted in HTML are generic, and not tied to any specific tag or attributes. (see Netscape JavaScript client guide, chapter 9)
>
>   <script> </script>
>   <tag attribute="&{javascript_code};">
>   <tag url_attribute="javascript:javascript_code">
>
> Due to the open nature of HTML it is impossible to know all attributes which may contain URLs. And I think it is safe to assume that all attribute values may contain URLs... I can't come up with a practical HTML application where the attribute value "javascript:<something>" makes much sense other than when referring to javascript code to be executed.
Things are a bit more complicated than that:

- javascript code can be placed in a growing number of optional tag parameters (like onmouseover, onload, etc.). The only way to block those is to keep an extensive and up-to-date list of every possible parameter that allows a script to run.
- Netscape supports something called javascript style sheets, which allow javascript to be embedded between <style> tags
- Netscape recognizes mocha: and livescript: urls and treats them like javascript: urls

I'm sure IE has its own share of incompatible and not widely known ways to run scripts.
Everyone thinks Javascript is cool (except maybe some weird security folks), so each new browser version is very likely to have a few new ways to do more cool things in javascript..

Regards,
Henri Torgemane
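
Added example, not part of the original message or thread: a minimal allowlist scrubber in Python that avoids the enumeration problem described above by keeping only listed tags, attributes and URL schemes, so on* handlers, &{...}; values, <script>/<style> bodies and javascript:/mocha:/livescript: URLs are dropped without having to be named. The policy tables, the names `Scrubber` and `scrub`, and the sample input are assumptions made for illustration.

```python
import re
from html import escape
from html.parser import HTMLParser

# Assumed policy for this sketch: anything not listed here is dropped.
ALLOWED = {"a": {"href"}, "img": {"src", "alt"}, "b": set(), "p": set(), "br": set()}
URL_ATTRS, SCHEMES = {"href", "src"}, {"http", "https", "mailto"}
DROP_CONTENT = {"script", "style"}  # element bodies are never echoed
SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.\-]*):", re.I)
SAMPLE = '<p onload="x()">hi <a href="mocha:x()">link</a></p>'  # constructed input

class Scrubber(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip += 1
        if self.skip or tag not in ALLOWED:
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            # Unlisted attributes (every on* handler) and &{...}; values are dropped.
            if name not in ALLOWED[tag] or "&{" in value:
                continue
            # Read the URL scheme with whitespace and control characters removed.
            m = SCHEME_RE.match("".join(c for c in value if ord(c) > 0x20))
            if name in URL_ATTRS and m and m.group(1).lower() not in SCHEMES:
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED and tag not in ("img", "br"):
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))

def scrub(html_text):
    p = Scrubber()
    p.feed(html_text)
    p.close()
    return "".join(p.out)
```

An unterminated <script> or <style> element suppresses everything after it, so malformed input fails closed rather than leaking through.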