WebApp Sec mailing list archives

Re: penproxy accessing javascript?


From: Mads Rasmussen <mads () opencs com br>
Date: Mon, 16 Aug 2004 10:55:32 -0300

Rogan Dawes wrote:

My personal preference would be to script a modification to the javascript itself that is executed in the browser, to expose the keys to you in some appropriate way. For example, when we receive a request for "crypto.js", rather than fetching it from the server, fetch a modified version from the filesystem, and return it to the browser.

Hmm, if the javascript is inlined in the html you would have to substitute the html page. So you are saying you could intercept the browser's request for the page and then enter with your own that would expose the variables in question? That could work when pentesting; however, my concern is that someone develops a trojan to intercept the javascript for a specific page. When it sees the page it will expose the values stored in the javascript variables and send them via ftp or email or something. That's why I wanted to know if something doing that existed, to measure the risk of someone mounting such an attack.

Regards,

Mads

