WebApp Sec mailing list archives
Re: [WEB SECURITY] Importing large code piece into Javascript context without SCRIPT SRC=...
From: "Amit Klein (AKsecurity)" <aksecurity () hotpop com>
Date: Fri, 14 Oct 2005 22:00:08 +0200
On 14 Oct 2005 at 11:14, Jeremiah Grossman wrote:
Oh ok, I see what you've done here now. This is quite clever.
Thanks :-) You're
basically using the IFRAME URL as a source for receiving JS code, which you evaluate later when it becomes available. Nice.
Yep, thanks!
In my Phishing w/ Superbait talk, I used a similar technique in reverse to pass large amounts of data off-domain. 2K blocks at a time.
Yes, but there's some difference: in your paper you use the query part of an IMG to move data off-domain. You don't face the problem of importing data from off-domain, which is slightly harder (I think), if you undertake not to use the script tag (with SRC). -Amit
Current thread:
- Re: [WEB SECURITY] Importing large code piece into Javascript context without SCRIPT SRC=... Jeremiah Grossman (Oct 14)
- Re: [WEB SECURITY] Importing large code piece into Javascript context without SCRIPT SRC=... Amit Klein (AKsecurity) (Oct 14)
- Re: [WEB SECURITY] Importing large code piece into Javascript context without SCRIPT SRC=... Jeremiah Grossman (Oct 14)
- RE: [WEB SECURITY] Importing large code piece into Javascript context without SCRIPT SRC=... dpw (Oct 14)
- Re: [WEB SECURITY] Importing large code piece into Javascript context without SCRIPT SRC=... Amit Klein (AKsecurity) (Oct 14)
- Re: [WEB SECURITY] Importing large code piece into Javascript context without SCRIPT SRC=... Jeremiah Grossman (Oct 14)
- Re: [WEB SECURITY] Importing large code piece into Javascript context without SCRIPT SRC=... Amit Klein (AKsecurity) (Oct 14)