This article is about XSS as a "peaceful atom": let's make evil work for good!
What for?
The simplest example will explain everything:
You are developing a web service that delivers data to other sites (weather, real-time trading data, chat, etc.). You need to organize cross-site data transfer (weather data, trades, chat text) on the client side.
XSS organization methods
- Via iframe tag
- Via script tag
- Via flash <-> javascript
- Through window.name + iframe + form
- Via CSS hack
- Via canvas + img
- Through proxy
Summary table for all methods

| Method | onLoad event | onError event | GET | POST | Disadvantages |
|---|---|---|---|---|---|
| iframe | yes | yes | yes | no | Many elements; browser history entries are created. |
| script | yes | no | yes | no | Creates a script. |
| flash <-> javascript | ? | ? | yes | ? | Extra Flash object. |
| window.name + iframe + form | yes | yes | yes | yes | History entries are created. Some implementations limit the amount of data transferred. |
| css hack | no | yes | yes | no | Extra tag. |
| canvas + img | yes | yes | yes | no | Extra tag; slow decoding. If the user has disabled images, nothing arrives. Plus: data compaction. |
| proxy | yes | yes | yes | yes | A server-side script must be installed. |
Briefly about the implementation of each method
Via iframe tag
An iframe tag is created, events are attached, src is changed, and that's it: the request has gone out.
The data arrives in the body of the iframe document.
It is retrieved via contentWindow. Inside the iframe is a script that executes itself.
Or the data is sent to the parent window via window.postMessage() (HTML5); implementation and example (the article says it is supported only by Opera 9 (it didn't work for me in 9.61), Firefox 3 (works), Safari (works in 4 pre dev)) (thanks to xonix).
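The receiving side of the iframe + postMessage variant, as an added example (not code from the article): the one check that matters on the parent is event.origin, because without it any page that can obtain a reference to your window can push data into it, and the sender must name the parent's origin instead of '*'. ALLOWED_ORIGINS, handleTransportMessage and buildPostMessageCall are names assumed for this example; the event object is constructed here instead of arriving via window.addEventListener('message', ...).

```javascript
// Added example, not the article's code. Origins below are constructed.
const ALLOWED_ORIGINS = new Set(['https://data.example']);

// Parent window side: accept a message only from a known origin, only as a
// string, only if it parses as a JSON object with a string "type" field.
// Returns the parsed object, or null when the message must be dropped.
function handleTransportMessage(event, allowed = ALLOWED_ORIGINS) {
  if (!allowed.has(event.origin)) return null;        // unknown origin: ignore
  if (typeof event.data !== 'string') return null;    // structured clones are not expected here
  let parsed;
  try {
    parsed = JSON.parse(event.data);
  } catch (e) {
    return null;                                      // not JSON: ignore
  }
  if (!parsed || typeof parsed !== 'object' || typeof parsed.type !== 'string') return null;
  return parsed;
}

// Iframe side: build the arguments for parent.postMessage(message, targetOrigin).
// Refusing '*' keeps the data from being delivered to whatever page happens to
// be the parent if the iframe was embedded somewhere else.
function buildPostMessageCall(parentOrigin, payload) {
  if (parentOrigin === '*') throw new Error('targetOrigin must be an explicit origin');
  return { message: JSON.stringify(payload), targetOrigin: parentOrigin };
}

// Worked exchange on constructed data: the iframe builds the call, the parent
// receives a constructed event carrying the same message.
function demo() {
  const call = buildPostMessageCall('https://app.example', { type: 'weather', tempC: -3 });
  const eventFromDataSite = { origin: 'https://data.example', data: call.message };
  const eventFromElsewhere = { origin: 'https://other.example', data: call.message };
  return {
    accepted: handleTransportMessage(eventFromDataSite),
    rejected: handleTransportMessage(eventFromElsewhere),
  };
}

console.log(JSON.stringify(demo()));
```

In a real page the parent registers `window.addEventListener('message', e => handleTransportMessage(e))` and the iframe calls `parent.postMessage(call.message, call.targetOrigin)`; the checks are the same.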
Via script tag
Same as with the iframe. A script tag is created, events are attached, src is changed, and that's it: the request has gone out.
The data arrives in the script body.
The script executes itself. Or the data is extracted from its body (Opera only; added by den1234554321).
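A worked round trip over the script tag, as an added example (not the article's code). Because whatever the server returns runs as script in the page, the two checks a defender wants are on the server side: accept only a callback name matching a strict pattern (otherwise the name itself is a way to put script into the response), and serialize the data with JSON.stringify while escaping `<` and the U+2028/U+2029 line separators. jsonpRegistry, requestViaScript, buildJsonpResponse and deliverScript are names assumed for this example; the browser's script tag is simulated by running the response body in global scope, which is what the tag does.

```javascript
// Added example, not the article's code. URLs and data are constructed.
const CALLBACK_NAME = /^[A-Za-z_$][A-Za-z0-9_$]{0,63}$/;

// Global table that the response script calls into, exactly as a <script>
// would call a global function.
globalThis.jsonpRegistry = {};
let counter = 0;

// Client side: register a single-use callback and build the request URL
// that would go into script.src.
function requestViaScript(baseUrl, params, onData) {
  const name = 'cb' + (++counter);
  globalThis.jsonpRegistry[name] = (data) => {
    delete globalThis.jsonpRegistry[name];   // a late or duplicate response cannot fire it again
    onData(data);
  };
  const query = new URLSearchParams({ ...params, callback: name });
  return { name, url: `${baseUrl}?${query}` };
}

// Server side: refuse callback names that could carry script, and emit the
// data as a JSON literal that is also a safe JS literal.
function buildJsonpResponse(callbackName, data) {
  if (!CALLBACK_NAME.test(callbackName)) {
    return { status: 400, contentType: 'text/plain', body: '' };
  }
  const json = JSON.stringify(data)
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029')
    .replace(/</g, '\\u003c');
  return {
    status: 200,
    contentType: 'application/javascript',
    body: `jsonpRegistry.${callbackName}(${json});`,
  };
}

// Simulates the browser executing the fetched script in global scope.
function deliverScript(body) {
  new Function(body)();
}

// Worked round trip on constructed data.
function demo() {
  let received = null;
  const req = requestViaScript('https://weather.example/data', { city: 'Oslo' },
                               (d) => { received = d; });
  const cbName = new URL(req.url).searchParams.get('callback');
  const res = buildJsonpResponse(cbName, { city: 'Oslo', tempC: -3 });
  deliverScript(res.body);
  return {
    status: res.status,
    received,
    stillRegistered: cbName in globalThis.jsonpRegistry,
  };
}

console.log(JSON.stringify(demo()));
```

Calling into a namespace object (`jsonpRegistry.cb1`) instead of a bare global name is a design choice for this example: it keeps the callbacks out of the page's own global namespace. The server check is what prevents a request like `?callback=alert(1)//` from turning the endpoint into a script injection point for any page that embeds it.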
Flash <-> javascript
Description: www.inattack.ru/article/572.html
Example: eyeonsecurity.org/advisories/flash-demo/demo1.html (if you wait, it shows alerts)
Thanks to @Nuty
window.name + iframe + form
Description and implementation:
habrahabr.ru/blogs/javascript/41669
www.sitepen.com/blog/2008/07/22/windowname-transport
CSS hack
A link tag with rel="stylesheet" is created and an event attached. In the src attribute write somefile.css?options. Now we wait, via a timeout, for the code to arrive...
The code arrives in this format:
```css
#id {
  background-image: url('about:blank#Hello%20World');
}
```
or
```css
#id {
  background-image: url('about:blank?Hello%20World');
}
```
Then, through the DOM, we take everything after about:blank.
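A parser for that format, as an added example (not the article's code): it extracts the payload from a background-image value of either shape shown above, percent-decodes it, and yields nothing for values that are not in the expected shape, so a stylesheet that was not produced by your endpoint cannot be mistaken for data. In the page the value would come from getComputedStyle(element).backgroundImage; here it is a constructed string. decodeCssPayload, parseStylesheet and SAMPLE_CSS are names assumed for this example; parseStylesheet goes a little beyond the article by handling several rules in one stylesheet.

```javascript
// Added example, not the article's code. SAMPLE_CSS is constructed input.
const CSS_VALUE = /url\(\s*(['"]?)about:blank([#?])([^'")]*)\1\s*\)/;

// Returns the percent-decoded payload after about:blank# or about:blank?,
// or null when the value is not in the expected shape or is mis-encoded.
function decodeCssPayload(backgroundImageValue) {
  const m = CSS_VALUE.exec(backgroundImageValue);
  if (!m) return null;
  try {
    return decodeURIComponent(m[3]);
  } catch (e) {
    return null;                        // malformed percent-encoding such as a bare '%'
  }
}

// Parses a stylesheet text made of "#id { ... }" rules into an id -> payload
// map, skipping rules that carry no payload.
function parseStylesheet(cssText) {
  const out = {};
  const rule = /#([A-Za-z0-9_-]+)\s*\{([^}]*)\}/g;
  let r;
  while ((r = rule.exec(cssText)) !== null) {
    const payload = decodeCssPayload(r[2]);
    if (payload !== null) out[r[1]] = payload;
  }
  return out;
}

// Constructed sample: two data-carrying rules and one ordinary rule.
const SAMPLE_CSS = `
#id {
  background-image: url('about:blank#Hello%20World');
}
#other {
  background-image: url("about:blank?city%3DOslo%26temp%3D-3");
}
#plain {
  color: red;
}
`;

console.log(JSON.stringify(parseStylesheet(SAMPLE_CSS)));
```

Browsers normalize the computed value (typically to double quotes), which is why the regex accepts either quote style or none.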
Implementation:
www.tralfamadore.com/2008/08/xsstc-cross-site-scripting-through-css.html
Via canvas + img
An img tag is created and events are attached. In the src attribute write somefile.php?options. We wait for the event that fires when the content arrives.
A PNG-8 image arrives; it is drawn onto a canvas and its contents are read via getImageData(), after which it only remains to decode.
This method has more disadvantages than advantages: the user must have images enabled, and the encoding/decoding process is costly.
Pros: reduced volume (Prototype.js was squeezed from 124Kb to 30Kb).
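The decoding step, as an added example (not the article's code and not the linked implementation): text is packed three bytes per pixel into the R, G and B channels, and decoded back from the RGBA array that getImageData() returns. A three-byte length prefix marks where the data ends so padding pixels are not decoded. The alpha channel is kept at 255 on purpose, because browsers may premultiply alpha and corrupt channel values of partially transparent pixels. encodeToRgba and decodeFromRgba are names assumed for this example; the canvas is replaced by a constructed Uint8ClampedArray.

```javascript
// Added example, not the article's code. Input text is constructed.
const BYTES_PER_PIXEL = 3;   // R, G, B carry data; alpha stays 255

// Produces the RGBA array a canvas of the given width would hold for the
// text, together with the height that was needed.
function encodeToRgba(text, width) {
  const bytes = new TextEncoder().encode(text);
  const payload = new Uint8Array(3 + bytes.length);
  payload[0] = (bytes.length >> 16) & 0xff;          // 3-byte big-endian length prefix
  payload[1] = (bytes.length >> 8) & 0xff;
  payload[2] = bytes.length & 0xff;
  payload.set(bytes, 3);
  const pixels = Math.ceil(payload.length / BYTES_PER_PIXEL);
  const height = Math.ceil(pixels / width);
  const rgba = new Uint8ClampedArray(width * height * 4);
  for (let i = 0; i < width * height; i++) {
    rgba[i * 4] = payload[i * 3] ?? 0;             // out-of-range reads give undefined: pad with 0
    rgba[i * 4 + 1] = payload[i * 3 + 1] ?? 0;
    rgba[i * 4 + 2] = payload[i * 3 + 2] ?? 0;
    rgba[i * 4 + 3] = 255;
  }
  return { rgba, width, height };
}

// Decodes what getImageData(0, 0, width, height).data would return.
// Returns null when the array is too short for the length it announces,
// which is what a truncated or lossy-decoded image looks like.
function decodeFromRgba(rgba) {
  const bytes = [];
  for (let i = 0; i + 2 < rgba.length; i += 4) {
    bytes.push(rgba[i], rgba[i + 1], rgba[i + 2]);   // skip alpha
  }
  if (bytes.length < 3) return null;
  const len = (bytes[0] << 16) | (bytes[1] << 8) | bytes[2];
  if (len > bytes.length - 3) return null;
  return new TextDecoder().decode(Uint8Array.from(bytes.slice(3, 3 + len)));
}

// Worked round trip on constructed text.
function demo() {
  const image = encodeToRgba('Hello, world', 4);
  return { height: image.height, decoded: decodeFromRgba(image.rgba) };
}

console.log(JSON.stringify(demo()));
```

Two caveats for anyone trying this today: the image format must be lossless (the article's PNG-8 is; JPEG would scramble the bytes), and a cross-origin image taints the canvas, so getImageData() throws unless the server sends CORS headers and the img is loaded with the crossorigin attribute, which is the same origin permission this whole trick was trying to avoid needing.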
Decoding implementation:
blog.nihilogic.dk/2008/05/compression-using-canvas-and-png.html
Through proxy
Put a proxy script on the server and send an ordinary XHR through that script to the other domain (PHP's fsockopen can help).
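The check that such a proxy script needs, as an added example (not the article's code and not a PHP script): a proxy that forwards to any URL its caller names becomes a generic request forwarder that can reach hosts inside the server's own network, so the target is resolved against a host allowlist, restricted to https, and refused if it carries credentials. ALLOWED_HOSTS, resolveProxyTarget and decideProxyRequest are names assumed for this example; the actual socket or HTTP call is left out so the decision logic runs stand-alone.

```javascript
// Added example, not the article's code. Host names are constructed.
const ALLOWED_HOSTS = new Set(['weather.example', 'trades.example']);

// Vets a requested upstream URL. Returns { ok: true, target } or
// { ok: false, reason } so the caller can log why a request was refused.
function resolveProxyTarget(requested) {
  let url;
  try {
    url = new URL(requested);
  } catch (e) {
    return { ok: false, reason: 'unparsable' };
  }
  if (url.protocol !== 'https:') return { ok: false, reason: 'scheme' };       // no http:, file:, gopher:, ...
  if (url.username || url.password) return { ok: false, reason: 'credentials' };
  if (!ALLOWED_HOSTS.has(url.hostname)) return { ok: false, reason: 'host' };  // literal IPs and internal names fail here
  if (url.port !== '') return { ok: false, reason: 'port' };                   // only the default port
  return { ok: true, target: url.toString() };
}

// Decides what the proxy endpoint should do for an incoming query string
// such as "url=https%3A%2F%2Fweather.example%2Fdata%3Fcity%3DOslo".
function decideProxyRequest(queryString) {
  const wanted = new URLSearchParams(queryString).get('url');
  if (wanted === null) return { status: 400, reason: 'missing url parameter' };
  const check = resolveProxyTarget(wanted);
  if (!check.ok) return { status: 400, reason: check.reason };
  return { status: 200, forwardTo: check.target };
}

console.log(JSON.stringify(decideProxyRequest('url=' + encodeURIComponent('https://weather.example/data?city=Oslo'))));
```

Resolving the target by hostname against an allowlist, rather than by rejecting known-bad addresses, is the design choice here: a denylist of private ranges is easy to bypass with alternative IP encodings or DNS names that resolve internally, while an allowlist only ever forwards to the handful of data sources the service actually uses.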
PS I hope all browsers will soon comply with the W3C recommendations on cross-site XHR, so that you and I no longer have to do everything through the back door... =)
Firefox 3.1 was first. Internet Explorer 8 was second (through its own XDomainRequest). Added by bolk.