
[Bug 12469] Dynamic Cross-Site Scripting and Page Repainting

From: <bugzilla@jessica.w3.org>
Date: Tue, 12 Apr 2011 11:06:23 +0000
To: public-html-bugzilla@w3.org
Message-Id: <E1Q9bQN-0003fe-FA@jessica.w3.org>
http://www.w3.org/Bugs/Public/show_bug.cgi?id=12469

--- Comment #10 from Simon <simon.young90@live.com> 2011-04-12 11:06:22 UTC ---
Thank you again for your input; I do appreciate it. Though I think we may have
to agree to disagree, as I feel I'm just further reiterating my points.

I will say however, previous exploits require the injection of a script via:

<script src="http://www.externaldomain.com/script.js"></script>

In the case of a stored XSS attack (one that becomes a permanent feature of a
website), this would be an obvious indicator of cross-site scripting.

In my example, script embedding can be a lot more subtle:

<iframe id="mommy" src="http://www.externaldomain.com/randomwebpage.html"
style="visibility:hidden; height:0; width:0"></iframe>

As a result of this same-origin-compliant embedding, it would be harder to
detect any cross-site scripting activity. The corresponding injected <script>
accompanying the iframe does not reference anything that could be deemed
suspicious, because it also complies with the same-origin policy and, being
stored, does not feature in the URL bar of the browser either (another method of
detecting XSS).

Many Thanks,

Simon

Received on Tuesday, 12 April 2011 11:06:28 UTC
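A detection check to set beside the comment above, as an added example that is not code from the original thread or from the W3C bug: a scanner run over stored user content that flags an externally sourced <script> and a hidden cross-origin <iframe> with the same origin comparison, so the iframe variant is no harder to spot than the script variant when the check looks at the resolved origin of src rather than at the URL bar. The site origin (https://www.example.org/), the sample stored content (built from the two snippets in the comment plus a benign same-origin embed and a scheme-less variant) and all function names are assumptions for this example. The scheme-less case is included because a src of the form www.externaldomain.com/... is a relative path and resolves inside the site's own origin, so a scanner that only string-matches the domain name would misclassify it.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumed origin of the site that stores the user content (example value).
SITE_ORIGIN = "https://www.example.org/"

# Constructed sample of stored content: the two snippets from the comment,
# a benign same-origin video embed, and a scheme-less src that resolves
# relative to the site rather than to the external domain.
SAMPLE_STORED_CONTENT = """
<p>Nice post!</p>
<script src="http://www.externaldomain.com/script.js"></script>
<iframe id="mommy" src="http://www.externaldomain.com/randomwebpage.html"
style="visibility:hidden; height:0; width:0"></iframe>
<iframe src="/embed/video/42" style="width:640px;height:360px"></iframe>
<iframe src="www.externaldomain.com/randomwebpage.html" style="display:none"></iframe>
"""


def is_cross_origin(src, page_url):
    """True if src, resolved against page_url, has a different scheme or host."""
    resolved = urlsplit(urljoin(page_url, src))
    page = urlsplit(page_url)
    return (resolved.scheme, resolved.netloc) != (page.scheme, page.netloc)


def is_hidden(attrs):
    """True if the element is hidden via the hidden attribute or inline style."""
    if "hidden" in attrs:
        return True
    decls = {}
    for decl in (attrs.get("style") or "").split(";"):
        if ":" in decl:
            prop, val = decl.split(":", 1)
            decls[prop.strip().lower()] = val.strip().lower()
    if decls.get("visibility") == "hidden" or decls.get("display") == "none":
        return True
    zero = {"0", "0px", "0%"}
    return decls.get("height") in zero or decls.get("width") in zero


class InjectionScanner(HTMLParser):
    """Collects (finding_type, src) for suspicious script and iframe tags."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lowercases attribute names
        src = a.get("src")
        if not src:
            return
        if tag == "script":
            if is_cross_origin(src, self.page_url):
                self.findings.append(("external-script", src))
        elif tag == "iframe":
            cross = is_cross_origin(src, self.page_url)
            hidden = is_hidden(a)
            if cross and hidden:
                self.findings.append(("hidden-cross-origin-iframe", src))
            elif cross:
                self.findings.append(("cross-origin-iframe", src))
            elif hidden:
                self.findings.append(("hidden-iframe", src))


def scan(html, page_url=SITE_ORIGIN):
    """Scan a fragment of stored HTML and return the list of findings."""
    parser = InjectionScanner(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for kind, src in scan(SAMPLE_STORED_CONTENT):
        print(f"{kind}: {src}")
```

The scan reports the external script, the hidden cross-origin iframe, and the scheme-less iframe as a hidden same-origin frame; the visible same-origin video embed produces no finding. Protocol-relative sources (//www.externaldomain.com/...) resolve to the external host and are reported as cross-origin as well.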
