W3C home > Mailing lists > Public > public-html-bugzilla@w3.org > April 2011

[Bug 12469] Dynamic Cross-Site Scripting and Page Repainting

From: <bugzilla@jessica.w3.org>
Date: Wed, 13 Apr 2011 00:14:08 +0000
To: public-html-bugzilla@w3.org
Message-Id: <E1Q9nii-0006C9-7A@jessica.w3.org>
http://www.w3.org/Bugs/Public/show_bug.cgi?id=12469

--- Comment #13 from Simon <simon.young90@live.com> 2011-04-13 00:14:06 UTC ---
Aryeh,

You have not provided any comparison to the quote from my comment. You have
simply just obscured the command document.write(). Though your script could
be injected into a webpage, it is not cross-site scripting but just plain old
code injection. Besides, I have not mentioned obfuscation anywhere...

I will try and briefly define/rephrase the exploit for you. Perhaps then you
can go back to the top and re-read it.

Prior to HTML5 and cross-document messaging, this method of cross-site
scripting was not possible.

By implementing XSS this way, you can make an exploit behave in a seemingly
legitimate manner. What I mean by this in lose terms is: cross-document
messaging is designed to behave this way, so in a stored attack (residing on
the server and then being displayed to users) how do you distinguish between
friend and foe? 

This method of attack also provides the potential to legitimately use multiple
files from the external domain because the iFrames content is of the same
origin. Then via the slave the external domain can also legitimately access
files belonging to the exploited domain by providing appropriate instruction.

In response to:
<quote>It isn't enough to just list how your attack is different from previous
attacks. For the attack to actually be the fault of postMessage(), it has to be
something where no equivalent attack can be performed without using
postMessage(), which is just not the case here.</quote>

This is therefore a Cross-site scripting attack which completely conforms to
the same-origin policy. This was not possible before cross-document messaging.
And at the very least is a new way to implement an XSS attack.

Simon

-- 
Configure bugmail: http://www.w3.org/Bugs/Public/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug.
Received on Wednesday, 13 April 2011 00:14:11 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 7 January 2015 16:31:08 UTC