On 29 Dec 2009, at 13:48, MustLive wrote: > Recently, 26th of December 2009, I wrote the article MouseOverJacking > attacks (http://websecurity.com.ua/3807/), and today I > wrote English version of it (http://websecurity.com.ua/3814/).
Hardly news. If you can inject arbitrary HTML into a web page, there are plenty of ways (many of them easier or more flexible than this) you can get it to run Javascript: - <script> tags, obviously - Binding other events that'll trigger without an event, like onLoad - CSS (either inline, in a <style>, or loaded from another site with <link rel="stylesheet">) containing any of: * Background images loaded with the javascript: protocol * expression() (MSIE only?) * -moz-binding - Embedded objects (say, Flash, using ExternalInterface) None of this is considered particularly novel at this point. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
