On 2009/09/10 16:59:27, MikeSamuel wrote:
http://codereview.appspot.com/115084/diff/1/2
File src/com/google/caja/lang/html/html4-attributes-extensions-defs.json (right):

http://codereview.appspot.com/115084/diff/1/2#newcode16
Line 16: ],
The javascript port scanner at http://www.securiteam.com/exploits/5DP010KJFE.html uses both img.onerror and img.onload. Does this addition enable port scanning, or is onerror required?

hm. for that port scanning technique, it's the onerror handler that's important, because most of the urls tried will not return a valid img. if the onerror fires before the timeout, then it's either connection succeeded or connection refused. if the timeout happens, then the SYN got lost or dropped, or the server is slow or dead. I don't see any particular way onload helps you with portscanning.

I suspect the real issue is construction of urls with arbitrary ports, like it might be possible to do portscanning without onerror or onload by using some other detectable condition when the browser tries to load a url, but I haven't thought of anything yet. but if there is a method, then the place to fix it would be the url policy.

http://codereview.appspot.com/115084
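The reply above points at the URL policy as the right place to close this off: if untrusted markup cannot point an img at an arbitrary host:port pair, the onerror/onload handlers have nothing useful to time. The following is an added example, not code from Caja or from this review, of what such a policy check can look like. It assumes a WHATWG URL parser (Node.js or a modern browser), a hypothetical `checkImageUrl` function name, and a constructed base URL `https://example.invalid/` used only to resolve relative references; the scheme allowlist and the "no explicit port" rule are assumptions about what a sandbox might choose, not Caja's actual policy.

```javascript
// Added example (not Caja's code): a URL policy for image sources that
// refuses any URL carrying an explicit, non-default port. With this in
// front of img.src, whether onload is whitelisted alongside onerror no
// longer matters for the port-probing concern raised in the review.

// Schemes an image source may use; URL.port is '' for these defaults.
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Constructed base used to resolve relative URLs (assumption, not Caja's).
const DEFAULT_BASE = 'https://example.invalid/';

/**
 * Decide whether `candidate` may be used as an image source.
 * Returns { ok: true, href } for accepted URLs and { ok: false, reason }
 * for rejected ones, so the caller can log the rejection reason.
 */
function checkImageUrl(candidate, base = DEFAULT_BASE) {
  let url;
  try {
    url = new URL(String(candidate), base);
  } catch (e) {
    return { ok: false, reason: 'unparseable URL' };
  }

  if (!ALLOWED_SCHEMES.has(url.protocol)) {
    return { ok: false, reason: 'scheme ' + url.protocol + ' not allowed' };
  }

  // The WHATWG parser normalises the scheme's default port (80/443) to '',
  // so any non-empty value here is an explicit, non-default port.
  if (url.port !== '') {
    return { ok: false, reason: 'explicit port ' + url.port + ' not allowed' };
  }

  // Credentials in the authority are never needed for an image fetch.
  if (url.username !== '' || url.password !== '') {
    return { ok: false, reason: 'userinfo not allowed' };
  }

  return { ok: true, href: url.href };
}

/**
 * Apply the policy to a batch of candidate sources and keep only the
 * accepted, normalised hrefs. Useful when rewriting a document's <img>
 * attributes in one pass.
 */
function filterImageUrls(candidates) {
  return candidates
    .map((c) => checkImageUrl(c))
    .filter((r) => r.ok)
    .map((r) => r.href);
}

// Constructed sample inputs for a stand-alone run.
const SAMPLE_SOURCES = [
  'http://example.com/a.png',        // accepted
  'http://example.com:80/a.png',     // accepted: default port normalised away
  'http://10.0.0.1:8080/x',          // rejected: explicit port
  '//example.com:22/x',              // rejected: scheme-relative, explicit port
  'ftp://example.com/x',             // rejected: scheme
  'http://user:pw@example.com/x',    // rejected: userinfo
  '/logo.png',                       // accepted: resolved against the base
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const s of SAMPLE_SOURCES) {
    console.log(JSON.stringify(s), '->', JSON.stringify(checkImageUrl(s)));
  }
}

module.exports = { checkImageUrl, filterImageUrls, SAMPLE_SOURCES };
```

Rejecting on `url.port !== ''` rather than comparing against a list of "bad" ports is deliberate: the parser has already folded the scheme default into the empty string, so the rule needs no port table and cannot be bypassed by spelling the port as `:0080` or similar, which the parser also normalises.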
