So which method should be used? Many people believe XmlHttpRequest does not help XSS malware authors. They argue that attackers have already been able to proactively fetch content using IFRAME remoting.
var iframe = document.createElement('IFRAME');
// have the IFRAME download the content we want to steal
iframe.src = 'http://site.com/AddressBook.php';
// make the IFRAME invisible
iframe.style.cssText = "width:0px; height:0px; border: 0px";
// set our function to call when the IFRAME is done loading
iframe.onload = callbackFunction;
// now add the IFRAME to the DOM
document.body.appendChild(iframe);
In the above code, the attacker dynamically creates an IFRAME whose SRC attribute points to AddressBook.php. AddressBook.php is a web page which contains all the email addresses in a user's address book. The attacker also styles the IFRAME so that it takes up no visible space and has no border around it. This styling renders the IFRAME invisible to the user.
How bad is this for the attacker? Consider CNN's website, http://www.cnn.com/. Using the View Dependencies extension for Firefox, we see that to display CNN fully, an astonishing 363 kilobytes (KB) of data must be downloaded to a user's machine. Only 23 KB of this, about 6% of the total data, is the HTML representing the text on the web page. Since the attacker is trying to extract text, they only care about downloading the HTML. However, because of the way IFRAMEs and the onload event work, the entire page must be downloaded before the attacker can extract data. Let's put this in perspective. Downloading 363 KB of data over a 1 Mbps connection takes approximately 3 seconds. Downloading 23 KB over the same link takes 0.17 seconds, which is 15 times faster. While 3 seconds may not seem like a whole lot of time, you should focus on the 15 times figure. In this scenario, an attacker could request and siphon data from 15 pages using the XmlHttpRequest method for every 1 page retrieved using an IFRAME.
In the interest of fairness, it should be noted that the entire 363 KB of CNN is not downloaded each and every time. CNN implements caching to ensure that certain files do not need to be requested again. However, the browser still sends conditional GET requests. That is, the browser sends a complete GET request which includes an HTTP header telling CNN to return the resource only if it is newer than the version the browser has cached locally. Even if the browser's cached copy is still valid, the server must respond with an HTTP 304 message. This tells the browser to use its local copy. So even if all the local copies of the resources are fresh, some amount of network traffic still has to occur. From the attacker's point of view all of this traffic is a waste because they cannot use it and don't care about it. The bottom line is that using IFRAME remoting to extract content from a web page is always slower than using an XmlHttpRequest. Thus, while IFRAME remoting can be used to siphon confidential data from a user without their knowledge, XmlHttpRequest makes this a much more realistic attack vector. Add the fact that XmlHttpRequest allows access to response headers and (some) modification of the request headers, and XmlHttpRequest is the clear winner over IFRAME remoting in an attacker's toolkit when used for data theft. This may be why nearly all the XSS malware to date uses XmlHttpRequest instead of IFRAME remoting to propagate.
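The traffic argument above also gives a defender something to look for in server logs: a browser that navigates to a page pulls its dependencies (and, as noted, still sends conditional GETs for cached ones, so those requests still show up in the log), whereas an XmlHttpRequest siphon fetches only the HTML documents it wants, back to back. The following is an added example of that detection heuristic, not code from the original post; the log format, session ids, paths and thresholds are all constructed for illustration.

```python
"""Flag sessions that pull many HTML pages in a short window while
fetching none of the subresources (CSS, JS, images) a real browser
navigation would request.  Log format and values are constructed."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: timestamp, session id, method, path.
# sess-A browses normally (page plus dependencies, seconds apart).
# sess-B pulls five HTML pages in two seconds with no dependencies.
SAMPLE_LOG = """\
2006-10-01T12:00:00 sess-A GET /AddressBook.php
2006-10-01T12:00:00 sess-A GET /css/site.css
2006-10-01T12:00:01 sess-A GET /img/logo.gif
2006-10-01T12:00:09 sess-A GET /Inbox.php
2006-10-01T12:00:09 sess-A GET /js/app.js
2006-10-01T12:00:00 sess-B GET /AddressBook.php
2006-10-01T12:00:00 sess-B GET /Inbox.php
2006-10-01T12:00:01 sess-B GET /Contacts.php
2006-10-01T12:00:01 sess-B GET /Sent.php
2006-10-01T12:00:02 sess-B GET /Drafts.php
"""

# Extensions treated as page dependencies rather than HTML documents (assumption).
SUBRESOURCE_EXT = (".css", ".js", ".gif", ".png", ".jpg", ".ico")


def parse_log(text):
    """Parse the constructed log format into (timestamp, session, method, path)."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sess, method, path = line.split()
        entries.append((datetime.fromisoformat(ts), sess, method, path))
    return entries


def is_html_page(path):
    """Anything that is not a known subresource type counts as an HTML page."""
    return not path.lower().endswith(SUBRESOURCE_EXT)


def find_siphoning_sessions(entries, window_seconds=10, min_pages=4):
    """Return session ids that fetched at least min_pages HTML pages inside
    some window of window_seconds without fetching a single subresource
    in that same window."""
    by_session = defaultdict(list)
    for ts, sess, _method, path in entries:
        by_session[sess].append((ts, path))

    flagged = []
    for sess, reqs in by_session.items():
        reqs.sort()
        # Slide a window starting at each request in the session.
        for i, (start, _) in enumerate(reqs):
            pages = subresources = 0
            for ts, path in reqs[i:]:
                if (ts - start).total_seconds() > window_seconds:
                    break
                if is_html_page(path):
                    pages += 1
                else:
                    subresources += 1
            if pages >= min_pages and subresources == 0:
                flagged.append(sess)
                break
    return flagged


if __name__ == "__main__":
    print(find_siphoning_sessions(parse_log(SAMPLE_LOG)))  # ['sess-B']
```

The heuristic is deliberately simple: it does not need to know which pages are sensitive, only that a session is consuming documents faster and more selectively than a person driving a browser would. Thresholds need tuning per site, and a client with everything cached still generates conditional GETs, so the "no subresources at all" condition holds up in practice.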
document.createElement cannot be used, assemble your function call character by character in a string and then eval it. If eval is not allowed, use a
Thanks again to pdp for providing this chance, and happy hacking.
| Method | HTTP methods | Can access response | Can see response headers | Can communicate with any domain |
|---|---|---|---|---|
| Dynamically created HTML Tags | GET | No | No | Yes |
| Image Object | GET | Yes, but only image dimensions | No | Yes |