Comments on: JavaScript Remoting Dangers http://www.gnucitizen.org/blog/javascript-remoting-dangers/ Information Security Think Tank Tue, 06 Jan 2009 04:37:06 +0000 http://wordpress.org/?v=2.7 hourly 1 By: James http://www.gnucitizen.org/blog/javascript-remoting-dangers/comment-page-1/#comment-122422 James Mon, 02 Jun 2008 18:19:30 +0000 http://www.gnucitizen.org/blog/javascript-remoting-dangers#comment-122422 Hello, Can you please clarify how this example works: <pre><code>var iframe = document.createElement('IFRAME'); //have the IFRAME download the content we want to steal iframe.src = 'http://site.com/AddressBook.php); //make the IFRAME invisible iframe.style="width:0px; height:0px; border: 0px" //set our function to call when the IFRAME is done loading iframe.onload = callbackFunction; //now add the IFRAME to the DOM. Document.body.appendChild(iframe);</code></pre> From what I can tell, the above code will only work if this script is included on the site.com domain. iframes prevent access to their data by parent windows of different domain names. Therefore, I don't see how an attacker can access this data? I use this technique in one of my applications to pass data from one website to another, but I have control of both websites. I placed a script tag on domainA from domainB. without access to domainA, I don't see how this can be accomplished. I hope my question is clear. Please email me if it's not as I feel it's important that I understand the security implications of this technique for my product. Thanks, James Hello,

Can you please clarify how this example works:

var iframe = document.createElement('IFRAME');
//have the IFRAME download the content we want to steal
iframe.src = 'http://site.com/AddressBook.php);
//make the IFRAME invisible
iframe.style="width:0px; height:0px; border: 0px"
//set our function to call when the IFRAME is done loading
iframe.onload = callbackFunction;
//now add the IFRAME to the DOM.
Document.body.appendChild(iframe);

From what I can tell, the above code will only work if this script is included on the site.com domain. iframes prevent access to their data by parent windows of different domain names. Therefore, I don’t see how an attacker can access this data?

I use this technique in one of my applications to pass data from one website to another, but I have control of both websites. I placed a script tag on domainA from domainB. without access to domainA, I don’t see how this can be accomplished.

I hope my question is clear. Please email me if it’s not as I feel it’s important that I understand the security implications of this technique for my product.

Thanks,
James

]]> By: Cheat Code » JavaScript Remoting Dangers http://www.gnucitizen.org/blog/javascript-remoting-dangers/comment-page-1/#comment-5242 Cheat Code » JavaScript Remoting Dangers Sat, 24 Feb 2007 14:38:49 +0000 http://www.gnucitizen.org/blog/javascript-remoting-dangers#comment-5242 [...] Original post by pdp and powered by Img Fly [...] [...] Original post by pdp and powered by Img Fly [...]

]]> By: busin3ss http://www.gnucitizen.org/blog/javascript-remoting-dangers/comment-page-1/#comment-3110 busin3ss Thu, 01 Feb 2007 06:07:22 +0000 http://www.gnucitizen.org/blog/javascript-remoting-dangers#comment-3110 awesome article... you guys rock! Keep up the good work awesome article… you guys rock! Keep up the good work

]]> By: pdp http://www.gnucitizen.org/blog/javascript-remoting-dangers/comment-page-1/#comment-3061 pdp Wed, 31 Jan 2007 09:28:13 +0000 http://www.gnucitizen.org/blog/javascript-remoting-dangers#comment-3061 very interesting summary. good stuff. very interesting summary. good stuff.

]]> By: pagvac http://www.gnucitizen.org/blog/javascript-remoting-dangers/comment-page-1/#comment-3033 pagvac Tue, 30 Jan 2007 22:56:16 +0000 http://www.gnucitizen.org/blog/javascript-remoting-dangers#comment-3033 Nice job Acidus! This is a very nice summary of different ways to craft nasty HTTP requests using JavaScript. Nice job Acidus! This is a very nice summary of different ways to craft nasty HTTP requests using JavaScript.

]]>