[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CALx_OUAJOAyFq5H6-2k0oxUAght5y_AXhgUFzjOwaCN_OBJ2_A@mail.gmail.com>
Date: Thu, 8 Dec 2011 01:30:09 -0800
From: Michal Zalewski <lcamtuf@...edump.cx>
To: bugtraq <bugtraq@...urityfocus.com>
Subject: seamless bait-and-switch
Hello world,
Another whimsical browser proof-of-concept:
http://lcamtuf.coredump.cx/switch/
It seems that relatively few people realize that holding a JavaScript
handle to another window (either because we opened it, or because the
window was at some point displaying our content) allows the attacker
to tamper with the location and history objects at will, largely
bypassing the usual SOP controls. With some minimal effort and the
help of data: / javascript: URLs or precached pages, this can be
leveraged to replace content in a manner that will likely escape even
fairly attentive users.
/mz
PS. Obligatory plug: http://lcamtuf.coredump.cx/tangled/
Powered by blists - more mailing lists