full-disclosure - Re: [VulnWatch] Cross Domain XMLHttpRequest

lists.openwall.net		lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC
Open Source and information security mailing list archives

Hash Suite: Windows password security audit tool. GUI, reports in PDF.

[<prev] [next>] [day] [month] [year] [list]

Message-ID: <307746.51047.qm@web56910.mail.re3.yahoo.com>
Date: Fri, 20 Apr 2007 00:16:37 -0700 (PDT)
From: anurag.agarwal@...oo.com
To: Michal Majchrowicz <m.majchrowicz@...il.com>, vulnwatch@...nwatch.org,
	vulndiscuss@...nwatch.org, bugtraq@...urityfocus.com,
	full-disclosure@...ts.grok.org.uk
Subject: Re: [VulnWatch] Cross Domain XMLHttpRequest

Not to take anything away from your work but a similar proof of concept has already been displayed before. Check out www.attacklabs.com for a proof of concept of Cross Domain Ajax Sniffer

Cheers,

Anurag Agarwal

SEEC - An application security search engine
Web: www.attacklabs.com , www.myappsecurity.com
Email : anurag.agarwal@...oo.com
Blog : http://myappsecurity.blogspot.com

----- Original Message ----
From: Michal Majchrowicz <m.majchrowicz@...il.com>
To: vulnwatch@...nwatch.org; vulndiscuss@...nwatch.org; bugtraq@...urityfocus.com; full-disclosure@...ts.grok.org.uk
Sent: Sunday, April 15, 2007 12:14:43 PM
Subject: [VulnWatch] Cross Domain XMLHttpRequest

Due to "security reasons" many Web Browsers doesn't allow cross
domain XMLHttpRequests. In fact this is only troublesome for web
developers and not for virus coders/crackers/etc. Some time ago there
was presetened a technic which used cssText property to perform some
cross domain requests. After some research I was able to create an
object that has some part of original XMLHttpRequests functionality
and allows Cross Domain requests. In conclusion Web Browers
Developpers should allow some limited cross domain XMLHttpRequests. My
implementation (MyXMLHttpRequest) uses script tag but it is possible
to use different ones (for instance style). It was tested on all
modern web browsers.
PoC: http://sectroyer.110mb.com/
It uses both XMLHttpRequest and MyXMLHttpRequests.
Michal Majchrowicz.
Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/