
List:       full-disclosure
Subject:    Re: [Full-disclosure] MouseOverJacking attacks
From:       Andrew Farmer <andfarm () gmail ! com>
Date:       2009-12-31 5:15:55
Message-ID: 2A4A815C-EA3A-47D9-9890-6279EE9CA147 () gmail ! com

On 29 Dec 2009, at 13:48, MustLive wrote:
> Recently, 26th of December 2009, I wrote the article MouseOverJacking
> attacks (http://websecurity.com.ua/3807/), and today I
> wrote English version of it (http://websecurity.com.ua/3814/).

Hardly news. If you can inject arbitrary HTML into a web page, there are plenty of ways (many of them easier or more flexible than this) you can get it to run JavaScript:

- <script> tags, obviously

- Binding other events that'll trigger without an event, like onLoad

- CSS (either inline, in a <style>, or loaded from another site with <link rel="stylesheet">) containing any of:

  * Background images loaded with the javascript: protocol
  * expression() (MSIE only?)
  * -moz-binding

- Embedded objects (say, Flash, using ExternalInterface)

None of this is considered particularly novel at this point.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
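
An added example, not part of the original message: a Python audit pass that flags each of the vectors listed in the reply above when they appear in a fragment of untrusted HTML. The class name, category labels and sample input are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# CSS constructs from the list above that some browsers treat as script.
CSS_PATTERNS = {
    "css-javascript-url": re.compile(r"url\(\s*['\"]?\s*javascript:", re.I),
    "css-expression": re.compile(r"expression\s*\(", re.I),
    "css-moz-binding": re.compile(r"-moz-binding\s*:", re.I),
}
TAG_CATEGORIES = {"script": "script-tag", "object": "embedded-object",
                  "embed": "embedded-object"}

class ScriptVectorAuditor(HTMLParser):
    """Records which script-capable constructs appear in untrusted HTML."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.found = set()
        self._in_style = False

    def _scan_css(self, css):
        self.found.update(n for n, p in CSS_PATTERNS.items() if p.search(css))

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names before calling this.
        if tag in TAG_CATEGORIES:
            self.found.add(TAG_CATEGORIES[tag])
        elif tag == "style":
            self._in_style = True
        for name, value in attrs:
            value = value or ""
            if name.startswith("on"):      # onload, onmouseover, ...
                self.found.add("event-handler")
            elif name == "style":
                self._scan_css(value)
            elif tag == "link" and name == "rel" and "stylesheet" in value.lower():
                self.found.add("external-stylesheet")

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:                 # text inside <style>...</style>
            self._scan_css(data)

def audit(html):
    auditor = ScriptVectorAuditor()
    auditor.feed(html)
    auditor.close()
    return sorted(auditor.found)

# Constructed sample: a user-submitted comment containing two listed vectors.
SAMPLE = '<p onmouseover="x()">hi</p><div style="width: expression(y())">z</div>'
```

A pass like this suits auditing stored content or regression-testing a sanitizer; CSS escapes and comments can evade the regexes, so enforcement belongs in an allowlist sanitizer and output encoding rather than in this check.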

