Paid Advertising is
ha.ckers sla.cking
Q and A for any cross site scripting information. Feel free to ask away. 
Go to Topic: PreviousNext
Go to: Forum ListMessage ListNew TopicSearchLog In
DOM sandbox challenge
Posted by: Gareth Heyes
Date: July 30, 2010 08:13AM

We have a new challenge!

Can you break my DOM sandbox?

More info here:-

It isn't a complete DOM yet but stuff like getElementById, firstChild etc should work. You can set attributes on the HTML element, a onclick event and styles. Past exploits include:-

//Code is already sandboxed so strings would execute (now fixed)

//attributes weren't being checked for evil url assignments
document.getElementById('x').onclick=function() { this.href='javascript:alert(location)';}

Have fun!

"People who say it cannot be done should not interrupt those who are doing it.";
labs : []
blog : []
Hackvertor : []

Options: ReplyQuote

Sorry, only registered users may post in this forum.