Cenzic 232 Patent
Paid Advertising
sla.ckers.org is
ha.ckers sla.cking
Sla.ckers.org
Q and A on cross site request forgeries and breaking into sessions. It's one of the attacks that XSS enables and the attack of the future. For Session, fixations, hijacking, lockout, replay, session riding etc.... 
Go to Topic: PreviousNext
Go to: Forum ListMessage ListNew TopicSearchLog In
SOP Question
Posted by: asilvermtzion
Date: August 06, 2008 06:11AM

If you have a vuln on a subdomain, obviously you can't access the main domain. I know you can circumvent this by setting document.domain on both sides, however when I tested it, if you don't actually manually set document.domain on the target it doesn't work? Perhaps someone could explain the theory behind that.

Also, are there any other ways to meddle with SOP? I know you can hook window.open and execute arbitrary code, but that's not the stealthiest of methods. I saw rsnake mentioning hooking iframes, it still doesn't let you execute so you are relying on the user being stupid enough to type in credentials or whatever it may be.

Options: ReplyQuote


Sorry, only registered users may post in this forum.