The Web Application Hacker’s Handbook Discovering and Exploiting Security Flaws


Chapter 12  ■ Attacking Other Users




403




some means of introducing JavaScript (using 


An alternative method in this situation, which may bypass certain input filters, is to remain within the <input> tag itself but inject an event handler containing JavaScript. For example:

"onfocus="alert(document.cookie)

Note that an onfocus handler fires only when the field actually receives focus, so this payload needs the victim to click or tab into the field; an injected autofocus attribute removes that requirement in browsers that support it.



Example 2

Suppose that the returned page contains the following:

Here, the string you control is being inserted directly into an existing script, inside a single-quoted string literal. To craft an exploit, you can terminate the single quotation marks around your string, terminate the statement with a semicolon, and then proceed directly to your desired JavaScript. For example:

'; alert(document.cookie); var foo='

Note that because you have terminated a quoted string, to prevent errors occurring within the JavaScript interpreter it is necessary to ensure that the script continues gracefully with valid syntax after your injected code. In this example, the variable foo is declared, and a second quoted string is opened, which will be terminated by the code that immediately follows your string. This matters because a syntax error anywhere in the script block prevents the whole block from running, your payload included.

Another method that is often effective is to end your input with // to comment out the remainder of the line. Because a // comment extends only to the end of the line, this works when the closing quote and the rest of the statement sit on the same line as your input.

Example 3

Suppose that the returned page contains the following:

Here, the string you control is being inserted into the src attribute of an <img> tag. On some browsers, this attribute may contain a URL that uses the javascript: protocol, allowing the following straightforward exploit to be used:

javascript:alert(document.cookie);

For an attack that works against all current browsers, you can use an invalid image name together with an onerror event handler:

"onerror="alert(document.cookie)

Current browsers no longer execute javascript: URLs in an image src attribute, so the onerror variant is the one to rely on; it also shows why HTML-encoding the value is the wrong fix for this context, since javascript: contains no character an HTML encoder touches.
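As an added example (not code from the book), the following Node.js script assumes a server-side template for each of the three contexts above, since the page does not show the surrounding markup: an <input value="..."> attribute, a single-quoted string inside a <script> block, and an <img src="..."> attribute. It renders the book's payloads through naive concatenation next to context-aware encoding, then inspects the result the way a browser would: a small attribute tokenizer reports which attributes the tag ends up with, and the script body is executed with a stub alert() and a constructed document.cookie. The template markup, the stub cookie value and the allow-list in safeImageUrl are assumptions.

```javascript
// Added example, not code from the book: Examples 1-3 rendered by an assumed
// naive template, next to context-aware encoding that neutralises the same
// payloads. The surrounding markup is an assumption; the page does not show it.

// The payloads exactly as given in the text.
const PAYLOAD_ATTR = '"onfocus="alert(document.cookie)';
const PAYLOAD_SCRIPT_CONTINUE = "'; alert(document.cookie); var foo='";
const PAYLOAD_SCRIPT_COMMENT = "'; alert(document.cookie); //";
const PAYLOAD_IMG_URL = 'javascript:alert(document.cookie);';
const PAYLOAD_IMG_HANDLER = '"onerror="alert(document.cookie)';

// Vulnerable rendering: the user-controlled string is concatenated straight in.
function renderVulnerable(input) {
  return {
    attr: `<input type="text" name="q" value="${input}">`,
    script: `<script>\nvar a='${input}';\nvar b=123;\n</script>`,
    img: `<img src="${input}">`,
  };
}

// HTML attribute context: entity-encode every character that could close the
// quoted value or start a new attribute.
function encodeHtmlAttr(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// JavaScript string-literal context: escape quotes and backslashes so the
// literal cannot be terminated, line breaks so the statement stays intact,
// and angle brackets so a "</script>" inside the data cannot end the block.
function encodeJsString(s) {
  return String(s)
    .replace(/\\/g, '\\\\').replace(/'/g, "\\'").replace(/"/g, '\\"')
    .replace(/\r/g, '\\r').replace(/\n/g, '\\n')
    .replace(/</g, '\\x3c').replace(/>/g, '\\x3e');
}

// URL attribute context: entity-encoding does not touch "javascript:", so the
// value must be allow-listed (assumption: http(s) or site-relative paths only).
function safeImageUrl(s) {
  const v = String(s).trim();
  const allowed = /^https?:\/\//i.test(v) || /^\/[^\/\\]/.test(v);
  return allowed ? encodeHtmlAttr(v) : '';
}

// Hardened rendering: the same templates with the encoder matching each context.
function renderHardened(input) {
  return {
    attr: `<input type="text" name="q" value="${encodeHtmlAttr(input)}">`,
    script: `<script>\nvar a='${encodeJsString(input)}';\nvar b=123;\n</script>`,
    img: `<img src="${safeImageUrl(input)}">`,
  };
}

// Minimal start-tag tokenizer (quoted and unquoted values, no entity decoding).
// As in a browser, a new attribute may begin right after a closing quote with
// no whitespace, which is exactly what the attribute payloads rely on.
function parseAttributes(tag) {
  const inner = tag.replace(/^<[a-zA-Z][^\s\/>]*/, '').replace(/\/?>$/, '');
  const attrRe = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;
  const attrs = [];
  for (const m of inner.matchAll(attrRe)) {
    attrs.push({ name: m[1].toLowerCase(), value: m[2] ?? m[3] ?? m[4] ?? '' });
  }
  return attrs;
}

// Execute the first <script> block as the interpreter would, with a stub
// alert() that records its argument and a constructed document.cookie.
// A syntax error in the block throws here, as it would abort the block in a browser.
function alertsFired(html) {
  const m = /<script>([\s\S]*?)<\/script>/i.exec(html);
  if (!m) return [];
  const calls = [];
  new Function('alert', 'document', m[1])((msg) => calls.push(msg), { cookie: 'session=deadbeef' });
  return calls;
}

// Walk every payload through both renderings and report what the parser sees.
function demo() {
  const cases = [
    ['attr', PAYLOAD_ATTR], ['script', PAYLOAD_SCRIPT_CONTINUE], ['script', PAYLOAD_SCRIPT_COMMENT],
    ['img', PAYLOAD_IMG_URL], ['img', PAYLOAD_IMG_HANDLER],
  ];
  for (const [ctx, payload] of cases) {
    for (const [label, render] of [['vulnerable', renderVulnerable], ['hardened', renderHardened]]) {
      const html = render(payload)[ctx];
      const seen = ctx === 'script'
        ? `alert() calls: ${JSON.stringify(alertsFired(html))}`
        : `attributes: ${JSON.stringify(parseAttributes(html).map((a) => a.name))}`;
      console.log(`${ctx}/${label}: ${html.replace(/\n/g, ' ')}\n  -> ${seen}`);
    }
  }
}

demo();
```

Run it with node. The attribute cases show the naive template producing a tag with an extra onfocus or onerror attribute, while the encoded value stays inside the single value attribute. The script cases show why the "continue gracefully" advice matters: the interpreter runs the whole block or none of it, and the // variant only works in this template because the closing quote sits on the same line as the injected input. The img case shows that HTML encoding alone is not a fix for a URL attribute, since javascript: survives it untouched and the value has to be allow-listed instead.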



