I thought about this for a long time before the intriguing relationships involved became fully clear to me. I expect many people will fall asleep reading what follows, or will simply skip over the "hundred-odd lines" of code, but if you really want to understand it, try each of my PoCs yourself; it helps a lot (even if it makes your head spin). Please respect the work; typing this many characters was not easy. Technical discussion is welcome, but please don't criticise without having read carefully. @_@
First, to help everyone follow along, let me state up front what this kind of attack can achieve:
1. Cross-domain script execution (IE, Firefox)
2. Turning non-persistent XSS into persistent XSS
3. Cross-page script execution
4. A threat that browsers will find very hard to patch, because it is created by a "feature"
5. There are, of course, some limiting conditions; this article only describes the attack in theory.
So what is "cross iframe"? Simply put, it means nesting iframes so that iframes can access each other's data. Many legitimate web applications use this technique, for example Facebook and Yahoo.
But the security risks that cross-iframe techniques open up are the key point I want to discuss here.
The following is my testing environment:
Windows XP SP2
IE 6 SP2 (I only have IE6, not IE7; please test IE7 yourselves)
Firefox 2.0.0.16
Test domain name:
www.A.com (/1.html, /4.html)
www.B.com (/2.html, /3.html)
This test mainly uses four HTML pages. Keep firmly in mind: 1.html and 4.html are under domain A; 2.html and 3.html are under domain B.
First, let's look at what Cross Iframe is and what it can do.
Rule 1: If two iframes on the same page point at the same domain, they can access each other and operate on each other's page scripts.
On www.A.com there is a page 1.html containing two iframes, which reference two pages on www.B.com. Its code is as follows:
1.html:
Our goal is to call the JavaScript function in iframe tt2_3 from iframe tt2_2.
3.html's code is as follows:
function alertpoc() {
alert("alert POC");
}
2.html's code is as follows:
window.onload = function() {
// reach the sibling iframe through the parent window and call its function
parent.frames["tt2_3"].alertpoc();
}
Now, when you visit http://www.A.com/1.html, the script in iframe tt2_2 (served from www.B.com) runs; it reaches through the parent window to iframe tt2_3 and attempts to call the script function alertpoc(). Because tt2_2 and tt2_3 are both in the www.B.com domain, there is no cross-domain problem between them, and the script is allowed to execute.
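To make Rule 1 concrete from the defender's side, here is an added example (my own code, not from the original post) that models which frames on one page can script each other under the same-origin rule: origins are compared on scheme, host and port, so tt2_2 can reach tt2_3 but neither can reach the www.A.com parent. The frame names and hosts follow the post's setup; the URLs are constructed sample values.

```javascript
// Added example: which iframes on a page can access each other's script?
// Browsers compare the origin (scheme + host + port) of the two documents.
// The URL class (Node.js / browsers) normalises case and default ports
// for us, e.g. http://www.B.com:80 -> http://www.b.com

function originOf(urlString) {
  return new URL(urlString).origin;
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// page: { url, frames: [{ name, url }] }
// For every frame, returns the names of the frames (and "parent") whose
// DOM and script it may access directly via parent.frames[name] / parent.
function scriptableTargets(page) {
  const result = {};
  for (const f of page.frames) {
    const targets = [];
    if (sameOrigin(f.url, page.url)) targets.push('parent');
    for (const g of page.frames) {
      if (g.name !== f.name && sameOrigin(f.url, g.url)) targets.push(g.name);
    }
    result[f.name] = targets;
  }
  return result;
}

// Constructed reproduction of the post's 1.html layout: an A.com page
// embedding two B.com iframes named tt2_2 and tt2_3.
const testPage = {
  url: 'http://www.A.com/1.html',
  frames: [
    { name: 'tt2_2', url: 'http://www.B.com/2.html' },
    { name: 'tt2_3', url: 'http://www.B.com:80/3.html' },
  ],
};

console.log(scriptableTargets(testPage));
// { tt2_2: [ 'tt2_3' ], tt2_3: [ 'tt2_2' ] }  -- neither frame reaches the A.com parent
```

Running the function over your own page's frame list shows at a glance which third-party frames share an origin and can therefore script each other, which is exactly the relationship the attack builds on.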

Rule 2: Domain B can, by using an iframe as a proxy, operate on domain A's scripts or pass messages to it, achieving cross-domain operation.