加入書簽:
最近看到一篇文章寫著插入script tag 到XML file裡面…
又是插來插去= =
好像哪裡都能插一樣= =|||
他的全文如下↓
Firefox is now the browser I like hacking, there’s just so much stuff it can do. I simply don’t have enough time to explore everything, but what I have found was some very interesting XML behavior. I was helping Ronald a while back with a Firefox chrome security flaw and we discussed on slackers that some XML entities in Firefox contain sensitive information which it is possible to read using XHR.
I thought of what other interesting things I could do with XML entities and I found a way of injecting script tags using them. This could have implications if you offer a HTML upload service but you filter out dangerous tags for example. The proof of concept is very basic but displays the method clearly.
轉自The Spanner
其實這很多東西自己以前都玩過自己了XD~
只是那時沒想過寫 blog = =
所以不知道現在才有人發出來 O.O|||
下面提供一個test file , 不具威脅性啦XD~
test file :click me
Tags: inject, xml
本文共有 0 條評論
留下評論: