THP Wisec USH DigitalBullets TheHackersPlace network
The WIse SECurity
.italian
.english
Wisec Home SecSearch Projects Papers Security Thoughts
 
News
Flash Application Testing: A New Vector for XSS and Cross Site Flashing.
IE and Firefox Digest Authentication Request Splitting.
Php import_req_var globals overwrite Advisory.
Subverting Ajax - The Paper.
Adobe Plugin Multiple Vulnerabilities.
[email protected] Congress in Berlin - 29th Dec. 2006 - Subverting Ajax.
SecSearch. Search Engine for Security Community.
Mysql COM_TABLE_DUMP Flaws.
Mysql Anonymous login Flaw.
A new project to stop embed passwords in Php scripts: PassBroker.
MySQL new three vulnerabilities unleashed
PHP shmop safemode bypass
PHP RFC1867 Vuln - POC Released!
Search on Wisec
Google

Security Thoughts

[ Back ]

Thursday, September 23, 2010, 08:37

Chrome Cross-origin property pollution

Last week, while working on the new project about DomXss, I found that Chrome v. 6.0.472.59
had an issue similar to the opener object on IE7.
Specifically, this can be done in spite of the SOP by creating, from an attacker's page, an IFRAME
with the name of the object the other window is trying to access and the overwriting it using JavaScript.
It works on every window reference. An attacker can trigger a Browser Based DOM Xss which will result
in stealing sensitive data, overwrite SOP protected window objects or execute JavaScript in the context
of a legit page.

...Continue reading on Minded Security blog here

Comments:

No comments yet.

 
Comments are disabled

Admin login | This weblog is from www.mylittlehomepage.net

Wisec is brought to you by...

Wisec is written and mantained by Stefano Di Paola.

Wisec uses open standards, including XHTML, CSS2, and XML-RPC.

All Rights Reserved 2004
All hosted messages and metadata are owned by their respective authors.