Firefox is now the browser I like hacking; there is just so much it can do. I simply don’t have enough time to explore everything, but one thing I have found is some very interesting XML behaviour. I was helping Ronald a while back with a Firefox chrome security flaw, and we discussed on slackers that some XML entities in Firefox contain sensitive information which can be read using XHR.
I thought about what other interesting things I could do with XML entities and found a way of injecting script tags using them. This has implications if, for example, you offer an HTML upload service and filter out dangerous tags: a filter that pattern-matches the raw markup never sees the tag, because it only exists once the parser expands the entity. The proof of concept is very basic but displays the method clearly.
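As an added example (not the post’s own proof of concept, which is not reproduced here), the following Python checks show how an upload filter should look at this from the defender’s side: inspect the document after entity expansion instead of scanning raw text, and, more simply, refuse any upload that declares its own entities. The sample document is constructed for the example; the function names are my own.

```python
"""Detect script elements that exist only after XML entity expansion.

Two independent checks an XHTML upload filter can apply:
  1. reject documents that declare any general entity at all;
  2. parse with expansion and walk the resulting tree for script elements.
Both are added example code, not the original post's proof of concept.
"""
import xml.etree.ElementTree as ET
from xml.parsers import expat

# Constructed sample: the script element is carried inside an internal
# entity and only becomes markup when the parser expands &inject;.
SAMPLE = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE html [\n'
    '  <!ENTITY inject "<script>alert(1)</script>">\n'
    ']>\n'
    '<html xmlns="http://www.w3.org/1999/xhtml">'
    '<body>&inject;</body></html>\n'
)

# Constructed benign sample with no DTD and no script element.
CLEAN = (
    '<html xmlns="http://www.w3.org/1999/xhtml">'
    '<body><p>hello</p></body></html>\n'
)


def declared_entities(doc: str) -> list:
    """Return names of general entities declared in the internal DTD subset."""
    names = []
    parser = expat.ParserCreate()

    def on_entity_decl(name, is_parameter, value, base, system_id,
                       public_id, notation_name):
        # Parameter entities only matter inside the DTD; general entities
        # are the ones that can be referenced from document content.
        if not is_parameter:
            names.append(name)

    parser.EntityDeclHandler = on_entity_decl
    parser.Parse(doc, True)
    return names


def script_elements_after_expansion(doc: str) -> list:
    """Parse with entities expanded and return the local name of every
    script element in the resulting tree, namespace stripped."""
    root = ET.fromstring(doc)
    found = []
    for element in root.iter():
        local_name = element.tag.rsplit('}', 1)[-1]
        if local_name.lower() == 'script':
            found.append(local_name)
    return found


def reject_upload(doc: str) -> bool:
    """True if the document should be refused by either check."""
    if declared_entities(doc):
        return True
    return bool(script_elements_after_expansion(doc))


if __name__ == '__main__':
    print('entities declared:', declared_entities(SAMPLE))
    print('script elements after expansion:',
          script_elements_after_expansion(SAMPLE))
    print('reject sample:', reject_upload(SAMPLE))
    print('reject clean:', reject_upload(CLEAN))
```

The first check is the cheap policy: an uploaded page has no legitimate reason to ship an internal DTD subset, so any entity declaration is grounds for rejection. The second check is the one that matters when you must accept richer XML: it lets the parser do the expansion and then inspects what the browser would actually see.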
Comments 8
It works on Opera 9.23 Linux too
Posted 09 Oct 2007 at 3:17 pm

Hehe cool, I’ve not tried it in other browsers
Posted 09 Oct 2007 at 3:36 pm

/me likes it. very clever
Posted 09 Oct 2007 at 7:22 pm

In case you’re curious, Safari 2.0.4 doesn’t like the inject entity:
This page contains the following errors:
error on line 11 at column 46: Entity ‘inject’ not defined
iPhone version shows the alert(1) text itself, but not in a script element.
Posted 09 Oct 2007 at 8:02 pm

@Jordan
Thanks for the info, useful
@thornmaker
Cheers
Posted 09 Oct 2007 at 8:42 pm

This works with WebKit 25438.
Posted 10 Oct 2007 at 4:36 am

Sweeeeet!
Posted 10 Oct 2007 at 9:18 am

Gareth Heyes
Honestly
I developed this months ago, exploited Google Toolbar using this technique. I deserve some credit.
If you are interested about the POC, let me know.
Posted 14 Oct 2007 at 3:55 am