Comments on: Firefox applet fun

By: Gareth Heyes

Gareth Heyes — Wed, 21 May 2008 09:59:53 +0000

@.mario

Thx, I knew about the applet tag insert for a while but I didn’t think it was exploitable. It was good fun to find good luck with the conference

By: .mario

.mario — Wed, 21 May 2008 09:19:54 +0000

Nice stuff Gareth - finally a “real” XSS again Has been a pretty long time. The issues are fixed in the trunk - 0.4.8 as soon as I return from OWASP Europe.

By: Alex

Alex — Tue, 20 May 2008 22:16:07 +0000

I’ve tried some code to access data from within this “iframe”, but you’re right so far. ’til now I didn’t manage to get around the protection.

By: Gareth Heyes

Gareth Heyes — Tue, 20 May 2008 18:57:39 +0000

@Alex

Yeah I thought that might be possible but it appears that the properties can’t be accessed using “this” and the frames array. However if you can prove me wrong then I’d be very interested on how to do it

By: Alex

Alex — Tue, 20 May 2008 18:50:30 +0000

I’ve tested it with the latest FF2. Now it works.
It’s time to try accessing any property or value from outside that “iframe”. Maybe we can bypass the same origin policy and steal userinput from within this “iframe”.

By: Gareth Heyes

Gareth Heyes — Tue, 20 May 2008 14:50:03 +0000

@Alex

Not tried with beta but it works with latest FF2

By: Alex

Alex — Tue, 20 May 2008 14:47:25 +0000

Which version of Firefox did you use ? I tried it with Firefox 3 RC1 and it didn’t work.

By: daniel

daniel — Tue, 20 May 2008 13:37:41 +0000

interesting, damn good find then sir!

By: Gareth Heyes

Gareth Heyes — Tue, 20 May 2008 12:56:45 +0000

@daniel

I ran a test in strict html and it still seemed to work

By: daniel

daniel — Tue, 20 May 2008 12:50:10 +0000

My only issue would be sites that use strict XHTML, this would be rendered useless, no?