Skip to content

Monthly Archives April 2009

Overwriting native functions in javascript

I research a lot of Javascript as part of my job and I’ve been toying with the idea of a perfect native function overwrite. The idea is that you can still call the native function and have control over it but once it’s been defined it cannot be modified only destroyed.
My idea was to redefine [...]

Posted 08 April 2009 Gareth Heyes § Security § javascript Comments (4)

onreadystatechange

I like this event, it’s pretty cool. The reason why it’s interesting from a XSS perspective is that it is executed automatically without user interaction. This is rare in the XSS playground, usually you have to use onerror, onload or onfocus events and they only work in certain circumstances.
I’d better mention that the event [...]

Posted 08 April 2009 Gareth Heyes § Security § xss Comments (3)

Cross browser javascript sandbox

I think I’ve managed to create a good sandboxing system using same origin policy. The only downside is that it uses new windows to prevent top.location assignments. It works by injecting code into another domain (sandbox.businessinfo.co.uk) and executing the code in the context of that domain and returning the result of the code in [...]

Posted 03 April 2009 Gareth Heyes § Security § javascript Comments (5)