[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] MouseOverJacking attacks

To: MustLive <mustlive@xxxxxxxxxxxxxxxxxx>
Subject: Re: [Full-disclosure] MouseOverJacking attacks
From: Andrew Farmer <andfarm@xxxxxxxxx>
Date: Wed, 30 Dec 2009 21:15:55 -0800

On 29 Dec 2009, at 13:48, MustLive wrote:
> Recently, 26th of December 2009, I wrote the article MouseOverJacking
> attacks (http://websecurity.com.ua/3807/), and today I
> wrote English version of it (http://websecurity.com.ua/3814/).

Hardly news. If you can inject arbitrary HTML into a web page, there are plenty 
of ways (many of them easier or more flexible than this) you can get it to run 
Javascript:

- <script> tags, obviously

- Binding other events that'll trigger without an event, like onLoad

- CSS (either inline, in a <style>, or loaded from another site with <link 
rel="stylesheet">) containing any of:

  * Background images loaded with the javascript: protocol
  * expression() (MSIE only?)
  * -moz-binding

- Embedded objects (say, Flash, using ExternalInterface)

None of this is considered particularly novel at this point.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

References:
- [Full-disclosure] MouseOverJacking attacks
  - From: MustLive

Prev by Date: Re: [Full-disclosure] The Game
Next by Date: Re: [Full-disclosure] The Game
Previous by thread: [Full-disclosure] MouseOverJacking attacks
Index(es):
- Date
- Thread