If the third-party code has access to the page’s root DOM but has restrictions on the scripts being loaded, it can execute arbitrary code blocks that have access to the page’s global object.
The premise behind this attack vector is to create script
blocks that can capture user
information, such as site cookies:
var script = document.createElement("script"); script.appendChild( document.createTextNode( var userCookie = document.cookie; //use user cookies ) ); document.body.appendChild(script);
The full code for this sample is available at https://github.com/jcleblanc/programming-social-applications/blob/master/chapter_8/attack_vector_code_execution.js.
Using document.getElement
, you
can create a new script
block, attach
a block of code to hijack user information, and then attach that code to
the body of the DOM to automatically render it, executing the malicious
block within.
3.15.235.188