It's a shampoo world anyway
 
Donnerstag, 16. Februar 2006


Cross Domain XMLHttpRequests are really not a good idea

There was more than one moment in the last month, in which I wondered about the reasons behind the same-origin restriction on the XMLHttpRequest JavaScript object’s destination URL. This restriction effectively prevents JavaScript initiated cross domain http requests. None of the other network aware elements of HTML/JavaScript are subject to such a policy (e.g. images, iframes or scripts).

Finally somebody convinced me: Lucas Carlson describes in a recent Blog entry how cross domain XMLHttpRequests could be employed to subvert firewall protection. A malicious JavaScript executed by a web browser behind a firewall would be able to communicate the content of any http intranet server, which would otherwise be protected by the firewall, to any host on the internet. Such a script is furthermore able to do a complete port scan on the intranet, thus discovering services and further attack targets.

What a pity, cross domain Ajax would be so much fun otherwise.

... Link


 
online for 8426 Days
last updated: 09.04.14, 16:14
status
Youre not logged in ... Login
menu
... home
... topics

... antville home

Februar 2006
So.Mo.Di.Mi.Do.Fr.Sa.
1234
567891011
12131415161718
19202122232425
262728
JanuarMärz
about:
the shampoo world is
the personal weblog of Martin Johns.
recent

xml version of this page

Made with Antville
powered by
Helma Object Publisher




...welcome to the long tail...