Author Topic: Javascript design flaws...  (Read 2154 times)

0 Members and 1 Guest are viewing this topic.

Offline polonus

  • Avast √úberevangelist
  • Probably Bot
  • *****
  • Posts: 32770
  • malware fighter
Javascript design flaws...
« on: February 02, 2009, 04:34:03 PM »
Hi malware fighters,

Many have heard about JS exploits like clickjacking, but there are other  JavaScript design flaws, as the following example shows.... First of all the user clicks on a button/link. Then a new tab/window opens which loads the content of hxxp:// Five seconds later, the newly created tab is preloaded with the content of hxxp:// Disturbing here is the break in trust relationship between the user and and there are various other ways to play out this simple magic... as gnucitizen found.

Code: [Select]
      function clickme() {
        var w ='hxxp://');
        setTimeout(function () {
          w.location = 'hxxp://';
        }, 5000);
    <input type="button" value="click me" onclick="clickme(this)"/>
Just another reason to have NoScript and RequestPolicy inside the Fx browser,

Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!