Arbitrary Code Execution with document.createElement
If the third-party code has access to the page’s root DOM but has restrictions on the scripts being loaded, it can execute arbitrary code blocks that have access to the page’s global object.
The premise behind this attack vector is to create script blocks that can capture user
information, such as site cookies:
var script = document.createElement("script");
script.appendChild(
document.createTextNode(
var userCookie = document.cookie;
//use user cookies
)
);
document.body.appendChild(script);Note
The full code for this sample is available at https://github.com/jcleblanc/programming-social-applications/blob/master/chapter_8/attack_vector_code_execution.js.
Using document.getElement, you
can create a new script block, attach
a block of code to hijack user information, and then attach that code to
the body of the DOM to automatically render it, executing the malicious
block within.
Get Programming Social Applications now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
