Technology share: how to use the Dominator found Nokia(Nokia)the official website of DOM-type XSS vulnerability-vulnerability warning-the black bar safety net

2015-01-22T00:00:00
ID MYHACK58:62201558267
Type myhack58
Reporter 佚名
Modified 2015-01-22T00:00:00

Description

Background

DOM - XSS(cross-site scripting vulnerabilities are generally more difficult to find in this article The authors use the Dominator to find and use a Nokia(Nokia)OVI official website of the DOM XSS, which reminds me of the brother of that artifact:)

Description

Last year, the authors found and reported a http://store.ovi.com/ high-risk DOM XSS, the http://store.ovi.com/ use the H5 CORS to access web page resources and rendering the DOM, so that it's URL is generally following this form:

http://store.ovi.com/#/applications?categoryId=14

DIV of resources through the location. hash specified, the authors used a Dominator ran it, found the following results:

!

The upper figure shows the Find a control point: location. hash, and is by XMLHR. open to load resources, just the address with chrome open, found that the console output is as follows:

[1] [2] [3] next