Technology share: how to use Dominator to find a DOM-based XSS vulnerability on Nokia's official website

ID MYHACK58:62201558267
Type myhack58
Reporter anonymous (佚名)
Modified 2015-01-22T00:00:00



DOM-based XSS (cross-site scripting) vulnerabilities are generally harder to find. In this article the author uses Dominator to find and exploit a DOM XSS on Nokia's OVI official website, which reminds me of that fellow's handy tool :)


Last year the author found and reported a high-risk DOM XSS. The page used HTML5 CORS requests to fetch web page resources and render them into the DOM, so its URLs generally took the following form:

The resource loaded into the DIV is specified through location.hash. The author ran the page through Dominator and found the following results:


The figure above shows that Dominator found a control point, location.hash, whose value reaches XMLHttpRequest.open to load the resource. Opening that address in Chrome, the console output was as follows:
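The pattern Dominator flagged (location.hash chooses what XHR loads, and the response lands in a DIV) is shown below as an added example that is not the article's or the Nokia site's code, with the unsafe resolver next to a hardened one that treats the fragment only as an allowlist key and renders the response as text. The function names, the `ALLOWED_FRAGMENTS` table, the `/fragments/...` paths and the `content` element id are this example's own assumptions.

```javascript
// Constructed example of a fragment-driven loader: the unsafe pattern
// (fragment used directly as the XHR target) beside a hardened one.

// Resources the page is actually allowed to load. The fragment is only a
// key into this table, never a path or URL in its own right.
const ALLOWED_FRAGMENTS = Object.freeze({
  about: '/fragments/about.html',
  help: '/fragments/help.html',
});

// Unsafe: the user-controlled fragment becomes the fetch target unchanged.
// Returned as a string here so the sink is visible in a test; the real page
// would hand it straight to xhr.open().
function unsafeTarget(hash) {
  return hash.replace(/^#/, '');
}

// Hardened: accept only a short identifier and map it through the allowlist;
// anything else (paths, other origins, prototype names) resolves to null.
function resolveFragment(hash) {
  const key = hash.replace(/^#/, '');
  if (!/^[a-z][a-z0-9_-]{0,31}$/.test(key)) return null;
  return Object.prototype.hasOwnProperty.call(ALLOWED_FRAGMENTS, key)
    ? ALLOWED_FRAGMENTS[key]
    : null;
}

// Render the fetched body as text, never as markup, so even a wrong or
// tampered response cannot turn into a DOM XSS. `el` is a real element or
// the stub below (anything with textContent/innerHTML).
function renderInto(el, body) {
  el.textContent = body; // deliberately not el.innerHTML = body
  return el;
}

// Minimal stand-in for a DIV so the example also runs outside a browser.
function makeStubDiv() {
  return { textContent: '', innerHTML: '' };
}

// Resolve, fetch and render; resolves to false when the fragment is refused.
function loadFragment(fetchFn, div, hash) {
  const path = resolveFragment(hash);
  if (path === null) { renderInto(div, 'Unknown section'); return Promise.resolve(false); }
  return fetchFn(path).then((body) => { renderInto(div, body); return true; });
}

// Browser wiring only (skipped under Node): same-origin fetch on hash change.
if (typeof window !== 'undefined') {
  const div = document.getElementById('content');
  const get = (p) => fetch(p, { credentials: 'same-origin' }).then((r) => r.text());
  window.addEventListener('hashchange', () => loadFragment(get, div, location.hash));
  loadFragment(get, div, location.hash);
}
```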

