
Rich Cannings, Himanshu Dwivedi, Zane Lackey, and Alex Stamos

"Hacking Exposed Web 2.0: Web 2.0 Security Secrets and Solutions"




Step 1 uses an iframe named WebmailIframe to load http://webmail.foo.com/ViewContacts, which is a call in the webmail application to gather the user's contact list. Step 2 waits 1 second and then runs the JavaScript function doEvil(). The delay ensures that the contact list has been loaded in the iframe. After some assurance that the contact list has been loaded in the iframe, doEvil() attempts to access the data from the iframe in Step 3. If the same origin policy were broken or did not exist, the attacker would have the victim's contact list in the variable victimsContactList. The attacker could then send the contact list to the evil.com server using JavaScript and the form in the page.
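As an added illustration (not code from the book), the following JavaScript models the origin comparison a browser performs before it lets doEvil() read the WebmailIframe document; the Frame class, the constructed contact list and the helper names are assumptions made for this example.

```javascript
// Origins are the (scheme, host, port) tuple. Default ports are normalised
// so that http://a.com and http://a.com:80 compare equal.
function originOf(url) {
  const u = new URL(url);
  const defaultPorts = { 'http:': '80', 'https:': '443' };
  const port = u.port || defaultPorts[u.protocol] || '';
  return `${u.protocol}//${u.hostname.toLowerCase()}:${port}`;
}

function sameOrigin(urlA, urlB) {
  return originOf(urlA) === originOf(urlB);
}

// Minimal stand-in for an <iframe>: the URL it loaded and the text of the
// document it holds (assumed shape, for this example only).
class Frame {
  constructor(url, documentText) {
    this.url = url;
    this.documentText = documentText;
  }
}

// What the browser does when a script running at callerUrl evaluates
// frame.contentWindow.document: the read succeeds only for a same-origin frame,
// otherwise a SecurityError is raised and no data is returned.
function readFrameDocument(callerUrl, frame) {
  if (!sameOrigin(callerUrl, frame.url)) {
    throw new Error('SecurityError: blocked by same-origin policy');
  }
  return frame.documentText;
}

// Scenario from the text: the attacker's page at evil.com embeds the webmail
// contact list in an iframe and doEvil() tries to read it.
const CONTACTS = 'alice@foo.com,bob@foo.com'; // constructed sample data
const webmailFrame = new Frame('http://webmail.foo.com/ViewContacts', CONTACTS);

function doEvilOutcome() {
  try {
    readFrameDocument('http://evil.com/index.html', webmailFrame);
    return 'leaked';   // would only happen if the policy were broken
  } catch (e) {
    return 'blocked';  // the expected result in a correctly behaving browser
  }
}
```

Scheme, host and port all have to match: a script on http://webmail.foo.com may read the frame, while https://webmail.foo.com or http://foo.com may not.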
The attacker could make matters worse by using cross-site request forgery (CSRF) to send e-mails on behalf of the victimized user to all of his or her contacts. These contacts would receive a seemingly legitimate e-mail that appeared to be sent from their friend, asking them to click http://www.

