Monday, August 06, 2007

Morfi! the Human readable+HTML+JavaScript file all in one..

Here I present a file that will appear different depending on which application you open it.
As plain text, it will describe how it works, as HTML, it will define XSS, and as JavaScript
it will pop up a simple alert(document.cookie+window.location); XSS PoC.

Opened as plain text (just reading the words in the code):

This HTML file is a PoC on how complex the HTML and JavaScript code can get and
here, with the use of style and changing the visibility to hidden on some non
style elements, we will hide and show some parts of js code and HTML, we will also make
Function and a javascript alert that shows a document cookie and the window location, a
script that takes as src the same file, and executes the code inside the script
and a HTML file that is also XML valid, and will define XSS.

Opened as JavaScript:


Opened as HTML in Firefox:

this, "the attack based on accessing and modifying a webpage in the context of other domain" is the function of XSS attacks.

It will also show an alert, produced by including itself as a javascript script.

This was submitted for The Month of Hacker Folklore at GNUCITIZEN.