If the third-party code has access to the page’s root DOM but has restrictions on the scripts being loaded, it can execute arbitrary code blocks that have access to the page’s global object.
The premise behind this attack vector is to create
script blocks that can capture user
information, such as site cookies:
var script = document.createElement("script"); script.appendChild( document.createTextNode( var userCookie = document.cookie; //use user cookies ) ); document.body.appendChild(script);
The full code for this sample is available at https://github.com/jcleblanc/programming-social-applications/blob/master/chapter_8/attack_vector_code_execution.js.
can create a new
script block, attach
a block of code to hijack user information, and then attach that code to
the body of the DOM to automatically render it, executing the malicious