Programming Social Applications by Jonathan LeBlanc

Arbitrary Code Execution with document.createElement

If the third-party code has access to the page’s root DOM but has restrictions on the scripts being loaded, it can execute arbitrary code blocks that have access to the page’s global object.

The premise behind this attack vector is to create script blocks that can capture user information, such as site cookies:

var script = document.createElement("script");
script.appendChild(
   document.createTextNode(
      // createTextNode takes a string, so the injected code is passed as text
      "var userCookie = document.cookie;" +
      "//use user cookies"
   )
);
document.body.appendChild(script);

Using document.createElement, you can create a new script block, attach a block of code to hijack user information, and then attach that block to the body of the DOM, where it is rendered automatically and the malicious code within is executed.
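One defensive counterpart to the pattern above, as an added example that is not from the book: instead of the real document, the host page hands third-party code a facade whose createElement only builds allowlisted tags. The names makeGuardedDocument and ALLOWED_TAGS are hypothetical, and the sketch assumes the guest code has no other reference to the real document.

```javascript
// Added example; all names are hypothetical. Assumes the guest never sees the real `document`.
const ALLOWED_TAGS = new Set(["div", "span", "p", "ul", "ol", "li", "em", "strong"]);
function makeGuardedDocument(realDocument, mountPoint, onViolation) {
  const realNodes = new WeakMap(); // wrapper -> real node, unreachable from guest code
  function wrap(node) {
    const wrapper = Object.freeze({
      // textContent never parses markup, so guest text cannot become an element.
      setText(text) { node.textContent = String(text); },
      append(child) {
        const real = realNodes.get(child);
        if (!real) throw new TypeError("append() only accepts nodes made by this facade");
        node.appendChild(real);
      },
    });
    realNodes.set(wrapper, node);
    return wrapper;
  }
  return Object.freeze({
    root: wrap(mountPoint), // the guest can only attach under this subtree
    createElement(tagName) {
      const tag = String(tagName).toLowerCase();
      if (!ALLOWED_TAGS.has(tag)) {
        onViolation({ api: "createElement", tag }); // report for logging or alerting
        throw new Error("createElement('" + tag + "') is not permitted for third-party code");
      }
      return wrap(realDocument.createElement(tag));
    },
  });
}

// Constructed stand-in for the browser DOM so the example also runs under Node.
function makeStubDocument() {
  const makeNode = (tag) => ({
    tagName: tag, textContent: "", children: [],
    appendChild(child) { this.children.push(child); return child; },
  });
  return { body: makeNode("body"), createElement: makeNode };
}

function demo() {
  const doc = makeStubDocument(), violations = [];
  const guest = makeGuardedDocument(doc, doc.body, (v) => violations.push(v));
  const p = guest.createElement("p");
  p.setText("widget output");
  guest.root.append(p);
  let blocked = false;
  try { guest.createElement("SCRIPT"); } catch (err) { blocked = true; }
  return { blocked, violations, rendered: doc.body.children.map((n) => n.tagName) };
}
```

A facade like this is one layer only: a Content Security Policy without 'unsafe-inline' stops inline script blocks from executing, and HttpOnly cookies are not readable through document.cookie.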
