I am experimenting with cross site scripting. I have a website which allows users to insert comments and view them on the website. The website filters the string “script” though from the comment but it allows iframes. I understand that I could embed an iframe that points to a website that I craft and I can run whatever script I wish. My question is: will my iframe script be able to read cookies initiated by the original website? I have tried alert(document.cookie) but it shows an alert with nothing in it. The original website always sets a cookie though when a client requests it. Any idea what I am missing?
I am experimenting with cross site scripting. I have a website which allows users
Share
Both the surrounding page need to come from the same domain. This is limited by the Same Origin Policy, which states that a script in one frame may only access data in another frame given they are on the same protocol, have the exact same domain name and are running on the same port. It can be slightly relaxed by setting document.domain to the top level domain in both frames, and thus allowing frames from subdomain to communicate.
You could though try to input , though that may be blocked in newer browsers.
Limiting script is however not enough to stop XSS. There are many many other ways. See http://html5sec.org and http://ha.ckers.org/xss.html