There have been a few articles in the past on working around same-domain policies. I kinda' disregarded them in the past because they still require an XSS injection point, and there are other things that are still effective with XSS.
But a coworker today dinged me about trying to make an OTP proxy using a single XSS point. So I did a little futzing around with the DOM, and when the page loaded, replaced the submit button with a new button that evades same-domain by generating a <script> tag sourced from the attacker's site, with the form's field values passed along as parameters.
While I was shocked at how easy it was, it still doesn't paralyze me with fear. Here's why:
1. It still requires an XSS injection point. No XSS, no problem.
2. Said XSS injection point would, in a perfect world, have to exist on the page that renders the form you want to steal (more for those of you who are telling me "now just a minute, buster!").
3. Because of 1 and 2, there are other, really effective and really simple things to do. Most notably, if I've got a victim user who will click on anything, they'll at some point ignore the site and give up OTPs to the attacker's site rather than to the real site anyway, right?
So, it was a fun exercise, but not really as scary as the posts I've seen make it out to be.
For those of you who are developers, there's nothing new here - just get rid of all your XSS flaws. Er... ahem... Do output filtering on everything, then you won't need to worry about all this chaos.
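As an added example (not code from the original post), here is the output filtering that last paragraph recommends, applied to a page that renders an OTP form and reflects untrusted values; the function names, field names and inputs are illustrative and constructed for this demo.

```javascript
// Illustrative names; this is an added example, not code from the post.
const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;",
  '"': "&quot;", "'": "&#x27;", "/": "&#x2F;",
};

// Encode untrusted data for an HTML text or double-quoted attribute context.
// Once < > & " ' are entities, the value cannot open a <script> tag or close
// the quoted attribute it sits in, which is what the injection in the post needs.
function encodeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"'\/]/g, (c) => HTML_ESCAPES[c]);
}

// Renders the OTP entry page. Both inputs are untrusted: `message` is reflected
// from the query string, `username` was carried over from the previous step.
// `encode: false` models the XSS flaw the post relies on; the default is the fix.
function renderOtpForm({ message, username }, { encode = true } = {}) {
  const m = encode ? encodeHtml(message) : message;
  const u = encode ? encodeHtml(username) : username;
  return [
    `<p class="notice">${m}</p>`,
    `<form method="post" action="/verify">`,
    `  <input type="hidden" name="user" value="${u}">`,
    `  <input type="text" name="otp" autocomplete="off">`,
    `  <input type="submit" value="Verify">`,
    `</form>`,
  ].join("\n");
}

// Constructed inputs in the shape the post describes: a script sourced from
// another site, and a quote breakout that would add an event handler.
const CONSTRUCTED_INPUT = {
  message: '<script src="//attacker.example/steal.js"></script>',
  username: 'alice" onfocus="doSomething()',
};

// Test oracle for this demo only (not a sanitizer): does the rendered page still
// contain a script tag, or an attribute that broke out of its quotes?
function hasActiveMarkup(html) {
  return /<script\b/i.test(html) || /"\s+on\w+\s*=/i.test(html);
}

console.log("unencoded page has active markup:",
  hasActiveMarkup(renderOtpForm(CONSTRUCTED_INPUT, { encode: false })));
console.log("encoded page has active markup:  ",
  hasActiveMarkup(renderOtpForm(CONSTRUCTED_INPUT)));
```

The same form, rendered with and without encoding, shows why the flaw is a rendering problem rather than a browser problem: with the values encoded, the injected markup is displayed as text and the submit button stays the one the developer shipped.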