|
|
|
|
|
|
by jpxxx
4996 days ago
|
|
|
Fake and malicious URLS can be filtered against and intercepted. This trick dodges those systems... but it still requires a malicious 'source' page to serve it up. Hrm. I imagine all of the payload (save for the return trip) could be put into innocent looking client-side Javascript, but that doesn't get around the fact that someone's still got to serve the JS... |
|
|
This API means that if a malicious JS can be executed, it's game over for a number of defenses that only communicate visually.