DIY Widgets - How to embed XSS Components of your site on another site

Dr Nic Williams has written up a tutorial on how to embed your components on another site using a XSS approach instead of an iframe one. The run-thru of what will happen The user will load up the webpage (e.g. Ajaxian mock page) that has a small < script src="http://yoursite.com/magic_xss.js”></script > snippet in it [2]. When […]

Dr Nic Williams has written up a tutorial on how to embed your components on another site using a XSS approach instead of an iframe one.

The run-thru of what will happen

The user will load up the webpage (e.g. Ajaxian mock page) that has a small < script src="http://yoursite.com/magic_xss.js”></script > snippet in it [2]. When the page is loaded, the magic_xss.js file is loaded too. The user doesn’t know nor care.

When the magic_xss.js file is loaded it will do a couple of things:

  1. Install any stylesheets it needs
  2. Insert an empty, invisible HTML element into the page (e.g. <div id="my_magic_xss" />).
  3. Read in any variables (e.g. Google Adsense requires the website owner to specify a number of variables, such as google_ad_format)
  4. Fetch any additional Javascript files or data. This is where even more dynamic magic can be performed. When requesting the additional data, you could pass back the current document’s URL or the current users’s IP address, and the webserver could return data that is relevant to that URL or IP address/geographic location. Clever, eh.
  5. Insert new HTML into the #my_magic_xss element based on the data that is returned from your own server. Your server - not the host website’s server.
    Continue for more info....

ajaxian

DIY Widgets, How to embed, XSS, Components, of your site on another site