diTii.com Digital News Hub



DIY Widgets – How to embed XSS Components of your site on another site

Dr Nic Williams has written up a tutorial on how to embed your components on another site using an XSS (cross-site scripting) approach instead of an iframe one.

The run-thru of what will happen

The user will load up the webpage (e.g. Ajaxian mock page) that has a small `<script src="https://yoursite.com/magic_xss.js"></script>` snippet in it [2]. When the page is loaded, the magic_xss.js file is loaded too. The user doesn’t know or care.

When the magic_xss.js file is loaded it will do a couple of things:

  1. Install any stylesheets it needs

  2. Insert an empty, invisible HTML element into the page (e.g. <div id="my_magic_xss" />).

  3. Read in any variables (e.g. Google Adsense requires the website owner to specify a number of variables, such as google_ad_format)

  4. Fetch any additional JavaScript files or data. This is where even more dynamic magic can be performed. When requesting the additional data, you could pass back the current document’s URL or the current user’s IP address, and the webserver could return data that is relevant to that URL or IP address/geographic location. Clever, eh.

  5. Insert new HTML into the #my_magic_xss element based on the data that is returned from your own server. Your server - not the host website’s server.
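The five steps above, sketched as an added example (not code from the tutorial or from this site). Because the script runs with the host page's full privileges, the returned data is written with `textContent` and link schemes are checked rather than inserting raw HTML. The `/widget.css` and `/data` paths, the `my_magic_format` variable, the `{title, link}` response shape and the use of a CORS-enabled `fetch` are assumptions.

```javascript
// Added sketch of magic_xss.js; paths, my_magic_format and the response shape are assumed.
const WIDGET_ORIGIN = "https://yoursite.com";

// Allow only http(s) links from the data server into the host page.
function safeLink(url) {
  if (typeof url !== "string") return null;
  try {
    const u = new URL(url, WIDGET_ORIGIN);
    return u.protocol === "https:" || u.protocol === "http:" ? u.href : null;
  } catch (e) {
    return null;
  }
}

// Step 5: build content from DOM nodes and textContent instead of innerHTML,
// so markup in the returned data is displayed as text, not parsed by the host page.
function renderWidget(doc, container, data) {
  const a = doc.createElement("a");
  a.textContent = String(data.title);
  const href = safeLink(data.link);
  if (href) a.setAttribute("href", href);
  container.appendChild(a);
  container.style.display = "block";
  return a;
}

async function loadWidget(doc, win, fetchFn) {
  // Step 1: install the widget's stylesheet.
  const css = doc.createElement("link");
  css.setAttribute("rel", "stylesheet");
  css.setAttribute("href", WIDGET_ORIGIN + "/widget.css");
  doc.head.appendChild(css);
  // Step 2: insert an empty, invisible container.
  const box = doc.createElement("div");
  box.id = "my_magic_xss";
  box.style.display = "none";
  doc.body.appendChild(box);
  // Step 3: read a variable set by the host page (like google_ad_format).
  const format = String(win.my_magic_format || "default");
  // Step 4: fetch data from the widget's own server, passing the document URL.
  const query = "?format=" + encodeURIComponent(format) +
    "&url=" + encodeURIComponent(doc.location.href);
  const res = await fetchFn(WIDGET_ORIGIN + "/data" + query);
  return renderWidget(doc, box, await res.json());
}

// Run automatically only when loaded in a browser page.
if (typeof document !== "undefined") loadWidget(document, window, fetch);
```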