2015/05

XSS subdomain escape write-up (on Dropbox)

First, I think many people know that an HTML file uploaded to Dropbox is displayed rendered, without any escaping. This means that if we write JavaScript code into the HTML file, we can easily execute it on the HTML page without any problem. But the script is executed on a sandbox domain, dl-web.dropbox.com. The important session is an HttpOnly cookie, so we can't easily stea..