DOM Race Conditions

It is interesting to note, when playing with the onUnload event handler, that both Firefox and IE make requests and retrieve responses while the DOM is still set on the previous domain.

This got me toying with the idea of a timing attack to bypass the same-origin policy. The basic idea behind this attack is to utilise the difference in timing between the DOM and the browser’s network API. I did not succeed in this endeavour, but the concept was cool. Bringing race condition vulnerabilities to the browser context would truly open the *nyx boys’ eyes.

What I did find was that it is possible to kill IE7 :)

DNS pinning hacks seem unreliable and very targeted. I am in search of something more flexible and powerful to enable cross-domain, bi-directional XSS capabilities. For now these lie in compromising browser plugins (Greasemonkey scripts etc.), or in third-party applications.

1 Comment so far

  1. David Kierznowski @ January 20th, 2007

    I found this today. It seems like this type of vulnerability has been exploited in the past:

    http://www.juniper.net/security/auto/vulnerabilities/vuln905.html
