Security Information and Review

Collection of security information and review

Web Based Application and Basic Cross Domain Security

Author : Admin

Cross-domain security issues deserve attention from everyone involved, whether client, site owner or web application developer. A cross-domain vulnerability allows an attacker to access private data of a client from another site open in the same browser. We will take a case to clarify the description above by example. The client views a page on a malicious web site, attacker-hacker-site.com, and at the same time is interacting with an online shop, victim-shop-online.com, in the same browser, possibly in a different window. Code embedded in the malicious web page from attacker-hacker-site.com might be able to gain access to this user's session with victim-shop-online.com, learn sensitive data associated with this user within the context of victim-shop-online.com, or maliciously make requests to victim-shop-online.com that appear to originate from this user. This issue is called a cross-domain security vulnerability: the interaction of applications on different domains within the same browser used by the client. So it is very dangerous.


Almost all modern browsers support Dynamic HTML documents that specify content, layout and formatting through Cascading Style Sheets (CSS). Different browsers support different client-side scripting languages; for example, VBScript is supported by Internet Explorer but not by Mozilla browsers. The dominant client-side language, JavaScript, has been standardized by ECMA under the name ECMAScript. Most popular browsers, however, implement variants or supersets of the ECMAScript standard. Client-side script interacts with documents via the Document Object Model (DOM), which defines a hierarchical object model based on the structure of the document, plus an interface that allows script to inspect and manipulate the parsed HTML. Web browsers implement the so-called same-origin policy with respect to the access rights of script associated with a document loaded from a particular URL. Essentially, script can only access properties (including cookies, DOM objects and their attributes) associated with documents from the same origin as the document with which the script is associated. So how can an attacker exploit this? See the details in the next steps.


The same-origin policy prevents script in a page from one web site from accessing a page in a different domain, which stops it from reading or changing the contents of that document and from reading the other domain's cookies. So how can an attacker access private data on the client's browser from within the same browser? See the code embedded in the malicious web page from attacker-hacker-site.com.

 

 

This code replaces the current window's content with the document loaded from victim-shop-online.com; more precisely, the browser loads that document into an embedded document frame. This happens automatically without user interaction, and the style attribute instructs the browser not to render the frame visibly (read: style="display: none;"), so the user has no visual indication that his browser just loaded this page.


In this case, whether the document was loaded into the main browser window or into a frame, the frame containing the victim-shop-online.com document is actually embedded in a page from attacker-hacker-site.com, and the same-origin policy still keeps the attacker's script out of that frame. However, there are a few situations in which data loaded from a URL in one domain is essentially considered to have originated from another domain for purposes of the same-origin policy. Guess what will happen?
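The same-origin comparison described above, together with the decision a browser makes before rendering one site inside another site's frame, as an added example that is not part of the original post. It assumes Node.js with the WHATWG URL global; the URLs and header values are constructed, and the X-Frame-Options check shown is the standard defence against the hidden-frame loading, which the post itself does not cover.

```javascript
// Added example (not from the original post): the same-origin check browsers
// apply to script, and the X-Frame-Options decision a browser makes before
// rendering a page inside another site's (possibly hidden) frame.
// Assumes Node.js with the WHATWG URL global; all URLs and headers are constructed.

// Origin tuple: scheme, host, port. WHATWG URL leaves port "" for the
// scheme's default, so http://a:80/ and http://a/ compare equal.
function originOf(urlString) {
  const u = new URL(urlString);
  return { scheme: u.protocol, host: u.hostname, port: u.port };
}

// Same-origin policy: script from document A may read document B's DOM or
// cookies only when all three components match. Path and query do not matter,
// and a subdomain (www.shop vs shop) is a different origin.
function sameOrigin(urlA, urlB) {
  const a = originOf(urlA), b = originOf(urlB);
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Decide whether a response may be framed by a page at topUrl, following the
// X-Frame-Options rules (DENY / SAMEORIGIN / no header). A missing header
// means the browser will frame the page, which the hidden frame relies on.
// Simplification: unrecognised values are treated like a missing header.
function frameAllowed(xfoHeader, topUrl, framedUrl) {
  const value = (xfoHeader || "").trim().toUpperCase();
  if (value === "DENY") return false;
  if (value === "SAMEORIGIN") return sameOrigin(topUrl, framedUrl);
  return true;
}

// Constructed scenario from the article: the attacker's page frames the shop.
const ATTACKER = "http://attacker-hacker-site.com/index.html";
const SHOP = "http://victim-shop-online.com/account";

function demo() {
  return {
    scriptCanRead: sameOrigin(ATTACKER, SHOP),                        // false
    framedWithoutHeader: frameAllowed(undefined, ATTACKER, SHOP),     // true
    framedWithSameOrigin: frameAllowed("SAMEORIGIN", ATTACKER, SHOP), // false
  };
}

console.log(demo());
```

The shop's script and cookies stay out of the attacker's reach because the origins differ, but without the header the shop page is still silently loaded into the hidden frame.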

[...] use a user that the website trusts with technique cross domain vulnerability, see detail at web based application and basic cross domain security. Cross Site Request Forgery also known as a one click attack or session riding and [...]


[...] because it’s simply easier … ) alone. A change on a CSS sheet changes all the pages Web Based Application and Basic Cross Domain Security - security.widyani.com 06/24/2009 Cross Domain Security issue is able people attention, as client, [...]

Added to my RSS, Thanks!
24 September 09 at 05:21
aadi :
Nice blog! Keep up the good work.
3 November 09 at 11:31
uma :
Hey this is a very interesting article!
13 November 09 at 09:10
Nice blog! Keep up the good work.
17 November 09 at 08:34
norman :
Good point! Thanks!
21 November 09 at 16:44
If you like these posts, please leave messages / comments.