Security Information and Review

Collection of security information and review

Web Based Application and Basic Cross Domain Security

Author : Admin

Cross Domain Security issue is able people attention, as client, site owner or web base developer. With this vulnerability, cross domain security, allowing an attacker to access privat data on client browser in the same browser. We will take the case to clarify the description above by example. Client views a page on a malicious web site, and other side is interacting with shopping online, in the same browser, possibly in a different window. Code embedded in the malicious web page from might be able to gain access to this user’s session with, learn sensitive data associated with this user within the context of, or maliciously make requests to that appear to originate from this user. This issue was called the vulnerability cross domain security, the interaction of applications on different domains on the same browser used by the client. So, it’s very dangerous.


Allmost all modern browsers, support Dynamic HTML documents that specify content, layout and formatting through Cascading Style Sheet / CSS. Different browser support different client side scripting language, as an example, VBScript is supported by Internet Explorer but not Mozilla browsers. The language has been standardized by EMCA under the name ECMAScript. Most popular browsers, however, implement variants or supersets of the ECMAScript standard. Client-side script interacts with documents via the Document Object Model (DOM), which defines a hierarchical object model based on the structure of the document, plus an interface that allows script to inspect and manipulate a parsed HTML. Web browsers implement the so-called same-origin policy with respect to the access rights of script associated with a document loaded from a particular URL. Essentially, script can only access properties (including cookies, and DOM objects and their attributes) associated with documents from the same origin as the origin of the document with which the script is associated. So, how to this issue can be used an attacker to exploit this vulnerability ? See detail on next steps.


The same origin policy prevent script in a page of web site to access other page in different domain, which prevents it from reading, changing the contents of documents and reading other page of different domain cookie. So, how to an attacker can access privat data on client browser in the same browser ? See Code embedded in the malicious web page from



This code replacing the current window with the document loaded from, here the browser loads the document into an embedded document frame. In addition, this happens automatically without user interaction and the style attribute instructs the browser to not visibly render the frame ( :read style=”dispaly: none; ” ) that is, the user would have no visual indication that his browser just loaded this page.


In this case, document were loaded into the main browser window or into a frame, the frame containing the document is actually embedded in a page from However, there are a few situations in which data loaded from a URL in one domain is essentially considered to have originated from another domain for purposes of the same origin policy. Guess what will happen ?

Share and Enjoy: These icons link to social bookmarking sites where readers can share and discover new web pages.
  • Digg
  • Netvouz
  • DZone
  • ThisNext
  • MisterWong
  • Wists
  • Technorati
  • YahooMyWeb
  • Slashdot
  • StumbleUpon
Categories: Web Application Security
If you like this posts, please leave messages / comments.