Web browsers prevent a web page on one domain from reading information from a page on another domain, but they do allow images to be loaded from another domain and scripts to be run from another domain. This can be exploited to read user data from one domain while that user is visiting another domain.
Exploit:
Say www.amazon.com has a script that reads your private account information from its servers. That script can be added to www.hackersite.com. When you visit www.hackersite.com, the script pulls your private account information from Amazon's server and can store it on HackerSite's server.
Example:
Step 1: You can run a script from another website by including a tag such as
<script src="www.domain.com"></script>
in your web application.
Step 2: So I can take the example script
<script src="http://amazon.com/accountstuff/info.gtl"></script>
and add it to my website (www.hackersite.com) to access your Amazon account information when you visit my site (www.hackersite.com).
Fix:
OWASP and the Google Gruyere codelab describe fixes on their websites:
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
http://google-gruyere.appspot.com/part3#3__cross_site_script_inclusion
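As an added illustration of the two steps above and of the fix, here is a small Node.js model (this is example code written for this post, not code from Amazon, OWASP or Gruyere). It models the account-information endpoint two ways: the vulnerable form, which returns the user's data as executable JavaScript that a <script src> tag on any site can run, and a hardened form that refuses requests a <script> tag can produce and returns plain JSON behind a prefix that is a syntax error if executed. The request objects, the session cookie, the X-Requested-With header convention, the ")]}'," prefix and the ACCOUNT record are all assumptions constructed for the example.

```javascript
// Constructed sample record standing in for the "private account information"
// that the post's example script would return.
const ACCOUNT = { user: 'alice', balance: 1234.5 };

function unauthorized() {
  return { status: 401, headers: { 'Content-Type': 'text/plain' }, body: 'login required' };
}

// VULNERABLE pattern: the endpoint returns the user's data as executable
// JavaScript. A page on any other domain can embed
// <script src="https://shop.example/accountstuff/info"> and the browser will
// send the victim's cookies and run the assignment inside that page.
function vulnerableAccountInfo(req) {
  if (!req.cookies || !req.cookies.session) return unauthorized();
  return {
    status: 200,
    headers: { 'Content-Type': 'application/javascript' },
    body: 'var accountInfo = ' + JSON.stringify(ACCOUNT) + ';',
  };
}

// Prefix that makes the body a syntax error when run as a script; the
// legitimate first-party client strips it before parsing.
const XSSI_PREFIX = ")]}',\n";

// HARDENED pattern: same data, but (1) only for requests a <script> tag cannot
// produce, and (2) in a form that is useless if it is ever executed.
function hardenedAccountInfo(req) {
  if (!req.cookies || !req.cookies.session) return unauthorized();
  const h = req.headers || {};
  // A <script src> request cannot carry a custom header, and modern browsers
  // label it Sec-Fetch-Dest: script. Older browsers omit Sec-Fetch-*, so the
  // custom-header requirement is the check that must not be skipped.
  if (h['x-requested-with'] !== 'XMLHttpRequest' || h['sec-fetch-dest'] === 'script') {
    return { status: 403, headers: { 'Content-Type': 'text/plain' }, body: 'forbidden' };
  }
  return {
    status: 200,
    headers: {
      // Plain JSON is not a script; nosniff stops the browser from guessing otherwise.
      'Content-Type': 'application/json; charset=utf-8',
      'X-Content-Type-Options': 'nosniff',
      'Cache-Control': 'no-store',
    },
    body: XSSI_PREFIX + JSON.stringify(ACCOUNT),
  };
}

// What the legitimate first-party client does with the hardened response.
function parseProtectedJson(body) {
  if (!body.startsWith(XSSI_PREFIX)) throw new Error('missing anti-XSSI prefix');
  return JSON.parse(body.slice(XSSI_PREFIX.length));
}

// Models "the browser ran this body as a <script>": true if the body is
// syntactically valid JavaScript (so it would execute), false if it is not.
function isExecutableScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Demo: the request a <script> tag on www.hackersite.com would produce (victim's
// cookie attached, no custom header) versus the first-party XHR the real site makes.
const scriptTagRequest = {
  cookies: { session: 'victim-cookie' },
  headers: { 'sec-fetch-dest': 'script', 'sec-fetch-site': 'cross-site' },
};
const firstPartyXhr = {
  cookies: { session: 'victim-cookie' },
  headers: { 'x-requested-with': 'XMLHttpRequest', 'sec-fetch-dest': 'empty', 'sec-fetch-site': 'same-origin' },
};
console.log('vulnerable endpoint, script tag: status',
  vulnerableAccountInfo(scriptTagRequest).status,
  'executable:', isExecutableScript(vulnerableAccountInfo(scriptTagRequest).body));
console.log('hardened endpoint, script tag: status', hardenedAccountInfo(scriptTagRequest).status);
const ok = hardenedAccountInfo(firstPartyXhr);
console.log('hardened endpoint, first-party XHR: status', ok.status,
  'executable:', isExecutableScript(ok.body), 'parsed:', parseProtectedJson(ok.body));
```

Run it with `node` and the first line reports the vulnerable body as executable, the second shows the hardened endpoint returning 403 to the script-tag request, and the third shows the legitimate client still recovering the record. The prefix and the custom-header check are independent layers: either alone closes the script-inclusion path, and marking the session cookie `SameSite` keeps the browser from attaching it to the cross-site script request in the first place.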