Exploiting Any Trust Relationships

issued by that web site. There are several other trust relationships that can

sometimes be exploited in an XSS attack:

■■

If the application employs forms with autocomplete enabled, JavaScript

issued by the application can capture any previously entered data that

the user’s browser has stored in the autocomplete cache. By instantiat-

ing the relevant form, waiting for the browser to autocomplete its con-

tents, and then querying the form field values, the script can steal this

data and transmit it to the attacker’s server. The same technique can

also be performed against the Firefox password manager to steal the

user’s credentials for the application. This attack can be more powerful

than injecting Trojan functionality, because sensitive data can be cap-

tured without requiring any interaction by the user.

■■

Some web applications recommend or require that users add their

domain name to the “Trusted Sites” zone of their browser. This is

almost always undesirable and means that any XSS-type flaw can be

exploited to perform arbitrary code execution on the computer of a 

victim user. For example, if a site is running in the Trusted Sites zone of

Internet Explorer, then injecting the following code will cause the Win-

dows calculator program to launch on the user’s computer:

■■

Web applications often deploy ActiveX controls containing powerful

methods (see the “Attacking ActiveX Controls” section, later in this

chapter). Some applications seek to prevent misuse by a third party by

verifying within the control itself that the invoking web page was

issued from the correct web site. In this situation, the control can still be

misused via an XSS attack, because in that instance the invoking code

will satisfy the trust check implemented within the control.

Download 5,76 Mb.

Do'stlaringiz bilan baham: