Hacking Exposed Web 2.0, Introduction (xxi-xxii)
While XHR specifically prevents cross-domain interaction, much to the developer's dismay, there is some flexibility in certain Web 2.0
technologies. For example, Flash has XHR restrictions, but it has a method to support
cross-domain functionality. The following code shows an example of the flexibility from
crossdomain.xml:
In addition to the domain name, a wildcard can be used such as domain="*".
(Many web developers are bypassing XHR security controls to add cross-domain
functionality to their web applications.) Cross-domain functionality becomes very scary
when CSRF attacks are possible. As noted, CSRF can force a user to perform actions
without his or her knowledge or permission. With cross-domain support,
CSRF attacks can allow an attacker or phisher to force actions across domains with a
single click. Hence, clicking a story on a user's blog might actually reduce your bank
account by $10,000.
Another risk with Web 2.0 is the ability to discover and enumerate attack surfaces in
a far easier fashion than with a Web 1.