HTML Injection in Mobile Applications
Some popular web applications have mobile counterparts. These mobile applications
generally offer the same functionality, have fewer security features, and are still accessible
from desktop browsers such as IE and Firefox. Thus, they are perfect for finding HTML injection
attacks and cross-site request forgery (discussed in Chapter 4).
Mobile applications are usually hosted on the same domain as the main web
application; thus any HTML injection in the mobile application will have access to the
entire domain, including the main web application or other web applications hosted on
that domain.
HTML Injection in AJAX Responses and Error Messages
Not all HTTP responses are intended to be displayed to the user. These pages, like
Asynchronous JavaScript and XML (AJAX) responses and HTTP error messages, are
often neglected by developers. Developers may not consider protecting AJAX responses
against HTML injection because the requests were never meant to be issued directly
by users. However, an attacker can mimic both AJAX GET and POST requests with the
code snippets noted previously.
42 Hacking Exposed Web 2.0
Similarly, HTTP error responses such as HTTP 404 (Not Found), HTTP 502 (Server
Error), and the like are often neglected by developers.
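The following is an added illustration, not code from the book: a neglected 404 handler and AJAX endpoint that reflect request data into a response the browser will render as HTML, each beside a hardened version, plus the check a reviewer would run over both. The tainted input and the response-tuple shape are constructed for the demo.

```python
import html
import json

# Constructed sample input for the demo: a value an attacker-controlled request might carry.
TAINTED = '<img src=x onerror="alert(1)">'

def not_found_unsafe(path: str) -> tuple[int, dict, str]:
    """404 page that pastes the requested path straight into the markup (the neglected case)."""
    body = f"<h1>404 Not Found</h1><p>No such page: {path}</p>"
    return 404, {"Content-Type": "text/html; charset=utf-8"}, body

def not_found_safe(path: str) -> tuple[int, dict, str]:
    """Same 404 page, but the reflected value is HTML-encoded before it reaches the markup."""
    body = f"<h1>404 Not Found</h1><p>No such page: {html.escape(path, quote=True)}</p>"
    headers = {"Content-Type": "text/html; charset=utf-8",
               "X-Content-Type-Options": "nosniff"}
    return 404, headers, body

def ajax_unsafe(term: str, hits: list[str]) -> tuple[int, dict, str]:
    """AJAX endpoint that builds JSON by string concatenation and labels it text/html,
    so a browser loading the URL directly renders whatever was echoed."""
    body = '{"term": "' + term + '", "hits": ' + json.dumps(hits) + "}"
    return 200, {"Content-Type": "text/html"}, body

def ajax_safe(term: str, hits: list[str]) -> tuple[int, dict, str]:
    """Serialise with the JSON library, turn HTML-significant characters into \\uXXXX
    escapes (still valid JSON), and declare the real media type so nothing is sniffed as HTML."""
    body = json.dumps({"term": term, "hits": hits})
    body = body.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")
    headers = {"Content-Type": "application/json; charset=utf-8",
               "X-Content-Type-Options": "nosniff"}
    return 200, headers, body

def reflects_markup(response: tuple[int, dict, str], tainted: str) -> bool:
    """Review check: the body carries the tainted input with its angle brackets intact
    while the response could be rendered as HTML (text/html type, or no nosniff header)."""
    _status, headers, body = response
    ctype = headers.get("Content-Type", "").lower()
    renderable = (ctype.startswith("text/html")
                  or headers.get("X-Content-Type-Options") != "nosniff")
    return renderable and tainted in body

if __name__ == "__main__":
    for name, resp in [("404 unsafe", not_found_unsafe(TAINTED)),
                       ("404 safe", not_found_safe(TAINTED)),
                       ("ajax unsafe", ajax_unsafe(TAINTED, ["a"])),
                       ("ajax safe", ajax_safe(TAINTED, ["a"]))]:
        print(f"{name:12} reflects markup: {reflects_markup(resp, TAINTED)}")
```

Note that the hardened AJAX body still decodes to the original term with `json.loads`, so the client-side code is unaffected while a browser that opens the URL directly sees only text.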