Page 262

Rich Cannings, Himanshu Dwivedi, Zane Lackey, and Alex Stamos

"Hacking Exposed Web 2.0: Web 2.0 Security Secrets and Solutions"


Following is an example of a common type of web application vulnerability that
extends the security boundary of a site to be across multiple domains. These types of
boundary extensions should be permitted only when there is a good business case and
developers are intentionally accepting this risk. Often these boundary extensions are
done without justification or consideration of the security impact.
Web pages are usually constructed from multiple files such as these:
• .html files that contain HTML content or framesets
• .js files filled with scripts used in rendering the page
• .gif, .png, and .jpg files for images
• .css files filled with style sheets
When a single web page is written, it references other resources for the browser to
include when rendering it: for example, table layout and style information, images, and
scripts to activate animations, perform calculations, or display advertisements.
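The inventory of referenced resources described above, written out as an added example that is not from the book: a small Python script (the function names, the sample page and the host names such as `ads.example-adnetwork.test` are constructed for illustration) that parses a page, resolves each referenced resource against the page URL, and reports which ones come from a different origin. Scripts and style sheets are flagged separately because they run with the including page's privileges, so each such cross-origin include is a domain the page has extended its security boundary to.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page (not from the book): same-origin files plus third-party includes.
SAMPLE_PAGE = """
<html><head>
<link rel="stylesheet" href="/css/site.css">
<script src="/js/app.js"></script>
<script src="https://ads.example-adnetwork.test/serve.js"></script>
</head><body>
<img src="images/logo.png">
<img src="http://cdn.example-cdn.test/banner.gif">
<iframe src="https://ads.example-adnetwork.test/frame.html"></iframe>
</body></html>
"""

# Which attribute on which tag pulls in an external resource.
RESOURCE_ATTRS = {"script": "src", "link": "href", "img": "src", "iframe": "src", "frame": "src"}

# Resources that execute in the including page's context (scripts and style sheets).
ACTIVE_TAGS = {"script", "link"}


class ResourceCollector(HTMLParser):
    """Collects (tag, absolute URL) for every resource the page references."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attr_name = RESOURCE_ATTRS.get(tag)
        if attr_name is None:
            return
        attrs = dict(attrs)
        value = attrs.get(attr_name)
        if not value:
            return
        # Only <link rel="stylesheet"> loads a style sheet; icons and preloads are skipped here.
        if tag == "link" and (attrs.get("rel") or "").lower() != "stylesheet":
            return
        self.resources.append((tag, urljoin(self.base_url, value)))


def origin(url):
    """Return (scheme, host, port), the browser's notion of an origin, with default ports filled in."""
    parts = urlsplit(url)
    port = parts.port
    if port is None:
        port = {"http": 80, "https": 443}.get(parts.scheme)
    return (parts.scheme, (parts.hostname or "").lower(), port)


def cross_origin_includes(page_html, page_url):
    """Sorted list of (tag, url, runs_in_page) for resources not served from page_url's origin.

    runs_in_page is True for scripts and style sheets, which execute with the page's privileges;
    images and cross-origin frames are isolated by the browser and are listed as passive.
    """
    parser = ResourceCollector(page_url)
    parser.feed(page_html)
    page_origin = origin(page_url)
    findings = []
    for tag, url in parser.resources:
        if origin(url) != page_origin:
            findings.append((tag, url, tag in ACTIVE_TAGS))
    return sorted(findings)


def trusted_hosts(page_html, page_url):
    """Host names the page has extended its security boundary to through active content."""
    return {urlsplit(u).hostname for _, u, active in cross_origin_includes(page_html, page_url) if active}


if __name__ == "__main__":
    page_url = "https://www.example-site.test/index.html"
    for tag, url, active in cross_origin_includes(SAMPLE_PAGE, page_url):
        print(f"<{tag}> {url} [{'runs with page privileges' if active else 'passive'}]")
    print("Hosts trusted with script/style:", trusted_hosts(SAMPLE_PAGE, page_url))
```

Run against a real page, the output is the list of domains whose operators can change what the page does; each entry is worth a deliberate decision rather than an accident of which ad network or CDN was added last.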
Advertisements are often written by third parties and they are often hosted on third-party
sites, some of which have a dubious reputation and are not trusted by reasonable
users. A sample bit of page content that provides for ad inclusion might look like this: