Cross-zone scripting



Cross-zone scripting is a browser exploit taking advantage of a vulnerability within a zone-based security solution. The attack allows content (scripts) in unprivileged zones to be executed with the permissions of a privileged zone - i.e. a privilege escalation within the client (web browser) executing the script. The vulnerability could be:

  • a web browser bug which under some conditions allows content (scripts) in one zone to be executed with the permissions of a higher privileged zone.
  • a web browser configuration error; unsafe sites listed in privileged zones.
  • a cross-site scripting vulnerability within a privileged zone

A common attack scenario involves two steps. The first step is to use a cross-zone scripting vulnerability to get scripts executed within a privileged zone. The second step, which completes the attack, is to perform malicious actions on the computer using insecure ActiveX components.

This type of vulnerability has been exploited to silently install various malware (such as spyware, remote control software, worms and such) onto computers browsing a malicious web page.


Origins of the zone concept

Internet Explorer 4 introduced a security zone concept into Internet Explorer. However, this is a generic issue which is not Internet Explorer specific; some other browsers also implicitly implement the Local Computer zone[citation needed].

There are four well known zones in Internet Explorer:

  • Internet. The default zone. Everything which does not belong to other zones.
  • Local intranet.
  • Trusted sites. Usually used to list trusted sites which are allowed to execute with minimal security permissions (e.g. run unsafe and unsigned ActiveX objects).
  • Restricted sites.

These zones are explained in detail by Q174360: How to use security zones in Internet Explorer.

There is also an additional hidden zone:

  • Local Computer zone (or My Computer zone). This zone is particularly interesting because it can access files on the local computer. Historically this zone has been extremely insecure, but in recent versions of Internet Explorer (for Windows XP) steps have been taken to reduce the risks associated with this zone.

Local intranet, Trusted sites and Local Computer are usually configured to be privileged zones. Most cross-zone scripting attacks are designed to jump from Internet zone to a privileged zone.

Cross-zone scripting examples

Cross-zone scripting into Local Computer Zone

This type of exploit attempts to execute code in the security context of Local Computer Zone.

The following HTML illustrates a naive (non-working) attempt at exploitation:

<HTML>
<IMG SRC="attack.gif">
<SCRIPT SRC="file://C:\Documents and Settings\Administrator\
         Local Settings\Temporary Internet Files\attack.gif">
</HTML>

Explanation: the HTML code attempts to get attack.gif loaded into the cache by using an IMG SRC reference. Then a SCRIPT SRC tag is used to attempt executing the script from the Local Computer Zone by addressing the local file in cache.

Cross-zone scripting into Local Intranet Zone

Consider this scenario:

  • An attacker could (somehow) know of a cross-site scripting vulnerability in http://intranet.example.com/xss.php
  • A lot of http://intranet.example.com users regularly visit http://www.example.com/, where anyone can add Cool links.
  • The attacker adds a Cool link to:
http://intranet.example.com/xss.php?<script>alert()</script>

A computer which considers intranet.example.com to be part of the Local Intranet zone will now successfully be cross-zone scripted.

Cross-zone scripting into Trusted Sites Zone

A well known example is the %2f bug in Internet Explorer 6. It was discovered that the following URL

http://windowsupdate.microsoft.com%2f.example.com/

executed with "Trusted Sites" permission if windowsupdate.microsoft.com was listed as a trusted site.
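
This kind of host confusion can be modeled with a zone lookup that percent-decodes a URL before extracting its host. The following is an added example, not code from the original page or from Internet Explorer; the function names, the constructed zone list and the decode-first flaw are assumptions made for illustration.

```javascript
// Added example: a hypothetical zone lookup, NOT Internet Explorer's actual code.
// Constructed zone list containing the trusted site named in the text.
const TRUSTED_SITES = new Set(["windowsupdate.microsoft.com"]);

// Return the raw host: the text between "//" and the first "/", "?" or "#",
// with any userinfo and port removed. No decoding is performed here.
function rawHost(url) {
  const m = /^[a-z][a-z0-9+.-]*:\/\/([^\/?#]*)/i.exec(url);
  if (!m) return null;
  const hostPort = m[1].slice(m[1].lastIndexOf("@") + 1); // drop userinfo
  return hostPort.replace(/:\d*$/, "").toLowerCase();      // drop port
}

// Flawed model (assumption): percent-decode the whole URL, then find the host.
// "%2f" becomes "/", so the host appears to end at the trusted name.
function naiveZone(url) {
  let decoded;
  try { decoded = decodeURIComponent(url); } catch { return "Internet"; }
  return TRUSTED_SITES.has(rawHost(decoded)) ? "Trusted sites" : "Internet";
}

// Hardened lookup: take the host from the undecoded URL, refuse anything that
// is not a plain DNS name (so "%" never reaches the comparison), then require
// an exact match against the zone list.
function strictZone(url) {
  const host = rawHost(url);
  if (host === null || !/^[a-z0-9-]+(\.[a-z0-9-]+)*$/.test(host)) return "Rejected";
  return TRUSTED_SITES.has(host) ? "Trusted sites" : "Internet";
}

// Run both lookups over a list of URLs and return the decisions side by side.
function compareZones(urls) {
  return urls.map(url => ({ url, naive: naiveZone(url), strict: strictZone(url) }));
}

// Sample inputs: the URL quoted in the text plus two constructed controls.
const SAMPLE_URLS = [
  "http://windowsupdate.microsoft.com%2f.example.com/",
  "http://windowsupdate.microsoft.com/",
  "http://www.example.com/",
];

console.table(compareZones(SAMPLE_URLS));
```

The point of the hardened version is ordering: the zone decision is made on the host exactly as it will be resolved, and any host that needs decoding to look trusted is refused outright.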



Wikimedia Foundation. 2010.
