This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Insecure Third Party Domain Access"

(New page: {{Template:Stub}} {{Template:Vulnerability}} __TOC__ ASDR Table of Contents Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}''' [[Category:FIXME|Thi...)
 
 
(3 intermediate revisions by 2 users not shown)
Line 1: Line 1:
 
{{Template:Stub}}
 
{{Template:Stub}}
 
{{Template:Vulnerability}}
 
{{Template:Vulnerability}}
 
__TOC__
 
 
[[ASDR Table of Contents]]
 
  
 
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''
 
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''
  
 
+
[[ASDR_TOC_Vulnerabilities|Vulnerabilities Table of Contents]]
[[Category:FIXME|This is the text from the old template. This needs to be rewritten using the new template.]]
 
 
 
  
 
==Description==
 
==Description==
Line 29: Line 23:
  
 
==Examples==
 
==Examples==
This following type of development uses an iframe to insert a third party hosted flash into a trusted an application.
+
This following example is a common method to insert third party hosted content into a trusted an application.
The site hosting the content could vulnerable to attack. As such, all content hosted on that site would be vulnerable to inheriting malicious content.  
+
If the hosting site is vulnerable to attack, all content delivered to an application would be vulnerable malicious changes.  
 
<pre>
 
<pre>
 
<iframe src="http://site.com/share/Action.swf" width="720" height="420"  
 
<iframe src="http://site.com/share/Action.swf" width="720" height="420"  
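Review bot: the replacement sentences on the + lines still carry wording errors: "into a trusted an application" has a stray "an", and "would be vulnerable malicious changes" is missing "to". The new wording also drops the words "iframe" and "flash" while the pre block that follows is still an iframe pointing at Action.swf, so the sentence no longer says what the example shows; consider "The following example uses an iframe to insert third-party hosted content into a trusted application."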

Latest revision as of 01:26, 21 February 2009

This article is a stub. You can help OWASP by expanding it or discussing it on its Talk page.


This is a Vulnerability. To view all vulnerabilities, please see the Vulnerability Category page.


Last revision (mm/dd/yy): 02/21/2009


Description

Occurs when an application includes content provided by a third-party resource and delivers it without any type of content scrubbing.

Environments Affected

  • Web servers
  • Application servers
  • Client Machines


Risk Factors

  • Allowing content hosted on an untrusted server into a trusted application, which affects the server, the server environment, and the client machine.
  • No confirmation of third-party controls.


Examples

The following example is a common method of inserting third-party hosted content into a trusted application. If the hosting site is vulnerable to attack, all content delivered to the application would be vulnerable to malicious changes.

<iframe src="http://site.com/share/Action.swf" width="720" height="420" 
marginwidth="0" marginheight="0" scrolling="Auto" frameborder="0"></iframe>
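
The following is an added example, not part of the original OWASP page: a small Python audit that inventories embeds served from hosts outside a trusted list and flags missing transport and isolation controls. The class and function names, the trusted host `app.example`, and all sample markup other than the page's `site.com` iframe are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags that pull in remote content, mapped to the attribute holding the URL.
EMBED_ATTRS = {"iframe": "src", "script": "src", "embed": "src", "object": "data"}

class ThirdPartyEmbedAudit(HTMLParser):
    """Record every embed whose host is not in the trusted-host list."""

    def __init__(self, trusted_hosts):
        super().__init__()
        self.trusted_hosts = {h.lower() for h in trusted_hosts}
        self.findings = []  # (tag, host, [issues]) per third-party embed

    def handle_starttag(self, tag, attrs):
        url_attr = EMBED_ATTRS.get(tag)
        if url_attr is None:
            return
        attrs = dict(attrs)
        url = urlparse(attrs.get(url_attr) or "")
        host = (url.hostname or "").lower()
        if not host or host in self.trusted_hosts:
            return  # relative URL or first-party host
        issues = []
        if url.scheme != "https":
            issues.append("not loaded over https")
        if tag == "iframe" and "sandbox" not in attrs:
            issues.append("iframe has no sandbox attribute")
        if tag == "script" and not attrs.get("integrity"):
            issues.append("script has no integrity attribute")
        self.findings.append((tag, host, issues))

def audit(html, trusted_hosts):
    """Return the third-party embeds found in html, with any missing controls."""
    parser = ThirdPartyEmbedAudit(trusted_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample: the page's iframe plus three made-up embeds.
SAMPLE = """
<iframe src="http://site.com/share/Action.swf" width="720" height="420"></iframe>
<iframe src="https://widgets.example/box" sandbox="allow-scripts"></iframe>
<script src="https://cdn.example/lib.js"></script>
<script src="/static/app.js"></script>
"""

if __name__ == "__main__":
    for tag, host, issues in audit(SAMPLE, {"app.example"}):
        print(tag, host, "; ".join(issues) or "no missing controls")
```

Embeds reported with an empty issue list still belong on the inventory of third parties whose controls need confirming.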

Related Attacks

Cross-Site Request Forgery

Related Vulnerabilities

TBD

Related Controls

TBD

References