This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Insecure Third Party Domain Access

From OWASP
Revision as of 20:24, 13 December 2008 by Kcfredman (talk | contribs)

Jump to: navigation, search
This article is a stub. You can help OWASP by expanding it or discussing it on its Talk page.


This is a Vulnerability. To view all vulnerabilities, please see the Vulnerability Category page.


ASDR Table of Contents

Last revision (mm/dd/yy): 12/13/2008


Description

Occurs when an application contains content provided from a 3rd party resource that is delivered without any type of content scrub.

Environments Affected

  • Web servers
  • Application servers
  • Client Machines


Risk Factors

  • Allowing hosted content from an untrusted server into a trusted application: affecting the server, server environment, and client machine.
  • No confirmation of Third Party Controls.


Examples

This following type of development uses an iframe to insert a third party hosted flash into a trusted an application. The site hosting the content could vulnerable to attack. As such, all content hosted on that site would be vulnerable to inheriting malicious content.

<iframe src="http://site.com/share/Action.swf" width="720" height="420" 
marginwidth="0" marginheight="0" scrolling="Auto" frameborder="0"></iframe>

Related Attacks

Cross-Site_Request_Forgery

Related Vulnerabilities

TBD

Related Controls

TBD

References