Cross-zone Scripting

Cross-zone scripting is a browser exploit taking advantage of a vulnerability within a zone-based security solution. The attack allows content (scripts) in unprivileged zones to be executed with the permissions of a privileged zone, i.e. a privilege escalation within the client (web browser) executing the script.

The vulnerability could be:
* a web browser bug which under some conditions allows content (scripts) in one zone to be executed with the permissions of a higher privileged zone.
* a web browser configuration error; unsafe sites listed in privileged zones.
* a cross-site scripting vulnerability within a privileged zone.

A common attack scenario involves two steps. The first step is to use a cross-zone scripting vulnerability to get scripts executed within a privileged zone. The second step, which completes the attack, is to perform malicious actions on the computer using insecure ActiveX components.

This type of vulnerability has been exploited to silently install various malware (such as spyware, remote control software, worms and such) onto computers browsing a malicious web page.


Origins of the zone concept

There are four well-known zones in Internet Explorer:
* Internet. The default zone. Everything which does not belong to other zones.
* Local intranet.
* Trusted sites. Usually used to list trusted sites which are allowed to execute with minimal security permissions (e.g. run unsafe and unsigned ActiveX objects).
* Restricted sites.

These zones are explained in detail by "How to use security zones in Internet Explorer" (Q174360).

There is also an additional hidden zone:
* Local Computer zone (or My Computer zone). This zone is particularly interesting because it can access files on the local computer. Historically this zone has been extremely insecure, but in recent versions of Internet Explorer (for Windows XP) steps have been taken to reduce the risks associated with the zone.

Local intranet, Trusted sites and Local Computer are usually configured to be privileged zones. Most cross-zone scripting attacks are designed to jump from the Internet zone to a privileged zone.


Examples


Into the local computer zone

This type of exploit attempts to execute code in the security context of the Local Computer zone. The following HTML is used to illustrate a naive (non-working) attempt at exploitation: A computer which considers intranet.example.com a part of the Local Intranet zone will now successfully be cross-zone scripted.


Into the trusted sites zone

A well-known example is the %2f bug in Internet Explorer 6. It was discovered that the following URL
http://windowsupdate.microsoft.com%2f.example.com/
executed with "Trusted Sites" permission if was listed as a trusted site.
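
The zone decision for the URL above, as an added example that is not part of the original article and is not Internet Explorer's code: a zone check that percent-decodes before locating the host, next to one that classifies the host exactly as written and rejects escapes. The decode-first behaviour is an assumed, simplified model of this class of bug; TRUSTED_SITES and all function names are hypothetical.

```javascript
// Constructed zone list for illustration; not a real configuration.
const TRUSTED_SITES = new Set(["windowsupdate.microsoft.com"]);

// Authority host as written in the URL: the text between "//" and the first
// literal "/", "?" or "#", minus userinfo and port. "%2f" is not a separator.
function rawHost(url) {
  const m = /^https?:\/\/([^\/?#]*)/i.exec(url);
  if (!m) return null;
  const hostPort = m[1].slice(m[1].lastIndexOf("@") + 1);
  return hostPort.replace(/:\d*$/, "").toLowerCase();
}

// Flawed model (assumption): percent-decodes the whole URL before locating
// the host, so "%2f" becomes a path separator and truncates the checked name.
function zoneDecodeFirst(url) {
  let decoded;
  try { decoded = decodeURIComponent(url); } catch (e) { return "Internet"; }
  return TRUSTED_SITES.has(rawHost(decoded)) ? "Trusted sites" : "Internet";
}

// Hardened model: classify the host exactly as written, and refuse any host
// containing "%" or other characters that are not valid in a DNS name.
function zoneStrict(url) {
  const host = rawHost(url);
  if (host === null || !/^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$/.test(host)) {
    return "Rejected";
  }
  return TRUSTED_SITES.has(host) ? "Trusted sites" : "Internet";
}

const samples = [
  "http://windowsupdate.microsoft.com/",
  "http://windowsupdate.microsoft.com%2f.example.com/", // URL from the article
  "http://www.example.com/",
];
for (const u of samples) {
  console.log(u, "| decode-first:", zoneDecodeFirst(u), "| strict:", zoneStrict(u));
}
```

The same exact-match rule also limits the configuration-error case listed earlier: only hosts deliberately placed in the trusted list are ever mapped to the privileged zone.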



External links


Secunia SA11830: Internet Explorer Security Zone Bypass and Address Bar Spoofing (a vulnerability in Internet Explorer, reported by bitlance winter, which allows cross-zone scripting into Trusted Sites)