Cross Site XMLHttpRequest: Difference between revisions

m (formatting changes)
 
Line 90: Line 90:
** Messes up soap: Should be researched/tested
** Messes up soap: Should be researched/tested
** XSS/CSRF:  If website A.com is vulnerable to an XSS exploit, then all the data of all other domains having accepted *.A.com is suddenly vulnerable
** XSS/CSRF:  If website A.com is vulnerable to an XSS exploit, then all the data of all other domains having accepted *.A.com is suddenly vulnerable
** Propagation of XSS: Suppose we have 3 domains, A.com, B.com and C.com. B.com retrieves data of A.com and renders this data in a <pre> environement. Domain C retrieves the content of the <pre> block of B.com. The user cannot control any values of C.com, thus C.com claims to be safe against XSS exploits
** Propagation of XSS: Suppose we have 3 domains, A.com, B.com and C.com. B.com retrieves data of A.com and renders this data in a "<pre" environement. Domain C retrieves the content of the "<pre" block of B.com. The user cannot control any values of C.com, thus C.com claims to be safe against XSS exploits


Now suppose we can control the data of A.com ; B.com will not have an XSS exploit since it is in a<pre> tag. Unfortunately C.com has an XSS exploit and will render the code of A.com. This code now runs in the context of C.com and is able to request other data of B.com;
Now suppose we can control the data of A.com ; B.com will not have an XSS exploit since it is in a "<pre" tag. Unfortunately C.com has an XSS exploit and will render the code of A.com. This code now runs in the context of C.com and is able to request other data of B.com;
Conclusion is that the statement in the previous bullet might have more implications than one thought.
Conclusion is that the statement in the previous bullet might have more implications than one thought.
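
Review bot: In the "Propagation of XSS" bullet and the paragraph after it, the new revision replaces <pre> with "<pre", which drops the closing angle bracket, so the text now names an incomplete tag. If the goal is to stop the wiki from interpreting the tag as markup, wrap it as <nowiki><pre></nowiki> or quote the full "<pre>" instead. Since this pass only touches formatting, it could also correct "environement" to "environment", which is unchanged in both revisions.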

