Never trust a stranger…

No, it’s not about stalking this time. But trust relationships are firmly on my mind, and I ain’t talking about my private life neither!
As you may know, there are lots of trust relationships in computing. Those of you who love Microsoft will remember domain trust relationships from back in the day. To me, they are truly something to think about (and they have been thought about) when dealing with web applications and their weaknesses. Cross-domain security issues relating to iframes, and more recently to XMLHttpRequest, are well documented. The latter allows absolute URLs in its open method, but that is almost useless and rarely used now, because the browser restricts the request to the origin (domain) of the page the script is running in.

For an attacker (or, in my case, someone developing a proof-of-concept) trying to exploit XSS so that information (e.g. cookies) is sent to the attacker’s site, the XMLHttpRequest route looks like it is blocked. The standard XSS-phishing site attack will always be available, but it requires user intervention (or dumbness). The question, however, is “Can an XSS script still upload information automatically?” With iframes and XMLHttpRequest obviously out of the question, this looks hard! Though I can still think of 3 or 4 ways around this, I need to try them out first. Let’s just say you have to go oldskule for most of these ideas. Mind you, if you and I can think of any, they are probably blocked…

On the flipside, this makes it very awkward to share information between sites on the fly, which is the key to web2.0 (social networks, blogs, etc.). The workaround is to implement the information-sharing techniques in server-side scripts rather than client-side ones. This could be opened up slightly by having… yes, you’ve guessed it… “trust relationships”. A site could declare certain friendly domains in its server-side scripts and hand that list to client browsers. The problem, though, is that it must be enforced that the trusted domains cannot be changed at the client.
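What that enforcement looks like in practice is a server-side allowlist of trusted origins that the server, not the client, consults before letting another site read its responses. The example below is added here and is not code from the original post; it uses the Node.js `URL` class and the standard CORS response headers browsers later settled on for exactly this kind of trust declaration. The origin names in `TRUSTED_ORIGINS` and the request headers are constructed sample values. The key point it demonstrates is that the check must be an exact match on a normalised origin: echoing back whatever `Origin` the client sent, or using a substring/prefix check, hands control of the trust list to the client, which is precisely the failure the paragraph above warns about.

```javascript
// Added example (not from the original post): a server-side allowlist of
// trusted origins. The list lives on the server, so a client cannot widen it.
// All origin names below are constructed sample values.
const TRUSTED_ORIGINS = new Set([
  "https://partner.example",
  "https://blog.example",
]);

// Decide whether a cross-site request carrying `origin` may read our response.
// Returns the normalised origin string if trusted, otherwise null.
// Exact set membership only: a substring or prefix check would let lookalikes
// such as "https://partner.example.evil.test" or "https://evilpartner.example"
// through, and the allowlist would no longer mean anything.
function resolveTrustedOrigin(origin, trusted = TRUSTED_ORIGINS) {
  if (typeof origin !== "string") return null;      // header absent or malformed
  let parsed;
  try {
    parsed = new URL(origin);
  } catch {
    return null;                                    // not a parseable origin (includes "null")
  }
  // URL.origin lowercases the host and drops a default port, so
  // "https://PARTNER.example:443" compares equal to "https://partner.example".
  const normalised = parsed.origin;
  if (normalised === "null") return null;           // opaque origin (sandboxed frame, file:, etc.)
  return trusted.has(normalised) ? normalised : null;
}

// Build the CORS response headers for one request. We never emit "*" and never
// echo the raw Origin value; only an allowlisted, normalised origin is echoed.
// "Vary: Origin" tells shared caches the answer depends on the requester.
function corsHeaders(requestHeaders, trusted = TRUSTED_ORIGINS) {
  const allowed = resolveTrustedOrigin(requestHeaders.origin, trusted);
  const headers = { Vary: "Origin" };
  if (allowed !== null) {
    headers["Access-Control-Allow-Origin"] = allowed;
    headers["Access-Control-Allow-Credentials"] = "true";
  }
  return headers;
}

// Constructed sample requests: one from a trusted partner, one from elsewhere.
const sampleRequests = [
  { origin: "https://blog.example" },
  { origin: "https://partner.example.evil.test" },
  { origin: undefined },
];
for (const req of sampleRequests) {
  console.log(JSON.stringify(req.origin), "->", corsHeaders(req));
}
```

In a real handler you would spread the object returned by `corsHeaders` into the response headers and reject preflight requests whose origin resolves to `null`. Keeping the decision in a pure function like `resolveTrustedOrigin` also makes the allowlist logic trivial to unit-test against lookalike domains, which is where most allowlist bugs hide.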
