In association with heise online

Framed up

JavaScript can do more than steal cookies when the web browser has unpatched security holes. Internet Explorer in particular, which can execute Microsoft's JavaScript extension JScript, has a number of weak spots that can be exploited by scripting. JavaScript can access and change all elements of an HTML page and add new ones, too, but only when both pages are from the same domain (the "same-origin principle"). This means that a script on this page could possibly modify the contents of a heise online page if that page is open at the same time. A number of bugs in Internet Explorer, however, have already made it possible to get around the same-origin principle.

This enables one web page to "remote control" other pages, even if they are from a different source. One extreme case was a bug that allowed a help window to be opened and tampered with. This window then had the rights of the local computer and could therefore access local files. Such bugs allow what is called cross-frame scripting or cross-window scripting. You may want to check on the heisec Browsercheck site whether your own browser is vulnerable to such attacks. Some of the security holes allow access to local files and even the execution of any program. You don't need much imagination to picture the possible consequences.
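The check that a correctly working browser applies before one frame or window may script another can be modelled as follows. This is an added example, not code from the original article; all URLs are constructed, and it goes slightly beyond the text by comparing scheme and port as well as the host, as current browsers do.

```javascript
// Added example: models the same-origin decision a browser makes before
// script in one frame or window may touch another document.
// All URLs below are constructed sample values.

// Reduce a URL to its origin. The standard URL parser (browsers, Node.js)
// lowercases the host and drops default ports (80 for http, 443 for https).
function originOf(url) {
  const origin = new URL(url).origin;
  // Schemes such as file: and data: yield an opaque origin, serialized "null".
  return origin === "null" ? null : origin;
}

// True only if script running in `accessor` may read or modify `target`.
function mayScript(accessor, target) {
  const a = originOf(accessor);
  const b = originOf(target);
  // An opaque origin matches nothing, not even another opaque origin.
  if (a === null || b === null) return false;
  return a === b;
}

// Constructed cases: [accessor, target]
const cases = [
  ["http://www.example.com/news/a.html", "http://www.example.com/forum/b.html"], // same site
  ["http://www.example.com/a.html", "http://WWW.EXAMPLE.COM:80/b.html"],   // case, default port
  ["http://www.example.com/a.html", "https://www.example.com/a.html"],    // scheme differs
  ["http://www.example.com/a.html", "http://www.example.com:8080/a.html"], // port differs
  ["http://other-site.example/frame.html", "http://www.example.com/a.html"], // host differs
  ["http://other-site.example/frame.html", "file:///C:/help/topic.html"],  // local document
];

function evaluate() {
  return cases.map(([accessor, target]) => ({
    accessor, target, allowed: mayScript(accessor, target),
  }));
}

for (const r of evaluate()) {
  console.log(`${r.allowed ? "ALLOW" : "DENY "}  ${r.accessor} -> ${r.target}`);
}
```

The cross-frame scripting bugs described above are cases where the browser reached an ALLOW result, or skipped the check, for pairs that this model denies.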


Cross-site scripting attacks exploit flaws in web applications, while attacks via cross-frame scripting take advantage of security holes in the web browser or in its scripting functions. In particular, the combination of server and client weaknesses gives an attacker the chance to gain control over a PC. Most IE installations probably have Active Scripting enabled. Deactivating all scripting functions would be good protection, but this cannot be a serious recommendation: after all, many web pages can't be properly displayed without them. However, installing the most current patches should make things harder for a potential attacker. (ehe)

