Thursday, March 17, 2011

Cross-Site Scripting in the Wild Exploiting Your Droid

Wednesday, March 16, 2011



Rafal Los

This may be slightly old news, but it is worth mentioning in case you've missed it.

Jon Oberheide has a brilliant write-up on his blog about an issue with the Google Android Market (which has since been patched) which allowed for persistent Cross-Site Scripting.

Persistent Cross-Site Scripting... isn't that something that we should have a pretty good handle on by now?  Apparently not.

It stinks for Jon because he almost won the pwn2own contest, which would have been great, and I admit that it would have been compounded by the fact that it was, as he puts it, a "lame XSS vuln".

So what are we to learn from this, if anything?  Well, we need to learn that it is all about 'the web' right now and into the future.

Whether you're talking about mobile applications or desktop applications, it really doesn't seem to matter.  There is a web-attack vector in virtually every single scenario.

That brand new flat screen you have that allows you to tweet and browse your Facebook can be attacked with silly lame vulns like Cross-Site Scripting to compromise your TV.  That's right, your TV and your Facebook and Twitter and ...

Furthermore, you've got mobile devices now: the iPhone, the 'Droids, the RIM devices, Windows 7 handsets and of course WebOS-based devices too... guess where all the 'apps' and updates come from?

Guess what the #1 used transport protocol is on those devices... HTTP (maybe HTTPS comes in a distant second).

If you're getting hacked, attacked, and pwn3d, it's going to keep happening via the web.

Fortify your web apps, APIs and services, people.

In all seriousness, whether you're pushing widgets, a mobile handset OS (they're not phones anymore, let's face it) or flat screen TV browser plug-ins... it's all on the web and subject to the same old Cross-Site Scripting (and other types of client-side attacks) we've been hit with for a decade now!
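The pattern behind a persistent XSS bug like the one above is always the same: user-supplied text gets stored server-side and later written into an HTML page without being encoded for the context it lands in. The example below is added here to illustrate that point; it is not code from the post or from the Android Market, and the comment list, the rendering functions and the hostile comment string are all constructed for the demonstration. It shows the defect (raw concatenation) next to the fix (context-aware HTML encoding for both element body and attribute value).

```python
import html
from typing import List, Tuple

# Constructed stand-in for a database table of user-submitted reviews.
# Each entry is (reviewer_name, review_text); the second row is a constructed
# hostile submission of the kind a stored-XSS bug would persist and replay to
# every later visitor.
STORED_REVIEWS: List[Tuple[str, str]] = [
    ("alice", "Great app, five stars!"),
    ("mallory\" onmouseover=\"x", "<script>document.title='owned'</script>"),
]


def render_reviews_unsafe(reviews: List[Tuple[str, str]]) -> str:
    """The defect: stored text is concatenated straight into markup.

    The reviewer name lands inside an attribute value and the review text
    inside an element body, and neither is encoded, so browser-interpreted
    markup stored by one user executes in every other user's session.
    """
    return "".join(
        f'<li title="{name}">{text}</li>' for name, text in reviews
    )


def render_reviews_safe(reviews: List[Tuple[str, str]]) -> str:
    """The fix: encode every untrusted value for the HTML context it lands in.

    html.escape with quote=True turns < > & " ' into entities, which covers
    both the double-quoted attribute context and the element-body context
    used here.  Other contexts (JavaScript strings, URLs, CSS) need their own
    encoders; this example only covers HTML body and quoted attribute.
    """
    return "".join(
        f'<li title="{html.escape(name, quote=True)}">'
        f"{html.escape(text, quote=True)}</li>"
        for name, text in reviews
    )


def carries_raw_markup(page: str) -> bool:
    """Crude detection check for tests and review: a page built from user
    data must never contain an unencoded <script> tag or a stray attribute
    boundary that came from that data."""
    lowered = page.lower()
    return "<script" in lowered or 'onmouseover="' in lowered


if __name__ == "__main__":
    print("unsafe:", render_reviews_unsafe(STORED_REVIEWS))
    print("safe:  ", render_reviews_safe(STORED_REVIEWS))
```

In a real application the encoding belongs in the template engine's auto-escaping, not in hand-written calls at each output site; the point of the two functions is only that the stored data is identical in both cases and the difference is entirely in how it is written out.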

Cross-posted from Following the White
