Cross Site Attacks

From Web Security

There are a number of attacks that are made possible by the security model of the Web. This page gives an overview of those that happen cross-domain. Some people would like to see a unified approach to Web security, handled by the Server Owner: if security can be done properly once per server, the chance of misconfiguration is lower. It would be possible to write a single specification covering all of these issues, which would then need to be implemented only once per server.

| Attack | Example | Responsibility of | Prevention | Future Standards | Future Responsibility of |
|---|---|---|---|---|---|
| Cross Site Framing (Clickjacking) | Site A loads site B in an iframe, making it look like part of site A. Site A then tricks the user into clicking on the iframe, thus using the user's credentials to perform actions at site B. | Page Owner | JavaScript frame busting, X-Frame-Options, NoScript | X-Frame-Options, Content Security Policy | Server Owner |
| Cross Site Request Forgery (CSRF) | Many CSRF attacks combine cross-posting and cross-authentication. | Page Owner | Randomly assigned form tokens | Origin | Page Owner |
| Cross Posting (CSRF) | Site A creates a POST request and makes the user agent send it to site B. As far as site B can tell, the request comes from a particular user (for instance based on IP address, or because it originates inside the intranet), and it allows the request. | | | | |
| Cross Authentication (CSRF) | Site A includes a particular URL from site B in a page and makes the user agent request it. The URL is crafted so that it causes site B to include a script of site A's choosing. As the page is loaded with the user agent's credentials, the script is able to perform actions at site B in the user's name. | | | | |
| Cross Site Scripting (XSS) | Site A includes a particular URL from site B in a page and makes the user agent request it. The URL is crafted so that it causes site B to include a script of site A's choosing. As the page is loaded with the user agent's credentials, the script is able to perform actions at site B in the user's name. | Page Owner | Sanitize all input | Content Security Policy | Server Owner |
| Cross Site Double Clicking | Site A opens a popup for site B, then another popup for site A. Site A tricks the user into double-clicking on the topmost page. The first click closes the topmost page; the second click performs an action on site B. Shortly afterwards, site A can close the other popup, and the user may notice only a flicker. | Nobody | Not considered important | None | |

Note: Content Security Policy overlaps somewhat with Strict Transport Security; a unified approach could include both.
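As an added illustration (not from this wiki page), the following Python sketches how site B can apply the two CSRF defences listed in the table, a randomly assigned per-session form token and an Origin check, together with the framing-protection response headers; the site names, header handling and function names are assumptions.

```python
import hmac
import secrets
from typing import Optional
from urllib.parse import urlparse

# Constructed example: the origin site B serves and will accept cross-site posts from.
SITE_B_ORIGIN = "https://site-b.example"   # hypothetical site B
ALLOWED_ORIGINS = {SITE_B_ORIGIN}


def new_form_token() -> str:
    """Randomly assigned token, stored in the session and embedded in site B's forms."""
    return secrets.token_urlsafe(32)


def origin_allowed(headers: dict) -> bool:
    """Origin check: a POST forged by site A carries site A's Origin, not site B's."""
    origin = headers.get("Origin")
    if origin is None:
        # Older agents send only Referer; with neither header, reject state changes.
        referer = headers.get("Referer")
        if referer is None:
            return False
        parts = urlparse(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin in ALLOWED_ORIGINS


def token_valid(session_token: str, submitted: Optional[str]) -> bool:
    """Constant-time comparison of the submitted form token with the session's token."""
    if submitted is None:
        return False
    return hmac.compare_digest(session_token.encode(), submitted.encode())


def accept_state_change(headers: dict, form: dict, session_token: str) -> bool:
    """Site B accepts a state-changing request only if both defences pass."""
    return origin_allowed(headers) and token_valid(session_token, form.get("csrf_token"))


def anti_framing_headers() -> dict:
    """Response headers that stop site A from loading site B in an iframe."""
    return {
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": "frame-ancestors 'none'",
    }
```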