Skip to Main Content
Hacking: The Next Generation
book

Hacking: The Next Generation

by Nitesh Dhanjani, Billy Rios, Brett Hardin
August 2009
Beginner content levelBeginner
298 pages
9h 5m
English
O'Reilly Media, Inc.
Content preview from Hacking: The Next Generation

Content Ownership

Many of the important security mechanisms that browsers enforce rely on the domain name of the content being served. The concept of the “same origin policy” enforces a policy where client-side code from two different domains cannot directly interact with each other. In other words, the same origin policy prevents client-side code served from http://www.evil.com from interacting with client-side code served from http://www.bank.com.

Perhaps one of the simplest examples of insecure content ownership is an application that allows a user to upload an HTML page. Assume that an application at http://www.example.com/ allows users to upload an HTML file to an uploads folder (http://www.example.com/uploads/). Also assume that an attacker uploads a file called evil.html onto this location. When a user requests http://www.example.com/uploads/evil.html, the browser will render and execute all content and script code under the context of http://www.example.com. If evil.html contains JavaScript that grabs the document.cookie object and ferries it to an attacker’s web server, the attacker will be able to steal the session of every legitimate user who visits http://www.example.com/uploads/evil.html. This is one of the most basic examples of insecure content ownership. In the following sections, we will discuss and demonstrate more advanced scenarios that illustrate the many emerging variants of content ownership tactics.

Abusing Flash’s crossdomain.xml

The same origin policy can ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.
Start your free trial

You might also like

Building a Modern Security Program

Building a Modern Security Program

Zane Lackey, Rebecca Huehls
Network Security Hacks

Network Security Hacks

Andrew Lockhart
Ransomware

Ransomware

Allan Liska, Timothy Gallo

Publisher Resources

ISBN: 9780596806309Errata Page