XSIO - Cross Site Image Overlaying
INTRODUCTION
The following paper discusses a known attack type related to content injection in web applications (webapps). It intends to shed some light on a special case in which an attacker overlaps a specific part of a webpage with an image. This attack can be looked at as a special case of persistent XSS (type 2); more precisely, a hybrid attack: a cross between content injection and XSS type 2. I have had the opportunity to do a forensic analysis of one of the recently disclosed cases of "Cross Site Request Forgery" vulnerability that has occurred in some popular websites lately. My observation of the experience encouraged me to take XSRF into account as well. Sometimes it is not easy to tell where XSS begins and XSRF ends; for instance, when you log cookies, is it XSRF or XSS? Maybe it's both. In spite of some debate over the naming of this attack, I have preferred to go with the acronym XSIO. Moreover, what is there in a name?

Though a few papers have already been published by others, I felt the need to write this to emphasize impact and remediation aspects. This attack is quite trivial to perform but can have a big impact under some circumstances, especially when it comes to the reputation of the website. This paper tries to encompass the possible techniques, examples, and mitigation strategies pertaining to such an attack.
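As an added illustration of the mitigation side (not code from the paper or from SecurView), the filter below shows one server-side control against the overlay described above. It assumes the overlay is produced by user-supplied markup whose CSS takes an injected `<img>` out of normal flow, a mechanism the introduction does not spell out; the tag, attribute and property lists are assumptions for this example, built only on the Python standard library.

```python
import html
from html.parser import HTMLParser

# Properties that move an element out of normal flow so an injected <img> can
# cover neighbouring content (assumed list; not taken from the paper).
OVERLAY_PROPERTIES = {"position", "top", "left", "right", "bottom", "z-index",
                      "margin", "margin-top", "margin-left", "transform", "float"}
ALLOWED_TAGS = {"p", "b", "i", "br", "a", "img"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt", "width", "height"}}

def filter_style(style):
    # Keep only CSS declarations that cannot reposition the element.
    kept = []
    for decl in style.split(";"):
        prop, sep, value = decl.partition(":")
        if sep and prop.strip().lower() not in OVERLAY_PROPERTIES:
            kept.append(f"{prop.strip()}:{value.strip()}")
    return "; ".join(kept)

class OverlaySanitizer(HTMLParser):
    def __init__(self):
        super().__init__()
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # <div>, <style>, <iframe>, ... vanish with their attributes
        parts = [tag]
        for name, value in attrs:
            value = value or ""
            if name == "style":
                value = filter_style(value)  # may become "" and be dropped
            elif name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if value or name != "style":
                parts.append(f'{name}="{html.escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in ("br", "img"):
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        self.out.append(html.escape(data))

def sanitize(fragment):
    # Return user-supplied HTML with overlay-capable markup removed.
    parser = OverlaySanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)
```

An allow-list like this is only one layer; the page's own templates must still escape untrusted text wherever it is rendered.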
© 2007 SecurView, Inc. All rights reserved. SecurView and the SecurView logo are trademarks of SecurView, Inc.
All other trademarks mentioned in this document or Website are the property of their respective owners.