Cross zone scripting

From Wikipedia, the free encyclopedia

Cross-zone scripting is a web browser exploit that takes advantage of the browser's zoning. The attack allows websites to execute arbitrary code within a privileged zone.

Background

A cross-zone scripting attack is an authorization attack that specifically targets the zone-based security model of web browsers. In a zone-based model, pages belong to a group of zones that correspond to the privilege level assigned to that page. Pages in an untrusted zone would have less access to the system and / or would be restricted in the types of executable content they could access.

In a cross-zone scripting attack, a page assigned to a less privileged zone is given the privileges of a more trusted zone. This can be achieved by exploiting bugs in the browser, exploiting incorrect configurations in the zone controls or through a cross-site scripting attack in which the attacker's content is treated as if it came from a more trustworthy site.

This attack differs from RESTful privilege escalation: the latter stems from insufficient protection of RESTful access methods (e.g. HTTP DELETE) on the server, whereas cross-zone scripting attacks the concept of security zones as implemented in a browser.

Impact

A cross-zone scripting vulnerability allows an attacker to trick a victim into executing content in their web browser that bypasses the browser's security zone controls in order to gain access to higher authorization zones. This would enable the attacker to execute scripts, applets or other web objects.

Origin

The concept of security zones was first introduced in Internet Explorer 4. However, cross-zone scripting is a general problem that is not specific to Internet Explorer, as other browsers also implement zones, at least implicitly.

The following zones are defined in Internet Explorer:

Internet

This is the standard zone and includes everything that does not belong to other zones.

Local intranet

By default, the Local intranet zone contains all network connections established via a UNC path, as well as websites that bypass the proxy server or have names without a period (e.g. http://local), provided they have not been assigned to the Restricted sites zone or the Trusted sites zone.

Trusted sites

This zone is typically used to list trusted websites that are allowed to run with minimal security restrictions (e.g. running unsafe and unsigned ActiveX objects).

Restricted sites

This zone contains websites that are not trusted. If a website has been added to the Restricted sites zone, files downloaded or run from that website may damage your computer or data. By default, no sites are in the Restricted sites zone and the security level is set to High.

The Restricted sites zone contains websites that are not on your computer or your local intranet and are not already assigned to another zone. The default security level is Medium.

Examples

Local zone

This type of exploit attempts to execute code in the security context of the local computer zone.

The following HTML illustrates a naive (and non-working) attempt at exploitation:

<!DOCTYPE html>
<html>
<!-- first reference: pull the file into the browser cache -->
<img src="codigomalicioso.gif">
<!-- second reference: address the cached copy as a local file -->
<script src="file://C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\codigomalicioso.gif"></script>
</html>

In this example, the HTML first tries to load the file codigomalicioso.gif into the browser cache via an img src reference. A script src tag then tries to execute that file as a script in the local computer zone by addressing the cached copy through a local file path.
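A defender-side check for the pattern just described, added here as an example that is not part of the Wikipedia article: it maps URLs to the zones listed above using the article's own rules (file:// paths, UNC paths, dotless hostnames, explicit trusted and restricted lists) and reports every script or img a page loads from a zone more privileged than the page itself. The privilege ordering, the site lists and the sample page URL are assumptions made for this illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumed ordering for this example: higher number = more privileged.
ZONE_RANK = {"Restricted sites": 0, "Internet": 1, "Local intranet": 2,
             "Trusted sites": 3, "Local computer": 4}
TRUSTED = {"portal.example"}       # constructed site lists
RESTRICTED = {"badsite.example"}

def zone_of(url, base=None):
    """Map a URL to a zone using the rules given in the article."""
    if url.startswith("\\\\"):             # UNC path -> Local intranet
        return "Local intranet"
    parts = urlsplit(url)
    if not parts.scheme and base:          # relative: inherits the page's zone
        return zone_of(urljoin(base, url))
    if parts.scheme.lower() == "file":     # local file -> Local computer
        return "Local computer"
    host = (parts.hostname or "").lower()
    if host in RESTRICTED:                 # explicit assignments win
        return "Restricted sites"
    if host in TRUSTED:
        return "Trusted sites"
    if host and "." not in host:           # e.g. http://local
        return "Local intranet"
    return "Internet"

class _SrcCollector(HTMLParser):
    """Collect the src attribute of every script and img element."""
    def __init__(self):
        super().__init__()
        self.refs = []
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "img"):
            self.refs += [(tag, v) for k, v in attrs if k == "src" and v]

def cross_zone_refs(page_url, html):
    """Return (tag, src, zone) for each subresource loaded from a zone
    ranked above the zone of the page that references it."""
    page_rank = ZONE_RANK[zone_of(page_url)]
    collector = _SrcCollector()
    collector.feed(html)
    return [(tag, src, zone_of(src, page_url)) for tag, src in collector.refs
            if ZONE_RANK[zone_of(src, page_url)] > page_rank]

# Constructed sample: the article's naive local zone page served from the Internet zone.
SAMPLE_PAGE = "http://attacker.example/index.html"
SAMPLE_HTML = """<!DOCTYPE html><html><img src="codigomalicioso.gif">
<script src="file://C:\\Documents and Settings\\Administrator\\Local Settings\\Temporary Internet Files\\codigomalicioso.gif"></script></html>"""
```

Running cross_zone_refs(SAMPLE_PAGE, SAMPLE_HTML) flags only the script element, because the relative img reference resolves within the page's own Internet zone while the file:// reference points into the Local computer zone.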

Trusted zone

The best known example is the Internet Explorer %2f bug, which is now considered obsolete. It made it possible to display the attacker's website in the domain context of the virtual shop. For this to work, the attacker's web server had to be configured to accept invalid values in the HTTP Host header.

http://tiendavirtual.com%2F%20%20%20.http://blackbox.psy.net/

Vulnerabilities

In the past, cross-zone scripting gaps were found repeatedly.

In February 2008 it was announced that the VoIP application Skype had a cross-zone scripting vulnerability. It enabled an attacker to smuggle malicious code onto a victim's computer by embedding videos from the Metacafe and Dailymotion platforms. Skype uses Internet Explorer web controls to render internal and external HTML pages. The "add video to chat" feature uses these web controls, and they run in the local zone. When a user searched Skype for videos using the same keywords as in the attacker's title field, the attacker's code was executed in the user's browser with local zone rights.

In October 2012, security researchers from IBM announced a hole in an embedded browser window used on mobile devices. This embedded browser window was used by the Dropbox app and the Google Drive app for iOS and Android.
