Cross-Site Scripting in the Wild Exploiting Your Droid

Wednesday, March 16, 2011

Rafal Los


This may be slightly old news but worth mentioning in case you've mised it. 

Jon Oberheide has a brilliant write-up of a post on his blog where he talks about an issue with the Google Android Market (which has since been patched) which allowed for persistent Cross-Site Scripting.

Persistent Cross-Site Scripting... isn't that something that we should have a pretty good handle on by now?  Apparently not.

It stinks for Jon because he almost won the pwn2own contest which would have been great, and I admit that it would have been compounded by the fact that it was a, as he puts it, "lame XSS vuln".

So what are we to learn from this, if anything?  Well we need to learn that it is all about 'the web' right now and into the future. 

Whether you're talking about mobile applications, desktop applications it really doesn't seem to matter.  There is a web-attack vector in virtually every single scenario.

That brand new flat screen you have that allows you to tweet and browse your Facebook can be attacked with silly lame vulns like Cross-Site Scripting to compromise your TV.  That's right, your TV and your Facebook and Twitter and ...

Furthermore, you've got mobile devices now, the iPhone, the 'Droids, the RIM devices, Windows7 handsets and of course WebOS-based devices too... guess where all the 'apps' and updates come from? 

Guess what the #1 used transport protocol is on those devices... HTTP (maybe HTTPS comes in a distant second). 

If you're getting hacked, attacked, and pwn3d, it's going to keep happening via the web.

Fortify your web apps, APIs and services people. 

In all seriousness, whether you're pushing widgets, a mobile handset OS (they're not phones anymore, let's face it) or flat screen TV 'browsers plug-ins... it's all on the web and subject to the same old Cross-Site Scripting (and other types of client-side attacks) we've been hit with for a decade now!

Cross-posted from Following the White Rabbit

Possibly Related Articles:
PDAs/Smart Phones
HTTP Security Web Application Security Mobile Devices Android Cross Site Scripting
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.