According to the article:-
Unlike the common XSS attacks, UXSS is a type of attack that exploits client-side vulnerabilities in the browser or browser extensions in order to generate an XSS condition, and execute malicious code. When such vulnerabilities are found and exploited, the behavior of the browser is affected and its security features may be bypassed or disabled.
The net effect of this is the fact that the attacker doesn't just get access to a compromised session on a vulnerable web page, but may get access to any session belonging to web pages currently opened (or cached) by the browser at the time the attack is triggered.
Simply put, UXSS does not need a vulnerable web page in order to trigger, and can penetrate web sessions belonging to secure, well written web pages, thus creating a vulnerability where there isn’t one
Well-known vulnerabilities exploitable by UXSS:
- Vulnerability in the Adobe Acrobat extension for Internet Explorer 6 (or Mozilla plugin)
- Flaw in the XSS filters of Internet Explorer 8.
- Flash Player UXSS Vulnerability - CVE-2011-2107
- Vulnerability in Chrome for Android
The links below has more information:
http://www.acunetix.com/blog/web-security-zone/universal-cross-site-scripting-uxss
No comments:
Post a Comment