Insecure Third Party Domain Access



Description

Occurs when an application includes content served from a third-party resource without applying any kind of content scrubbing or sanitization before it reaches the user.

Environments Affected

  • Web servers
  • Application servers
  • Client Machines

Risk Factors

  • Allowing hosted content from an untrusted server into a trusted application affects the server, the server environment, and the client machine.
  • No verification of the third party's security controls.

Examples

The following example is a common method of inserting third-party hosted content into a trusted application. If the hosting site is compromised, all content it delivers to the application is exposed to malicious changes.

<iframe src="http://site.com/share/Action.swf" width="720" height="420"
marginwidth="0" marginheight="0" scrolling="Auto" frameborder="0"></iframe>
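As an added example that is not part of the original OWASP page, the following Python script scans an HTML document for inclusions of this kind (iframe, script, link, object, embed) whose host lies outside an assumed trusted allowlist and reports whether each one carries an isolation (sandbox) or integrity (SRI) attribute; the allowlist host and the sample HTML are constructed.

```python
# Added example, not code from the OWASP page: flag content pulled from hosts
# outside a trusted set that carries no integrity or isolation control.
from html.parser import HTMLParser
from urllib.parse import urlparse

# Elements whose src/href/data attribute pulls remotely hosted content in.
REMOTE_ATTRS = {"iframe": "src", "script": "src", "embed": "src",
                "object": "data", "link": "href"}

class ThirdPartyScanner(HTMLParser):
    """Records one finding per inclusion from a host outside the trusted set."""

    def __init__(self, trusted_hosts):
        super().__init__()
        self.trusted = {h.lower() for h in trusted_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = REMOTE_ATTRS.get(tag)
        a = dict(attrs)  # bare attributes (e.g. sandbox) map to None
        url = a.get(attr) if attr else None
        if not url:
            return
        parts = urlparse(url)
        host = parts.hostname
        if host is None or host.lower() in self.trusted:
            return  # relative (same-origin) URL or explicitly trusted host
        if tag == "iframe":
            # Without sandbox the framed document keeps scripting and top-navigation rights.
            controlled = "sandbox" in a
        elif tag in ("script", "link"):
            # Subresource Integrity pins the fetched bytes to a known digest.
            controlled = bool(a.get("integrity"))
        else:
            controlled = False  # object/embed offer no integrity mechanism
        self.findings.append({"tag": tag, "host": host, "scheme": parts.scheme,
                              "controlled": controlled})

def scan(html, trusted_hosts=("www.example.org",)):
    """Return findings for html; trusted_hosts is an assumed allowlist."""
    parser = ThirdPartyScanner(trusted_hosts)
    parser.feed(html)
    return parser.findings

# Constructed sample: the page's iframe, plus an SRI-protected script and a
# same-origin image that should not be reported.
SAMPLE = """<iframe src="http://site.com/share/Action.swf" width="720"></iframe>
<script src="https://cdn.example.net/lib.js" integrity="sha384-AAAA"></script>
<img src="https://www.example.org/logo.png">"""
```

Running `scan(SAMPLE)` reports the plain-HTTP iframe as uncontrolled and the script as controlled; a finding with `controlled` false is exactly the situation the example above describes, where whatever the remote host serves is rendered as-is.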

Cross-Site Request Forgery

TBD

TBD

References
