Insecure Third Party Domain Access
This weakness occurs when an application includes content served by a third-party resource and delivers it to users without any form of content scrubbing or validation.
- Web servers
- Application servers
- Client Machines
- Allowing hosted content from an untrusted server into a trusted application, which affects the server, the server environment, and the client machine.
- No confirmation of third-party controls.
The following example shows a common method of inserting third-party hosted content into a trusted application. If the hosting site is vulnerable to attack, all content delivered to the application is exposed to malicious changes.
<iframe src="http://site.com/share/Action.swf" width="720" height="420" marginwidth="0" marginheight="0" scrolling="Auto" frameborder="0"></iframe>
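As an added example (not part of the original OWASP page), the script below audits a page's HTML for third-party embeds like the iframe above and reports which ones arrive without any control: an iframe with no `sandbox` attribute, a script with no Subresource Integrity hash, plugin content via `object`/`embed`, or anything fetched over plaintext HTTP. It then builds a `frame-src` Content-Security-Policy directive that names only the HTTPS third-party origins actually found, so that the set of allowed hosts is explicit rather than implicit. It runs under Node.js; the sample page, the trusted origin `https://app.example.test`, and the `*.example.test` hosts are constructed for the example (only `site.com` comes from the page).

```javascript
// Audit of third-party embeds in an HTML document (added example, not OWASP code).
// Assumption: the application's own origin is https://app.example.test.
const TRUSTED_ORIGINS = ['https://app.example.test'];

// Constructed sample page: the page's own iframe plus a few contrasting embeds.
const SAMPLE_PAGE = `
<html><body>
<iframe src="http://site.com/share/Action.swf" width="720" height="420"></iframe>
<iframe src="https://widgets.example.test/embed" sandbox="allow-scripts" referrerpolicy="no-referrer"></iframe>
<script src="https://cdn.example.test/lib.js"></script>
<script src="https://cdn.example.test/lib2.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<iframe src="/local/help.html"></iframe>
</body></html>`;

// Resolve a (possibly relative) URL against the page origin and return its origin.
function originOf(url, base) {
  try {
    return new URL(url, base).origin;
  } catch {
    return null; // unparseable src: treated as "not an embed we can classify"
  }
}

// Minimal attribute parser for a single start tag body (enough for an audit, not a full HTML parser).
function parseAttrs(tagBody) {
  const attrs = {};
  const re = /([a-zA-Z-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(tagBody)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Returns one finding per third-party embed; `issues` lists the missing controls.
function auditThirdPartyEmbeds(html, pageOrigin = TRUSTED_ORIGINS[0]) {
  const findings = [];
  const tagRe = /<(iframe|script|object|embed)\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const attrs = parseAttrs(m[2]);
    const src = attrs.src ?? attrs.data; // <object> uses data= instead of src=
    if (!src) continue;                   // inline scripts are out of scope here
    const origin = originOf(src, pageOrigin);
    if (origin === null || TRUSTED_ORIGINS.includes(origin)) continue;

    const issues = [];
    if (origin.startsWith('http:')) issues.push('loaded over plaintext HTTP (content can be altered in transit)');
    if (tag === 'iframe' && !('sandbox' in attrs)) issues.push('iframe without sandbox attribute');
    if (tag === 'script' && !attrs.integrity) issues.push('script without Subresource Integrity');
    if (tag === 'object' || tag === 'embed') issues.push('plugin content (object/embed) from a third party');
    findings.push({ tag, src, origin, issues });
  }
  return findings;
}

// Build an explicit CSP frame-src directive from the audited iframes; HTTP-only origins are left out.
function frameSrcDirective(findings) {
  const origins = new Set(["'self'"]);
  for (const f of findings) {
    if (f.tag === 'iframe' && f.origin.startsWith('https:')) origins.add(f.origin);
  }
  return `frame-src ${[...origins].join(' ')}`;
}

const report = auditThirdPartyEmbeds(SAMPLE_PAGE);
console.log(JSON.stringify(report, null, 2));
console.log(frameSrcDirective(report));
```

Run with `node audit.js`. The page's own iframe is reported with two missing controls (plaintext transport and no `sandbox`), the sandboxed HTTPS widget and the SRI-protected script come back with an empty `issues` list, and the relative `/local/help.html` frame is skipped because it resolves to the trusted origin. The emitted `frame-src 'self' https://widgets.example.test` is the kind of allow-list that turns "no confirmation of third-party controls" into a policy the browser enforces.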