Web-app-exploitation-entry-points

From Brett
Revision as of 06:48, 4 March 2014 by WikiSysop (Talk | contribs) (alternative)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

For AsYouWish (or older version at AMO languishing in loneliness awaiting preliminary approval), while it opens up a lot of fun, it is also a bit scary given the number of ways in which its power could be exploited by the malicious.

Here are some entry points which require proper awareness if not sanitizing by AsYouWish websites (though they also may invite ideas for proper usage):

Input source Protagonist
URL parameters User in URL bar, user clicking third-party link, or user visiting third-party website (with hidden XSRF potential)
regular postMessage Third-party developer
privileged postMessage (as from WebAppFind invocation from OS desktop and potentially in the future from AtYourCommand) User
registerProtocolHandler User in URL bar, user clicking third-party link, or user visiting third-party website (with hidden XSRF potential)
bookmarklet Third-party site (potentially coming from other users if XSS is an issue)
local data store Potentially other users
remote data store Potentially other users

A very important principle is to make all GET-able URL-accessible parameters (URL parameters or custom protocols) idempotent, while allowing for pseudo-POST (via postMessage) to, if proper checks are in place, provide safe code with side effects (bearing in mind that a "null" origin may not differentiate between file:// URLs, etc.). Where the context does not allow for POST-like behavior, one can still allow bookmarkable non-idempotent behaviors upon user confirmation (ideally after they are provided with source code of exactly what will be changed/added).