• News
• Infocus
• Foundations
• Microsoft
• Unix
• IDS
• Incidents
• Virus
• Pen-Test
• Firewalls
• Columnists
• Mailing Lists
• Newsletters
• Bugtraq
• Focus on IDS
• Focus on Linux
• Focus on Microsoft
• Forensics
• Pen-test
• Security Basics
• Vuln Dev
• Vulnerabilities
• Jobs
• Job Opportunities
• Resumes
• Job Seekers
• Employers
• Tools
• RSS
• News
• Vulns
• Security Research

• info
• discussion
• exploit
• solution
• references

Multiple Browser Vendor Same Origin Policy Design Error Vulnerability

The current specification of the Javascript Same Origin Policy is flawed such that it creates a vulnerability under some circumstances.

Only hostnames are used when evaluating whether access to content by script code should be permitted -- the IP address is not taken into consideration. If the IP address associated with a hostname were to change in DNS records, content served from a second host may be accessed by script code served from the first. This could theoretically be exploited to access content served from behind a firewall (or on an internal network).

Further simplifying attack, the same origin policy allows for DOM access privileges to be inherited across subdomains, for example: script from xxxx.yyy may access content in a child window opened to zzz.xxxx.yyy. This eliminates the need to quickly change a DNS record. To exploit this, the attacker need only create a subdomain with an address behind the victim firewall.