 

Cross site scripting attacks and same origin policy

I am familiar with persistent and non-persistent XSS. I also know about the same-origin policy that prevents/restricts requests originating from one website's page from going to another website's servers. This made me think that the same-origin policy can stop at least the non-persistent type of XSS attack (because in the persistent type of attack the malicious code's origin would be the same as that of the private information that is stolen). Is my understanding correct? Can SOP be used to stop/reduce these attacks?

EDIT: Okay, I was confusing invoking methods between two scripts on the browser side with invoking methods such as HTTP POST on another website. Thank you for the answer, jakber.

Now I have another question: wouldn't SOP be able to prevent cross-site request forgery? The example given on Wikipedia talks about Bob accessing a malicious image tag created by Mallory on the chat forum. However, as per the SOP rule, the malicious script should not be able to access the bank's cookie. Am I missing something here?

Methos, asked Aug 10 '11 14:08


2 Answers

Typically no.

A non-persistent or reflected XSS attack exploits input that is echoed back as page content without proper sanitization, without persisting it. The injected script will seem to come from the exploited domain in both cases.

For example, if you do this in PHP: echo $_GET['param'] and send somebody a link to the page containing ?param=<script>alert('got you!');</script>, it is a non-persistent XSS attack, and same-origin policy has nothing to do with it.

Same-origin means that you cannot directly inject scripts or modify the DOM on other domains: that's why you need to find an XSS vulnerability to begin with.

jakber, answered Oct 20 '22 19:10


SOP typically cannot prevent either XSS or CSRF.

For XSS, jakber's answer already provides a good explanation. I just want to add that the reason to call this vulnerability "cross-site" is that the attacker can inject code (e.g. <script src="...">) into the target page that loads malicious JavaScript from another website, which is typically controlled by the attacker. Loading JavaScript from another website is not denied by SOP, because doing that would break the Web.

For CSRF, SOP cannot prevent it in most cases because SOP does not prevent website A from sending GET and POST requests to website B.

ZillGate, answered Oct 20 '22 19:10