Menu
Home
People
Places
Arts
History
Plants & Animals
Science
Life & Culture
Technology
Reference.org
Cross-application scripting
open-in-new
<h2 id="concept">Concept</h2> <p>Like web interfaces, modern frameworks for the realization of graphical applications (in particular <a href="/facts/GTK%252B/oLpVm9pp">GTK+</a> and <a href="/facts/Qt_(framework)/gVhwlQnJ">Qt</a>) allow the use of tags inside their own <a href="/facts/Software_widget/fQplKMwk">widgets</a>. If an attacker gains the possibility to inject tags, he gains the ability to manipulate the appearance and behaviour of the application. Exactly the same phenomenon was seen with the use of <a href="/facts/Cross-site_scripting/dhtusKKm">cross-site scripting</a> (XSS) in web pages, which is why this kind of behavior has been named cross-application scripting (CAS). </p><p>Typically desktop applications get a considerable amount of input and support a large number of features, certainly more than any web interface. This makes it harder for the developer to check whether all the input a program might get from untrusted sources is filtered correctly. </p> <h2 id="cross-application-request-forgery">Cross-application request forgery</h2> <p>If cross-application scripting is the application equivalent for XSS in web applications, then cross-application request forgery (CARF) is the equivalent of <a href="/facts/Cross-site_request_forgery/RN7XuvsW">cross-site request forgery</a> (CSRF) in desktop applications. </p><p>In CARF the concept of “link” and “protocol” inherited from the web has been extended because it involves components of the graphical environment and, in some cases, of the operating system. </p><p>Exploiting vulnerabilities amenable to CSRF requires interaction from the user. This requirement isn't particularly limiting because the user can be easily led to execute certain actions if the graphical interface is altered the right way. Many misleading changes in the look of applications can be obtained with the use of CAS: a new kind of “<a href="/facts/Phishing/hvgfz4U8">phishing</a>”, whose dangerousness is amplified by a lack of tools to detect this kind of attack outside of websites or emails. </p><p>In contrast to XSS techniques, that can manipulate and later execute commands in the users' browser, with CAS it is possible to talk directly to the operating system, and not just its graphical interface. </p> <h2 id="references">References</h2> <ol> <li id="fn:1"><p>Technical Slides <a href="https://web.archive.org/web/20110722052914/http://milano.securitysummit.it/upload/file/atti%20milano%202010/16%20marzo/12_GENTILI_ACRI_SCOSCIA.PDF" target="_blank">https://web.archive.org/web/20110722052914/http://milano.securitysummit.it/upload/file/atti%20milano%202010/16%20marzo/12_GENTILI_ACRI_SCOSCIA.PDF</a> <a href="#fnref:1" class="footnote-back-ref">↩</a></p></li> <li id="fn:2"><p>Presentation Video (SecuritySummit 2010 Milano) <a href="https://vimeo.com/10258669" target="_blank">https://vimeo.com/10258669</a> <a href="#fnref:2" class="footnote-back-ref">↩</a></p></li> <li id="fn:3"><p>Security Summit website <a href="https://www.securitysummit.it" target="_blank">https://www.securitysummit.it</a> <a href="#fnref:3" class="footnote-back-ref">↩</a></p></li> </ol>