|
Cross-application scripting (CAS) is a vulnerability affecting desktop applications that don't check input in an exhaustive way. CAS allows an attacker to insert data that modifies the behaviour of a particular desktop application. This makes it possible to extract data from inside of the users' systems. Attackers may gain the full privileges of the attacked application when exploiting CAS vulnerabilities; the attack is to some degree independent of the underlying operating system and hardware architecture. Initially discovered by Emanuele Gentili and presented with two other researchers (Alessandro Scoscia and Emanuele Acri) that had participated in the study of the technique and its implications, it was presented for the first time during the Security Summit 2010 in Milan.〔(Technical Slides )〕〔(Presentation Video (SecuritySummit 2010 Milano) )〕〔(Security Summit website )〕 The format string attack is very similar in concept to this attack and CAS could be considered as a generalization of this attack method. Some aspects of this technique have been previously demonstrated in clickjacking techniques. == Concept == Like web interfaces, modern frameworks for the realization of graphical applications (in particular GTK+ and Qt) allow the use of tags inside their own widgets. If an attacker gains the possibility to inject tags, he gains the ability to manipulate the appearance and behaviour of the application. Exactly the same phenomenon was seen with the use of cross-site scripting (XSS) in web pages, which is why this kind of behavior has been named cross-application scripting (CAS). Typically desktop applications get a considerable amount of input and support a large number of features, certainly more than any web interface. This makes it harder for the developer to check whether all the input a program might get from untrusted sources is filtered correctly. 抄文引用元・出典: フリー百科事典『 ウィキペディア(Wikipedia)』 ■ウィキペディアで「Cross-application scripting」の詳細全文を読む スポンサード リンク
|