T 5.173 Integration of third party data and malicious code in web applications
If the input and output data of a web application is validated insufficiently, an attacker may integrate content such as malicious code for manipulating the web application of the client (e.g. web browser). The integrated data is presented to the user within the security context of the web application. Accordingly, the user of the web application cannot or only to a limited extent identify the manipulated parts of the web application. This way, the attacker can exploit the position of trust of the authenticated user regarding the web application.
Both the clients and the servers of the web application may be subject to an attack by the integrated malicious code. For example, data embedded by an attacker may contain malicious code to be executed on the clients (e.g. for reading confidential data) or forged login forms designed to steal access data. If the integrated program code is executed in the web application, the operating system underlying the web application may also be compromised.
Examples:
- Parameters in the URL can be used to integrate third party content into dynamic websites in a way that cannot be distinguished from the content of the web application itself (e.g. http://host.tld/index.php?frame=http://angreifer.tld&title=modified title). Here, the transmitted title parameter is embedded in the returned page as the title of the HTML document, and the frame parameter is used as the source of a frame on the page. This way, arbitrary content and program code (e.g. JavaScript) can be integrated into the website via the parameter values.
- A forwarding function accepts any value as the target address. A manipulated parameter can then be used by an attacker to induce forwarding to untrustworthy websites (e.g. http://host.tld/redirect.php?target=http://angreifer.tld). Because the link starts at the domain of the web application, the user expects to be forwarded to a trustworthy address. The attacker may use this to carry out a phishing attack by forwarding the user to a forged login page that collects access data.
- Third party content of partners (e.g. ads in an iframe) can be integrated into web applications. Normally, this content is controlled by the partner and not by the operator of the web application. If the partner integrates malware or undesirable content, this may damage the reputation of the web application operator, because the user sees the content in the context of the web application. Furthermore, the users' clients may be infected and thus compromised by the malware.
- The upload function of the web application can be used to save arbitrary files into the directory structure on the server. This way, malicious scripts may be stored for execution by the web application, or existing files (e.g. configuration files) may be overwritten. Uploading large amounts of data may also impair the service.
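The first two examples (reflected title and frame parameters, and the open forwarding function) share one countermeasure: treat the parameter as untrusted, escape it for the context it is written into, and allow only forwarding or framing targets that are site-local or on an explicit allow list. The following Python snippet is an added illustration, not part of the catalogue or of any product; host.tld and partner.host.tld are assumed placeholder hosts.

```python
import html
from urllib.parse import urljoin, urlsplit

# Assumed origin of the web application and the hosts it may frame or
# redirect to (placeholders for this example; partner.host.tld is invented).
APP_ORIGIN = "https://host.tld"
ALLOWED_HOSTS = {"host.tld", "partner.host.tld"}


def is_allowed_target(target: str) -> bool:
    """Accept only site-local paths or https URLs to allow-listed hosts."""
    if "\\" in target or any(ord(c) < 0x20 for c in target):
        return False  # backslashes and control chars confuse browser URL parsing
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "":
        # Plain path: keep it local, reject protocol-relative //angreifer.tld
        return target.startswith("/") and not target.startswith("//")
    # Absolute URL: scheme must be https and the host (not the netloc, which
    # may carry userinfo such as host.tld@angreifer.tld) must be allow-listed.
    return parts.scheme == "https" and parts.hostname in ALLOWED_HOSTS


def safe_location(target: str, fallback: str) -> str:
    """Resolve target against the app origin, or fall back to a fixed local URL."""
    return urljoin(APP_ORIGIN, target if is_allowed_target(target) else fallback)


def render_page_vulnerable(title: str, frame: str) -> str:
    """Reflects both parameters verbatim, as in the threat's first example."""
    return (f"<html><head><title>{title}</title></head>"
            f'<body><iframe src="{frame}"></iframe></body></html>')


def render_page_hardened(title: str, frame: str) -> str:
    """Escape the title for HTML context; frame only allow-listed sources."""
    safe_title = html.escape(title, quote=True)
    frame_src = safe_location(frame, "/default.html")
    return (f"<html><head><title>{safe_title}</title></head>"
            f'<body><iframe src="{frame_src}"></iframe></body></html>')


if __name__ == "__main__":
    # Constructed request parameters mirroring the catalogue's examples.
    print(safe_location("http://angreifer.tld", "/"))  # stays on https://host.tld/
    print(render_page_hardened("</title><b>x</b>", "//angreifer.tld"))
```

The same allow-list check applies to the redirect.php target: the Location header should be built from safe_location(), never from the raw parameter.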