To install click the Add extension button. That's it.

The source code for the WIKI 2 extension is being checked by specialists of the Mozilla Foundation, Google, and Apple. You could also do it yourself at any point in time.

How to transfigure the Wikipedia

Would you like Wikipedia to always look as professional and up-to-date? We have created a browser extension. It will enhance any encyclopedic page you visit with the magic of the WIKI 2 technology.

Try it — you can delete it anytime.

Install in 5 seconds
4,5
Kelly Slayton
Congratulations on this excellent venture… what a great idea!
Alexander Grigorievskiy
I use WIKI 2 every day and almost forgot how the original Wikipedia looks like.
Live Statistics
English Articles
Improved in 24 Hours
Added in 24 Hours
Languages
Recent
Show all languages
What we do. Every page goes through several hundred of perfecting techniques; in live mode. Quite the same Wikipedia. Just better.
Great Wikipedia has got greater.
.
Leo
Newton
Brights
Milds

Cross-application scripting

From Wikipedia, the free encyclopedia

Cross-application scripting (CAS) is a vulnerability affecting desktop applications that don't check input in an exhaustive way. CAS allows an attacker to insert data that modifies the behaviour of a particular desktop application. This makes it possible to extract data from inside of the users' systems. Attackers may gain the full privileges of the attacked application when exploiting CAS vulnerabilities; the attack is to some degree independent of the underlying operating system and hardware architecture.

Initially discovered by Emanuele Gentili and presented with two other researchers (Alessandro Scoscia and Emanuele Acri) that had participated in the study of the technique and its implications, it was presented for the first time during the Security Summit 2010 in Milan.[1][2][3]

The format string attack is very similar in concept to this attack and CAS could be considered as a generalization of this attack method. Some aspects of this technique have been previously demonstrated in clickjacking techniques.

YouTube Encyclopedic

  • 1/1
    Views:
    1 452
  • Security Focus Europe: MS12-004 midiOutPlayNextPolyEvent Heap Overflow

Transcription

Concept

Like web interfaces, modern frameworks for the realization of graphical applications (in particular GTK+ and Qt) allow the use of tags inside their own widgets. If an attacker gains the possibility to inject tags, he gains the ability to manipulate the appearance and behaviour of the application. Exactly the same phenomenon was seen with the use of cross-site scripting (XSS) in web pages, which is why this kind of behavior has been named cross-application scripting (CAS).

Typically desktop applications get a considerable amount of input and support a large number of features, certainly more than any web interface. This makes it harder for the developer to check whether all the input a program might get from untrusted sources is filtered correctly.

Cross-application request forgery

If cross-application scripting is the application equivalent for XSS in web applications, then cross-application request forgery (CARF) is the equivalent of cross-site request forgery (CSRF) in desktop applications.

In CARF the concept of “link” and “protocol” inherited from the web has been extended because it involves components of the graphical environment and, in some cases, of the operating system.

Exploiting vulnerabilities amenable to CSRF requires interaction from the user. This requirement isn't particularly limiting because the user can be easily led to execute certain actions if the graphical interface is altered the right way. Many misleading changes in the look of applications can be obtained with the use of CAS: a new kind of “phishing”, whose dangerousness is amplified by a lack of tools to detect this kind of attack outside of websites or emails.

In contrast to XSS techniques, that can manipulate and later execute commands in the users' browser, with CAS it is possible to talk directly to the operating system, and not just its graphical interface.

References

  1. ^ Technical Slides
  2. ^ Presentation Video (SecuritySummit 2010 Milano)
  3. ^ Security Summit website
This page was last edited on 10 December 2021, at 00:03
Basis of this page is in Wikipedia. Text is available under the CC BY-SA 3.0 Unported License. Non-text media are available under their specified licenses. Wikipedia® is a registered trademark of the Wikimedia Foundation, Inc. WIKI 2 is an independent company and has no affiliation with Wikimedia Foundation.
Contact WIKI 2
Introduction
Terms of Service
Privacy Policy