Local Cross-Site Scripting

I don’t like the term Cross-Site Scripting. We’re in need of better terminology for the kind of attacks we’re seeing against Acrobat Reader and Google Desktop. I think Amit Klein did a good job pointing out the terminology problem. But I’m not happy with any of the suggested terms I’ve heard.

XSS typically refers to scripting across domain boundaries. Instead of scripting across domain boundaries, we’re seeing vulnerabilities that allow for scripting on the local host. This type of vulnerability allows an attacker to read files and manipulate the local system. Web-apps have come of age. Web-apps are everywhere, even in applications that run locally on your system. I’m seeing a greater number of applications going this route. I see the advantages. It’s a quick way to build cross-platform applications. Not only that, you can use your existing web programs to get the job done.

The other day I came across an application that uses HTML documents for scripting. The app basically uses an MSHTML control to load “script” files. These script files are really nothing more than HTML docs being run in the context of the local system. The app uses VBScript to script a local ActiveX control. It’s easy to find people who can write JavaScript/VBScript code, so it would appear to be a good platform for scripting. The trouble is that it only takes one Cross-Site Scripting vulnerability to sink the system.

