Posts Tagged With ‘XSS Vulnerabilities’


XSS Vulnerabilities Can Affect Embedded Browsers in Mobile Apps

A security researcher has noted that the use of embedded browsers in mobile applications can make those applications vulnerable to cross site scripting attacks. Developers of mobile software have found it can be effective to embed a smartphone operating system’s web browser and then create their user interface using HTML, CSS and JavaScript. The user interface is then more portable to other devices and is easier to customise using CSS. But this convenience comes at a cost. Researcher Kyle Osborn, who is presenting his findings at TakedownCon, found that some developers don’t clean the data being sent to their HTML-based user interface.  Read more…


Google Earth, other mobile apps leave door open for scripting attacks

In the rush to create mobile apps that work across the leading smartphones and tablets, many developers have leaned heavily on web development tools and use embedded browsers as part of their packaged applications. But security researchers have shown that relying on browser technology in mobile apps—and even some desktop apps—can result in hidden vulnerabilities in those applications that can give an attacker access to local data and device features through cross-site scripting.

At today’s TakeDownCon security conference in Las Vegas, researcher Kyle Osborn will present some examples of cross-site scripting attacks that he and colleagues have discovered on mobile devices. “XSS is generally considered to be a browser attack,” Osborn said in an interview with Ars Technica. But many applications, he said, such as those built with cross-platform mobile-development tools like PhoneGap, use HTML rendering to handle display of data. If applications aren’t properly coded, it’s possible for JavaScript or other web-based attacks to be injected into them through externally-provided data. “Often, there are times when you can just make a JavaScript request and pull files from the local filesystem,” he said. Read more…