Cross-zone scripting
Cross-zone scripting is a browser exploit taking advantage of a vulnerability within a zone-based security solution. The attack allows content in unprivileged zones to be executed with the permissions of a privileged zone - i.e. a privilege escalation within the client executing the script. The vulnerability could be:
- a web browser bug which under some conditions allows content in one zone to be executed with the permissions of a higher privileged zone.
- a web browser configuration error, such as unsafe sites listed in privileged zones.
- a cross-site scripting vulnerability within a privileged zone.
This type of vulnerability has been exploited to silently install various malware onto computers browsing a malicious web page.
Origins of the zone concept
There are four well-known zones in Internet Explorer:
- Internet. The default zone. Everything which does not belong to other zones.
- Local intranet.
- Trusted sites. Usually used to list trusted sites which are allowed to execute with minimal security restrictions.
- Restricted sites.
There is also an additional hidden zone:
- Local Computer zone. This zone is particularly interesting because it can access files on the local computer. Historically this zone has been extremely insecure, but in recent versions of Internet Explorer steps have been taken to reduce the risks associated with this zone.
Examples
Into the local computer zone
This type of exploit attempts to execute code in the security context of the Local Computer zone. The following HTML is used to illustrate a naive attempt at exploitation:
A computer which considers intranet.example.com a part of the Local Intranet zone will now successfully be cross-zone scripted.
Into the trusted sites zone
A well-known example is a bug in Internet Explorer 6. It was discovered that the following URL
http://windowsupdate.microsoft.com%2f.example.com/
executed with "Trusted Sites" permissions if windowsupdate.microsoft.com was listed as a trusted site: the zone lookup treated the text before the percent-encoded slash (%2f) as the host, while the actual request went to a host under example.com.
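As an added illustration (not part of this article or of Internet Explorer's code), the following JavaScript mimics the parsing mistake behind the bug above and places it next to a classifier that splits the raw authority from the path before deciding on a zone. The zone names, the trusted-site list and the function names are assumptions made for this example.

```javascript
// Constructed trusted-site list for the example (assumption, not a real configuration).
const TRUSTED_SITES = new Set(["windowsupdate.microsoft.com"]);

// Flawed classifier: percent-decodes the whole URL first and then takes the text up
// to the first "/" as the host. Because "%2f" decodes to "/", the host is cut short
// and the URL is mis-zoned as the trusted site, which is the mistake described above.
function zoneNaive(url) {
  const decoded = decodeURIComponent(url);
  const m = /^https?:\/\/([^/]+)/i.exec(decoded);
  if (!m) return "Invalid";
  return TRUSTED_SITES.has(m[1].toLowerCase()) ? "Trusted sites" : "Internet";
}

// Hardened classifier: a standards-conformant parser (WHATWG URL) separates the
// authority from the path on the raw, undecoded string, so "%2f" can never end the
// host early. Anything that does not parse as a valid host is refused outright.
function zoneHardened(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch (e) {
    return "Invalid"; // a "/" inside the host is not a legal host
  }
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") return "Invalid";
  return TRUSTED_SITES.has(parsed.hostname.toLowerCase()) ? "Trusted sites" : "Internet";
}

// Stand-alone demonstration on the URL from the article.
const probe = "http://windowsupdate.microsoft.com%2f.example.com/";
console.log("naive:", zoneNaive(probe), "| hardened:", zoneHardened(probe));
```

The same check applies to any zone-style allow-list: decide the zone from the parsed host of the request that will actually be sent, never from a decoded copy of the string.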