https://dl.acm.org/doi/10.1145/1653662.1653713

BibTeX

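% ACM DL export for the CCS 2009 paper that introduces cross channel scripting (XCS).
% Normalised for classic BibTeX: acronym brace-protected in the title, page range
% written with "--", and typographic quotes replaced by ASCII apostrophes.
@inproceedings{10.1145/1653662.1653713,
  author    = {Bojinov, Hristo and Bursztein, Elie and Boneh, Dan},
  title     = {{XCS}: Cross Channel Scripting and Its Impact on Web Applications},
  booktitle = {Proceedings of the 16th {ACM} Conference on Computer and Communications Security},
  series    = {CCS '09},
  location  = {Chicago, Illinois, USA},
  publisher = {Association for Computing Machinery},
  address   = {New York, NY, USA},
  year      = {2009},
  pages     = {420--431},
  numpages  = {12},
  isbn      = {9781605588940},
  doi       = {10.1145/1653662.1653713},
  url       = {https://doi.org/10.1145/1653662.1653713},
  keywords  = {xss, xcs, web security, embedded web servers, embedded devices},
  abstract  = {We study the security of embedded web servers used in consumer electronic devices, such as security cameras and photo frames, and for IT infrastructure, such as wireless access points and lights-out management systems. All the devices we examine turn out to be vulnerable to a variety of web attacks, including cross site scripting (XSS) and cross site request forgery (CSRF). In addition, we show that consumer electronics are particularly vulnerable to a nasty form of persistent XSS where a non-web channel such as NFS or SNMP is used to inject a malicious script. This script is later used to attack an unsuspecting user who connects to the device's web server. We refer to web attacks which are mounted through a non-web channel as cross channel scripting (XCS). We propose a client-side defense against certain XCS which we implement as a browser extension.},
}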