Cross-application scripting
Cross Application Scripting (CAS) is a vulnerability affecting desktop applications that do not check their input exhaustively. CAS allows an attacker to insert code that modifies the content of a desktop application, which makes it possible to extract sensitive data from users' systems. Attacks on CAS vulnerabilities can have very large consequences, as they could lead to the complete compromise of the targets regardless of their operating system or platform.
The technique was initially discovered by Emanuele Gentili and was presented for the first time at the Security Summit 2010 in Milan, together with two other researchers (Alessandro Scoscia and Emanuele Acri) who took part in studying the technique and its implications. This new attack technique proved to be very effective against well-known commercial as well as open source software companies.
The concept behind Cross Application Scripting (CAS)
Similarly to web interfaces, modern frameworks for building graphical applications (we are referring here to GTK and Qt, the most important multi-platform frameworks) allow the use of tags inside their widgets.
This makes it possible to format text in sophisticated ways and to display and manage multimedia content (pictures, audio, video) or interactive content (links). The growing amount of functionality, if not handled correctly, can lead to unintended uses of these technologies, such as manipulation of the GUI (graphical user interface). This is exactly the same phenomenon seen with XSS in a web page.
This is why we have decided to call this kind of behavior CAS (Cross Application Scripting). Desktop applications typically receive a considerable amount of input and support a large number of features, certainly more than any web interface.
This makes it harder for the developer to check that all the input a program might receive from untrusted sources is filtered correctly. Many programs are vulnerable to basic Cross Application Scripting, including multiple applications made by renowned companies.
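The widget-markup problem described above, shown as an added example that is not part of the original article or of the researchers' material: untrusted text interpolated into tag-based widget markup, next to the escaped form. The template string, the sample display name and the helper names are constructed for illustration, and Python's XML parser stands in for the toolkit's markup parser.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed sample: a display name received from an untrusted peer.
UNTRUSTED_NAME = (
    'alice</b> <a href="https://example.invalid/">'
    'Session expired, sign in</a><b>'
)

def escape_markup(text):
    """Escape &, <, > and both quote characters so text stays text."""
    return escape(text, {'"': "&quot;", "'": "&#39;"})

def build_markup_unsafe(name):
    """Vulnerable pattern: untrusted text concatenated into widget markup."""
    return "<span>New message from <b>" + name + "</b></span>"

def build_markup_safe(name):
    """Hardened pattern: escape the untrusted part before interpolation."""
    return "<span>New message from <b>" + escape_markup(name) + "</b></span>"

def tags_in(markup):
    """Tag names a markup-aware widget would interpret, in document order."""
    return [el.tag for el in ET.fromstring(markup).iter()]

def link_targets(markup):
    """Targets of every link element the widget would render as clickable."""
    return [el.get("href") for el in ET.fromstring(markup).iter("a")]

def visible_text(markup):
    """Text the user would see once the markup has been interpreted."""
    return "".join(ET.fromstring(markup).itertext())

if __name__ == "__main__":
    for label, build in (("unsafe", build_markup_unsafe),
                         ("safe", build_markup_safe)):
        markup = build(UNTRUSTED_NAME)
        print(label, tags_in(markup), link_targets(markup))
        print("  shown to user:", visible_text(markup))
```

In GTK the corresponding hardening is to pass untrusted text through `g_markup_escape_text()` or to use `gtk_label_set_text()` rather than `gtk_label_set_markup()`; in Qt it is to set the label's text format to `Qt::PlainText` or to use `QString::toHtmlEscaped()`.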
The concept of Cross Application Request Forgery (CARF)
If Cross Application Scripting is the desktop-application equivalent of XSS in web applications, then CARF (Cross Application Request Forgery) is the desktop-application equivalent of CSRF.
In CARF, the concepts of “link” and “protocol” inherited from the web are considerably extended, because they involve components of the graphical environment and, in some cases, of the operating system itself.
Exploiting vulnerabilities amenable to CSRF requires a certain amount of interaction from the user.
In many cases this is not particularly limiting, because the user can easily be led to perform certain actions if the graphical interface is altered in the right way. In fact, many misleading changes to the look of an application can be obtained with CAS: a new kind of “phishing”, made more dangerous by the lack of tools to detect this kind of attack outside of websites and emails.
Unlike XSS techniques, which can manipulate and later execute commands on the user's browser side, CAS makes it possible to talk directly to the operating system and not only to its graphical interface.