The WikiProject banner below should be moved to this article's talk page. If this is a demonstration of the template, please set the parameter |category=no to prevent this page being miscategorised.

Computer security: Computing A‑class High‑importance

This article is within the scope of WikiProject Computer security, a collaborative effort to improve the coverage of computer security on Wikipedia. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks.Computer securityWikipedia:WikiProject Computer securityTemplate:WikiProject Computer securityComputer security A This article has been rated as A-class on Wikipedia's content assessment scale. High This article has been rated as High-importance on the project's importance scale. This article is supported by WikiProject Computing (assessed as High-importance). Things you can help WikiProject Computer security with: Article alerts are available, updated by AAlertBot. More information... Review importance and quality of existing articles Identify categories related to Computer Security Tag related articles Identify articles for creation (see also: Article requests) Identify articles for improvement Create the Project Navigation Box including lists of adopted articles, requested articles, reviewed articles, etc. Find editors who have shown interest in this subject and ask them to take a look here.

The WikiProject banner below should be moved to this article's talk page. If this is a demonstration of the template, please set the parameter |category=no to prevent this page being miscategorised.

Computing: CompSci B‑class

This article is within the scope of WikiProject Computing, a collaborative effort to improve the coverage of computers, computing, and information technology on Wikipedia. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks.ComputingWikipedia:WikiProject ComputingTemplate:WikiProject ComputingComputing B This article has been rated as B-class on Wikipedia's content assessment scale. ??? This article has not yet received a rating on the project's importance scale. This article is supported by WikiProject Computer science. Things you can help WikiProject Computer science with: edit history watch purge Here are some tasks awaiting attention: Article requests : Requested articles/Applied arts and sciences/Computer science, computing, and Internet Cleanup : Computer science articles needing attention Computer science articles needing expert attention Copyedit : Computing Expand : Computer science Infobox : Computer science articles without infoboxes Maintain : Timeline of computing 2020–present Photo : Find pictures for the biographies of computer scientists (see List of computer scientists) Computing articles needing images Stubs : Computer science stubs Unreferenced : WikiProject Computer science/Unreferenced BLPs Project-related : Tag all relevant articles in Category:Computer science and sub-categories with {{WikiProject Computer science}}

The WikiProject banner below should be moved to this article's talk page. If this is a demonstration of the template, please set the parameter |category=no to prevent this page being miscategorised.

Internet B‑class High‑importance

This article is within the scope of WikiProject Internet, a collaborative effort to improve the coverage of the Internet on Wikipedia. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks.InternetWikipedia:WikiProject InternetTemplate:WikiProject InternetInternet B This article has been rated as B-class on Wikipedia's content assessment scale. High This article has been rated as High-importance on the project's importance scale.

Cross Application Scripting (CAS) is a vulnerability affecting desktop applications that don't check input in an exhaustive way. CAS allows an attacker to insert some code to edit the contents of a certain desktop application. This way it will be possible to extract sensible data from inside of the users' systems. Attacks to CAS vulnerabilities may have very large consequences as they could imply the complete compromission of the targets independently from their operating system or platform.

Initially discovered by Emanuele Gentili and presented with two other researchers (Alessandro Scoscia and Emanuele Acri) that have participated in the study of the technique and its implications, it was presented for the first time during the Security Summit 2010 in Milan. This new attacking technique showed to be very effective against well renowned commercial as well as open source software companies.

Similarly to web interfaces, modern frameworks for the realization of graphical applications (in particular GTK and QT, the most important multi-platform frameworks) allow the use of tags inside their own widgets.

This implies the possibility of formatting text in a particularly sophisticated way and representing and managing multimedia content (pictures, audio, video) or interactive ones (links). Of course the growing number of functionality, if not handled correctly, can lead to undesired use of the technologies, like the manipulation of the GUI (Graphical User Interface). Exactly the same phenomenon seen with the use of XSS in a web page, and this is why this kind of behavior has been defined CAS (Cross Application Scripting).

Typically desktop applications get a considerable amount of input and support a large number of features, certainly more than any web interface. This makes it harder for the developer to check whether all the input a program might get from untrusted sources is filtered correctly. Software vulnerable to basic Cross Application Scripting are many, including multiple applications made by renowned companies.

If Cross Application Scripting is the application equivalent for what XSS is for web applications, then CARF (Cross Application Request Forgery) is the equivalent for CSRF in desktop applications.

In the case of CARF the concept of “link” and “protocol” inherited from the web has been extremely extended being that it involves components of the graphical environment and, in some cases, directly of the operating system.

Exploiting vulnerabilities amendable to CSRF requires a certain interaction from the user.

This problem in many cases isn't particularly limiting for the fact that the user can be easily led to execute certain actions if the graphical interface is altered the right way. In fact, many misleading changes in the look of applications can be obtained with the use of CAS: a new kind of “phishing”, whose dangerousness is amplified by a lack of tools to detect this kind of attacks outside of websites or emails.

In opposition to XSS techniques, that can manipulate and later execute commands on the users' browser side, with CAS it is possible to talk directly to the operating system and not only its graphical interface.

• PDF Pubblication

• Slides technique presentation

• Presentation Movie (SecuritySummit 2010 Milan)

• Talk Presentation (Security Summit 2010 Milan)

• speaker Emanuele Gentili presentation

• speaker Emanuele Acri presentation

• speaker Alessandro Scoscia presentation