Most Dangerous -- Browser Hooking
Browser hooking -- the next attack vector on Ed Skoudis's <a href="http://cybersecurityreport.nextgov.com/2010/03/most_dangerous_attacks_-_day_1.php">most dangerous list</a> -- is stealthy, damaging and found all over the place.
Browser hooking -- the next attack vector on Ed Skoudis's most dangerous list -- is stealthy, damaging and found all over the place.
While the terminology can get a bit dicey, the concept is really rather simple. A bad guy posts content to a Web site that doesn't have the resources or understanding to filter it. The content can come in many forms; a status update on a social networking site, a comment on a video, an auction at an auction site, a document stored online, or any place that lets people post stuff for others to read. They call this a cross-site-scripting flaw (XSS).
From there a victim uses a Web browser to surf to a site and read the content. When the bad guy's content reaches the victim's browser, it runs. Running inside the browser, the malicious browser script can do anything that a user can do on the Web site it was fetched from. This includes but is not limited to posting data or even engaging in a transaction.
"This kind of attack is nearly impossible to avoid unless you just abandon the modern Internet," Skoudis said.
And it's prevalent too. This attack has been found in some of the world's most popular social networking sites. Twitter has had several XSS flaws, where one person would Tweet a script and then anyone who read the Tweet would automatically retweet it. MySpace had a big issue several years ago with the "Samy Worm." Google also had such a flaw. There are thousands of examples.
So how about the most important question: How do I protect myself? No one browser is safer than another. "Any browser that supports JavaScript, and other active execution technologies like Flash, Microsoft SilverLight, and others, could come under attack," said Skoudis. But one thing a Web surfer can do, according to Skoudis, is to use software that can help control or limit browser scripts. Internet Explorer 8 has such a feature built in called their "XSS Filter Feature." For Firefox there is a plug in called "NoScript."
For Webmasters, the best defense is to filter incoming data to remove characters that are associated with scripts, and to encode the output from your Web site so that it is rendered harmless when read in a browser, Skoudis told me. Here's a detailed technical article on this from Skoudis and Frank Kim.