[clug] Drive-By Pharming Attack Could Hit Home Networks
Kim Holburn
kim.holburn at gmail.com
Sun Feb 18 19:49:32 GMT 2007
On 2007/Feb/17, at 11:19 PM, Michael Cohen wrote:
> On Sat, Feb 17, 2007 at 03:41:44PM +0100, Kim Holburn wrote:
>> If a javascript got the router interface opened in an invisible
>> iframe and somehow got an enter or a click to the iframe after the
>> password manager filled in the details?
>
> Kim,
> That's the whole point of the JavaScript security model (if it works, that is).
I seem to remember that Java was designed with security in mind, but I
believe JavaScript came out of Netscape as an afterthought, very
basically based on the idea of Java, and has grown rather like Topsy
ever since (and been embraced and extended ;-). There are different
JavaScripts in different browsers and none have a good security
reputation.
> JS is not supposed to have access to windows or iframes which open to a
> different domain from where it came from, otherwise you could do the
> same with internet banking sites, or any other log in pages.
No-one seems to have thought of this scam yet but I expect you will
see it.
JavaScript can write just about what it wants into the current page.
You can create a whole page with JavaScript or rewrite one. How
could the browser really test for this? JS can hijack all the links
on a page; it can create a link that will appear to a CGI script as if
someone filled in a correct username and password and changed
settings. If it can't open a page from another site it can entice
you to open it and make the page look like something else. It can
make a page that gets all its resources from another site.
JavaScript is not secure in hostile hands.
As we do more and more business and system administration on-line and
through browsers and use more and more AJAX this sort of thing is
going to become more dangerous.
> From time to time people find vulnerabilities in this model, but they are
> more implementation problems than fundamental problems with the security
> model.
Hmmm... I think there are fundamental flaws in JavaScript. I still
use it though.
> Occasionally the model gets in the way too - especially when trying
> to implement single sign on type stuff from different domains. It assumes
> that domains are security boundaries - i.e. all scripts hosted by a certain
> domain are to be trusted with the same data. This fails, for example:
>
> 1) When a site is spread across a number of domains (e.g. sister sites in
> iframes etc.)
>
> 2) When a single site hosts code from multiple sources - not all of which are
> trusted - e.g. if a site uses the /~username/ convention to host different
> usernames - one user's JS can access another user's frames (because they both
> share the same domain). This type of problem is called cross site scripting
> (XSS) - which in its widest form means how to get scripting to cross site
> boundaries.
>
> For example, if a forum software is vulnerable to XSS, one user may be able to
> post to the forum some JS which gets users' cookies and sends them off. Then
> every user that views that post in the forum becomes compromised - this is
> because the script runs in the same domain as the forum.
--
Kim Holburn
IT Network & Security Consultant
Ph: +39 06 855 4294 M: +39 3342707610
mailto:kim at holburn.net aim://kimholburn
skype://kholburn - PGP Public Key on request
Democracy imposed from without is the severest form of tyranny.
-- Lloyd Biggle, Jr. Analog, Apr 1961
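The thread above describes a forged settings change that "appears to a CGI script" as a legitimate, logged-in submission from a hidden iframe. As an added example (not code from the thread or from any router vendor), here is the server-side check a router's admin CGI needs to reject such a cross-site request even though the browser attaches the victim's session cookie. It assumes a dict-like session and form, a settings endpoint reachable at 192.168.1.1 or router.local, and the Origin header, which browsers added after this 2007 discussion.

```python
"""Added example: CSRF defence for a router admin endpoint (constructed,
not the router's or the thread's own code)."""
import hmac
import secrets
from urllib.parse import urlsplit

# Assumption: the router's UI is only ever served from these origins.
ALLOWED_ORIGINS = {"http://192.168.1.1", "http://router.local"}


def issue_csrf_token(session):
    """Store a fresh unguessable token in the session; the admin form embeds it
    in a hidden field so a genuine submission can echo it back."""
    session["csrf_token"] = secrets.token_hex(16)
    return session["csrf_token"]


def request_origin(headers):
    """Prefer the Origin header; fall back to scheme://host[:port] of Referer.
    Script on a third-party page cannot set either header to a foreign value."""
    origin = headers.get("Origin")
    if origin:
        return origin.rstrip("/")
    referer = headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        if parts.scheme and parts.netloc:
            return f"{parts.scheme}://{parts.netloc}"
    return None


def is_settings_change_allowed(headers, form, session):
    """Return True only if the POST demonstrably came from the router's own UI.

    1. Origin/Referer must name the router itself, so a submission driven
       from an invisible iframe on another site is refused.
    2. The form must echo the per-session token; the same-origin policy
       discussed in the thread stops a foreign page from reading it.
    """
    if request_origin(headers) not in ALLOWED_ORIGINS:
        return False
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    if not expected or not isinstance(supplied, str):
        return False
    # Constant-time comparison on bytes avoids timing leaks and non-ASCII errors.
    return hmac.compare_digest(expected.encode(), supplied.encode())
```

A request that fails either check should be logged with its Origin/Referer value; a burst of rejected POSTs to the settings endpoint from a foreign origin is the signature of exactly the attack the thread describes.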