[clug] Drive-By Pharming Attack Could Hit Home Networks
Martijn van Oosterhout
kleptog at svana.org
Mon Feb 19 09:18:17 GMT 2007
On Sun, Feb 18, 2007 at 08:49:32PM +0100, Kim Holburn wrote:
> <snip> JS can hijack all the links
> on a page, it can create a link that will appear to a cgi script that
> someone filled in a correct username and password and changed
> settings.
Have you tried this? Last time I checked the browser complained that I
was clicking on a link that already had a username/password embedded
and was I really sure. It's been that way ever since scams began using links
like:
http://ebay.com.au:sklfskfs@some.fake.ip/foo
While everything you say is true, conceptually nothing JS can generate
isn't something you can also do with straight HTML. The only difference
is that JS can change things on the fly, but browsers have "Show
generated HTML" these days anyway. Preventing attacks relies on not
caring if it was generated by JS or not, but if it is dangerous or not.
JS changes very little.
Have a nice day,
--
Martijn van Oosterhout <kleptog at svana.org> http://svana.org/kleptog/
> From each according to his ability. To each according to his ability to litigate.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://lists.samba.org/archive/linux/attachments/20070219/72c92208/attachment.bin
More information about the linux
mailing list