Tom Potts wrote:
>
>> >> I suspect we need to stop Javascript from accessing other websites (or
>
> IIRC javascript should be by default restricted to the originating domain - ie
> anything from offsite.org should not be able to access anywhere.onsite so
> visiting anywhere out of the LAN should not be able to access anywhere within
> the LAN. Should!

Discussion is in and other places;
http://www.symantec.com/avcenter/reference/Driveby_Pharming.pdf

You just generate a page on the server with a script tag with the URL you want followed (GOT), and the webpage causes the browser to attempt to access the URL in an attempt to fetch a page.

I don't see offhand why a webpage with a lot of speculative (i.e. broken) image URLs wouldn't do just as well. The Javascript just makes it easier to do clever things client side, responding to the environment in which it finds itself, and what works (or fails).

Similar techniques can be used to persuade other people's computers to perform abuse against a lot of websites and services.

A good description of cross-site-request-forgeries is here;
http://shiflett.org/articles/cross-site-request-forgeries

The simple server side mistake is to change things on a GET, rather than a POST. I know I've written code that is vulnerable to such attacks, and I sure know we host other people's code that is vulnerable to the same.

However there are other weaknesses in "all common browsers" that allow more sophisticated attacks using your regular javascript programming toolkit (although legitimate uses of iframes are fraught enough if you ask me).
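The server-side mistake named in the message above (state changed on a GET), set beside a handler that only changes state on a POST carrying a per-session token. This is an added example, not code from the original message; the handler names, the `forward_to` setting and the token check are assumptions for illustration, and the token goes one step beyond the GET/POST point because a cross-site form can also be auto-submitted as a POST.

```python
import hmac
import secrets

settings = {"forward_to": "owner@example.org"}  # constructed application state
sessions = {}  # session id (cookie) -> CSRF token embedded in the real form


def login():
    """Create a session; return (cookie value, token placed in the form)."""
    sid, token = secrets.token_hex(16), secrets.token_hex(16)
    sessions[sid] = token
    return sid, token


def handle_vulnerable(method, params, cookie):
    """Changes state on any method, authorised by the cookie alone."""
    if cookie not in sessions or "forward_to" not in params:
        return 403
    settings["forward_to"] = params["forward_to"]
    return 200


def handle_hardened(method, params, cookie):
    """Changes state only on a POST that carries the session's token."""
    if method != "POST":
        return 405  # GET stays free of side effects
    expected = sessions.get(cookie)
    supplied = params.get("csrf_token", "")
    if expected is None or not hmac.compare_digest(expected, supplied):
        return 403  # the cookie was sent automatically, the token was not
    if "forward_to" not in params:
        return 400
    settings["forward_to"] = params["forward_to"]
    return 200


def cross_site_requests(handler):
    """Replay what a browser sends for an off-site tag or auto-submitted form:
    the user's cookie is attached, the per-session token is unknown."""
    settings["forward_to"] = "owner@example.org"
    cookie, token = login()
    forged = {"forward_to": "other@example.net"}  # constructed request
    statuses = [handler("GET", forged, cookie), handler("POST", forged, cookie)]
    changed_by_forgery = settings["forward_to"] != "owner@example.org"
    own = handler("POST", {**forged, "csrf_token": token}, cookie)
    return statuses, changed_by_forgery, own
```

`cross_site_requests` returns the status codes for the two cross-site requests, whether either of them altered the setting, and the status of the user's own form submission.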
-- The Mailing List for the Devon & Cornwall LUG http://mailman.dclug.org.uk/listinfo/list FAQ: http://www.dcglug.org.uk/linux_adm/list-faq.html