Web of Worry
Also worrisome is that more third-party ActiveX controls are being worked into business applications. With third-party ActiveX controls, it's up to the user to find the necessary fixes, whereas ActiveX controls built into Windows can be fixed via a Microsoft security update, Stewart says. More Trojans are taking advantage of third-party ActiveX controls since updates are less frequent.
"Average users are sitting ducks," he says. "The more of these they install on their machines, the more vulnerable they are."
Ed Skoudis, a SANS instructor and founder and senior consultant with consulting firm Intelguardians, shares Stewart's concerns.
"Browser scripting attacks are something that concerns me a lot," he says. "With Web 2.0, we have millions of people surfing to Web sites to view content posted by hundreds of thousands of people. Google, eBay, MySpace and YouTube are all based on this model. If someone posts evil browser scripts along with their content, the bad guy can gain complete access to the browsers, and worse yet, the network infrastructure on which the browsing machine resides."
The threat is especially dire in the enterprise, Skoudis says, because companies have Web enabled most major applications and use browsers to manage critical IT infrastructure.
"Consider this scenario: we have an enterprise application, perhaps an e-commerce application, an enterprise security tool, or the cash management system of a bank," he says. "Suppose that the application logs various aspects of given transactions, such as transaction variables, date, time, etc. Also, it will likely log the user agent string presented by the browser of an application user. I've seen attacks in which the bad guy puts a malicious browser script in their user-agent string of the browser. They then engage in a transaction, leaving that malicious browser script in the application's logs."
Then, Skoudis explains, when an administrator uses a browser to access a Web-based application to view the logs, the attacker's script is delivered to the admin's browser, where it runs. It can then do anything in that application that an administrator can do, such as transferring money or shutting off security. "As we move more of our applications to Web services, the threat grows even bigger," he adds.
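The log-viewer scenario Skoudis describes, as an added example that is not from the article: a minimal viewer that renders the User-Agent field of request log lines as HTML, first interpolating the raw string (the flaw), then HTML-encoding each field so a script left in the log is shown as text rather than run in the administrator's browser, plus a review heuristic that flags log entries whose User-Agent carries markup. The log lines, field layout and function names are constructed for this example.

```python
"""Added example (not the article's code): vulnerable vs. hardened rendering of
logged User-Agent strings in a web-based log viewer, with a review heuristic."""
import html
import re

# Constructed sample log lines: "timestamp<TAB>client<TAB>user-agent".
SAMPLE_LOG = [
    "2007-03-01T10:15:00\t192.0.2.10\tMozilla/5.0 (Windows NT 5.1) Firefox/2.0",
    "2007-03-01T10:16:12\t192.0.2.44\t<script>alert(1)</script>",
    "2007-03-01T10:17:30\t192.0.2.51\tMozilla/4.0 (compatible; MSIE 7.0)",
]


def parse_log_line(line):
    """Split one constructed log line into (timestamp, client, user_agent)."""
    ts, client, ua = line.split("\t", 2)
    return ts, client, ua


def render_row_vulnerable(line):
    """Interpolates the raw User-Agent into HTML: whatever the client sent
    becomes part of the page the administrator views."""
    ts, client, ua = parse_log_line(line)
    return f"<tr><td>{ts}</td><td>{client}</td><td>{ua}</td></tr>"


def render_row_hardened(line):
    """Same view with output encoding of every logged field, so '<' and '>'
    reach the browser as &lt; and &gt; and are displayed, not interpreted."""
    ts, client, ua = parse_log_line(line)
    cells = "".join(f"<td>{html.escape(f, quote=True)}</td>" for f in (ts, client, ua))
    return f"<tr>{cells}</tr>"


# Review heuristic: a legitimate User-Agent never opens an HTML tag.
MARKUP = re.compile(r"<\s*/?\s*[a-zA-Z]")


def suspicious_user_agents(lines):
    """Return (timestamp, client) of entries whose User-Agent contains markup."""
    return [(ts, client) for ts, client, ua in map(parse_log_line, lines)
            if MARKUP.search(ua)]


if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(render_row_hardened(entry))
    print("entries to review:", suspicious_user_agents(SAMPLE_LOG))
```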