To see what can happen, consider this attack scenario: you find yourself surfing to a site belonging to an attacker, or even to an innocent Web site that hosts content from millions of other users, such as a social networking site, an auction site or a Web-based email site. (An innocent Web site is just as likely to propagate an XSS flaw if it doesn't properly scrub user input to filter out browser scripts.) Once there, evil script programs are dutifully passed down to your browser. The browser then runs the scripts, interpreting them as being sent by the site.
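The "doesn't properly scrub user input" failure is easiest to see in code. The following is an added example, not from the original article: a comment-rendering template done the vulnerable way beside the same template with output encoding, plus a small check that flags any tag the template itself did not emit. The function names and the sample comment are constructed for illustration.

```javascript
// Added example (not part of the original article). Runs under Node.js;
// no browser is needed. All inputs below are constructed.

// Encode the five characters that let text break out of an HTML text or
// attribute context. Encoding at render time, for the context the value
// lands in, is the reliable fix; trying to blacklist "<script>" on the way
// in is not. Note: this is for HTML body/attribute context only, not for
// values placed inside <script> blocks, URLs or CSS.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: user-controlled text is concatenated straight into markup, so
// a stored comment is interpreted by every visitor's browser as the site's
// own HTML and script, with the site's authority.
function renderCommentUnsafe(author, comment) {
  return `<div class="comment"><b>${author}</b>: ${comment}</div>`;
}

// Hardened: the same template, with every untrusted value encoded.
function renderCommentSafe(author, comment) {
  return `<div class="comment"><b>${escapeHtml(author)}</b>: ${escapeHtml(comment)}</div>`;
}

// Check for tests and review: does the rendered fragment contain any tag
// other than the ones our own template emits?
const ALLOWED_TAGS = new Set(["div", "/div", "b", "/b"]);
function hasForeignTag(html) {
  const tagRe = /<\s*(\/?[a-zA-Z][a-zA-Z0-9]*)/g;
  for (const m of html.matchAll(tagRe)) {
    if (!ALLOWED_TAGS.has(m[1].toLowerCase())) return true;
  }
  return false;
}

// Constructed sample: a comment that carries markup, as a user might submit.
const SAMPLE_COMMENT = "Nice item! <script>evil()</script>";

// Returns both renderings so the difference can be inspected or asserted on.
function demo() {
  return {
    unsafe: renderCommentUnsafe("mallory", SAMPLE_COMMENT),
    safe: renderCommentSafe("mallory", SAMPLE_COMMENT),
  };
}
```

Running `hasForeignTag` over the two renderings shows the unsafe one carrying a tag the template never wrote, while the encoded one is plain text to the browser.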
"And then what?" you ask. Well, mayhem ensues. A script, running in the browser, can do anything you can do on that site: bid on an auction, buy stuff or expand your buddy list to include unsavory people. But it gets worse. The script could scrape your browser history to see if you've visited any embarrassing Web sites, and in turn forward the information back to the attacker. The script could also use the browser to start scanning other Web servers, perhaps even those inside of your corporation's firewall.
It's astounding what is being done with browser scripts these days. And, all of this is possible just because you surfed to the attacker's site, or viewed an attacker's content on a third-party location. For more details on these threats, check out the startling presentation by Billy Hoffman at this year's Shmoocon show, an East Coast hacking convention.
So in a nutshell, an attacker can use the browser to wield bot-like control of a victim's machine. Sure, there are restrictions on what scripts can do in a browser. They can't directly access any file in the file system or run arbitrary programs on the machine, for example, but clever researchers are finding ways to either dodge those restrictions or live within them to achieve powerful controls.
What can you do to defend yourself? On highly sensitive machines, you may want to disable browser scripts altogether. Also, make sure you keep your antivirus tool up to date. And, watch this trend carefully. There's big stuff coming in this realm, to be sure.
Related Q&A from Ed Skoudis