
By Ryan Pavlik

What is the purpose of the first malicious wish text, and how does it work?
It is an image file that is not displayed, which causes the elves' browser
to load a page off the naughty kid's web server. This could be logged
(finding an internal IP address or similar, profiling the browser, etc.), or
could exploit a browser security hole/buffer overflow with a malformed image.

What is the purpose of the second malicious wish text, and how does it work?
This submits the contents of the viewing elf's browser cookie to the
attacker, by submitting it as a URL argument to a CGI script on the
attacker's server. This could reveal, for instance, the password for the
web application. By recording that cookie, the attacker could
impersonate the elf who viewed that wish.

How could Hermey and Rudolph thwart the first and second types of
attacks by altering the Web application? Alternatively, how could they
stop these attacks by changing the configuration of the analyst elves'
They could have the web application filter out HTML tags, or possibly
also the contents between them (to get rid of the script text, too).
They could also disable JavaScript and images in the analyst elves'
browsers, though this may disrupt navigation in the web app, if it was
not built to be dependent only on text. A safer route would be to
disable JavaScript and disable loading images from remote servers. This
last option can be found in the recent Mozilla and Mozilla Firebird
browsers (mozilla.org).
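
One way the web application could do the tag filtering described above, as an added example that is not part of the original submission or the challenge's code. The names `WishTextFilter` and `sanitize_wish` and the sample wishes are hypothetical; the output is also HTML-escaped so that entity-encoded markup cannot come back to life when the wish is displayed.

```python
from html import escape
from html.parser import HTMLParser

class WishTextFilter(HTMLParser):
    """Keeps only text: drops every tag, plus the contents of script/style."""
    DROP_CONTENT = {"script", "style"}

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts = []       # text fragments that survive filtering
        self.skip_depth = 0   # > 0 while inside a script/style element

    def handle_starttag(self, tag, attrs):
        # Tags (img, a, iframe, ...) are never copied to the output.
        if tag in self.DROP_CONTENT:
            self.skip_depth += 1

    def handle_endtag(self, tag):
        if tag in self.DROP_CONTENT and self.skip_depth:
            self.skip_depth -= 1

    def handle_data(self, data):
        if not self.skip_depth:
            self.parts.append(data)

def sanitize_wish(raw):
    """Return wish text that is safe to place inside an HTML page body."""
    f = WishTextFilter()
    f.feed(raw)
    f.close()
    text = " ".join("".join(f.parts).split())  # collapse whitespace
    # Escape what is left: entities such as &lt;script&gt; were decoded by
    # the parser and must be re-encoded before the wish is displayed.
    return escape(text, quote=True)

# Constructed sample wishes (not taken from the challenge).
SAMPLES = [
    'A pony <img src="http://naughty.example/x.gif" width="0" height="0">please',
    'A sled<script>/* sends document.cookie to a remote CGI script */</script> and skates',
    'Blocks &lt;b&gt;now&lt;/b&gt;',
]

if __name__ == "__main__":
    for wish in SAMPLES:
        print(sanitize_wish(wish))
```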

Beyond these browser-based attacks, Hermey was also concerned about
attackers submitting similar elements in children's wish lists submitted
via e-mail. What are two different methods for defeating such attacks by
altering an e-mail reader's configuration?
The simplest way of defeating this attack would be to disable HTML
rendering in the email reader. If this is not feasible, Hermey could
also disable JavaScript and remote images in email, which probably
should be disabled already. Additionally, if no HTML traffic was
desired, the mail server could be set to filter out HTML emails.

Thank you!

Ryan Pavlik



©Copyright 2004, Ed Skoudis