[ISN] Researchers warn on emerging web hack

From: InfoSec News (alerts@private)
Date: Mon Apr 02 2007 - 02:17:34 PDT


http://www.techworld.com/security/news/index.cfm?newsID=8427

By John E. Dunn
Techworld
30 March 2007

The threat from cross-site scripting (XSS) web attacks could get 
dramatically worse if hackers start combining it with cross-site request 
forgery (CSRF) attacks, researchers have claimed.

Visitors to this weekend's Black Hat security conference in Amsterdam 
will hear Ernst & Young researchers detail how such a synthesis of 
attack types could be used to greatly increase the effectiveness 
compared to using the attacks on their own.

Researchers will demonstrate two attack types, the first of which will 
show how to use an easy-to-infect social networking website as a proxy 
for an attack on a credit union by hijacking a user's session. The second 
will show how the same principle of hijacking a user's browser can be 
used to evade conventional database security in a company network, which 
would exclude any external source from sending database queries.

In both examples, the attack appears to come from the hijacked machine 
rather than the real source. CSRF is used to execute the veiled attack, 
with XSS used to get session feedback.

"We're in a stage now where people know about it, but are ignoring it, 
and that's kind of dangerous," Billy Rios of Ernst & Young told a 
third-party source. "We will show how when you use the two in 
combination, you can use the strength of one to overcome the weakness of 
the other," he said.

While XSS attacks are the bane of web and e-commerce security, CSRF is 
less well documented, though just as powerful, the researchers will claim. 
Such a technique is much harder to do anything about because it depends 
on hijacking legitimate sessions, something that is inherently hard to 
detect.
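The two paragraphs above describe why the pairing works: a CSRF defence checks that a state-changing request really came from the site's own pages, which a script running inside that origin via XSS can satisfy. The following added example (not from the article or the researchers' talk) implements the standard synchronizer-token plus Origin check on a constructed request model; the origin `https://bank.example`, the `make_request` helper and the request shape are assumptions for illustration. The demo's third case shows the limit the article points to: a request sent from the site's own origin with a token it could read is indistinguishable from a legitimate one, so the XSS itself must be fixed.

```python
import hmac
import secrets
from urllib.parse import urlparse

# Hypothetical origin of the protected site (not from the article).
SITE_ORIGIN = "https://bank.example"


def issue_csrf_token(session):
    """Bind a fresh random token to the server-side session and return it."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def is_state_change_allowed(request, session):
    """Return True only for a request that is plausibly same-origin.

    Checks: a token exists in the session, the Origin (or Referer) header
    names this site, and the submitted token matches the session token
    using a constant-time comparison.
    """
    expected_token = session.get("csrf_token")
    if not expected_token:
        return False
    origin = request["headers"].get("Origin") or request["headers"].get("Referer")
    if not origin:
        return False
    got, want = urlparse(origin), urlparse(SITE_ORIGIN)
    if (got.scheme, got.netloc) != (want.scheme, want.netloc):
        return False
    submitted = request["form"].get("csrf_token", "")
    return hmac.compare_digest(submitted, expected_token)


def make_request(origin, token=None):
    """Constructed minimal request: headers and form fields only."""
    return {"headers": {"Origin": origin} if origin else {},
            "form": {"csrf_token": token} if token is not None else {}}


def demo():
    session = {}
    token = issue_csrf_token(session)
    # 1. Forged from a third-party page: foreign Origin, no token -> rejected.
    forged = make_request("https://social.example")
    # 2. Token leaked but request still cross-site -> rejected by Origin check.
    leaked = make_request("https://social.example", token)
    # 3. Sent from our own origin with the readable token (legitimate form,
    #    or script injected via XSS): the CSRF check cannot tell them apart.
    in_origin = make_request(SITE_ORIGIN, token)
    return (is_state_change_allowed(forged, session),
            is_state_change_allowed(leaked, session),
            is_state_change_allowed(in_origin, session))
```

Detection on the server side therefore has to look elsewhere: the origin check stops the proxy-style cross-site request, while the in-origin case only disappears once the injected script does.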

"Any kind of client-side vulnerability that's leveraged by using it in 
combination with another one expands your [the attacker's] arsenal," said 
Rios.
