Re: Vulnerability in Netscape & Microsoft Web browsers

From: Paul Shields (shieldsat_private)
Date: Thu Nov 19 1998 - 13:46:57 PST


    Richard Reiner reports,
    [...]
    >    Full details, and HTML-based and Javascript-based demos, can be found at
    >    http://www.securexpert.com .
    
    Richard didn't disclose details on how webmasters can prevent their sites from being
    used as unwitting accomplices to this attack.  So here goes...
    
    It appears that the attacker needs to guess the name of the target frame, which for
    static pages is trivial. If this is true, then dynamically generated HTML can defeat the
    attack at the host side, by generating an address- or session-based frame name that is
    unguessable by the attacker.
    
    To do this, modify the frame name to use the hash of a secret appended to the remote's
    IP address:
    
        frame_name = original_name + SHA1( browser_IP_address + secret);
    
    
    cheers,
    
    --
    Paul Shields, mailto:shieldsat_private
    
    Custodian Software Inc. 962 Bloor Street West Toronto, Ontario M6H 1L6
    Tel: +1 416 537-0015   Fax: +1 416 536-5793
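
The frame-naming scheme described in the message above, as an added example that is not part of the original post: a server derives the frame name per client and recomputes it wherever a link targets that frame. It swaps the post's SHA1(ip + secret) for HMAC-SHA256; the function names, `SERVER_SECRET`, the frame layout and the sample addresses are assumptions made for illustration.

```python
import hashlib
import hmac
import html
import secrets

# Constructed server-side secret; a real deployment would load it from protected config.
SERVER_SECRET = secrets.token_bytes(32)


def frame_name(original_name: str, client_id: str, secret: bytes = SERVER_SECRET) -> str:
    """Return original_name plus a keyed hash of the client identifier.

    client_id is the browser's IP address, as in the post, or a session ID.
    HMAC-SHA256 stands in for the post's SHA1(ip + secret).
    """
    tag = hmac.new(secret, client_id.encode("utf-8"), hashlib.sha256).hexdigest()[:32]
    return f"{original_name}_{tag}"


def render_frameset(client_id: str, secret: bytes = SERVER_SECRET) -> str:
    """Frameset page whose frames carry per-client names instead of static ones."""
    nav = html.escape(frame_name("nav", client_id, secret), quote=True)
    content = html.escape(frame_name("content", client_id, secret), quote=True)
    return (
        '<frameset cols="20%,80%">\n'
        f'  <frame name="{nav}" src="/nav">\n'
        f'  <frame name="{content}" src="/home">\n'
        "</frameset>"
    )


def render_nav(client_id: str, links, secret: bytes = SERVER_SECRET) -> str:
    """Navigation page: the target name is recomputed per request, never stored."""
    target = html.escape(frame_name("content", client_id, secret), quote=True)
    return "\n".join(
        f'<a href="{html.escape(href, quote=True)}" target="{target}">{html.escape(text)}</a>'
        for href, text in links
    )


if __name__ == "__main__":
    # Constructed sample clients (documentation address ranges).
    for ip in ("192.0.2.10", "198.51.100.7"):
        print(ip, "->", frame_name("content", ip))
    print(render_frameset("192.0.2.10"))
    print(render_nav("192.0.2.10", [("/account", "Account")]))
```

Clients that reach the server through the same proxy or NAT address receive the same frame name, so keying on a session ID (the post's "session-based" variant) separates them.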
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:24:01 PDT