, SecurityFocus 2006-08-04
LAS VEGAS-- Exploiting a lack of security checks in browsers and Web servers, Web worms and viruses are likely to become a major threat to surfers, security researchers speaking at the Black Hat Briefings warned on Thursday.
"This isn't a proof of concept; this isn't academic," Hoffman told attendees at the Black Hat Briefings. "People are already doing this."
"We went from screwing around and having fun on MySpace to an attacker harvesting e-mail addresses to sell to spammers, all in less than 8 months," Hoffman said.
"We are back in the early days of the e-mail viruses where people were experimenting to see what can be done," he said.
"We don't need to hack the operating system anymore--everything you need to attack is online," Grossman said.
The Web worms also mark the comeback of meaningful cross-site scripting attack.
Considered by many security researchers to be a less-than-hackerly technique used by script kiddies, phishers and spammers to fool trusting users, cross-site scripting (XSS) is a key method for injecting malicious code into a victim's Web session. Cross-site scripting allows a malicious Web site to inject code into the context of another Web site; a user that believes they are interacting with a popular social networking site, might instead be loading a script in from some other malicious site.
"If you don't want your Web site to be helping spread malware, the best way to prevent it is to resolve your cross-site scripting issues," Grossman said.
SPI Dynamics' Hoffman agreed.
"If you don't do input validation with an application, you may hurt the user," Hoffman said. "If you don't do input validation on a Web application, your hurt the user and every other user."
A recent audit of popular social networking sites found that many of them have serious cross-site scripting issues that could be used to create Web worms.
Secure Sockets Layer (SSL) encryption, far from helping secure against such attacks, could instead aid them in dodging detection by intrusion detection, or prevention, systems, he said. If the Web site from which the attack is launched uses SSL, then the traffic--encrypted between the site and the user--cannot be parsed by a network-based IDS system.
The most permanent fix would be for browser makers to find ways to confirm that AJAX code is indeed running in the context of the current Web site being visited by a user, while marking Web requests with the source of the request--whether a human or a script--could limit attacks on high-value sites, such as brokerage firms and banks.
"We have made a call out to the browsers makers to fix the problems," Grossman said. "We hope it comes soon before the bad attacks happen."