On Thursday 05 July 2007 21:57, Simon Waters wrote:
> Tom Potts wrote:
>
>> I suspect we need to stop Javascript from accessing other websites (or
>
> IIRC javascript should be by default restricted to the originating domain
> - ie anything from offsite.org should not be able to access
> anywhere.onsite so visiting anywhere out of the LAN should not be able to
> access anywhere within the LAN. Should!
>
> Discussion is in and other places;
> http://www.symantec.com/avcenter/reference/Driveby_Pharming.pdf
>
> You just generate a page on the server with a script tag with the URL
> you want followed (GET), and the webpage causes the browser to attempt
> to access the URL in an attempt to fetch a page.
>
> I don't see offhand why a webpage with a lot of speculative (i.e.
> broken) image URLs wouldn't do just as well. The Javascript just makes
> it easier to do clever things client side, responding to the environment
> in which it finds itself, and what works (or fails).
>
> Similar techniques can be used to persuade other people's computers to
> perform abuse against a lot of websites and services.
>
> A good description of cross-site-request-forgeries is here;
>
> http://shiflett.org/articles/cross-site-request-forgeries
>
> The simple server side mistake is to change things on a GET, rather than
> a POST. I know I've written code that is vulnerable to such attacks, and
> I sure know we host other people's code that is vulnerable to the same.
> However there are other weaknesses in "all common browsers" that allow
> more sophisticated attacks using your regular javascript programming
> toolkit (although legitimate uses of iframes are fraught enough if you
> ask me).
All the above is valid - however it is also valid for any non-simple display type activity in a browser - Java applets, ActiveX, even PDF and Flash viewers have the potential to mess with your LAN (or the WAN), and as they are compiled they can do it a lot faster - and you don't get to read the code to find out what's happening! Javascript is not the problem - badly secured infrastructure is! If you don't want web pages to mess with your intranet, don't leave it visible to a web browser.

Tom te tom te tom

--
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/linux_adm/list-faq.html
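The "change things on a GET" mistake Simon describes, and the fix that takes the cross-site request out of the browser's hands, can be shown in a small in-process model. This is an added example written for this archive page, not code from either poster or from the list; the `Request`/`Session` shapes, the `/set_dns` handler and the DNS values are constructed assumptions standing in for a router-style settings page of the kind the drive-by pharming paper discusses. The vulnerable handler accepts a state change on a plain GET, which is exactly what a hostile page's `<img>` or `<script>` tag produces with the victim's session cookie attached; the hardened handler requires POST and a per-session anti-CSRF token that an off-site page cannot read.

```python
# Added example (not from the thread): a state-changing handler that is
# CSRF-vulnerable because it acts on GET, beside a hardened handler that
# requires POST plus a per-session token. Framework-free so it runs
# stand-alone; Request, Session and the /set_dns path are assumptions.
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    user: str
    # One secret token per session, rendered into the site's own forms.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    method: str
    path: str
    query: dict
    form: dict
    session: Session  # attached by the browser's cookie, whoever made the request


# Toy application state: the DNS server each user's "router" points at,
# standing in for the settings a drive-by pharming page tries to rewrite.
DNS_SETTINGS = {}


def vulnerable_set_dns(req):
    """The mistake: a state change performed on GET with no token.
    Any page the victim visits can trigger it with an image or script URL,
    because the browser sends the session cookie along automatically."""
    new_dns = req.query.get("dns")
    if new_dns is None:
        return 400, "missing dns"
    DNS_SETTINGS[req.session.user] = new_dns
    return 200, "updated"


def hardened_set_dns(req):
    """Hardened: only POST may change state, and the form body must carry
    the session's token, compared in constant time."""
    if req.method != "POST":
        return 405, "method not allowed"
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, req.session.csrf_token):
        return 403, "bad csrf token"
    new_dns = req.form.get("dns")
    if new_dns is None:
        return 400, "missing dns"
    DNS_SETTINGS[req.session.user] = new_dns
    return 200, "updated"


def simulate_cross_site_get(handler, session):
    """What a third-party page's speculative image/script URL causes:
    a GET carrying the victim's session but no form body and no token."""
    req = Request("GET", "/set_dns", {"dns": "192.0.2.53"}, {}, session)
    return handler(req)


def simulate_cross_site_post(handler, session):
    """A third-party page can auto-submit a POST form as well, but it
    cannot read the victim's token, so at best it sends a guess."""
    req = Request("POST", "/set_dns", {},
                  {"dns": "192.0.2.53", "csrf_token": "guess"}, session)
    return handler(req)


def simulate_legitimate_post(handler, session):
    """The site's own form was rendered with the token and submits it back."""
    req = Request("POST", "/set_dns", {},
                  {"dns": "198.51.100.1", "csrf_token": session.csrf_token},
                  session)
    return handler(req)


def demo():
    """Run the four cases against a fresh session and report each outcome."""
    DNS_SETTINGS.clear()
    s = Session("alice")
    return {
        "vulnerable_get": simulate_cross_site_get(vulnerable_set_dns, s),
        "hardened_get": simulate_cross_site_get(hardened_set_dns, s),
        "hardened_forged_post": simulate_cross_site_post(hardened_set_dns, s),
        "hardened_legit_post": simulate_legitimate_post(hardened_set_dns, s),
        "final_dns": DNS_SETTINGS.get("alice"),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, outcome)
```

Note that the POST-only rule alone is not enough: the forged-POST case shows why the token is needed, since a hostile page can submit a form cross-site but cannot read the token out of the victim's session. Real frameworks provide this token handling; the point of the model is to see which request the browser can be made to send from another origin and which one the server must refuse.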