-
July 8th, 2010, 02:33 PM
#11
Well there is the problem! Letting IE save your passwords is a major problem because all an XSS attack needs to know is where IE stores them. There is also a plethora of tools that crack IE in this same fashion. Tell your friends that storing their passwords is more dangerous than worrying about key loggers. =P
-
July 9th, 2010, 11:52 AM
#12
Yep... Snuggles is right.
A lot of those malware target the pstore file specifically.
MLF
Last edited by morganlefay; July 9th, 2010 at 11:56 AM.
Reason: spell as usual
How people treat you is their karma- how you react is yours-Wayne Dyer
-
July 9th, 2010, 12:02 PM
#13
Hi Guys,
Thanks for that. They weren't saving it in native I.E.; it was a toolbar plugin that saves it. Would this have the same effect as you suggest above? Wouldn't AV stop this attack?
The world is a dangerous place to live; not because of the people who are evil, but because of the people who don't do anything about it.
Albert Einstein
-
July 9th, 2010, 12:50 PM
#14
Toolbar that stores passwords???
That's just wrong on so many levels... I have no words.
And no... AV doesn't stop a lot of these things.
MLF
-
July 9th, 2010, 03:08 PM
#15
You see, the beauty of XSS is that it is your browser that runs the code. There are some protections you can do, like turning scripts off or blocking most of them, but AV won't really stop a malicious site. NoScript even has problems blocking malicious scripts from time to time. Also, I agree with Morgan, a plug-in that saves passwords sounds shady at best. I suggest changing passwords and not using IE or that plug-in/toolbar.
Last edited by SnugglesTheBear; July 9th, 2010 at 03:16 PM.
-
July 12th, 2010, 03:07 PM
#16
Cool, thanks for all the replies.
-
July 12th, 2010, 03:23 PM
#17
Originally Posted by SnugglesTheBear
I suggest changing passwords and not using IE or that plug-in/toolbar
People wouldn't have these issues if they didn't run as Administrator, ran their updates regularly and didn't continually download nakedbritneyspears.JPG.exe all the time..
The not using IE thing is a load of bull... Heck, I am still using IE7, not because I have to, or I can't update etc. I use it because I like it, and it suits my needs and does what I want.
-
July 13th, 2010, 05:20 PM
#18
Well, not only does IE not conform to W3C standards like the rest of the world, it is bloated and inefficient IMO. What you say is true though hybrid, if you don't run as administrator you can minimize the amount of damage an XSS attack could do. However, they can still have their sessions/private information stolen via an XSS attack. But that is a problem with many popular browsers. The big problem with IE and especially older versions of IE, like IE7, in terms of security is its use of ActiveX. Yes you can disable it, but there exists code that can unset the killbit for ActiveX and so disabling it doesn't really work. ActiveX alone can give a rogue script complete access to your machine and results in a drive-by download. This is a huge security flaw thanks to the designers at M$. Eventually M$ just did away with all the ActiveX nonsense, but you would appear to still have it =P But if you want a recent example, in January 2010, there was a big exploit targeting older versions of I.E. with a 0day. Here is a link detailing it =P
http://praetorianprefect.com/archive...oit-in-action/
The funny thing is that M$ knew about the hole for months, just never got around to fixing it =P Just another reason why closed source is less secure
-
July 14th, 2010, 12:49 AM
#19
-
July 14th, 2010, 03:54 PM
#20
I use more current web filters than Proxomitron =P, but when I am feeling especially paranoid, I use Tor for close to true anonymity though it is incredibly slow.
On the terms of the XSS, I wasn't referring to password stealing so much, though that can be accomplished if they let their browser save their password, as I was referring to session stealing. So say I am logged into Gmail and checking my mail but then I go to another page without logging out of Gmail, so my browser still has all my authenticated cookies. The server hosting the other page can then easily jump into my mail using my browser's credentials by telling my browser to do just that. I suggest reading this nifty little handbook http://code.google.com/p/browsersec/wiki/Main
It is a gnarly read as the surfers would say especially if you are into web development =P
But anywho boo, the reason why I didn't suspect a session stealing attack from the OP was because most attacks of that type are done by sending the victim an email that has a link to a malicious site so the attacker is pretty sure that the victim is logged in from the beginning. So, I guess I was assuming that the users were able to tell legitimate vs illegitimate email. Both ways could have happened, but the XSS attack will only be effective for as long as the attacker stays logged in.
IE has plenty of code to try and stop many of the attacks that unset the killbit, but eventually M$ decided that it was just a bad idea to begin with since it wasn't too much of a leap to subvert most of those protections >.< Blech, the reason browsers are so insecure is because of band-aid patching like that, as well as very loose protocols/standards as the handbook I linked goes over very thoroughly (seriously check it out if you are interested in browser security).
I didn't say ALL browsers were insecure. I simply stated most popular browsers are insecure, some more than others, but that boils down to their implementation of scripting. The power behind web languages like JavaScript (which has a kind of funny history where Netscape threw it together very haphazardly and quickly) as well as many mistakes that were made in the design of the web, such as loose standards of HTML and URL rendering etc. etc., lead browsers to be very insecure. There are secure browsers out there, you won't get nearly the functionality out of them, such as dillo and lynx. Lynx is to my knowledge the most secure browser, it is just text rendering, everything else is discarded. NOW THAT'S SECURITY! Dillo is secure enough, though it can be attacked via overflows in their image rendering libraries etc. Heh, it is kind of funny to see the seemingly one to one relationship that functionality vs security have, the more of one you have, the less of the other you have.
I think I have ranted long enough, back to work
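An added example, not part of any post in this thread: the session theft described in post #20 depends on the session cookie being readable by page script or being attached to requests that another site triggers. This JavaScript (Node.js) code audits Set-Cookie headers for the HttpOnly, Secure and SameSite attributes that limit both; the function names and the sample headers are constructed for illustration.

```javascript
// Parse one Set-Cookie header value into { name, attrs }.
// Attribute names are lower-cased; flag attributes (no "=") are stored as true.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const attrs = {};
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return { name, attrs };
}

// Return the findings for one cookie. An empty list means all three
// protective attributes are present.
function auditCookie(header) {
  const { name, attrs } = parseSetCookie(header);
  const findings = [];
  // Without HttpOnly, injected script can read the cookie via document.cookie.
  if (!attrs.httponly) findings.push('readable-by-script');
  // Without Secure, the cookie also travels over plain HTTP.
  if (!attrs.secure) findings.push('sent-over-http');
  const ss = typeof attrs.samesite === 'string' ? attrs.samesite.toLowerCase() : null;
  // No SameSite: whether the cookie rides along on cross-site requests
  // depends on the browser's default, so report it separately.
  if (ss === null) findings.push('samesite-unset');
  else if (ss === 'none') findings.push('sent-cross-site');
  return { name, findings };
}

function auditAll(headers) {
  return headers.map(auditCookie);
}

// Constructed sample headers (not captured from any real site).
const SAMPLE_HEADERS = [
  'SID=abc123; Path=/',
  'SID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax',
  'SID=abc123; Path=/; Secure; HttpOnly; SameSite=None',
];

for (const r of auditAll(SAMPLE_HEADERS)) {
  console.log(r.name, r.findings.length ? r.findings.join(', ') : 'ok');
}
```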