Quote:
Originally Posted by Oswaldor
Care to dish up some references for those claims?
|
Computer Security Research - McAfee Avert Labs Blog
Computer Security Research - McAfee Avert Labs Blog
Quote:
|
Also the 'websites' have not installed any keyloggers. Think about it.
|
That is true, the websites themselves do nothing except serve up data. What the users or their systems decide to do with the data is a different story. Serving up information that was not planned due to xss vulnerabilities that process unsanitized inputs is the weakness.
You get to pick that nit for free.
Quote:
|
It is more likely that the browsers were unpatched. Ordinary users hardly ever fiddle with those settings. Since it has documented (see some of the threads on the official forums) that the attack targeted year old vulnerabilities, an unpatched system is enough. Also there is no such thing as a JavaScript control, xxs has nothing to do with this (you don't load 'stuff' from elsewhere with xss, you inject stuff into something else).
|
Thats another nit, but it stops short. Yes, you inject stuff into something else, but that injected 'stuff' can be code that WILL load 'stuff'. For your edification:
DOM-based attack- Mallory sends a URL to Alice (via email or another mechanism) of a maliciously constructed web page.
- Alice clicks on the link.
- The malicious web page's JavaScript opens a vulnerable HTML page installed locally on Alice's computer.
- The vulnerable HTML page contains JavaScript which executes in Alice's computer's local zone.
- Mallory's malicious script now may run commands with the privileges Alice holds on her own computer.
Now, that attack hinges on there being a page existing on Alice's computer already. This one does not. It relies instead on finding a vulnerability in a site that is already trusted by Alice and her browser's settings.
Non-Persistent- Alice often visits a particular website, which is hosted by Bob. Bob's website allows Alice to log in with a username/password pair and store sensitive information, such as billing information.
- Mallory observes that Bob's website contains a reflected XSS vulnerability.
- Mallory crafts a URL to exploit the vulnerability, and sends Alice an email, making it look as if it came from Bob (i.e., the email is spoofed).
- Alice visits the URL provided by Mallory while logged into Bob's website.
- The malicious script embedded in the URL executes in Alice's browser, as if it came directly from Bob's server. The script can be used to email Mallory Alice's session cookie. Mallory can then use the session cookie to steal sensitive information available to Alice (authentication credentials, billing info, etc) without Alice's knowledge.
What is your 'correct' term for javascript code that pops a window and loads content into that window from somewhere else? 'control' may not be the exact right word, but to those less pedantically minded it conveys the same connotations.
Quote:
|
Seriously dude, stop getting your information from online forums. Start reading about the underlying technologies. Perhaps then you might actually see just how retarded your comments are.
|
I know this comment will go laughably in this forum, but perhaps if people like yourself who do 'know' would be less condescending to people who WANT to know but don't, those others would be more receptive to listening to what you have to say and learn from it.
You're welcome for the attention your unctuous personality has caused me to spend on you. Savor it.
Re: Toon Hacking/Account Stealing/Keylogging Consolidated Thread
You guys are so cute when you try to be mean, come on.. lets hold hands and sing songs!
