NOW READ THIS
("Security Advisory")
Submitted by: Bill Hickey
NCVA List Master
NRT-0253 Two New Trends In Malicious Web Exploits Described:
While cross-site scripting (XSS) threats remain by far the most widespread method in use today and will be for the foreseeable future, experts indicate that "response splitting" and "cross-site request forgery" (CSRF) could represent the next big things in terms of vulnerability exploitation trends.
As defined by the Open Web Application Security Project (OWASP), HTTP response splitting vulnerabilities occur when data enters a web application through an untrusted source, most frequently an HTTP request, and is included in an HTTP response header sent to a web user without being validated for malicious characters. The attacker feeds malicious data to the vulnerable application, which then includes that data in an HTTP response header. To mount a successful exploit, the application must allow input that contains carriage return characters into the header. Those characters give attackers control of the remaining headers and body of the response the application intends to send, and allow them to create additional responses entirely under their control. Using the technique, hackers are already creating a range of new attacks, including variants on XSS, according to web security and testing expert Jeremiah Grossman. "Response splitting has been discounted for years as too hard to execute, but as soon as we began adjusting our tests to look for it, we started seeing it everywhere," he said.
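The check the paragraph calls for, shown as an added example that is not part of the advisory or of OWASP's material: a header builder that refuses values carrying CR/LF, and a detector that flags the same characters in URL-encoded form in access-log request lines. Function names and the log lines are constructed for this illustration.

```python
import re
from urllib.parse import unquote

# CR and LF terminate a header line; if either reaches a header value, the
# input can continue the header block or begin a second response, which is
# exactly the condition the advisory describes. NUL is rejected as well.
_CTL = re.compile(r"[\r\n\x00]")


def is_safe_header_value(value: str) -> bool:
    """Return True only if value may be placed in a response header verbatim."""
    return _CTL.search(value) is None


def build_redirect(location: str) -> str:
    """Build a 302 response; refuse a Location value that would split it."""
    if not is_safe_header_value(location):
        raise ValueError("refusing to emit a header containing CR/LF or NUL")
    return f"HTTP/1.1 302 Found\r\nLocation: {location}\r\n\r\n"


def find_crlf_injection_attempts(log_lines):
    """Return request targets whose URL-decoded form contains CR, LF or NUL.

    Catches single-encoded forms such as %0d%0a / %0D%0A; double-encoded
    values (%250d) would need a second decode pass before this check.
    """
    hits = []
    for line in log_lines:
        m = re.search(r'"(?:GET|POST|HEAD) (\S+)', line)
        if m and not is_safe_header_value(unquote(m.group(1))):
            hits.append(m.group(1))
    return hits


# Constructed sample access-log lines (hypothetical; not taken from the advisory).
SAMPLE_LOG = [
    '203.0.113.5 - - [13/Jul/2007:10:00:01 -0400] "GET /redirect?url=/home HTTP/1.1" 302 0',
    '203.0.113.7 - - [13/Jul/2007:10:00:02 -0400] "GET /redirect?url=/home%0d%0aX-Test:%201 HTTP/1.1" 302 0',
    '203.0.113.9 - - [13/Jul/2007:10:00:03 -0400] "GET /search?q=hello%20world HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    print(repr(build_redirect("/home")))
    print(find_crlf_injection_attempts(SAMPLE_LOG))
```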
Cross-Site Request Forgery (CSRF), as defined by OWASP, is an attack that attempts to fool end users into loading a web page that contains a malicious request, much like traditional phishing attacks or XSS threats. Using the technique, hackers try to misappropriate victims' identities and privileges to carry out activities such as changing their application passwords to gain entrance to banking sites, or logging into e-commerce sites to make fraudulent purchases in their names. CSRF attacks are also known by a number of other names, including XSRF, Sea Surf, Session Riding, and Hostile Linking. CSRF threats and XSS attacks are most commonly being used together, said Grossman.
(weblog.inforword.com 13JUL07)
Last Modified: Tuesday, 31-Jul-2007 22:44:51 EDT