If browsers do not provide a mechanism for Web sites to securely recover from certain cross-site scripting (XSS) attacks, the attacks could become invincible and the site at the origin of the attack could remain compromised forever, warns Google security engineer Michal Zalewski.
XSS attackers insert rogue JavaScript code in targeted pages, where it is then executed in the context of their origin, defined by the domain, the protocol, and the port number. However, Web browsers do not currently provide a mechanism that can be used to invalidate such malicious code.
"At the very minimum, the attacker is in full control for as long as the user keeps the once-affected Web site open in any browser window; with the advent of portable computers, it is not uncommon for users to keep a single commonly used Web site open for weeks," Zalewski says.
Although users may think that an attack would stop as soon as the browser is closed, that is not necessarily the case. There are several methods that attackers can use to extend their hold on a compromised origin indefinitely, according to Zalewski. The attacks also can lead to multiple account compromises if the affected computers are used by different individuals.
From InfoWorld
Abstracts Copyright © 2011 Information Inc., Bethesda, Maryland, USA