In association with heise online

30 July 2008, 14:37

Web browsers become tools for criminals


According to security expert Jeremiah Grossman, the days of intricate attacks on web servers with special tools are numbered. Instead, he says, criminals can use an ordinary web browser as an all-round tool for making money. Grossman attributes this to widespread business logic flaws in web applications, such as missing authentication or unprotected access to information. The best example of such a flaw was a vulnerability in the open source osCommerce and xt:commerce shop systems, discovered last February, which allowed the payment step to be skipped simply by calling a URL while still generating a valid order.

Grossman says that instead of elaborate cross-site scripting attacks on users or SQL injection attacks on web server databases, criminals now need only a little background knowledge to obtain money or goods. This is not a new type of vulnerability; a variation on the theme has been practised by hackers for years: forced browsing, which means using the browser to request pages or resources that are not linked from anywhere. Google's index in particular often exposes information the web server operator never intended to make public.

Since many service providers now offer their services over the internet, Grossman says it has become much easier to find vulnerable applications. According to his report, the procedure is not even necessarily illegal; in many cases the attacker only violates the provider's terms and conditions.

It is relatively difficult to safeguard systems against this type of attack, because the requests do not follow a set pattern the way SQL injections do. Conventional Intrusion Prevention Systems (IPS) and Web Application Firewalls (WAF) therefore struggle to detect them and to protect systems against them. Criminals are already said to be exploiting such vulnerabilities on a large scale.
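The skipped-payment flaw and the detection problem described above, as an added illustration that is not part of the article and not code from osCommerce or xt:commerce: a toy checkout flow that trusts the order of URL calls (the flaw), the same flow with a server-side state check that refuses to confirm an unpaid order (the fix), and a small per-session audit over constructed access-log lines that flags sessions reaching the confirmation URL without ever hitting the payment step. All class names, URL paths and log lines are constructed for the example.

```python
"""Added example (not from the article): a toy checkout flow showing the
business-logic flaw described above, beside a server-side state check that
closes it, plus a per-session audit of constructed access-log lines.
Every name, URL path and log line here is constructed for illustration."""

from dataclasses import dataclass
from enum import Enum
from typing import Optional


class State(Enum):
    CART = "cart"
    PAID = "paid"
    CONFIRMED = "confirmed"


@dataclass
class Order:
    order_id: str
    total: float
    state: State = State.CART
    payment_ref: Optional[str] = None


class VulnerableCheckout:
    """Trusts the URL sequence: /confirm assumes /payment already happened."""

    def __init__(self):
        self.orders = {}

    def create(self, order_id, total):
        self.orders[order_id] = Order(order_id, total)

    def pay(self, order_id, payment_ref):
        order = self.orders[order_id]
        order.state = State.PAID
        order.payment_ref = payment_ref

    def confirm(self, order_id):
        # Flaw: nothing checks that the order was actually paid, so calling
        # the confirmation URL directly yields a valid order for free.
        order = self.orders[order_id]
        order.state = State.CONFIRMED
        return order.state


class HardenedCheckout(VulnerableCheckout):
    """Validates the state transition on the server instead of trusting URL order."""

    def confirm(self, order_id):
        order = self.orders[order_id]
        if order.state is not State.PAID or not order.payment_ref:
            raise PermissionError(f"order {order_id} is not paid; refusing to confirm")
        order.state = State.CONFIRMED
        return order.state


def confirm_refused(checkout, order_id):
    """True if the checkout refuses to confirm the order (used by the audit below)."""
    try:
        checkout.confirm(order_id)
    except PermissionError:
        return True
    return False


# Constructed access-log lines in the form "session_id METHOD path".
ACCESS_LOG = """\
s1 GET /cart
s1 POST /payment
s1 GET /confirm
s2 GET /cart
s2 GET /confirm
s3 GET /confirm
"""


def sessions_skipping_payment(log_text, payment_path="/payment", confirm_path="/confirm"):
    """Return session ids that reached confirm_path without a prior payment_path request.

    A per-session flow check like this is one way to notice forced browsing of
    checkout steps, which carries no payload signature a WAF rule could match.
    """
    paid = set()
    flagged = []
    for line in log_text.splitlines():
        session_id, _method, path = line.split()
        if path == payment_path:
            paid.add(session_id)
        elif path == confirm_path and session_id not in paid and session_id not in flagged:
            flagged.append(session_id)
    return flagged


if __name__ == "__main__":
    weak = VulnerableCheckout()
    weak.create("o1", 49.90)
    print("vulnerable shop confirms unpaid order:", weak.confirm("o1"))
    strong = HardenedCheckout()
    strong.create("o2", 49.90)
    print("hardened shop refuses unpaid order:", confirm_refused(strong, "o2"))
    print("sessions that skipped payment:", sessions_skipping_payment(ACCESS_LOG))
```

The point of the hardened class is that each step re-reads the order's state from the server-side record rather than from anything the client supplied; the log audit shows that the same check, applied after the fact per session, yields a detection signal where a request-by-request signature cannot.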

At the upcoming Black Hat conference in Las Vegas, Grossman plans to present details of the attacks, including certain affiliate networks that rake in large amounts of cash through fraudulent user credentials. Grossman also intends to present the case of a bank that lost $70,000 because of a business logic flaw.
