ScamFraudAlert  


08-02-08, 03:23 PM
Scrub (Administrator)
Web Browsers Become Tools For Criminals

According to security expert Jeremiah Grossman, the days for intricate attacks on web servers using special tools are numbered. Instead, he says, criminals can use web browsers as an all-round weapon for making money. According to Grossman, this becomes possible due to widespread business logic flaws in web applications, such as lack of authentication or unprotected access to information. The best example for such a flaw was a vulnerability in the open source osCommerce and xt:commerce shop systems discovered last February which allowed simply skipping the payment step while still generating a valid order by calling a URL.

Grossman says that instead of involved cross-site scripting attacks on users and SQL injection attacks on web server databases, criminals now only need a little bit of background knowledge to obtain money or goods. This is not a new type of vulnerability. A variation of the theme has been practised by hackers for years: Forced browsing, which involves using the browser to call pages or resources which don't actually have any link connections. Google in particular often discloses information not intended for the public by the web server operator.

Since many service providers now offer their services via the internet, Grossman says that it is now much easier to find vulnerable applications. According to his report the procedure isn't even necessarily illegal, and in many cases the attacker only violates the provider's terms and conditions.

It is relatively difficult to safeguard systems against this type of attack as attacks don't follow a set pattern the way SQL injections do. Normal Intrusion Prevention Systems (IPS) or Web Application Firewalls (WAF) therefore struggle to detect and safeguard systems against them. Criminals are already said to exploit the vulnerabilities on a large scale.

At the upcoming Black Hat conference in Las Vegas, Grossman plans to present details of the attacks, including certain affiliate networks which rake in large amounts of cash via fraudulent user credentials. Grossman also intends to present the case of a bank which lost $70,000 because of a business logic flaw.

Source: heise online
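The article notes that signature-based IPS and WAF products struggle with step-skipping flaws such as the shop-system payment bypass. The following added example (not part of the original post or of Grossman's material) shows a workflow-aware check over access logs that flags sessions reaching a checkout step without a successful request to the step before it. The paths, log layout and session ids are hypothetical and the sample log is constructed.

```python
from collections import defaultdict

# Hypothetical checkout workflow: each step maps to the step that must
# have completed successfully earlier in the same session.
REQUIRED_PREDECESSOR = {
    "/checkout/shipping": "/cart",
    "/checkout/payment": "/checkout/shipping",
    "/checkout/complete": "/checkout/payment",
}

# Constructed sample log: (session id, method, request target, HTTP status)
SAMPLE_LOG = [
    ("s1", "GET", "/cart", 200),
    ("s2", "GET", "/cart", 200),
    ("s1", "GET", "/checkout/shipping", 200),
    ("s3", "GET", "/cart", 200),
    ("s1", "POST", "/checkout/payment", 302),
    ("s2", "GET", "/checkout/complete?order=1001", 200),  # payment never visited
    ("s3", "GET", "/checkout/shipping", 200),
    ("s1", "GET", "/checkout/complete?order=1000", 200),
    ("s3", "POST", "/checkout/payment", 500),              # payment failed
    ("s3", "GET", "/checkout/complete?order=1002", 200),
]


def find_step_skips(entries):
    """Return (session, path, missing_step) for each out-of-order request."""
    completed = defaultdict(set)  # session id -> steps that succeeded
    findings = []
    for session, _method, target, status in entries:
        path = target.split("?", 1)[0]  # ignore the query string
        needed = REQUIRED_PREDECESSOR.get(path)
        if needed is not None and needed not in completed[session]:
            findings.append((session, path, needed))
        # Only 2xx/3xx responses count as a completed step, so a failed
        # payment does not unlock the order-completion page.
        if 200 <= status < 400:
            completed[session].add(path)
    return findings


if __name__ == "__main__":
    for session, path, missing in find_step_skips(SAMPLE_LOG):
        print(f"session {session}: {path} requested without prior {missing}")
```

A log pass like this only finds skipped steps after the fact; the same predecessor check belongs in the application's own order-completion handler.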
All times are GMT -5.