A few things everyone who uses the internet should be aware of.
There are some things people can do to help protect themselves on the internet.
1.) Know what the executable files are for your platform. On Windows they are .EXE, .COM, and .MSI. On a Mac it is typically .DMG. As long as the executable file is designed for your platform, whether it be PC or Mac, you can get hacked.
2.) Turn on “Show extensions” for your computer. Most systems do not show the extensions of known file types such as .jpg, .doc or .gif. You should turn this on because if someone sends you a file called report.doc.exe, you will only see “report.doc”, which might make you think it is safe to download. This is closely related to number 1.
3.) Learn about cross-site scripting (XSS). This is gaining traction in the hacker community. Almost 80% of non-static websites have some sort of XSS vulnerability.
I will try to explain an example as quickly as possible. You can learn more about this at: http://en.wikipedia.org/wiki/Cross-site_scripting.
Non-persistent:
- Alice often visits a particular website, which is hosted by Bob. Bob’s website allows Alice to log in with a username/password pair and stores sensitive data, such as billing information.
- Mallory observes that Bob’s website contains a reflected XSS vulnerability.
- Mallory crafts a URL to exploit the vulnerability, and sends Alice an email, enticing her to click on a link for the URL under false pretenses. This URL will point to Bob’s website, but will contain Mallory’s malicious code, which the website will reflect.
- Alice visits the URL provided by Mallory while logged into Bob’s website.
- The malicious script embedded in the URL executes in Alice’s browser, as if it came directly from Bob’s server (this is the actual XSS vulnerability). The script can be used to send Alice’s session cookie to Mallory. Mallory can then use the session cookie to steal sensitive information available to Alice (authentication credentials, billing info, etc.) without Alice’s knowledge.
Persistent attack:
- Mallory posts a message with a malicious payload to a social network.
- When Bob reads the message, Mallory’s XSS steals Bob’s cookie.
- Mallory can now hijack Bob’s session and impersonate Bob.
Again, this type of attack is not geared towards Mac or PC; both platforms are vulnerable to it.
4.) URL shorteners – Don’t use them. Because URL shorteners hide the actual URL, it is hard to tell where the link is going. Most Cross Site Scripting is hidden in shortened URLs.
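For tips 1 and 2 above, here is an added example (not part of the original post) that shows what a file name looks like when extensions are hidden and flags names such as report.doc.exe. The function names, the decoy extension list and the sample file names are assumptions made for illustration; the executable extensions are the ones listed in tip 1.

```python
import os

# Extensions tip 1 lists as executable (Windows: .exe, .com, .msi; Mac: .dmg).
EXECUTABLE_EXTS = {".exe", ".com", ".msi", ".dmg"}
# Assumed list of harmless-looking extensions a disguised file may imitate.
DECOY_EXTS = {".doc", ".docx", ".pdf", ".jpg", ".gif", ".txt", ".xls"}


def check_attachment(filename):
    """Compare what the user sees with what the file really is."""
    name = filename.strip()
    stem, real_ext = os.path.splitext(name)   # only the LAST extension counts
    real_ext = real_ext.lower()               # .EXE and .exe are the same type
    decoy_ext = os.path.splitext(stem)[1].lower()
    executable = real_ext in EXECUTABLE_EXTS
    return {
        # With "Show extensions" off, the final extension is not displayed.
        "shown_as": stem if real_ext else name,
        "real_extension": real_ext,
        "executable": executable,
        # Executable whose visible name still ends in a document-like extension.
        "disguised": executable and decoy_ext in DECOY_EXTS,
    }


def flag_disguised(filenames):
    """Return the names that are executables dressed up as documents."""
    return [f for f in filenames if check_attachment(f)["disguised"]]


# Constructed sample file names, not taken from any real incident.
SAMPLES = [
    "report.doc.exe",
    "Invoice.PDF.MSI",
    "holiday.jpg",
    "setup.exe",
    "archive.tar.gz",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        info = check_attachment(sample)
        verdict = "DISGUISED EXECUTABLE" if info["disguised"] else (
            "executable" if info["executable"] else "not in executable list")
        print(f"{sample!r:22} shown as {info['shown_as']!r:16} -> {verdict}")
```

A plain setup.exe is reported as executable but not disguised, because its visible name does not pretend to be a document.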
