Jan 26, 2011

Three Web Attack Vectors Using the Browser

Very interesting article on Three Web Attack Vectors Using the Browser:
Three web attack vectors seem to be responsible for the majority of computer attacks that involve a web browser:
  • The attack can incorporate an element of social engineering to persuade the victim to take an action that compromises security. For instance, the victim can supply data to a phishing site or install a program that will turn out to be malicious.
  • The attacker can use the browser as a gateway for attacking web applications via techniques such as cross-site scripting (XSS), Cross-Site Request Forgery (CSRF) and Clickjacking.
  • The attacker can exploit a vulnerability in the web browser or in local software that the browser can invoke. Such client-side exploits have targeted browser add-ons such as Flash, Adobe Reader and Java Runtime Environment (JRE).
Most attacks include one or two of the three techniques. For instance, the Koobface worm targets the user (social engineering to click links) and the web application (hijacking social networking site sessions). An attack that combines all elements would be particularly effective (do you know of any examples?).

The following series of posts explores these three web browser attack vectors in greater detail, discussing how enterprises can protect themselves against such attacks:
Lenny Zeltser
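The second vector in the list names three techniques (XSS, CSRF and clickjacking) that each have a well-known server-side defence. The following Python is an added illustration, not code from Zeltser's article, and uses only the standard library: HTML-encoding untrusted output against XSS, a session-bound HMAC token against CSRF, and framing-restriction headers against clickjacking. `SERVER_SECRET`, `handle_form_post` and the simulated form dictionaries are constructed for the example; a real application would wire the same checks into its framework's request handling.

```python
import hashlib
import hmac
import html

# Server-side secret from which CSRF tokens are derived (constructed for this
# example; a real deployment keeps this in configuration, never in source).
SERVER_SECRET = b"example-server-secret-do-not-reuse"


def render_comment(user_text: str) -> str:
    """XSS defence: HTML-encode untrusted text before embedding it in a page.

    html.escape(quote=True) encodes <, >, &, " and ' so the browser treats the
    text as data, not markup.
    """
    return f'<p class="comment">{html.escape(user_text, quote=True)}</p>'


def make_csrf_token(session_id: str) -> str:
    """CSRF defence: a token bound to the session via HMAC.

    A forged cross-site request carries the victim's cookies automatically but
    cannot read the page, so it cannot learn a token derived from the session.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf_token(session_id: str, submitted_token: str) -> bool:
    """Constant-time comparison so token checks do not leak timing information."""
    expected = make_csrf_token(session_id)
    return hmac.compare_digest(expected, submitted_token)


def anti_clickjacking_headers() -> dict:
    """Clickjacking defence: refuse to be rendered inside another origin's frame."""
    return {
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": "frame-ancestors 'none'",
    }


def handle_form_post(session_id: str, form: dict) -> dict:
    """Simulated handler for a state-changing POST (e.g. posting a comment).

    Returns a plain dict standing in for an HTTP response: CSRF is checked
    first, the user's text is encoded on output, and every response carries
    the anti-framing headers.
    """
    headers = anti_clickjacking_headers()
    if not verify_csrf_token(session_id, form.get("csrf_token", "")):
        return {"status": 403, "body": "CSRF token missing or invalid", "headers": headers}
    return {"status": 200, "body": render_comment(form.get("comment", "")), "headers": headers}


if __name__ == "__main__":
    sid = "session-abc"  # constructed session identifier
    token = make_csrf_token(sid)
    print(handle_form_post(sid, {"csrf_token": token, "comment": "<script>alert(1)</script>"}))
    print(handle_form_post(sid, {"comment": "no token"}))
```

The token here is deterministic per session, which is sufficient as long as the session identifier itself is unguessable; if the session id is ever exposed, rotate the secret and the sessions together.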


Jan 24, 2011

Attack Surface Analyzer BETA

The Attack Surface Analyzer beta is a free Microsoft verification tool that highlights the changes in system state, runtime parameters and securable objects on the Windows operating system. This analysis helps developers, testers and IT professionals identify the attack surface created by installing applications on a machine.


Attack Surface Analyzer takes a snapshot of your system state before and after the installation of a product (or several) and displays the changes to a number of key elements of the Windows attack surface. It compares ("diffs") the two snapshots to identify what changed. The tool does not analyze a system based on signatures or known vulnerabilities; instead, it looks for classes of security weaknesses introduced as applications are installed on the Windows operating system.

The tool also gives an overview of the changes to the system Microsoft considers important to the security of the platform and highlights these in the attack surface report. The Microsoft Security Development Lifecycle (SDL) requires development teams to define a given product's default and maximum attack surface during the design phase to reduce the likelihood of exploitation wherever possible. Additional information can be found in the Measuring Relative Attack Surface paper.

Some of the checks performed by the tool include analysis of changed or newly added files, registry keys, services, ActiveX Controls, listening ports, access control lists and other parameters that affect a computer's attack surface.
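The following Python is an added example of the snapshot-and-diff approach the text describes; it is not Microsoft's tool or its code. It models a snapshot as a mapping from category (files, registry keys, services, listening ports, ACLs) to named objects and their attributes, diffs two snapshots, and then applies a few severity rules of the kind a report would highlight. Both snapshots, the object names under them and the severity rules are constructed for illustration; a real collector would read the live system, and the rules would be far more extensive.

```python
import copy
from dataclasses import dataclass, field

# Assumed snapshot layout: {category: {object name: attributes}}. Everything in
# BEFORE and AFTER is constructed for this example, not collected from a host.
BEFORE = {
    "files": {
        r"C:\Windows\System32\kernel32.dll": {"signed": True, "sha256": "constructed-hash-1"},
    },
    "registry_keys": {
        r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {"values": []},
    },
    "services": {
        "Spooler": {"account": "LocalSystem", "start": "auto"},
    },
    "listening_ports": {
        "tcp/135": {"bind": "0.0.0.0", "process": "svchost.exe"},
    },
    "acls": {
        r"C:\ProgramData\Shared": "BUILTIN\\Administrators:F;BUILTIN\\Users:R",
    },
}

# The same host after a hypothetical "ExampleApp" install (constructed).
AFTER = copy.deepcopy(BEFORE)
AFTER["files"][r"C:\Program Files\ExampleApp\agent.exe"] = {"signed": False, "sha256": "constructed-hash-2"}
AFTER["registry_keys"][r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"]["values"] = ["ExampleAgent"]
AFTER["services"]["ExampleAgent"] = {"account": "LocalSystem", "start": "auto"}
AFTER["listening_ports"]["tcp/8080"] = {"bind": "0.0.0.0", "process": "agent.exe"}
AFTER["acls"][r"C:\ProgramData\Shared"] = "BUILTIN\\Administrators:F;Everyone:F"


@dataclass
class SnapshotDiff:
    # Each field maps category -> {object name: attributes} (changed: (old, new)).
    added: dict = field(default_factory=dict)
    removed: dict = field(default_factory=dict)
    changed: dict = field(default_factory=dict)


def diff_snapshots(before: dict, after: dict) -> SnapshotDiff:
    """Compare two snapshots category by category."""
    d = SnapshotDiff()
    for category in sorted(set(before) | set(after)):
        b, a = before.get(category, {}), after.get(category, {})
        added = {k: a[k] for k in a.keys() - b.keys()}
        removed = {k: b[k] for k in b.keys() - a.keys()}
        changed = {k: (b[k], a[k]) for k in a.keys() & b.keys() if a[k] != b[k]}
        if added:
            d.added[category] = added
        if removed:
            d.removed[category] = removed
        if changed:
            d.changed[category] = changed
    return d


def flag_findings(diff: SnapshotDiff) -> list:
    """Apply illustrative (assumed) rules for classes of weakness worth reporting."""
    findings = []
    for port, attrs in diff.added.get("listening_ports", {}).items():
        if attrs.get("bind") == "0.0.0.0":
            findings.append(("high", f"new listener on all interfaces: {port} ({attrs.get('process')})"))
    for svc, attrs in diff.added.get("services", {}).items():
        if attrs.get("account") == "LocalSystem" and attrs.get("start") == "auto":
            findings.append(("medium", f"new auto-start service running as LocalSystem: {svc}"))
    for key, (old, new) in diff.changed.get("registry_keys", {}).items():
        if key.endswith("\\Run"):
            for value in sorted(set(new.get("values", [])) - set(old.get("values", []))):
                findings.append(("medium", f"new autorun entry {value} under {key}"))
    # Treat a newly added ACL and a changed ACL the same way: look at the new value.
    acl_new = {p: (None, v) for p, v in diff.added.get("acls", {}).items()}
    acl_new.update(diff.changed.get("acls", {}))
    for path, (old, new) in acl_new.items():
        if "Everyone:F" in new and not (old and "Everyone:F" in old):
            findings.append(("high", f"ACL grants Everyone full control: {path}"))
    for path, attrs in diff.added.get("files", {}).items():
        if attrs.get("signed") is False and path.lower().endswith((".exe", ".dll")):
            findings.append(("low", f"unsigned executable added: {path}"))
    return findings


if __name__ == "__main__":
    for severity, message in flag_findings(diff_snapshots(BEFORE, AFTER)):
        print(f"[{severity}] {message}")
```

The useful property of the diff approach is visible in `flag_findings`: nothing about the pre-existing `Spooler` service or the RPC listener on tcp/135 is reported, only what the install added or changed, which is exactly the increment in attack surface a reviewer needs to justify.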


Download the free tool (x64 and x86) at http://www.microsoft.com/downloads/en/details.aspx?FamilyID=e068c224-9d6d-4bf4-aab8-f7352a5e7d45&displaylang=en

Related article:

Jan 23, 2011

Inguma – The Penetration Testing & Vulnerability Research Toolkit

Inguma is a penetration testing toolkit written entirely in Python. The framework includes modules to discover hosts, gather information about them, fuzz targets, brute force user names and passwords and, of course, run exploits. This program provides numerous tools for information gathering and target auditing, along with limited exploitation capabilities.

There are some good docs to get you up and running on their wiki: Installation Guide, Getting Started, Console Quick Start, GUI Quick Start, Full Documentation. Follow the project at Inguma Development.

Download it at http://code.google.com/p/inguma/

Jan 22, 2011

Google Code University

Learn programming at Google Code University. It does not require registration and materials are free to use.

Jan 17, 2011

Switch Between Multiple Gmail Accounts With a URL Hack [URL Hacks]

Switch Between Multiple Gmail Accounts With a URL Hack [URL Hacks]:

We were pretty stoked when Google debuted its multiple account sign-in feature, and reader Sam has discovered a way to switch between accounts faster using a small URL tweak.

I was flipping between two Gmail account tabs using Google's multiple logins feature, and I noticed that the two URLs are almost identical: https://mail.google.com/mail/u/0/#inbox and https://mail.google.com/mail/u/1/#inbox. It turns out that switching between the 0 and 1 (and presumably higher numbers if there are more than 2 accounts logged in) switches accounts. In particular, since there is no keyboard shortcut for switching between accounts, editing the URL may be the fastest way to do so using only the keyboard.

In fact, the fastest way to switch between them using only the keyboard would be to bookmark the sites and create address bar keywords for them, so you can flip back and forth using just a few keystrokes instead of having to use your mouse. Thanks, Sam!