The Web Application Hacker’s Handbook: Discovering and Exploiting Security Flaws




Chapter 12: Attacking Other Users

Virtual Defacement

This attack involves injecting malicious data into a page of a web application to feed misleading information to users of the application. It may simply involve injecting HTML mark-up into the site, or it may use scripts (sometimes hosted on an external server) to inject elaborate content and navigation into the site. This kind of attack is known as virtual defacement because the actual content hosted on the target’s web server is not modified — the defacement is generated solely because of the way the application processes and renders user-supplied input.

In addition to frivolous mischief, this kind of attack could be used for serious criminal purposes. A professionally crafted defacement, delivered to the right recipients in a convincing manner, could be picked up by the news media and have real-world effects on people’s behavior, stock prices, and so on, to the financial gain of the attacker, as illustrated in Figure 12-7.

Figure 12-7: A virtual defacement attack exploiting an XSS flaw
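
The point that the stored content never changes, and that the defacement exists only in the rendered response, can be seen in the following added example (it is not code from the book). The template, the sample input and all function names are constructed for illustration; the example renders the same input with and without HTML encoding and reports which elements in the response the template itself does not define.

```python
import html
from collections import Counter
from html.parser import HTMLParser

# Constructed template standing in for the static content stored on the server.
TEMPLATE = "<html><body><h1>Search</h1><p>No results for: {term}</p></body></html>"

# Constructed user input containing plain HTML mark-up.
SAMPLE_INPUT = "<h2>Constructed notice</h2>"


def render_unencoded(term):
    """Vulnerable rendering: input is copied into the page as mark-up."""
    return TEMPLATE.format(term=term)


def render_encoded(term):
    """Hardened rendering: input is HTML-encoded, so it can only be text."""
    return TEMPLATE.format(term=html.escape(term, quote=True))


class _StartTags(HTMLParser):
    """Collects the name of every element opened in a page."""

    def __init__(self):
        super().__init__()
        self.names = []

    def handle_starttag(self, tag, attrs):
        self.names.append(tag)


def _elements(page):
    parser = _StartTags()
    parser.feed(page)
    parser.close()
    return Counter(parser.names)


def injected_elements(page):
    """Elements present in a rendered page but not defined by the template."""
    baseline = _elements(TEMPLATE.format(term=""))
    return sorted((_elements(page) - baseline).elements())


if __name__ == "__main__":
    for render in (render_unencoded, render_encoded):
        print(render.__name__, injected_elements(render(SAMPLE_INPUT)))
```

The same comparison against a known-good baseline can be used as a regression test for any page that echoes user input.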

