Browser Exploitation Frameworks
Various frameworks have been developed to demonstrate and exploit the variety of possible attacks that may be carried out against end users on the Internet. These typically require a JavaScript hook to be placed into the browser of a victim, via some vulnerability such as XSS. Once the hook is in place, the browser contacts a server controlled by the attacker, and may poll this server periodically, submitting data back to the attacker and providing a control channel for receiving commands from the attacker.
Actions which may be carried out within this type of framework include the
following:
■ Logging keystrokes and sending these to the attacker.
■ Capturing clipboard contents and sending these to the attacker.
■ Hijacking the user’s session with the vulnerable application.
■ Fingerprinting the victim’s browser and exploiting known browser vulnerabilities accordingly.
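Seen from the defender's side, the periodic polling described above leaves evenly spaced requests from one client to one URL in web proxy logs. The following is an added example, not part of the original text, that flags such series; the log format, hostnames, and thresholds are constructed assumptions.

```python
from collections import defaultdict
from statistics import pstdev

# Constructed proxy log lines: "<epoch_seconds> <client_ip> <method> <url>"
SAMPLE_LOG = """\
1700000000 10.0.0.5 GET http://hook.example.test/poll?seq=1
1700000001 10.0.0.9 GET http://app.example.test/inbox
1700000003 10.0.0.9 GET http://app.example.test/inbox
1700000005 10.0.0.5 GET http://hook.example.test/poll?seq=2
1700000010 10.0.0.5 GET http://hook.example.test/poll?seq=3
1700000016 10.0.0.5 GET http://hook.example.test/poll?seq=4
1700000020 10.0.0.5 GET http://hook.example.test/poll?seq=5
1700000025 10.0.0.5 GET http://hook.example.test/poll?seq=6
1700000030 10.0.0.5 GET http://hook.example.test/poll?seq=7
1700000040 10.0.0.9 GET http://app.example.test/inbox
1700000041 10.0.0.9 GET http://app.example.test/inbox
1700000120 10.0.0.9 GET http://app.example.test/inbox
1700000300 10.0.0.9 GET http://app.example.test/inbox
truncated line
"""

def parse(log):
    """Yield (timestamp, client, host+path) per well-formed line; skip the rest."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[0].isdigit():
            continue
        ts, client, _method, url = parts
        # Drop scheme and query string so changing parameters still group together.
        target = url.split("://", 1)[-1].split("?", 1)[0]
        yield int(ts), client, target

def find_beacons(log, min_requests=6, max_jitter=0.2):
    """Return (client, target, mean_gap_seconds) for near-constant request spacing."""
    series = defaultdict(list)
    for ts, client, target in parse(log):
        series[(client, target)].append(ts)
    hits = []
    for (client, target), stamps in series.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = sum(gaps) / len(gaps)
        # Coefficient of variation: low values mean machine-like regularity.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append((client, target, round(avg, 1)))
    return sorted(hits)
```

Human browsing to the same page (the `10.0.0.9` series) has enough requests to be evaluated but is rejected on jitter, which is the property that separates it from the polling client.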