The traditional conception of web application security covers how attacks piggyback on HTTP(S) through a firewall to attack servers. Yet this is a bidirectional path; web browsers can be attacked by compromised sites with malicious payloads. Such attacks exploit assumptions of trust and security between the browser and web site.
HTML, JavaScript and similar engines like ActiveX, Flash, and Java present a relatively uniform, cross-platform exploit environment for attackers. This combination of delivery mechanism (a vulnerable web application), large victim base (web browsers), and access (no intervening firewalls) produces a significant risk to users. It enables new generations of botnets and provides new threats to users’ information.
This presentation will summarize past web application worms and present the potential for new types of worms and browser attacks. One consequence of widespread web application attacks is phishing (identity theft). As worms become more complex, they may gain persistence, cross-application targeting, and intranet reconnaissance, and may take advantage of the inherent trust firewalls place in permitting web traffic into a network. Attendees will be shown how previous worms have exploited browsers, along with JavaScript source, examples, and techniques that new ones might use.
Understanding the capabilities of a web application worm is important for creating defenses. Web browsers have started to implement countermeasures to phishing. Browsers are the gateway between a host and the Internet, a path which is all too often unaffected by firewalls or network security devices.