This interaction produces security problems for organizations that
want to maintain the security of their sites. It is hard enough for an individual to ensure
that his or her own web application is secure, but now an organization must ensure that
every advertisement, RSS feed, mashed-up site, news article, or any other piece of third-party
content is secure as well. As noted in Chapter 3, the cross-domain interactions of many
Web 2.0 applications reduce the security level to that of the weakest link: third-party content
rendered inside a page runs with that page's privileges. Hence, one secure web
application that pulls in content from a second, insecure third party amounts to two insecure
web applications.
In this case study, we will apply what we learned about cross-domain attacks
in Chapter 3 to a few real-world examples, including a study of a cross-domain stock-pumping
attack and of cross-domain security boundaries.
Cross-Domain Stock-Pumping
Phishing attacks, in which criminals use dishonest or forged e-mails to lure unsuspecting
users into browsing to a malicious site posing as a popular banking or e-commerce
site, represent a significant share of online fraud. The basic goal of a
phishing site is to trick the user into giving up personal information or login credentials,
or to exploit a widespread browser vulnerability to install malware that gathers the same
information by a more direct route, such as a keystroke logger.