• Force the user to perform activities without his or her knowledge, such as visiting a web site of the attacker's choosing.
Lines 19 through 22 of ActiveX.stream show the use of the Shell.Explorer CLSID (8856F961-340A-11D0-A96B-00C04FD705A2) to perform this action. Shell.Explorer is an ActiveX control that can be called to open a new browser within the user's existing browser. While visiting www.isecpartners.com is not a hostile event, an attacker could have the user go to a hostile web site, such as a web page with reflected XSS or a web page with a CSRF attack. These attacks would compromise the user's session information or make the user perform online actions without their knowledge. Figure 8-4 shows the results from ActiveX.stream.
212 Hacking Exposed Web 2.0
Additionally, while the new browser is currently visible to the end user, as shown by the width and height fields at 300 and 151, an attacker could make the browser virtually invisible by changing the values to 1 and 1. This would simply show the words ActiveX.stream on the hostile ActiveX page while the attacker forces the user's system to visit a location of the attacker's choice, all without the user's knowledge or permission.
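As an added defensive example (not from the book or its ActiveX.stream file), the following Python script scans HTML for `<object>` tags whose classid is the Shell.Explorer CLSID quoted above and flags any whose width and height are both at or below a threshold, the 1-by-1 case the text describes. The sample HTML, the `id` values and the 10-pixel threshold are constructed for illustration.

```python
from html.parser import HTMLParser

# Shell.Explorer CLSID quoted in the text; compared without braces or "clsid:" prefix
SHELL_EXPLORER_CLSID = "8856F961-340A-11D0-A96B-00C04FD705A2"
TINY_PX = 10  # assumed threshold: a frame this small is effectively invisible

def normalize_clsid(value):
    """Return an upper-case bare CLSID from forms like 'clsid:{...}' or '{...}'."""
    v = (value or "").strip().upper()
    if v.startswith("CLSID:"):
        v = v[len("CLSID:"):]
    return v.strip("{}")

def to_px(value):
    """Parse a width/height attribute such as '300' or '1px'; None if missing."""
    s = str(value).strip().lower()
    s = s[:-2] if s.endswith("px") else s
    return int(s) if s.isdigit() else None

class ShellExplorerFinder(HTMLParser):
    """Collect every <object> tag that instantiates Shell.Explorer, with its size."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "object":
            return
        a = dict(attrs)  # HTMLParser already lower-cases tag and attribute names
        if normalize_clsid(a.get("classid")) != SHELL_EXPLORER_CLSID:
            return
        w, h = to_px(a.get("width")), to_px(a.get("height"))
        hidden = w is not None and h is not None and w <= TINY_PX and h <= TINY_PX
        self.findings.append({"line": self.getpos()[0], "id": a.get("id"),
                              "width": w, "height": h, "hidden": hidden})

def scan_html(html):
    """Return the Shell.Explorer embeds in html; 'hidden' marks near-invisible ones."""
    finder = ShellExplorerFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample: a visible 300x151 embed (as in the text), a 1x1 one, and an unrelated control
SAMPLE_HTML = """<html><body>
<object classid="clsid:8856F961-340A-11D0-A96B-00C04FD705A2" width="300" height="151" id="visibleFrame"></object>
<object classid="clsid:{8856F961-340A-11D0-A96B-00C04FD705A2}" width="1" height="1" id="hiddenFrame"></object>
<object classid="clsid:00000000-0000-0000-0000-000000000000" width="1" height="1" id="otherControl"></object>
</body></html>"""
```

Running `scan_html(SAMPLE_HTML)` reports the two Shell.Explorer embeds with their source line numbers and marks only the 1x1 one as hidden; the unrelated control is ignored.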