Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous

[Amit Klein <aksecurity@xxxxxxxxx>]

RSnake wrote:
> > 2. While thinking more about this solution, I observed that if the 
> > attacker can have an "agent" sharing the same IP address with the 
> > victim (by agent I mean an entity that can communicate with the 
> > target web site and read back its response data), then the algorithms 
> > I suggested will not be effective. Note that an attacker can share IP 
> > address with the victim when both share a forward proxy (e.g. some 
> > universities and ISPs), or when the attacker and victim share the 
> > same machine (multi-user environment). Still, that narrows down the 
> > attack surface significantly.
>
> It should be noted that this isn't as rare as just a few universities
> and ISPs.  This also happens in lots of corporate networks (rogue user
> on the internal network),  it happens with lots of internet cafe's, it
> happens with AOL (~5MM users) and it happens with TOR users.  So while,
> yes, I agree it is better than nothing it is hardly a rock solid
> solution for anyone on a shared IP.
The point is - someone with shared IP is vulnerable ONLY to an attacker 
with the same IP. Which makes attacks much less generic and much more 
painful. Rock solid it ain't, but I think it's a pretty good band-aid 
until all (hmmm...) clients upgrade to Acrobat Reader 8.0.

-Amit

----------------------------------------------------------------------------
The Web Security Mailing List: 
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]