Re: [WEB SECURITY] Re: [Webappsec] Security issues with advertising sites like doubleclick

["James Landis" <jcl24@xxxxxxxxxxx>]

Even if they're just using naked IMG tags with no scripting, with most
clients you still have to worry about Referer header leakage. That's
the way these types of bit bugs work, by tracking the referring URLs,
so anything you have in that URL is getting sent to the 3rd party.

That of course assumes that there are no client-side configurations
limiting loading of 3rd-party images and stripping of Referer headers,
which we're all doing, right?

Typical things that might leak through the Referer would be
"cookieless" session IDs, sensitive parameter keys, etc. Occasionally
I'll see account numbers or other data in URL parameters, as well.

-j

On 5/8/07, Anurag Agarwal <a_agrawwal@xxxxxxxxx> wrote:
> Hi andy
>
> Actually in this case, there are no javascripts at all. They are using img
> tag to send some parameters to their server and thats it. I am assuming that
> they will use this to install a cookie in the client browser and at other
> sites where they are displaying ads, will use the cookie to identify the
> user has visited our site and will display ads.
>
>
> Cheers,
>
>
>
> Anurag Agarwal
>
>
>
> SEEC - An application security search engine
>
> Web: www.attacklabs.com , www.myappsecurity.com
>
> Email : anurag.agarwal@xxxxxxxxx
>
> Blog : http://myappsecurity.blogspot.com
>
>
>
>
>
> ----- Original Message ----
> From: Andy Steingruebl <steingra@xxxxxxxxx>
> To: Anurag Agarwal <anurag.agarwal@xxxxxxxxx>
> Cc: WASC Forum <websecurity@xxxxxxxxxxxxx>; "webappsec @OWASP"
> <webappsec@xxxxxxxxxxxxxxx>
> Sent: Tuesday, May 8, 2007 12:35:18 PM
> Subject: [WEB SECURITY] Re: [Webappsec] Security issues with advertising
> sites like doubleclick
>
>
> Many of the advertising sites use javascript for sending client data
> to their site for ad selection.  Obviously you'll want to fully
> examine this javascript before making it a part of your site.
>
> - Andy
>
> On 5/8/07, Anurag Agarwal <anurag.agarwal@xxxxxxxxx> wrote:
> >
> >
> > I was wondering if anyone has experience or knowledge on the security
> issues
> > with advertising sites like doubleclick.
> >
> >
> >
> > Cheers,
> >
> >
> >
> > Anurag Agarwal
> >
> >
> >
> > SEEC - An application security search engine
> >
> > Web: www.attacklabs.com , www.myappsecurity.com
> >
> > Email : anurag.agarwal@xxxxxxxxx
> >
> > Blog : http://myappsecurity.blogspot.com
> >
> >
> >
> > _______________________________________________
> > Webappsec mailing list
> > Webappsec@xxxxxxxxxxxxxxx
> > https://lists.owasp.org/mailman/listinfo/webappsec
> >
> >
>
>
> --
> Andy Steingruebl
> steingra@xxxxxxxxx
>
> ----------------------------------------------------------------------------
> Join us on IRC: irc.freenode.net #webappsec
>
> Have a question? Search The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/
>
> Subscribe via RSS:
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]