
RE: [WEB SECURITY] client-side "transaction monitoring" beacons




What's interesting to me is if people (mistakenly) start to use this for things other than statistics, analytics, or a poor man's OSS lojack. What about port knocking? Browser identification? Spider-driven or human-driven CAPTCHA?

From: Arshan Dabirsiaghi [mailto:arshan.dabirsiaghi@aspectsecurity.com]
Sent: Tuesday, May 27, 2008 7:14 PM
To: Simone Onofri; Arian J. Evans
Cc: Licky Lindsay; websecurity@webappsec.org
Subject: RE: [WEB SECURITY] client-side "transaction monitoring" beacons

There's lots of ways to do it, and there's lots of ways that the people on this list can bypass it. Fortunately for whoever "them" is, there's not enough of us for them to really care.

Arshan

________________________________
From: Simone Onofri [mailto:simone.onofri@gmail.com]
Sent: Tue 5/27/2008 4:51 PM
To: Arian J. Evans
Cc: Licky Lindsay; websecurity@webappsec.org
Subject: Re: [WEB SECURITY] client-side "transaction monitoring" beacons

On Tue, May 27, 2008 at 8:28 PM, Arian J. Evans
<arian.evans@anachronic.com> wrote:
> This has been going on for + 10 years.
>
> A great example is a lot of open source portal or plugin-projects
> (like many of the PHP and Python photo-gallery software packages)
> suck in a clear gif or some other benign content. They often put
> this tag in an obscure header or footer, or include. Something
> that might not be easily flagged and refactored in casual
> review of source.
>
> This is so they can track who installs, uses, or in some cases
> steals their software.
>
> It's a pretty basic, and very old, tracking technique.

Thinking about this, there are more places to insert it:

- Server-side code (PHP with fopen, curl...)
- Client-side code (XHTML with img, script, JS or CSS)

Also, SWFs may contain remote calls.

(Are there others?)

If you're checking for tracking systems, take care with encoded code (in
particular server-side or JS); for client-side code you may check it
using plugins like Firebug (Net tab) or Live HTTP Headers.

Cheers,

Simone



>
> --
> --
> Arian J. Evans.
>
> I spend most of my money on motorcycles, mistresses, and martinis. The
> rest of it I squander.
>
>
>
> On Tue, May 27, 2008 at 5:49 AM, Licky Lindsay <noontar@gmail.com> wrote:
>> Anyone familiar with these things?
>>
>> The basic idea is to hide a zero-pixel image in the customer's website
>> with the src attribute pointing at the security vendor's site.
>> This causes the end user's IP address and probably other info (as
>> collected by the javascript or passed on the URL by the customer site)
>> to be sent to the security vendor. There they can be logged and analyzed
>> for odd behavior.
>>
>> One example of vendors selling these things is RSA.  There are others.
>>
>> Now, am I crazy, or is this emperor completely nude? This solution
>> trusts the *client* to send this info. All it takes is for the .. uhm,
>> "hacker" (it's hard to apply that term for such a trivial exercise) to
>> configure his browser to block images from domains other than the web
>> page currently being viewed, and voila he's invisible to the
>> "transaction monitoring". You don't even have to use any plugins or
>> proxies!
>>
>> To be fair to the vendors, I think these are sold as starter options,
>> quick ways to get something at all running, before moving up to more
>> serious forms of integration that involve direct server-to-server
>> calls. But to my mind that only makes it slightly better, if at all.
>>
>> Do people buy this stuff? Why?
>>
>
> ----------------------------------------------------------------------------
> Join us on IRC: irc.freenode.net #webappsec
>
> Have a question? Search The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/
>
> Subscribe via RSS:
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>
> Join WASC on LinkedIn
> http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>
>



--
Simone Onofri
http://www.siatec.net/

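An added example, not code from the thread or from any of the posters: a small audit script in the spirit of Simone's suggestion to check pages for tracking calls. It parses HTML for img, script, iframe, link and inline CSS url() references whose host differs from the page's own host, and separately flags zero- or one-pixel images of the kind Licky describes. The sample page and the vendor hostnames are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (not from the thread): a first-party logo, a hidden
# 0x0 image pointing at a vendor host, a third-party script and a CSS beacon.
SAMPLE_HTML = """
<html><body>
<img src="/images/logo.png" width="120" height="40">
<div style="display:none">
  <img src="https://beacon.vendor.example/t.gif?u=12345" width="0" height="0">
</div>
<script src="https://cdn.vendor.example/monitor.js"></script>
<p style="background:url(https://track.vendor.example/p.gif)">x</p>
</body></html>
"""

# Tag -> attribute that carries a remote reference.
TAG_ATTRS = {"img": "src", "script": "src", "iframe": "src", "link": "href"}
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")]+)['\"]?\s*\)", re.I)


class BeaconScanner(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.findings = []  # (tag, url, reason)

    def _check(self, tag, url, tiny=False):
        # Relative URLs have no netloc and are first-party by definition.
        host = urlparse(url).netloc.split("@")[-1].split(":")[0].lower()
        if host and host != self.page_host:
            reason = "third-party" + (" and zero-size" if tiny else "")
            self.findings.append((tag, url, reason))

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in TAG_ATTRS and a.get(TAG_ATTRS[tag]):
            tiny = (tag == "img" and a.get("width") in ("0", "1")
                    and a.get("height") in ("0", "1"))
            self._check(tag, a[TAG_ATTRS[tag]], tiny)
        for url in CSS_URL.findall(a.get("style") or ""):
            self._check(f"{tag}[style]", url)


def scan(html, page_host):
    """Return every remote reference on the page that leaves page_host."""
    s = BeaconScanner(page_host.lower())
    s.feed(html)
    return s.findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_HTML, "www.customer.example"):
        print(finding)
```

Encoded or script-built references (the case Simone warns about) will not show up in static source; for those the Firebug Net tab or Live HTTP Headers view he mentions remains the check that sees what the browser actually fetched.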
