RE: [WEB SECURITY] client-side "transaction monitoring" beacons
- From: "Arshan Dabirsiaghi" <arshan.dabirsiaghi@xxxxxxxxxxxxxxxxxx>
- Subject: RE: [WEB SECURITY] client-side "transaction monitoring" beacons
- Date: Tue, 27 May 2008 23:13:32 -0400
There's lots of places I could do that, and there's lots of things the people on this list could say that about. Fortunately for them, I saved them an email because I care.

<g/>

But seriously, the answer is no. The web app vulnerabilities that people really care about allow a single attacker to cause widespread harm, either to confidentiality, integrity, availability, surety, etc. In those situations, a single attacker does a lot of damage across an entire system, user base, etc.

In this case, a single attacker can affect the system .00001%. Even if 10% of users had some unbeatable anti-tracking busta busta busta, it wouldn't affect their overall tracking statistics enough to make a serious impact.

And honestly, I don't know if people should get worked up about this unless they're doing something insane like sending personal data in the tracking signal. It's something they can do on the server side - they're just making it easier on themselves by outsourcing the OOB request to your browser client. Wal Mart can (and I'm sure does) watch tape of you walking through the aisles and see how they could rearrange the sections to make you stay longer and buy more. Is that an invasion of privacy? Somehow I don't think so.

However, being the blame-corporate-America-first kind of guy that I am, I'm sure I could be persuaded otherwise.

Cheers,
Arshan
________________________________
From: Jeff Robertson [mailto:jeff.robertson@gmail.com]
Sent: Tue 5/27/2008 9:32 PM
To: Arshan Dabirsiaghi
Cc: Simone Onofri; Arian J. Evans; Licky Lindsay; websecurity@webappsec.org
Subject: Re: [WEB SECURITY] client-side "transaction monitoring" beacons
On Tue, May 27, 2008 at 7:14 PM, Arshan Dabirsiaghi
<arshan.dabirsiaghi@aspectsecurity.com> wrote:
> There's lots of ways to do it, and there's lots of ways that the people on
> this list can bypass it. Fortunately for whoever "them" is, there's not
> enough of us for them to really care.

You could take those two sentences out of context and apply them to
just about any web application vulnerability, couldn't you?