Re: [WEB SECURITY] Interview With Jeremiah Grossman on ClickJacking attack
- From: Bil Corry <bil@xxxxxxxxx>
- Subject: Re: [WEB SECURITY] Interview With Jeremiah Grossman on ClickJacking attack
- Date: Tue, 07 Oct 2008 00:55:53 -0500
Achim Hoffmann wrote on 10/6/2008 12:12 PM:
> this attack/threat (Web Trojan aka CSRF aka Session Riding) is well
> described since centuries. You just need to read the docs published
> in the last 4 or so years, nothing new at all. Some of these papers
> describe most (all?) possible countermeasures. It's done.
I've seen this sentiment come up every now and again where a "new" attack vector is disclosed and there are grumblings that it isn't new, but just an old attack vector repackaged with a shiny new name and maybe PoC. Is the issue that it's been repackaged (possibly for media consumption)? Or that not enough effort was made to acknowledge the roots of the attack vector? Or is there another objection?
For example, SideJacking generated some criticism that it was just "cookie theft" [1] and that it was very well known for years [2]. Would it have been better if Robert Graham had instead presented a tool that exploits good ol' cookie theft instead of coining "SideJacking"? Would the media have run with a story about a new tool for an old attack vector as much as they did with SideJacking? Is there a benefit to the wide media coverage SideJacking received?
Then there's also the distinction: if SideJacking is cookie theft and Surf Jacking is cookie theft, is there some benefit to having terms that distinguish between the passive SideJacking and the active Surf Jacking? Or does it only serve to confuse by introducing yet more lexicon into the already crowded security industry lingo?
And consider that "Surf Jacking" was coined by Sandro Gauci [3] while the same attack is also called "Automated HTTPS Cookie Hijacking" by Mike Perry [4]. In the case of Mike, he described the attack a year before he presented it at DEFCON [5] but received no media attention until he built a PoC for his DEFCON presentation a year later. And while "Automated HTTPS Cookie Hijacking" is the more technical term, I'd hazard to guess more (non-security) people know it as "Surf Jacking."
So it turns out that "Surf Jacking" vs. "Automated HTTPS Cookie Hijacking" is an interesting case study of the two methods. Which one is the proper way to describe the attack vector? The one labeled with the shiny new name or the one with the more technically-accurate name? And which one had the most positive impact, that is, which one educated the most people? And finally, should security researchers package security issues for media consumption?
- Bil
[1] 'SideJacking' is fucking retarded.
http://www.memestreams.net/thread/bid36055/
[2] mh.blackhatFeedback(Side-jacking, Hamster)
http://www.sensepost.com/blog/1320.html
[3] Surf Jack - HTTPS will not save you
http://enablesecurity.com/2008/08/11/surf-jack-https-will-not-save-you/
[4] Automated HTTPS Cookie Hijacking
http://fscked.org/blog/fully-automated-active-https-cookie-hijacking
[5] Active Gmail "Sidejacking" - https is NOT ENOUGH
http://seclists.org/bugtraq/2007/Aug/0070.html
Brought to you by http://www.webappsec.org