| Publisher | Association for Computing Machinery | ||
|---|---|---|---|
| Format | 424.1KB PDF | Date added | 02 Nov 2007 |
| Topics | Web Browsers, Anti-Hacking | ||
| Downloads | 27 | ||
This paper describes a new attack against web authentication, which the paper calls dynamic pharming. Dynamic pharming works by hijacking DNS and sending the victim's browser malicious Javascript, which then exploits DNS rebinding vulnerabilities and the name-based same-origin policy to hijack a legitimate session after authentication has taken place. As a result, the attack works regardless of the authentication scheme used. Dynamic pharming enables the adversary to eavesdrop on sensitive content, forge transactions, sniff secondary passwords, etc. To counter dynamic pharming attacks, the paper proposes two locked same-origin policies for web browsers. In contrast to the legacy same-origin policy, which regulates cross-object access control in browsers using domain names, the locked same-origin policies enforce access using servers' X.509 certificates and public keys.
Did you find this white paper useful?
6 out of 11 users found this white paper useful
Related white papers
MSDN Webcast: Internet Explorer 8 for Developers (Level 200)
Windows Internet Explorer 8 ushers in a new wave of browser innovation from Microsoft, including Web Slices and Accelerators, while maintaining compatibility with the today's Web standards. The presenter of...
MSDN Webcast: Designing Creative DHTML, Silverlight UIs: Simple, Visualized & Intuitive (Level 300)
The presenter of this webcast shows off the new point and click Visual WebGui Control & Theme Designer. This designer joins the well known drag and drop Visual WebGui Form...
MSDN Webcast: Silverlight Controls Framework (Level 100)
The presenter of this webcast provides an overview of the Microsoft Silverlight controls and controls model. The presenter shows how to use Silverlight controls and how to make minor visual...
The Security Architecture of the Chromium Browser
Most current web browsers employ a monolithic architecture that combines "The User" and "The Web" into a single protection domain. An attacker who exploits arbitrary code execution vulnerability in such...
Leading TV and Online Sports Broadcaster Raises the Bar With Microsoft Silverlight
Founded in 1992 and based in London, Setanta Sports is a leading Internet and pay-TV sports broadcaster, operating channels in the U.K., Ireland, North America, and Australia. Setanta wanted to...
Web Technologies Help MTV Networks Create Dynamic Website and Improve Global Workflow
MTV Networks (MTVN), a division of Viacom, is one of the world's leading creators of entertainment content. In 2000, the company created ALIAS (Archive Library Information Access System), an enterprise...
Organizing Bookmarks With Firefox to Save Screen Space
The author is sitting here typing on a 13.3" 1280 x 800 resolution LCD screen, and to him, 1280 x 800 isn't low resolution, but it's not quite enough to...
