“We went from screwing around and having fun on MySpace to an attacker harvesting e-mail addresses to sell to spammers, all in less than 8 months,” Hoffman said.
Such attacks are just an early sign of things to come, said Jeremiah Grossman, founder and chief technology officer for WhiteHat Security, who talked about JavaScript threats at Black Hat. Grossman showed off techniques for detecting which of a list of popular sites a victim has visited and demonstrated a way to port scan an internal network to which the victim is connected, all through JavaScript and without exploiting vulnerabilities.
Considered by many security researchers to be a less-than-hackerly technique used by script kiddies, phishers and spammers to fool trusting users, cross-site scripting (XSS) is a key method for injecting malicious code into a victim’s Web session. Cross-site scripting allows a malicious Web site to inject code into the context of another Web site; a user who believes they are interacting with a popular social networking site might instead be loading a script from some other, malicious site.
“If you don’t want your Web site to be helping spread malware, the best way to prevent it is to resolve your cross-site scripting issues,” Grossman said.
Secure Sockets Layer (SSL) encryption, far from helping secure against such attacks, could instead aid them in dodging detection by intrusion detection, or prevention, systems, he said.
http://www.securityfocus.com/news/11405