Client Side Web Server Hacking
Last week Symantec reported an active exploit of Cross Site Request Forgery (CSRF) against residential ADSL routers in Mexico (WHID 2008-05). In this attack, an e-mail with a malicious IMG tag was sent to victims. By accessing the image referenced by the e-mail message, the user initiated a router command which changed the DNS entry of a leading Mexican bank, making any subsequent access by a user to the bank go through the attacker's server. For the Web Hacking Incidents Database (WHID) this type of attack presents a new category: until now WHID included attacks against servers and ignored attacks against clients. After all, this is the Web Hacking Incidents Database.
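As an added illustration, not code from the original post or from any router vendor, the following Python contrasts the handler pattern that makes this attack possible with a hardened one: a configuration change accepted over GET with only ambient credentials, versus one that requires POST, a same-origin check and a per-session CSRF token. The session value, addresses and hostnames are constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
SESSION_COOKIE = "sid-constructed-0001"   # constructed: a logged-in admin session cookie
ROUTER_ORIGIN = "http://192.168.1.1"       # the router's own admin origin

@dataclass
class Request:
    method: str
    params: dict
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
class RouterAdmin:
    def __init__(self):
        self.dns = "192.168.1.1"   # resolver handed to LAN clients
        self.csrf_tokens = {}      # session id -> token embedded in the real config form

    def issue_csrf_token(self, sid):
        self.csrf_tokens[sid] = secrets.token_hex(16)
        return self.csrf_tokens[sid]

    def vulnerable_set_dns(self, req):
        # Pattern behind the router attack: a GET that needs only ambient credentials,
        # which the browser attaches to any request, including one from an <img> tag.
        if req.cookies.get("sid") != SESSION_COOKIE:
            return 401
        self.dns = req.params["dns"]
        return 200

    def hardened_set_dns(self, req):
        # Same authentication plus checks a cross-site <img> request cannot satisfy.
        if req.cookies.get("sid") != SESSION_COOKIE:
            return 401
        if req.method != "POST":          # an <img> tag can only issue GET
            return 405
        origin = req.headers.get("Origin") or req.headers.get("Referer", "")
        if origin != ROUTER_ORIGIN and not origin.startswith(ROUTER_ORIGIN + "/"):
            return 403                    # request did not come from the router's own pages
        expected = self.csrf_tokens.get(req.cookies["sid"], "")
        if not expected or not hmac.compare_digest(expected, req.params.get("csrf", "")):
            return 403                    # missing or wrong per-session token
        self.dns = req.params["dns"]
        return 200

def cross_site_img_request():
    # Constructed: what a browser sends for an <img> on a webmail page whose src is the router's config URL.
    return Request("GET", {"dns": "203.0.113.5"},
                   {"Referer": "http://webmail.example/"}, {"sid": SESSION_COOKIE})

def legitimate_form_request(token):
    return Request("POST", {"dns": "203.0.113.53", "csrf": token},
                   {"Origin": ROUTER_ORIGIN}, {"sid": SESSION_COOKIE})
```

The vulnerable handler accepts the image-triggered request because the cookie alone satisfies it; the hardened one rejects it on the method check before the origin and token checks are even reached.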
The closest WHID got to client side attacks were incidents in which a web site was hacked and malicious code was inserted to abuse clients, such as the Dolphins Stadium incident (WHID 2007-10). WHID 2008-05 somewhat blurs the lines: while the attack is definitely against clients, and the bank is only indirectly involved, it is technically a web hack and demonstrates the need for better web application security.
The reason is of course that technology blurs the lines: when installing ADSL routers at customers' premises we place a sophisticated piece of equipment in their hands. Neither the developers nor the service providers give the necessary attention to the security implications of this, leaving our computing environment less protected than ever.
Another example of the same problem was discovered recently by Aaron Weaver, who found that printers are susceptible to XSS. To reflect this new trend we have added a new attribute to WHID, location, which describes where the attack takes place. The default when location is not specified is server, while for WHID 2008-05 the value is client. Another possible value for this attribute is proxy or service provider, for attacks that occur somewhere along the way.