Paul Theriault (Consultant, SIFT)

Presentation Title: Browser Ghosting Attacks
Presentation Abstract

The web is built on a page-based model, where a user loads pages consecutively as they navigate through websites. Content is loaded and unloaded in a sequential manner and at any given point only the content from the current website is loaded in the browser. The introduction of interactivity through JavaScript and third-party plug-in content has complicated this interaction model, and introduced many complex security issues. One of these issues is how to deal with non-linear navigation in an efficient, yet secure manner.

In a simple user scenario, the web browser makes a request on behalf of the user; the page is loaded, parsed and rendered, including the retrieval of additional scripts and other content as required. At some point the user clicks a link or submits a form, and a new page is loaded in the browser's window. As it appears to the user, the current page is disposed of, including all of its content, and a new page is loaded to replace it. However, the previously loaded content is not completely destroyed at this point.

The browser & plug-ins cache previously viewed content for performance reasons. The browser must enforce rules to ensure that the page currently being viewed is the only one actually loaded, or, more importantly, ensure that only JavaScript & active content from the current page is running. The challenge for plug-in developers is that they must attempt to match the browser's current state, i.e. when a web page is disposed of, all the content from that page should be unloaded, or at least serialized to a dormant state with its system resources released. Frames, forward and back navigation buttons, and offline modes all further complicate this issue.

As it turns out, scripts and other active content may also continue to run in certain circumstances described in this paper, a situation which can be exploited by an attacker in client-side attacks. A successful attack involves achieving persistence beyond what is intended. Once this is achieved, several attacks may be possible:

– Enabling a persistent command and control channel
– Key logging & click monitoring
– Accessing or modifying subsequently loaded web pages (potential cross-domain breach)
– Abuse of system resources

About Paul Theriault

Paul Theriault is a consultant with SIFT, specialising in application security testing, guidance and code review. He has in-depth technical knowledge of application security developed through over six years of application security experience, including penetration testing, code review and training developers in secure web application development. His application security skills are supported by a background in software development and active contribution to the software development community. He has presented at several national and international security conferences, including the HK Information Security Summit & OWASP Asia Pacific, and is actively involved in the Sydney chapter of the Open Web Application Security Project (OWASP).