- To: SLUG-CHAT <slug-chat@xxxxxxxxxxx>
- Subject: Re: [chat] "Steal" data before encryption
- From: Felix Sheldon <dark_paw@xxxxxxxxxxxxxx>
- Date: 10 Jul 2003 23:25:27 +1000
On Thu, 2003-07-10 at 22:07, Phil Scarratt wrote:
> Hi All
>
> Member of main list for a while ... new to slug chat...
>
> ...is it possible (however unlikely or difficult it might be - or even
> pointless due to other easier methods of doing effectively the same
> thing) for a hacker/attacker to get access to data entered into a form
> in a browser on an SSL connection to a remote server BEFORE it is
> encrypted but after the form submit has been clicked - so I guess what I
> am really asking is when/where does the encryption occur (I presume the
> browser does it) and is it possible to get at the data via some
> "backdoor" before encryption?????
>
> or I guess this is really a browser vulnerability question...
>
> I know keystroke loggers exist and presumably the data must exist in
> memory at some stage so looking at the memory might work...just a
> hypothetical question really which came about from some research into
> securing web apps that I am doing.
>
>
Google for 'cross frame scripting vulnerability' or 'cross site
scripting vulnerability'.
Basically, a vulnerable browser may allow a script in one page to use
the document object model to access data belonging to a different
page/site.
A secure browser should only execute scripts from the same source, but
even then it's possible to use the website itself to inject malicious
code:
http://www.cert.org/advisories/CA-2000-02.html
All this stuff will work just as well on SSL pages as non-SSL, because
the only thing secured by SSL is the network traffic.
--
Felix Sheldon <dark_paw@xxxxxxxxxxxxxx>
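
The point that SSL secures only the network traffic, as an added example that is not part of the original post: a page that copies a request parameter into its own HTML lets injected markup run inside that page, where form fields are still plaintext, and encoding the value on output prevents it. The function names, the shop.example URL and the sample input are constructed for illustration.

```javascript
// Added example, not from the original thread. All names and values are constructed.

// Encode the characters that let text break out of HTML content or a quoted attribute.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Login form served over HTTPS; userAttr is placed inside the value="" attribute.
function page(userAttr) {
  return '<form action="https://shop.example/login" method="post">' +
         '<input name="user" value="' + userAttr + '">' +
         '<input name="password" type="password">' +
         '</form>';
}

// Vulnerable: the request parameter reaches the page unmodified.
const renderLoginUnsafe = (user) => page(user);

// Hardened: the same parameter, encoded for the attribute context.
const renderLoginSafe = (user) => page(escapeHtml(user));

// Crude scanner for this demo: list the element names opened in the HTML.
function tagNames(html) {
  const names = [];
  const re = /<\s*([a-zA-Z][a-zA-Z0-9]*)/g;
  let m;
  while ((m = re.exec(html)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// True when rendering the input adds a script element to the page.
function introducesScript(render, input) {
  return tagNames(render(input)).includes('script');
}

// Constructed input: closes the attribute and opens an inert marker element.
const sample = '"><script>/* marker */</script>';

console.log('unsafe page gains a script element:', introducesScript(renderLoginUnsafe, sample));
console.log('safe page gains a script element:  ', introducesScript(renderLoginSafe, sample));
console.log('encoded value:', escapeHtml(sample));
```

Both versions of the page are delivered over the same HTTPS connection; only the output encoding changes the result.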