Chapter 7. Web of Distrust

Information in this Chapter

A wicked Web of deceit lurks beneath many of the Web sites we visit every day. Some may be obvious, such as misspellings and poor grammar on an unsophisticated phishing page. Some may be ambiguous, such as deciding whether to trust the person buying or selling an item at auction or through an online classified. Other attacks may be more artful, such as lacing Web pages we regularly visit and implicitly trust with treacherous bits of Hypertext Markup Language (HTML). Web traffic is bidirectional. A click in a browser generates traffic to a Web server, which in turn updates content in the browser. This also means that Web security is not limited to attacks from the browser to the server, but naturally covers ways in which the server can attack the browser. In Chapter 1, “Cross-Site Scripting,” and Chapter 2, “Cross-Site Request Forgery,” we saw how an attacker bounces an exploit from a server to a victim's browser. This chapter explores more risks that browsers face from maliciously designed Web pages or pages that have been infected with ill-intentioned content.

Many of the examples we've seen throughout this book have had a bias toward events or Web sites within the United States. Although many of the most popular Web sites are based in the United States, the worldwide aspect of the Web is not under American hegemony in terms of language or absolute popularity of sites. Taiwan has a significant presence on the Web and a large number of users. In 2006, nude photos of a celebrity started making appearances on Chinese-language Web sites. Whether through innocent curiosity or voyeuristic desire, many people started searching for sites serving the pictures (www.v3.co.uk/vnunet/news/2209532/hackers-fabricate-sex-scandal). Unbeknownst to most searchers, the majority of sites served photos from pages contaminated with malware. This led to thousands of computers being compromised within a brief period of time. More familiar Hollywood celebrities have been co-opted for the same purpose. Criminals set up Web sites for the sole purpose of attracting unwitting visitors to salacious photos (real or not) with the intent of running a slew of exploits against the incoming browsers.

Infecting a Web site with malware represents a departure from the site defacements of the late 1990s in which a compromised site's home page was replaced with content shouting the attackers' subculture greetz to other hackers, a political message, or other content such as pornographic images. Such vandalism is easily detected and usually quickly removed. Conversely, an infected Web page doesn't carry the same markers of compromise and may remain undetected for days, weeks, or even months. Attackers reap other benefits from infecting rather than defacing a site. Spam has served (and regrettably continues to serve) as an effective dispersal medium for scams, malware, and phishing, but spam has the disadvantage that millions of messages need to be sent for a few of them to bypass e-mail filters, bypass virus scanners, and bypass users’ skepticism. An infected Web site reverses this traffic pattern. Rather than blast a vulnerability across e-mail addresses that may or may not be active, an attacker can place the exploit on a server that people regularly visit and wait for victims to come to the exploit.