[lug] Web crawler advice
Nate Duehr
nate at natetech.com
Tue May 6 17:54:31 MDT 2008
karl horlen wrote:
> But how does one attach a js to an image if you don't control the page
> that loads the image? Since someone is deep linking the image from a
> page you don't own, if you don't own or control the page you can't
> insert js.

He's definitely saying the attacker owns the page the "fake" image tag
is on, loaded with JavaScript instead of an image file.

How hard is it to set up a web page on a server, put up something
"interesting" enough to the general public to get a few thousand page
views a day, and then embed evil things in it? Not very.

Now move that webserver off-shore where it's harder to get the attention
of the authorities and/or the ISP... but keep your ".com" domain name on
the foreign IP address...

You get the idea. Evil incarnate. And more common than people think,
sadly. Indiscriminate web browsing and bad browser behavior are right up
there with some of the worst real "threats" to modern computing.

Common techniques today are starting to become things like "contained"
environments or "sandboxes" where the browser is only used/loaded inside
a virtualized OS that can be wiped and reloaded, keeping (hopefully) the
host OS safe from harm.

Nate