Web Attacks Targeting User

Uploaded by

SAN JO clicks

Malicious Web Content :-

• Tries to cause harm to the user.
• Replaces parts of a web site, and does so in a way that does not attract attention.

E.g. Changing a link in a website.

• Consider an application from a bank that enables its customers to manage their accounts online.
• Users have no way to know whether the tool is legitimate or whether the site the tool comes from is authentic.

Web Bug:-

• A web bug is also called a clear GIF, 1x1 GIF, or tracking bug.
• It is a tiny image, as small as 1 x 1 pixel, so it will not normally be seen.
• When the web page is loaded, files are downloaded from a destination and processed; during the processing they may invoke other files.
• The web bug is loaded and processed just as a larger picture would be.
• Part of the processing is to notify the bug’s owner, who thus learns that another user has loaded the advertising image.
• Cookies + web bug: combined with cookies, a web bug allows this tracking across multiple merchants.
• Web bugs can also be used in email with images, to learn which email addresses are active.

Is a web bug malicious?

• Probably not, but some people claim that the unannounced tracking is a harmful invasion of privacy.

Clickjacking :

• Application programs or the operating system flag certain actions for confirmation by the user.
• The attack uses an image pasted over, that is, displayed on top of, another image.
• Clickjacking is an attack that fools users into thinking they are clicking on one thing when they are actually clicking on another.
• The attacker also makes this box transparent, so the victim is unaware of clicking anything.
• The attacker chooses an action to which the user would ordinarily not agree, such as:
  • Do you really want to delete all your files?
  • Do you really want to send your contacts list to a spam merchant?
  • Do you really want to install this program?
  • Do you really want to change your password to AWordYouDontKnow?
  • Do you really want to allow the world to have write access to your profile?
• The clickjacking attacker only has to be able to guess where the confirmation box will land, make it transparent, and slip the “For a Free Prize, Click [Here]” box under the invisible [Yes] button of the dangerous action’s confirmation box.

Clickjacking attacker is able to :-

• Change the image’s coloring to transparent
• Move the image to any position on the screen
- IFrame / framing
Drive-By Download :-

• A drive-by download is an attack in which code is downloaded, installed, and executed on a computer without the user’s permission and usually without the user’s knowledge.

E.g. an “Error 404 — Page Not Found” message.

• The user did not consent to all the things actually downloaded.
• Drive-by download: downloading and installing code other than what a user expects.
Protecting Against Malicious Web Pages :-

• The basic protection against malicious web content is access control.
• Users download code to add new applications, update old ones, or improve execution.
• Without the user’s consent, applications, including browsers, can download code either temporarily or permanently to assist in handling a data type.
• Some operating systems require administrative privilege to install programs, but not all do.
• Some naive users run in administrative mode all the time.
• When the operating system does demand separate privilege to add new code, users accustomed to annoying pop-up boxes from the operating system routinely click [Allow] without thinking.
• Protection requires stronger action by both the user and the operating system.
• Relevant measures here would include least privilege, user training, and visibility.
• Web page owner: ensure that code on a web page is good, clean, or suitable.
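The IFrame/framing point under clickjacking and the web page owner’s responsibility above both come down to whether a page lets itself be loaded inside another site’s frame. As an added example (not part of the deck), this Python check classifies a response’s framing policy from its X-Frame-Options and Content-Security-Policy frame-ancestors headers; the header values and sample responses are constructed.

```python
# Added example (not from the deck): classify a page's framing policy from its
# response headers, the check a defender runs when auditing for clickjacking.
# Assumptions: headers arrive as a dict (case-insensitive names); a CSP frame-ancestors
# directive overrides X-Frame-Options, as in browsers; the obsolete ALLOW-FROM form
# is ignored by current browsers and so counts as no protection.

def _frame_ancestors(csp):
    """Return the frame-ancestors source list from a CSP value, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.strip("'").lower() for p in parts[1:]]
    return None

def framing_policy(headers):
    """One of "denied", "same-origin", "restricted" (explicit allow-list) or "unrestricted"."""
    h = {k.lower(): v for k, v in headers.items()}
    csp = h.get("content-security-policy")
    if csp is not None:
        ancestors = _frame_ancestors(csp)
        if ancestors is not None:
            if ancestors == ["none"]:
                return "denied"
            if ancestors == ["self"]:
                return "same-origin"
            if "*" in ancestors:          # wildcard: any site may frame the page
                return "unrestricted"
            return "restricted"
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "denied"
    if xfo == "SAMEORIGIN":
        return "same-origin"
    return "unrestricted"                 # missing, malformed, or ALLOW-FROM

def clickjacking_exposed(headers):
    """True when an arbitrary third-party page could load this response in an iframe."""
    return framing_policy(headers) == "unrestricted"

# Constructed sample responses (not real sites) to exercise the check.
SAMPLES = {
    "no-headers": {},
    "xfo-deny": {"X-Frame-Options": "DENY"},
    "xfo-obsolete": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "csp-self": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"},
    "csp-overrides-xfo": {"X-Frame-Options": "DENY",
                          "Content-Security-Policy": "frame-ancestors *"},
}

def audit(samples=SAMPLES):
    return {name: framing_policy(hdrs) for name, hdrs in samples.items()}
```

Only responses classified as "unrestricted" are candidates for the overlay described in the clickjacking slides; "restricted" still deserves a look at who is on the allow-list.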
