Friday, August 14, 2009

Browser as a weapon

Being a techie I can't help getting into such a topic even in a blog like this. But then, this is a blog of my thoughts. And had it existed 10 years ago, I might even have described AJAX (in concept) in it.

My post comes from my own experience with testing web applications by firing HTTP packets at them (not a lot of that, but enough).

Any hacker knows (and probably most users realize) that the browser is a window to the Web Server. What happens inside a web server is a result of what you send to it via your browser.

The code in a Web Server, if written carefully, should do all the data validation itself, even if the same checks have already been carried out in the browser. However, it is quite common for a Web Programmer, especially a novice, to do the validation only in JavaScript on the browser and take the incoming data for granted in the Web Server.

In case you didn't catch it, the key word in the previous paragraph is "JavaScript", as in "disabling JavaScript": a check that runs only in the browser runs only if the browser chooses to run it.
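To make the point concrete, here is an added example (written for this page, not code from the original post) of the two server-side handlers the paragraph above contrasts: one that takes the form data for granted because "the JavaScript already checked it", and one that re-validates everything. The form field names, the price catalog and the two sample requests are constructed for illustration; the "tampered" request stands for whatever arrives when the browser-side checks were not run.

```python
"""
Added example: server-side re-validation of an order form.
The field names, catalog and sample requests below are constructed
for illustration; nothing here is taken from a real application.
"""
import re
from dataclasses import dataclass

# Catalog the server trusts. Prices must never be read from the request.
CATALOG = {"book": 1200, "pen": 150}  # prices in cents
MAX_QTY = 10

# Only plain ASCII digits; rejects "1e3", " 5", "5.0", "-1", Unicode digits.
_INT_RE = re.compile(r"[0-9]+")


class ValidationError(ValueError):
    """Raised when a request fails a server-side check."""


@dataclass(frozen=True)
class Order:
    sku: str
    quantity: int
    total_cents: int


def naive_handler(form: dict) -> Order:
    """The mistake the post describes: the page's JavaScript already kept
    quantity within 1..10 and filled in the price, so the server simply
    uses whatever arrived, including a client-supplied price."""
    qty = int(form["quantity"])
    price = int(form["price"])
    return Order(form["sku"], qty, qty * price)


def hardened_handler(form: dict) -> Order:
    """Treats the request as untrusted input from an arbitrary HTTP client.
    Every field is checked here, and the price comes from the catalog,
    never from the form. Extra fields (such as a client-sent price) are
    ignored rather than trusted."""
    sku = form.get("sku")
    if not isinstance(sku, str) or sku not in CATALOG:
        raise ValidationError("unknown sku")

    raw_qty = form.get("quantity")
    if not isinstance(raw_qty, str) or not _INT_RE.fullmatch(raw_qty):
        raise ValidationError("quantity must be a positive integer")
    qty = int(raw_qty)
    if not 1 <= qty <= MAX_QTY:
        raise ValidationError("quantity out of range")

    return Order(sku, qty, qty * CATALOG[sku])


def rejects(form: dict) -> bool:
    """True if the hardened handler refuses the request."""
    try:
        hardened_handler(form)
    except ValidationError:
        return True
    return False


# Constructed sample requests.
# WELL_FORMED is what the page's own form (with its JavaScript) would send.
# TAMPERED is a request that the browser-side checks would never have
# produced: quantity far above the limit and a price of one cent.
WELL_FORMED = {"sku": "book", "quantity": "2", "price": "1200"}
TAMPERED = {"sku": "book", "quantity": "500", "price": "1"}


if __name__ == "__main__":
    print("naive, tampered:   ", naive_handler(TAMPERED))      # 500 books for $5.00
    print("hardened, normal:  ", hardened_handler(WELL_FORMED))
    print("hardened, tampered:", "rejected" if rejects(TAMPERED) else "accepted")
```

The naive handler does not contain a bug in the usual sense; it is correct for every request the page's own JavaScript would generate. It fails only because the server assumed that the browser is the only thing that will ever talk to it, which is exactly the assumption the rest of this post takes apart.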

However this is not even the beginning of what I would like to express here.

When a Developer writes code for the Web, he uses the commonly available browsers. He may be the best coder in the world, but he will certainly miss writing the proper code for a browser that he does not know exists!

Imagine this: A spy agency downloads the Mozilla source (or makes a browser of their own, for that matter). Now, this browser would not work the same way as regular ones. The regular browsers allow the programmer to dictate how they should behave. However, this browser would be fully under the control of the user. If the user wished, it would validate some data and skip other data, to mention only the tip of an iceberg. It could do session substitution, and in a jiffy have access to all your mail. It could pose as literally anyone, provided knowledge of ongoing sessions is available to it. To what extent are web servers security-aware? No one has an account of that. Or am I wrong?

For the techies, let's do a session - What features would you put in a hacker's browser?
