Security-Alerts mailing list archive (security-alerts@yandex-team.ru)
[security-alerts] FYI: http://www.webappsec.org/projects/articles/020606.shtml
This brief write-up describes an attack that exploits an inherent flaw
of the client-side trust model in the context of cyber-squatting and
domain hijacking, or, in general, in the context of obtaining temporary
ownership of a domain (or major parts of it, e.g. defacing the main
page). Put simply, the idea explored is to force long-term caching of
malicious pages so that they remain in effect even after the
domain returns to its rightful owner. Various attack vectors are
discussed, as well as possible protection techniques. While previous
works hinted at the possibility of such an attack, it is worthwhile to
discuss this attack in depth and to refute the common misconception that
cyber-squatting, domain hijacking and similar attacks do not have
long-lasting effects.
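As an added illustration of the caching window the write-up is about (example code, not from the linked article or the list post): an audit that a domain owner who has regained control can run over captured response headers to flag pages that were declared fresh for an unusually long time. The threshold, the header samples and the function names are constructed for this example.

```python
"""Flag HTTP responses whose freshness lifetime is long enough to outlive
a temporary takeover of the domain (example code, not from the article)."""
from email.utils import parsedate_to_datetime

# Policy threshold chosen for this example: an HTML page that stays fresh
# for more than a week without revalidation deserves a second look.
MAX_SANE_LIFETIME_SECONDS = 7 * 24 * 3600


def parse_cache_control(value):
    """Return {directive: argument-or-None} for a Cache-Control header value."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def freshness_lifetime(headers):
    """Freshness lifetime in seconds, following RFC 7234 precedence:
    s-maxage, then max-age, then Expires minus Date. no-store / no-cache
    are treated as 0 because the cache must not reuse without revalidating."""
    lower = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(lower.get("cache-control", ""))
    if "no-store" in cc or "no-cache" in cc:
        return 0
    for directive in ("s-maxage", "max-age"):
        arg = cc.get(directive)
        if arg is not None and arg.isdigit():
            return int(arg)
    if "expires" in lower and "date" in lower:
        try:
            expires = parsedate_to_datetime(lower["expires"])
            date = parsedate_to_datetime(lower["date"])
        except (TypeError, ValueError):
            return 0  # unparseable Expires is treated as already stale
        return max(0, int((expires - date).total_seconds()))
    return 0


def is_suspicious(headers, threshold=MAX_SANE_LIFETIME_SECONDS):
    """True when a page was declared fresh for longer than the policy allows."""
    return freshness_lifetime(headers) > threshold


# Constructed sample: a page served during a takeover, cacheable for a year.
TAKEOVER_HEADERS = {"Date": "Mon, 06 Feb 2006 10:00:00 GMT",
                    "Expires": "Tue, 06 Feb 2007 10:00:00 GMT",
                    "Cache-Control": "public, max-age=31536000"}
# Constructed sample: headers the rightful owner serves for dynamic pages.
OWNER_HEADERS = {"Cache-Control": "no-store, must-revalidate"}
```

Running the audit over stored proxy or crawler headers lists the pages whose cached copies may still be served to returning visitors, which is exactly the population that needs attention after the domain is recovered.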