Seba

I suppose you already know of the dangers of malicious Javascript and Cross-Site-Scripting (XSS), otherwise you wouldn’t read OWASP blogs, would you :-).

What worries me are the next stages. Recently XSS was the attack vector discovered in Google’s popular Desktop Search. One of the tools referenced in the research paper is the XSS proxy tool. This reminded me of the post by PDP on persistent XSS, stating “Persistent XSS is more dangerous since it allow attackers to control exploited clients for longer”.

The idea is that you can infect the victim browser with XSS that ‘phones home’ and stays persistent in the victim’s browser. You can expect XSS-based bot nets, analogous to their classic Trojan nephews.

Another result of this kind of infection, is that it only takes one XSS vulnerability within a popular web site to infect clients for a longer period of time. Even when the XSS is fixed on the web application, browsers can stay infected for longer periods of time. Sounds a lot like the Domain Contamination by Amit Klein, but then client side!

We should not think that there is no profit to make with JS Badware, this excellent paper on “Man in the Browser” attacks by Philipp Gühring shows what can be done with infected browsers. You can expect XSS-based attack kits targeting web-banking customers really soon! People do make money with attack kits, as RSA showed recently.

The different stories above sketch a grim picture of where the following battlefields of malware will be: your browser! I am curious on how the Anti-Virus companies will provide protection against these new threats. Self-modifying JavaScript (tool kits) will be coming to a browser near you soon!

This is all related to the return of the ‘fat’ client. Your client connection to online web applications is getting incredibly complex. See Ajax, see support for off-line functionality in the upcoming Firefox3, see Adobe’s FLEX and Appolo developments.

Interesting times are ahead of us …

I am realizing that currently the OWASP chapter organization is not very democratic.

Chapter leaders are not elected. Currently you only have to apply for chapter leadership and without much control you’ll be granted OWASP chapter leadership.

This is not necessarily bad, and I have no knowledge of abuse. I do however know that in some countries there are disagreements on how the OWASP chapter activities are organized. Let me know your thoughts on that (on- or offline)?

Nevertheless, I think it would be better to have an OWASP chapter leader (re)election on a regular base. But how to organize this without creating a administrative hassle?

I have also seen that some countries have OWASP ‘boards’ that organize the chapter meetings. I think this is a good thing, it spreads the workload among different people. If an election was to be organized, board election is also something to think about?

I hope this will become part of How OWASP Works.

I am looking forward to your comments. Because of the increasing amount of blog comment spamming attempts, you will now have to be registered.