[WEB SECURITY] client-side "transaction monitoring" beacons

Licky Lindsay noontar at gmail.com
Tue May 27 08:49:53 EDT 2008


Anyone familiar with these things?

The basic idea is to hide a zero-pixel image in the customer's website
with the src attribute pointing at the security vendor's site.
This causes the end-user's IP address and probably other info (as
collected by the javascript or passed on the URL by the customer site)
to be sent to the security vendor. There they can be logged and analyzed
for odd behavior.

One example of vendors selling these things is RSA.  There are others.

Now, am I crazy, or is this emperor completely nude? This solution
trusts the *client* to send this info. All it takes is for the .. uhm,
"hacker" (it's hard to apply that term for such a trivial exercise) to
configure his browser to block images from domains other than the web
page currently being viewed, and voila, he's invisible to the
"transaction monitoring". You don't even have to use any plugins or
proxies!

To be fair to the vendors, I think these are sold as starter options,
quick ways to get something at all running, before moving up to more
serious forms of integration that involve direct server-to-server
calls. But to my mind that only makes it slightly better, if at all.

Do people buy this stuff? Why?
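The check a practitioner would want next to such a beacon, as an added example that is not part of the original post or any vendor's product: the site's own server-side record of transactions is reconciled against what the vendor's collector actually received (via the server-to-server feed the post mentions), so a transaction with no matching beacon, or one whose beacon reported a different client address than the site saw, is flagged rather than silently passing as "clean". The record shapes, field names and sample data are assumptions.

```javascript
// Added example (not from the post or any vendor). Record shapes, field
// names and the sample records below are assumptions / constructed data.

// What the customer page embeds: a zero-pixel image whose src carries a
// transaction id to the vendor's collector. Only the URL is built here.
function beaconUrl(vendorBase, txnId) {
  return `${vendorBase}/pixel.gif?txn=${encodeURIComponent(txnId)}`;
}

// Server-side reconciliation. `serverTxns` is what the site's own backend
// recorded (it handled the request, so this side is trustworthy);
// `vendorBeacons` is what the vendor's collector reported back.
// A transaction the client never beaconed, or beaconed from an address
// other than the one the site saw, is returned as an anomaly.
function reconcile(serverTxns, vendorBeacons) {
  const byTxn = new Map(vendorBeacons.map(b => [b.txn, b]));
  const anomalies = [];
  for (const t of serverTxns) {
    const b = byTxn.get(t.txn);
    if (!b) {
      anomalies.push({ txn: t.txn, reason: 'no-beacon' });
    } else if (b.clientIp !== t.clientIp) {
      anomalies.push({ txn: t.txn, reason: 'ip-mismatch' });
    }
  }
  return anomalies;
}

// Constructed sample data.
const serverTxns = [
  { txn: 'T1001', clientIp: '203.0.113.10' },
  { txn: 'T1002', clientIp: '203.0.113.11' }, // browser blocked third-party images
  { txn: 'T1003', clientIp: '203.0.113.12' },
];
const vendorBeacons = [
  { txn: 'T1001', clientIp: '203.0.113.10' },
  { txn: 'T1003', clientIp: '198.51.100.7' }, // beacon came from a different address
];

console.log(reconcile(serverTxns, vendorBeacons));
```

The point is that the absence of a beacon is itself the signal worth alerting on; a beacon-only deployment never sees it.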
