[WEB SECURITY] client-side "transaction monitoring" beacons

Hoffman, Billy billy.hoffman at hp.com
Tue May 27 15:55:42 EDT 2008


This is also the basis of most modern web analytics. JavaScript is used to collect information and a throw-away request (usually with a JavaScript Image object, no reason to pollute the DOM) is made to a 3rd party with the collected data in the URL. If JavaScript is disabled a simple <NOSCRIPT><IMG SRC></NOSCRIPT> does the same thing, though at that point you are relying on the Referer header, which could get stripped by various privacy tools.

Billy

-----Original Message-----
From: arian.evans at gmail.com [mailto:arian.evans at gmail.com] On Behalf Of Arian J. Evans
Sent: Tuesday, May 27, 2008 2:28 PM
To: Licky Lindsay
Cc: websecurity at webappsec.org
Subject: Re: [WEB SECURITY] client-side "transaction monitoring" beacons

This has been going on for 10+ years.

A great example is that a lot of open source portal or plugin projects
(like many of the PHP and Python photo-gallery software packages)
suck in a clear gif or some other benign content. They often put
this tag in an obscure header or footer, or include. Something
that might not be easily flagged and refactored in casual
review of source.

This is so they can track who installs, uses, or in some cases
steals their software.

It's a pretty basic, and very old, tracking technique.


--
--
Arian J. Evans.

I spend most of my money on motorcycles, mistresses, and martinis. The
rest of it I squander.



On Tue, May 27, 2008 at 5:49 AM, Licky Lindsay <noontar at gmail.com> wrote:
> Anyone familiar with these things?
>
> The basic idea is to hide a zero-pixel image in the customer's website
> with the src attribute pointing at the security vendor's site.
> This causes the end-user's IP address and probably other info (as
> collected by the javascript or passed on the URL by the customer site)
> to be sent to the security vendor. There they can be logged and analyzed
> for odd behavior.
>
> One example of vendors selling these things is RSA.  There are others.
>
> Now, am I crazy, or is this emperor completely nude? This solution
> trusts the *client* to send this info. All it takes is for the .. uhm,
> "hacker" (it's hard to apply that term for such a trivial exercise) to
> configure his browser to block images from domains other than the web
> page currently being viewed, and voila, he's invisible to the
> "transaction monitoring". You don't even have to use any plugins or
> proxies!
>
> To be fair to the vendors, I think these are sold as starter options,
> quick ways to get something at all running, before moving up to more
> serious forms of integration that involve direct server-to-server
> calls. But to my mind that only makes it slightly better, if at all.
>
> Do people buy this stuff? Why?
>
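
Added example (not from any poster in this thread, and not a vendor's code): a small model of the collecting end of the beacon Billy describes, written from the defender's side. It classifies each hit to the pixel by how much it can actually tell the collector: the JavaScript Image request carries collected fields in the URL; the <noscript> image fallback carries nothing but a Referer; and a Referer-stripped fallback carries only an IP. It then measures the gap Licky raises by reconciling beacon hits against the customer's own server log, where sessions that block third-party images show up but never reach the pixel at all. The query parameter names (sid, pg), the /b.gif path and all sample traffic are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit


@dataclass
class BeaconHit:
    client_ip: str
    source: str             # "javascript", "noscript" or "unattributable"
    session: Optional[str]  # only the JavaScript beacon carries a session id
    page: Optional[str]     # page path, from the query or (fallback) the Referer


def parse_beacon(path: str, headers: Dict[str, str], client_ip: str) -> BeaconHit:
    """Classify one request to the beacon endpoint by what it can tell us.

    Hypothetical query parameters (assumption, not from the thread):
      sid - session id set by the customer site's JavaScript
      pg  - page path collected by that JavaScript
    """
    query = parse_qs(urlsplit(path).query)
    sid = query.get("sid", [None])[0]
    pg = query.get("pg", [None])[0]
    if sid is not None:
        # JavaScript ran and put collected data in the URL (Billy's first case).
        return BeaconHit(client_ip, "javascript", sid, pg)
    # Header names are case-insensitive; normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    referer = lowered.get("referer")
    if referer:
        # <noscript><img> fallback: nothing in the URL, only the Referer
        # says which page fired the pixel (Billy's second case).
        return BeaconHit(client_ip, "noscript", None, urlsplit(referer).path)
    # Referer stripped by a privacy tool: an IP hit the pixel, nothing more.
    return BeaconHit(client_ip, "unattributable", None, None)


def beacon_coverage(server_log_sessions: List[str], hits: List[BeaconHit]) -> float:
    """Share of sessions in the customer's own access log that also produced a
    beacon with a session id. Clients that block third-party images (Licky's
    point) appear in the access log but never reach the beacon endpoint."""
    if not server_log_sessions:
        return 0.0
    seen = {h.session for h in hits if h.session is not None}
    covered = sum(1 for s in server_log_sessions if s in seen)
    return covered / len(server_log_sessions)


# Constructed sample traffic (not real data): one full JS beacon, one
# noscript fallback, one fallback with the Referer stripped.
SAMPLE_REQUESTS = [
    ("/b.gif?sid=s1&pg=%2Fcheckout", {"Referer": "https://shop.example/checkout"}, "203.0.113.5"),
    ("/b.gif", {"Referer": "https://shop.example/login"}, "198.51.100.7"),
    ("/b.gif", {}, "192.0.2.9"),
]
# Constructed access-log view: s2 and s3 blocked the pixel entirely.
SAMPLE_SERVER_SESSIONS = ["s1", "s2", "s3"]


def summarise(requests=SAMPLE_REQUESTS, sessions=SAMPLE_SERVER_SESSIONS):
    """Count hits per source and compute beacon coverage against the server log."""
    hits = [parse_beacon(p, h, ip) for p, h, ip in requests]
    by_source: Dict[str, int] = {}
    for hit in hits:
        by_source[hit.source] = by_source.get(hit.source, 0) + 1
    return by_source, beacon_coverage(sessions, hits)


if __name__ == "__main__":
    counts, coverage = summarise()
    print(counts, f"coverage={coverage:.2f}")
```

The coverage figure is the number a buyer of such a product should ask for: on the constructed sample only one of three sessions seen by the customer's own server ever produced a beacon the vendor could tie to a session, and the other two are invisible to the "transaction monitoring" exactly as Licky describes.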

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/

Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA

