[WEB SECURITY] client-side "transaction monitoring" beacons

Arshan Dabirsiaghi arshan.dabirsiaghi at aspectsecurity.com
Tue May 27 23:13:32 EDT 2008

There's lots of places I could do that, and there's lots of things the people on this list could say that about. Fortunately for them, I saved them an email because I care.
But seriously, the answer is no. The web app vulnerabilities that people really care about allow a single attacker to cause widespread harm, either to confidentiality, integrity, availability, surety, etc. In those situations, a single attacker does a lot of damage across an entire system, user base, etc.
In this case, a single attacker can affect the system .00001%. Even if 10% of users had some unbeatable anti-tracking busta busta busta, it wouldn't affect their overall tracking statistics enough to make a serious impact. 
And honestly, I don't know if people should get worked up about this unless they're doing something insane like sending personal data in the tracking signal. It's something they can do on the server side - they're just making it easier on themselves by outsourcing the OOB request to your browser client. Wal Mart can (and I'm sure does) watch tape of you walking through the aisles and see how they could rearrange the sections to make you stay longer and buy more. Is that an invasion of privacy? Somehow I don't think so.
However, being the blame-corporate-America-first kind of guy that I am, I'm sure I could be persuaded otherwise.


From: Jeff Robertson [mailto:jeff.robertson at gmail.com]
Sent: Tue 5/27/2008 9:32 PM
To: Arshan Dabirsiaghi
Cc: Simone Onofri; Arian J. Evans; Licky Lindsay; websecurity at webappsec.org
Subject: Re: [WEB SECURITY] client-side "transaction monitoring" beacons

On Tue, May 27, 2008 at 7:14 PM, Arshan Dabirsiaghi
<arshan.dabirsiaghi at aspectsecurity.com> wrote:
> There's lots of ways to do it, and there's lots of ways that the people on
> this list can bypass it. Fortunately for whoever "them" is, there's not
> enough of us for them to really care.

You could take those two sentences out of context and apply them to
just about any web application vulnerability, couldn't you?

