Browser GUI logic flaws

An MSR researcher presented this paper at the Oakland conference this week.
It describes scenarios where an attacker can compose DOM trees and user
action sequences to spoof the address bar and status bar.

A Systematic Approach to Uncover Security Flaws in GUI Logic
Shuo Chen, José Meseguer, Ralf Sasse, Helen J. Wang, Yi-Min Wang
http://research.microsoft.com/~shuochen/papers/GUILogicSecurity.pdf

Where do attacks like this fit in our threat tree?  (This may be one of the
out-of-scope branches.)

Rachna

Received on Thursday, 24 May 2007 17:53:48 UTC