Threat Level: green Handler on Duty: Brad Duncan

SANS ISC: Clientless SSL VPN products break web browser domain-based security models - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Clientless SSL VPN products break web browser domain-based security models

Matt sent a note pointing to a new advisory issued by US-CERT

"By convincing a user to view a specially crafted web page, a remote attacker may be able to obtain VPN session tokens and read or modify content (including cookies, script, or HTML content) from any site accessed through the clientless SSL VPN. This effectively eliminates same origin policy restrictions in all browsers. For example, the attacker may be able to capture keystrokes while a user is interacting with a web page. Because all content runs at the privilege level of the web VPN domain, mechanisms to provide domain-based content restrictions, such as Internet Explorer security zones and the Firefox add-on NoScript, may be bypassed."

The complete advisory can be viewed here.

Christopher Carboni - Handler On Duty

Chris

140 Posts

Sign Up for Free or Log In to start participating in the conversation!