It can potentially allow the attacker to gain access to your account, steal sensitive information or attempt to infect your machine with other malicious software.
If eBay users had entered their details into the page, the attacker would have received the victim’s username and password and been able to access their account.
Similarly, you can defend against ad-injectors and straight up malvertising by preventing other resources like images from being loaded into your webpages.
One way to mitigate against attacks such as this on your website would be to use a feature of web browsers known as Content Security Policy (CSP). CSP with violation reporting could alert you that an attack is taking place.
With that in mind, I’ve just launched a brand new, free service over at https://report-uri.io for violation reporting of CSP and HTTP Public Key Pinning (HPKP) – another feature incorporated into browsers.
HTTP Public Key Pinning allows a host to define a whitelist of cryptographic identities that the browser should trust for the site going forwards. You provide a valid list of fingerprints for certificates the browser should accept, and any other certificates, even if they are valid, will be rejected. This will protect your visitors from man-in-the-middle attacks in the event a Certificate Authority is compromised and a rogue certificate is issued for your domain.
Deployed via a HTTP response header, CSP and HPKP can be setup with relative ease but can be quite difficult to report on.
Both CSP and HPKP greatly improve the security of your site for your visitors and any compliant browser will enforce the policies. The problem is that without reporting, you don’t know when the policies are being enforced. If you suffer an XSS attack, the CSP will force the browser to take action and block it, but without knowing about it, the host can’t work to fix the issue.
This means that the XSS threat will remain and visitors without a CSP-compliant browser will fall victim to the attack.
With violation reporting provided by https://report-uri.io you can view the violations as they occur on your site in real-time. As soon as a security threat is detected, you can begin investigating. Alongside this the service provides powerful reporting to let you identify your most frequent issues, view historic reports and track your violation counts to monitor progress on fixes or identify upward trends.
I built the service for a few different reasons but there was one main driver for me, to promote the use of CSP and HPKP. As powerful as these security policies are, their presence on the web is minimal. By drawing attention to them and making the difficult task of reporting much easier, I hope to have a positive impact on their use by removing some of the barriers to deployment.
In addition to this I enjoy keeping up to date on the latest and greatest technologies on my own personal blog. Building the site presented a great opportunity for me to get to grips with and really understand some new technologies whilst providing a public service. It was an all-round winner really and I’ve thoroughly enjoyed the road to get here.
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.