-
Notifications
You must be signed in to change notification settings - Fork 7
/
capabilities.bsinc
59 lines (40 loc) · 2.67 KB
/
capabilities.bsinc
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
# Attacker Capabilities # {#capabilities}
These are things some attackers can do. The attackers can use them to achieve
their <a href="#goals">goals</a>. All attackers are assumed to be able to buy
domains and host sites on their domains.
## Load iframes ## {#cap-iframes}
The attacker can convince a publisher to load an iframe from the attacker's site.
## Run Javascript in a first-party context ## {#cap-first-party-js}
When a publisher wants to show ads from an ad network, many/most ad networks
require that publisher to use a `<script src="adnetwork.js">` tag instead of an
`<iframe src="adnetwork.html">`, which allows the ad network to see any
publisher data that's exposed to Javascript. This includes query parameters
(e.g. `fbclid`) and any cookies that aren't <a http-header>HttpOnly</a>.
## Modify server processing ## {#cap-run-on-server}
Some attackers can convince some publishers (perhaps by paying them) to modify
their server software. This could be used, for example, to receive [=user IDs=]
passed in a path segment instead of a query parameter, without breaking the
normal logic mapping a path to content.
## Read server logs ## {#cap-read-logs}
Servers can keep logs of requests. The attacker may be able to convince some
server operators to give them these logs or let them run queries over the logs.
## Convince the user to type an identifier ## {#cap-type-identifier}
The attacker can convince a user to type their email address, name, zip code,
etc. into two publishers' sites.
## Convince the user to open the same device in two cross-site tabs ## {#cap-same-device-same-time}
The attacker can convince a user to open the same device on two publishers'
sites that are both open at the same time in different tabs or windows.
## Convince the user to open the same read+write device in two different sites ## {#cap-same-rw-device}
A read+write device is something like a native filesystem file or directory, or
a bluetooth or USB device that can be configured to save data. The two sites
need to be given access to the same device, but they don't need to both be open
at the same time.
## Have two sites open when a browser-wide event happens ## {#cap-open-for-browser-event}
A browser-wide event is something that happens to the browser as a whole instead
of to an individual site or web page. For example, the user going idle, sensor
data changing, or the device's time zone changing, would affect all tabs at the
same time.
## Have two sites visible when a browser-wide event happens ## {#cap-visible-for-browser-event}
Unlike [[#cap-open-for-browser-event]], this capability requires both sites to be
visible (probably in two separate browser windows) at the same time during the
event.