I wonder if you could build a security framework based around a browser extension that either shimmed itself into the datastream or spawned a sniffer process which watched packets on the wire, or both...
can a non-virtual rootkit lie to you about a pcap call, or are you accessing the device directly?
Anyway, I don't know enough about web2 attacks to know how you'd go about it, but it seems like there may be a way to do either signature or anomaly detection by watching http(s [if you're an ssl termination point / proxy]?) payloads... maybe through comparing:
what a user is doing in the browser vs what the browser is doing out to inet
what an OS shows as active http connections and what packets are really going out across the wire
cached site functionality to new site functionality/script tags/calls
or maybe just keywording simple functionalities and setting up some type of zoning or alerting...
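The two comparisons the post sketches (browser view vs wire, OS connection table vs wire) are both "cross-view" checks: the same activity observed from two vantage points should agree, and a flow that one view reports but the other does not is the discrepancy worth alerting on. The script below is an added example, not code from the original post; it works on constructed sample data (a netstat-style connection table, a few captured packet records, the hosts a hypothetical extension saw the browser request, and constructed DNS answers) and reports (a) web flows present on the wire but missing from the OS view, which is what a rootkit hiding a socket would produce, and (b) wire destinations no browser tab ever asked for. All data formats and names are assumptions.

```python
"""Cross-view diff of a host's outbound web traffic (added example).

Two checks: OS-reported connections vs flows seen on the wire, and
browser-requested hosts vs wire destinations. Inputs are constructed.
"""
from dataclasses import dataclass

@dataclass(frozen=True, order=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

WEB_PORTS = frozenset({80, 443})

# Constructed OS view, netstat-style: "tcp <local ip:port> <remote ip:port> <state>".
OS_CONNECTION_TABLE = [
    "tcp 10.0.0.5:51000 203.0.113.10:443 ESTABLISHED",
    "tcp 10.0.0.5:51001 203.0.113.11:443 ESTABLISHED",
    "tcp 10.0.0.5:51002 198.51.100.7:22 ESTABLISHED",
]

# Constructed wire view: one record per observed outbound packet (duplicates
# are normal; several packets belong to one flow).
WIRE_PACKETS = [
    {"src": "10.0.0.5", "sport": 51000, "dst": "203.0.113.10", "dport": 443},
    {"src": "10.0.0.5", "sport": 51000, "dst": "203.0.113.10", "dport": 443},
    {"src": "10.0.0.5", "sport": 51003, "dst": "192.0.2.99", "dport": 80},
    {"src": "10.0.0.5", "sport": 51002, "dst": "198.51.100.7", "dport": 22},
]

# Constructed browser view: hosts a hypothetical extension saw tabs request,
# and the (constructed) DNS answers for those names.
BROWSER_HOSTS = {"example-site.test"}
DNS_ANSWERS = {"example-site.test": {"203.0.113.10", "203.0.113.11"}}


def parse_os_view(lines):
    """Turn netstat-style lines into a set of TCP Flows; skip malformed lines."""
    flows = set()
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "tcp":
            continue
        src_ip, src_port = parts[1].rsplit(":", 1)
        dst_ip, dst_port = parts[2].rsplit(":", 1)
        flows.add(Flow(src_ip, int(src_port), dst_ip, int(dst_port)))
    return flows


def parse_wire_view(packets):
    """Collapse per-packet records into the set of flows seen on the wire."""
    return {Flow(p["src"], p["sport"], p["dst"], p["dport"]) for p in packets}


def hidden_flows(os_flows, wire_flows, ports=WEB_PORTS):
    """Web flows on the wire that the OS connection table does not list."""
    wire_web = {f for f in wire_flows if f.dst_port in ports}
    return sorted(wire_web - os_flows)


def unrequested_destinations(wire_flows, browser_hosts, dns_answers, ports=WEB_PORTS):
    """Wire destinations on web ports that no browser-requested host resolved to."""
    expected_ips = set()
    for host in browser_hosts:
        expected_ips |= dns_answers.get(host, set())
    seen = {f.dst_ip for f in wire_flows if f.dst_port in ports}
    return sorted(seen - expected_ips)


if __name__ == "__main__":
    os_view = parse_os_view(OS_CONNECTION_TABLE)
    wire_view = parse_wire_view(WIRE_PACKETS)
    for f in hidden_flows(os_view, wire_view):
        print(f"ALERT: on wire but not in OS table: {f}")
    for ip in unrequested_destinations(wire_view, BROWSER_HOSTS, DNS_ANSWERS):
        print(f"ALERT: web traffic to {ip} with no matching browser request")
```

The OS-side check only detects hiding that happens above the point where the sniffer captures; if the same kit also filters the capture path, both views lie consistently, which is the caveat the post raises about trusting a pcap call on a compromised host. Capturing from a separate vantage point (a span port, a proxy) removes that shared dependency.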
1 comment:
The idea of something manipulating http packets on a client is pretty intriguing. I'm envisioning something like a firefox addon kinda like NoScript but instead of simply removing script tags, modifying the actual replies. A kit would be better, but a firefox addon would make a good PoC.