i wonder if you could build a security framework based around a browser extension that either shimmed itself into the datastream or spawned a sniffer process which watched packets on the wire, or both...
can a non-virtual rootkit lie to you about a pcap call, or are you accessing the device directly?
anyway, i don't know enough about web2 attacks to know how you'd go about it, but it seems like there may be a way to do either signature or anomaly detection by watching http(s) payloads (https only if you're an ssl termination point / proxy)... maybe through comparing:
- what a user is doing in the browser vs what the browser is doing out to inet
- what an os shows as active http connections and what packets are really going out across the wire
- cached site functionality to new site functionality/script tags/calls
or maybe just keywording simple functionalities and setting up some type of zoning or alerting...
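One concrete form of the second comparison above (what the OS reports as active http connections vs what is really on the wire), as an added example that is not part of the original post: the OS view is a constructed sample modelled on `ss -tn` output, the wire view is a constructed list of flows a sniffer would reconstruct, and any web-port flow seen on the wire but missing from the OS table is flagged. This is also the cross-view check that answers the rootkit question: a kit hiding sockets from the OS table cannot hide the packets from an independent capture.

```python
import re
from typing import List, Set, Tuple

# Constructed sample of the OS connection table (format modelled on `ss -tn`).
OS_CONNECTIONS = """\
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port
ESTAB  0      0      192.168.1.20:51234   93.184.216.34:443
ESTAB  0      0      192.168.1.20:51240   151.101.1.69:80
"""

# Constructed sample of client->server TCP flows reconstructed from a capture:
# (src_ip, src_port, dst_ip, dst_port). The last one is absent from the OS table.
WIRE_FLOWS = [
    ("192.168.1.20", 51234, "93.184.216.34", 443),
    ("192.168.1.20", 51240, "151.101.1.69", 80),
    ("192.168.1.20", 51300, "198.51.100.7", 80),
]

Conn = Tuple[str, int, str, int]

# state recv-q send-q local:port peer:port ; the header line does not match
LINE_RE = re.compile(r"^\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s*$")


def parse_os_table(text: str) -> Set[Conn]:
    """Parse ss-style lines into a set of 4-tuples; unparsable lines are skipped."""
    conns: Set[Conn] = set()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            conns.add((m.group(1), int(m.group(2)), m.group(3), int(m.group(4))))
    return conns


def hidden_flows(os_text: str, wire_flows: List[Conn],
                 web_ports: Tuple[int, ...] = (80, 443)) -> List[Conn]:
    """Return wire flows to web ports that the OS connection table does not report.

    A non-empty result means either the OS view is being tampered with or the
    OS snapshot was taken after a short-lived connection closed; sample the OS
    table repeatedly over the capture window before treating a hit as hostile.
    """
    known = parse_os_table(os_text)
    return sorted(f for f in wire_flows if f[3] in web_ports and f not in known)


if __name__ == "__main__":
    for flow in hidden_flows(OS_CONNECTIONS, WIRE_FLOWS):
        print("on wire but not in OS table: %s:%d -> %s:%d" % flow)
```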
1 comment:
The idea of something manipulating http packets on a client is pretty intriguing. I'm envisioning something like a firefox addon kinda like NoScript but instead of simply removing script tags, modifying the actual replies. A kit would be better, but a firefox addon would make a good PoC.