1996-05-09 - Java Hole: Web Graffiti & Covert Channels

Header Data

From: Chad Owen Yoshikawa <chad@CS.Berkeley.EDU>
To: www-security@ns2.rutgers.edu
Message Hash: 4f1e42905d25e63ed2cef4748644807fb7b7c034d4a08f9bd037856617bdbf21
Message ID: <199605090210.TAA00650@whenever.CS.Berkeley.EDU>
Reply To: N/A
UTC Datetime: 1996-05-09 10:52:17 UTC
Raw Date: Thu, 9 May 1996 18:52:17 +0800

Raw message

From: Chad Owen Yoshikawa <chad@CS.Berkeley.EDU>
Date: Thu, 9 May 1996 18:52:17 +0800
To: www-security@ns2.rutgers.edu
Subject: Java Hole: Web Graffiti & Covert Channels
Message-ID: <199605090210.TAA00650@whenever.CS.Berkeley.EDU>
MIME-Version: 1.0
Content-Type: text


--------------------------------------------------------
Web Graffiti & High Bandwidth Covert Channels Using Java
--------------------------------------------------------

While developing a chat server using Java as a frontend, we've
been exploiting what we think is a new Java security hole in
Java-enabled browsers such as Netscape.  The hole allows for
opening sockets to arbitrary ports on web servers that serve
Trojan-horse applets.

We've also used a known security hole (covert channels) first mentioned
in work by the SIP group at Princeton to create what we call
'Web Graffiti' - the dynamic insertion of text, graphics, and applets into
HTML pages.

Both of these attacks are three-party attacks and require Trojan-
horse applets.  For a draft of a paper that is work in progress, 
point your browser to:

http://whenever.CS.Berkeley.EDU/graffiti/

Chad Yoshikawa		Brent Chun
chad@cs.berkeley.edu	bnc@cs.berkeley.edu





