Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation, but adversaries may also use compromised websites for non-exploitation behavior such as acquiring an Application Access Token.

Multiple ways of delivering exploit code to a browser exist, including:

- A legitimate website is compromised, where adversaries have injected some form of malicious code such as JavaScript, iFrames, or cross-site scripting.
- Malicious ads are paid for and served through legitimate ad providers.
- Built-in web application interfaces are leveraged to insert any other kind of object that can display web content or contain a script that executes on the visiting client (e.g. forum posts, comments, and other user-controllable web content).

Often the website used by an adversary is one visited by a specific community, such as a government, a particular industry, or a region, where the goal is to compromise a specific user or set of users based on a shared interest. This kind of targeted attack is referred to as a strategic web compromise or watering hole attack. There are several known examples of this occurring.

The compromise typically proceeds as follows:

1. A user visits a website that hosts the adversary-controlled content.
2. Scripts automatically execute, typically probing the versions of the browser and its plugins for a potentially vulnerable version. The user may be required to assist in this process by enabling scripting or active website components and ignoring warning dialog boxes.
3. Upon finding a vulnerable version, exploit code is delivered to the browser. In some cases a second visit to the website after the initial scan is required before exploit code is delivered.
4. If exploitation is successful, it gives the adversary code execution on the user's system unless other protections are in place.

Unlike Exploit Public-Facing Application, the focus of this technique is to exploit software on a client endpoint upon visiting a website.
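The first delivery method above, injected JavaScript or iFrames on an otherwise legitimate site, is something a site operator can check for in their own published HTML. The following is an added example, not part of the original text: it assumes the operator keeps an allowlist of origins the site is expected to load from (ALLOWED_HOSTS), and flags script/iframe tags that load from anywhere else or that are hidden; the HTML and hostnames are constructed.

```python
import re
from urllib.parse import urlparse

# Constructed sample page: two expected assets, plus an injected hidden
# iframe and an injected third-party script (all hostnames are made up).
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example-site.test/lib.js"></script>
</head><body>
<iframe src="https://bad.example.invalid/landing" width="0" height="0" style="display:none"></iframe>
<script src="https://3rd-party.example.invalid/x.js"></script>
</body></html>
"""

# Assumption: the site operator maintains the set of origins it expects to load from.
ALLOWED_HOSTS = {"cdn.example-site.test"}

TAG_RE = re.compile(r"<(script|iframe)\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r'(\w[\w-]*)\s*=\s*("([^"]*)"|\'([^\']*)\'|([^\s"\'>]+))')

def parse_attrs(raw):
    """Turn a tag's attribute string into a lower-cased name -> value dict."""
    return {m.group(1).lower(): (m.group(3) or m.group(4) or m.group(5) or "")
            for m in ATTR_RE.finditer(raw)}

def is_hidden(attrs):
    """Zero-sized or display:none frames are typical of injected redirectors."""
    style = attrs.get("style", "").replace(" ", "").lower()
    return (attrs.get("width") == "0" or attrs.get("height") == "0"
            or "display:none" in style or "visibility:hidden" in style)

def find_injected_content(html, allowed_hosts):
    """Return (tag, src, reasons) for script/iframe tags that load from an
    origin outside the allowlist or that are hidden. Relative src values
    (no hostname) are treated as first-party and only flagged if hidden."""
    findings = []
    for m in TAG_RE.finditer(html):
        tag, attrs = m.group(1).lower(), parse_attrs(m.group(2))
        src = attrs.get("src", "")
        host = urlparse(src).hostname
        reasons = []
        if host and host not in allowed_hosts:
            reasons.append("unexpected origin")
        if tag == "iframe" and is_hidden(attrs):
            reasons.append("hidden iframe")
        if reasons:
            findings.append((tag, src, reasons))
    return findings
```

Running this over a crawl of the site's own pages and diffing the findings against a known-good baseline turns it into a simple content-integrity check.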