Drive-By Compromise — When Visiting a Website Is Enough
A drive-by compromise is an attack technique where a victim’s system is compromised simply by visiting a malicious or compromised website. This SECMONS glossary entry explains how drive-by attacks work, how they relate to browser vulnerabilities and zero-days, and what defenders should monitor.
What Is a Drive-By Compromise? 🧠
A drive-by compromise occurs when a system becomes infected or exploited simply by visiting a malicious or compromised website — without requiring explicit download or execution of a visible file.
In its purest form, the user only needs to load a web page.
Drive-by compromises are frequently associated with:
- Browser vulnerabilities
- Plugin vulnerabilities
- Memory corruption flaws
- Zero-day exploits
- Exploit kits hosted on attacker-controlled infrastructure
You will commonly see this technique referenced alongside vulnerabilities under /vulnerabilities/ and mapped to exploitation status such as /glossary/exploited-in-the-wild/.
How Drive-By Attacks Work 🔎
A typical drive-by compromise flow:
- User visits a malicious or compromised site.
- The page loads hidden exploit code.
- The exploit targets a browser or rendering engine vulnerability.
- Malicious payload is executed in memory.
- Persistence or follow-on malware is deployed.
The underlying weakness often maps to categories such as:
- /glossary/use-after-free/
- /glossary/memory-corruption/
- /glossary/remote-code-execution/
- /glossary/security-feature-bypass/
These weaknesses are classified via /glossary/cwe/ and tracked through a specific /glossary/cve/ once disclosed.
Why Drive-By Compromise Is High Risk 🎯
Drive-by attacks are particularly dangerous because:
- No download prompt may appear.
- No obvious file may be saved.
- User interaction can be minimal.
- Exploitation can be automated at scale.
Attackers often embed exploit code into:
- Malvertising networks
- Compromised legitimate websites
- Watering hole attacks
- Short-lived redirect chains
In many documented incidents covered under /news/ and /research/, drive-by compromise is the initial foothold.
Drive-By vs Phishing 🔄
| Technique | Primary Trigger |
|---|---|
| Phishing | User clicks a link or opens attachment |
| Drive-By Compromise | User loads a web page |
| Exploit Kit Campaign | Automated browser exploitation |
| Credential Phishing | Fake login form harvesting |
Phishing relies on user deception.
Drive-by compromise relies on vulnerability exploitation.
Both may appear in the same attack chain.
Zero-Day and Drive-By 🔥
Drive-by compromise is frequently associated with:
- /glossary/zero-day/
- Browser sandbox escape vulnerabilities
- Memory corruption exploitation
When a browser zero-day is confirmed exploited in the wild, drive-by compromise becomes a realistic and immediate risk model.
Defensive Considerations 🛡️
To reduce exposure to drive-by compromise:
- Maintain aggressive browser patching cycles.
- Enforce automatic updates.
- Restrict risky browser extensions.
- Use network filtering for malicious domains.
- Monitor unusual outbound connections from browser processes.
- Segment privileged browsing environments.
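As an added illustration of the "monitor unusual outbound connections from browser processes" step (example code written for this entry, not part of the SECMONS page or any product), the following Python scans a constructed, simplified endpoint-telemetry format with hypothetical field names and flags a browser that connects on a non-web port or spawns a shell/script host, the kind of behaviour a drive-by payload produces once it moves beyond the browser's memory:

```python
"""Flag browser-process behaviour consistent with a drive-by compromise.
Added example, not from the SECMONS page. Input is a constructed, simplified
endpoint-telemetry format (hypothetical):
  <time> <type> proc=<name> [parent=<name>] [dst=<host>:<port>]
"""
import re

BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe", "rundll32.exe"}
WEB_PORTS = {80, 443}
LINE_RE = re.compile(r"^(\S+) (\S+) (.*)$")

def parse(line):
    """Return a dict of fields for one event line, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, etype, rest = m.groups()
    fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    fields["ts"], fields["type"] = ts, etype
    return fields

def analyse(lines):
    """Return (rule, time, process, detail) tuples for suspicious browser events.
    Rule 1: a browser connecting to a port other than 80/443.
    Rule 2: a browser spawning a shell or script host (payload hand-off)."""
    alerts = []
    for line in lines:
        ev = parse(line)
        if not ev:
            continue
        if ev["type"] == "net" and ev.get("proc") in BROWSERS and "dst" in ev:
            port = ev["dst"].rsplit(":", 1)[-1]
            if port.isdigit() and int(port) not in WEB_PORTS:
                alerts.append(("browser_nonweb_port", ev["ts"], ev["proc"], ev["dst"]))
        elif ev["type"] == "proc" and ev.get("parent") in BROWSERS and ev.get("proc") in SCRIPT_HOSTS:
            alerts.append(("browser_spawned_script_host", ev["ts"], ev["parent"], ev["proc"]))
    return alerts

# Constructed sample telemetry: a benign HTTPS connection, an odd-port
# connection, a normal renderer child, and a script host spawned by the browser.
SAMPLE = """\
10:00:01 net proc=chrome.exe dst=cdn.example.com:443
10:00:02 net proc=chrome.exe dst=198.51.100.23:8080
10:00:03 proc proc=chrome.exe parent=chrome.exe
10:00:04 proc proc=powershell.exe parent=chrome.exe
10:00:05 proc proc=powershell.exe parent=explorer.exe
""".splitlines()

if __name__ == "__main__":
    for alert in analyse(SAMPLE):
        print(alert)
```

Real telemetry (EDR or Sysmon process-create and network-connect events) carries the same parent/child and destination fields, so the two rules translate directly to a SIEM query; the port check is a coarse starting point and should be tuned against the organisation's own baseline of browser traffic.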
Operational hardening steps are often detailed in:
Why SECMONS Tracks Drive-By Carefully 📌
Drive-by compromise represents a scenario where routine user activity becomes sufficient for compromise.
When reading a vulnerability description that states “triggered via crafted HTML page,” defenders should immediately consider drive-by risk models.
By linking weaknesses, vulnerabilities, and techniques together, SECMONS provides a structured understanding of how exploitation unfolds in practice.
Authoritative References 📎
- MITRE ATT&CK — Drive-by Compromise (T1189): https://attack.mitre.org/techniques/T1189/