Computer Security and Penetration Testing Chapter 13 Programming Exploits

Objectives Describe the evolution of programming exploits Recognize vulnerabilities in ActiveX controls Identify steps to counter vulnerabilities in ActiveX controls Recognize vulnerabilities in VBScript Identify steps to counter vulnerabilities in VBScript Computer Security and Penetration Testing

Objectives (continued) Recognize vulnerabilities in HTML Identify steps to counter vulnerabilities in HTML Recognize vulnerabilities in Java and JavaScript Identify steps to counter vulnerabilities in Java and JavaScript Computer Security and Penetration Testing

C and C++ Vulnerabilities in the C and C++ Programming Languages. - Buffer over-runs - Failure to handle errors - Improper file access C and C++ Security Measures Computer Security and Penetration Testing

C and C++ Computer Security and Penetration Testing

.NET Framework Vulnerabilities in the .NET Framework - Cross-site scripting - Integer overflow Countering .NET Framework Vulnerabilities Computer Security and Penetration Testing

HTML5 Hypertext Markup Language (HTML) HTML is not a dynamic language Most basic script used to develop Web pages Uses a set of markup tags to define the structure of Web pages Browsers represent pages by interpreting these tags HTML is not a dynamic language Cannot be executed successfully except within a Web browser Computer Security and Penetration Testing

HTML5 (continued) HTML is essentially bulletproof and benign as long as it is used to display static text Arbitrary requirements for more finished and sophisticated pages Have required the development of many more tags and formatting conventions With increased complexity came increased opportunities for hackers to discover vulnerabilities Computer Security and Penetration Testing

Countering HTML5 Vulnerabilities Make sure patches are up to date Pay attention when new exploits are reported Activate the automated patch management software Turn off services and features that you Know to be vulnerable to attack Do not understand Do not use Avoid known dangerous sites by installing and updating security software Computer Security and Penetration Testing

Countering HTML5 Vulnerabilities (continued) Secure transfer of data has been made available by protocols such as Secure Sockets Layer (SSL) The way Internet Explorer handled SSL was discovered to be susceptible to a man-in-the-middle exploit Generating random encryption keys of 40 or 128 bits in length has solved this problem Computer Security and Penetration Testing

Java and JavaScript Java is a programming language that is compiled into applications or applets Java applications are stand-alone applications Run on the server or are downloaded to the client JavaScript is a scripting language that runs between <script> tags in a Web page A JavaScript cannot operate on its own, and is not compiled to run Computer Security and Penetration Testing

Java Object-oriented programming language (OOP) developed by Sun Microsystems Designed to run in a platform-independent manner using Java Runtime Environment (JRE) Installed on the client computer as its sandbox In Java, each function is modularized With this low-level modularization There is less of a chance that updating one piece of the application will break other parts Computer Security and Penetration Testing

Java (continued) Java was intended to be developed quickly with pretested parts Java applets provide functionality on the Internet Require Java-enabled browsers Java is machine-safe Can only act upon other objects within the JRE Java has no access to write, modify, or delete files on the hard drive or to modify the operating system Computer Security and Penetration Testing

JavaScript Scripting language developed by Netscape Communications Corporation Similar to VBScript in terms of implementation Almost every browser on almost every platform is JavaScript-enabled Like Java, requires a runtime environment As a script, the network bandwidth and client-side memory resource use is less than that required for the larger and more robust Java Computer Security and Penetration Testing

Security Vulnerabilities in Java Vulnerabilities of Java: Client-side malevolent applets Server-side cross-scripting Server-side address spoofing A substantial percentage of vulnerabilities are related to vulnerabilities in the JRE Which can result in applets arbitrarily giving themselves elevated privileges Computer Security and Penetration Testing

Security Vulnerabilities in Java (continued) Computer Security and Penetration Testing

Security Vulnerabilities in Java (continued) Because Java is a platform-independent technology Issues such as malevolent applets can be used against any platform that has the JRE installed Client-side attacks include: Attacks on file integrity Buffer overflow Storm attacks Denial-of-service attacks Disclosure attacks Annoyance attacks Computer Security and Penetration Testing

Vulnerabilities in JavaScript Vulnerabilities are similar to those in VBScript JavaScript vulnerabilities allow: Sending e-mail messages with information about the target computer to a client Opening and closing applications on the target computer Modifying files on the victim’s computer Main threat posed by JavaScript May be used to download components on a user’s computer without his or her knowledge Computer Security and Penetration Testing

Countering Java and JavaScript Vulnerabilities Best preventative measure for an end user Perform all updates as soon as they are available Keep virus definitions in their antivirus or security program updated Set the Internet Options Control Panel To ask for permission before running JavaScripts or downloading Java applets Check the authenticity of the validation signatures attached to applets and scripts Computer Security and Penetration Testing

Countering Java and JavaScript Vulnerabilities (continued) Check for security of links available on the signed scripts Programmers should develop and adhere to secure programming guidelines And sign their scripts Computer Security and Penetration Testing

Summary Programming exploits are the defects in various programming languages that are used to develop server-side and client-side applications ActiveX controls are stand-alone compiled applications that make it possible to link and allow interactions between various applications The design flaw in ActiveX is that it can do anything the user can do Attackers can use ActiveX to modify resources on an implementation of Windows Computer Security and Penetration Testing

Summary (continued) To safeguard against attacks, end users should install the most recent and stable version of Internet Explorer available VBScript can be used within HTML tags to produce a dynamic HTML page One of the most common exploits used on the Internet is a buffer overflow If you are administering a network, do not allow use of IE or Outlook Computer Security and Penetration Testing

Summary (continued) If you are the administrator of a Web site, run an antivirus application on your Web server to search for known bad ActiveX controls Hypertext Markup Language (HTML) is the most basic script used to develop Web pages The most effective way to counter HTML-related exploits is to keep up with the latest patches Java and JavaScript languages The best preventive measure for end users is to perform all updates as soon as they are available Computer Security and Penetration Testing