Client Side Vulnerabilities Aka, The Perils of HTTP Lesson 14
Overview Executable Content Client/Server Computing Maintaining State
Executable Content Sometimes called active content or mobile code ActiveX controls and Java Applets Scripts: Java Script and VBScript Browser plug-ins that execute graphic and audio files All these “enrich” your web browsing experience
Client/Server Computing Executable Contents: Help achieve wide-scale info distribution Advances client/server computing Exploits “push” technology through filtered sites – Relevant data pushed at pre-defined time intervals
Client/Server Computing Allows ability to implement intelligent pull models – WEB client programmed to learn user preferences
WHAT IS ACTIVE X MS Framework that allows programs encapsulated in units called controls to be embedded in Web pages. Web browsers that support ActiveX allow Active X controls (programs) to download and execute on their machines. These programs can do whatever you program them to do....even execute damaging code. ActiveX is language independent, but platform specific They can only execute on Windows 32 machines
ActiveX CONTAINERS ActiveX Container: a technology used in many ActiveX applications ActiveX controls embedded within an ActiveX Container Provides sophisticated processing functions that work much like browser plug-ins Since Containers are designed independently they can work inconsistently (maliciously) when combined
ActiveX SCRIPTING Common Languages: Perl, VBScript, JavaScript, JScript (MS) Scripting can come from within ActiveX Controls Scripting can come from Web server--commands sent to client for execution Developer decides to mark Scripting as safe Client decides whether to accept scripting or reject
AUTHENTICODE MS Technology for thwarting malicious ActiveX code from executing on Windows platforms Provides two checks: –Verifies who signs the ActiveX code –Verifies integrity of ActiveX code Digital signatures issued by several Certification Authorities (CAs) provide the functionality Execution of this functionality is much like PKI –Upon download signature is stripped from ActiveX code and verified as from a valid CA –Then it is checked to see if software developer signed the code –Finally the downloaded code's hash is checked against the regenerated hash to verify integrity
AUTHENTICODE SECURITY Signature provides no assurance that code will work properly Technology works solely on a trust model Since advent of IE 4 the concept of security zones emerged –Local intranet zone –Trusted sites zone –Internet zone –Restricted sites zone User control (or lack there) of setting security policy can be debilitating
JAVA CHARACTERISTICS Multi-platform (MS, Mac, UNIX) language quickly finding acceptance Java applets on client machines add new layers of functionality Originally designed to run in embedded systems Are you ready for the talking refrigerator?
JAVA SECURITY APPROACH Java Sandbox is the Java Security Model Java Applet Sandbox constrains applets from accessing frangible resources Thus, Java Applet Sandbox model is based on restricting the behavior of the applet Signed applets now also being used Signed applets allow the applets to "play" outside the sandbox
JAVA SECURITY APPROACH Java Sandbox is the Java Security Model Java Applet Sandbox constrains applets from accessing frangible resources Thus, Java Applet Sandbox model is based on restricting the behavior of the applet Signed applets now also being used Signed applets allow the applets to "play" outside the sandbox
Maintaining State HTTP is a stateless protocol WEB sessions are considered connectionless CLIENT SERVER TCP DATA FLOW
Stateless Example Student SERVER TCP 3-Way Handshake SSL Connection Established HTTP Request for Web Page WEB PAGE SENT END CONNECTION REPEAT FOR EMBEDDED FILES
State Example(1) Student SERVER TCP 3-Way Handshake SSL Connection Established HTTP Request for Web Page END CONNECTION WEB PAGE SENT + COOKIE
State Example (2) Student SERVER TCP 3-Way Handshake SSL Connection Established HTTP Request for Web Page END CONNECTION GET COOKIE + SEND WEB PAGE
Cookies for Life Pros: Add state Increases Throughput Can Add Authentication
Cookies for Life Cons: Privacy issues – Collecting WEB usage data – Profiling WEB Visitors Security – Improper state tracking results in security holes – Cookie Hijacking (if client hacked)
HTTP Session Tracking URL Session Tracking Hidden Form Elements Cookies
HTTP Authentication Logon sequence generates session ID – Pass ID to browser URL Session Tracking – ID Passed in URL itself Hidden Form Elements – Within HTML Source Code Cookies Session ID can be passed over HTTP or HTTPS
Authentication Examples URL Session Tracking Hidden Form Elements Cookies EAZBKRBFCU101460
OTHER CLIENT SIDE VULNERABILITIES Browser Plug-ins –Plug-in: special software programs that are integrated with Web Browsers –Examples: RealAudio, Shockwave Attachments – The primary threat vector for viruses and installing hacker backdoors
Other Client Side Vulnerabilities Browser Flaws – Allow viewing of local files – Allow posting of files to your browser – Allow moving of files Using HTTP as mechanism to circumvent Firewall
E-Commerce Attack Scenario Use IIS Unicode Exploit – Put remote listener on WEB site – Listen on Port 80 – Send all Port 80 to Dr. Evil’s site – Logins and Passwords Captured – Sniffed password later used with HTTP proxy software to access your E-BANK
E-Commerce Attack Scenario Man-in-the middle attack – Dr. Evil injects himself in between you and the site – Installs HTTP Proxy Software to see what is being transferred on port 80 – Breaks tranmission path and inserts his own commands
Summary Picture 23 year old Geek Hacker Recent Advertising Quote: “ Today my worm will destroy: 18 days of revenue 1.7 million dollars of profit 4,000 lifetimes of greed. ” FEEL FREE TO GO HOME AND GET ON-LINE?