Client Side Vulnerabilities Aka, The Perils of HTTP Lesson 14.

1 Client Side Vulnerabilities, a.k.a. The Perils of HTTP (Lesson 14)

2 Overview
- Executable content
- Client/server computing
- Maintaining state

3 Executable Content
- Sometimes called active content or mobile code
- ActiveX controls and Java applets (example: http://www.hamsterdance.com/)
- Scripts: JavaScript and VBScript
- Browser plug-ins that execute graphic and audio files
- All of these "enrich" your web browsing experience

4 Client/Server Computing
Executable content:
- Helps achieve wide-scale information distribution
- Advances client/server computing
- Exploits "push" technology through filtered sites
  – Relevant data pushed at pre-defined time intervals

5 Client/Server Computing
- Allows the implementation of intelligent pull models
  – Web client programmed to learn user preferences

6 What is ActiveX
- MS framework that allows programs, encapsulated in units called controls, to be embedded in web pages
- Web browsers that support ActiveX allow ActiveX controls (programs) to download and execute on the user's machine
- These programs can do whatever you program them to do... even execute damaging code
- ActiveX is language independent but platform specific: controls can only execute on Win32 (Windows) machines

7 ActiveX Containers
- ActiveX container: a technology used in many ActiveX applications
- ActiveX controls are embedded within an ActiveX container
- Provides sophisticated processing functions that work much like browser plug-ins
- Since containers are designed independently, they can work inconsistently (or maliciously) when combined

8 ActiveX Scripting
- Common languages: Perl, VBScript, JavaScript, JScript (MS)
- Scripting can come from within ActiveX controls
- Scripting can come from the web server: commands sent to the client for execution
- The developer decides whether to mark scripting as safe
- The client decides whether to accept or reject scripting

9 Authenticode
- MS technology for thwarting malicious ActiveX code from executing on Windows platforms
- Provides two checks:
  – Verifies who signed the ActiveX code
  – Verifies the integrity of the ActiveX code
- Digital signatures issued under certificates from several Certification Authorities (CAs) provide the functionality
- Execution of this functionality is much like PKI:
  – Upon download, the signature is stripped from the ActiveX code and verified as coming from a valid CA
  – Then it is checked to see whether the software developer signed the code
  – Finally, the downloaded code's hash is recomputed and checked against the signed hash to verify integrity

10 Authenticode Security
- A signature provides no assurance that the code will work properly
- The technology works solely on a trust model
- Since the advent of IE 4, the concept of security zones has emerged:
  – Local intranet zone
  – Trusted sites zone
  – Internet zone
  – Restricted sites zone
- User control (or lack thereof) over the security policy settings can be debilitating

11 Java Characteristics
- Multi-platform (MS, Mac, UNIX) language quickly finding acceptance
- Java applets on client machines add new layers of functionality
- Originally designed to run in embedded systems
- Are you ready for the talking refrigerator?

12 Java Security Approach
- The Java sandbox is the Java security model
- The Java applet sandbox constrains applets from accessing frangible (easily damaged) resources
- Thus, the Java applet sandbox model is based on restricting the behavior of the applet
- Signed applets are now also being used
- Signed applets allow the applet to "play" outside the sandbox

14 Maintaining State
- HTTP is a stateless protocol
- Web sessions are considered connectionless
[Diagram: CLIENT and SERVER, TCP data flow between them]

15 Stateless Example
[Diagram: Student and SERVER exchange]
- TCP 3-way handshake
- SSL connection established
- HTTP request for web page
- Web page sent
- End connection
- Repeat for embedded files

16 State Example (1)
[Diagram: Student and SERVER exchange]
- TCP 3-way handshake
- SSL connection established
- HTTP request for web page
- Web page sent + cookie
- End connection

17 State Example (2)
[Diagram: Student and SERVER exchange]
- TCP 3-way handshake
- SSL connection established
- HTTP request for web page
- Server gets cookie + sends web page
- End connection

18 Cookies for Life
Pros:
- Add state
- Increase throughput
- Can add authentication

19 Cookies for Life
Cons:
- Privacy issues
  – Collecting web usage data
  – Profiling web visitors
- Security
  – Improper state tracking results in security holes
  – Cookie hijacking (if the client is hacked)

20 HTTP Session Tracking
- URL session tracking
- Hidden form elements
- Cookies

21 HTTP Authentication
- The logon sequence generates a session ID
  – ID passed to the browser
- URL session tracking
  – ID passed in the URL itself
- Hidden form elements
  – ID within the HTML source code
- Cookies
- The session ID can be passed over HTTP or HTTPS

22 Authentication Examples
- URL session tracking: http://www.rbfcu.org/checking_balance.asp?ID=101460
- Hidden form elements
- Cookies: EAZBKRBFCU101460
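Slides 20 to 22 name three carriers for a session ID (URL, hidden form element, cookie) sent over HTTP or HTTPS. The following is an added example, not part of the slides, that takes one request and reports which carrier holds the ID and the exposure each implies, so a reviewer can spot IDs in URLs or IDs sent in the clear. The SESSION_KEYS list, the log line format and the sample requests are assumptions of this example.

```python
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

# Parameter and cookie names treated as session identifiers (assumed list;
# "id" matches the ?ID=101460 example on slide 22).
SESSION_KEYS = {"id", "sessionid", "sid", "phpsessid", "jsessionid"}


def find_session_carriers(scheme, url, body="", cookie_header=""):
    """Return one dict per session ID found: carrier, value and exposure notes."""
    found = []
    # 1. URL session tracking: ID in the query string of the request line
    for name, values in parse_qs(urlsplit(url).query).items():
        if name.lower() in SESSION_KEYS:
            found.append({"carrier": "url", "value": values[0],
                          "exposure": ["in server logs, history and Referer"]})
    # 2. Hidden form element: ID posted back as a form-encoded body field
    for name, values in parse_qs(body).items():
        if name.lower() in SESSION_KEYS:
            found.append({"carrier": "form", "value": values[0],
                          "exposure": ["visible in HTML source, replayable"]})
    # 3. Cookie: ID carried in the Cookie request header
    jar = SimpleCookie()
    jar.load(cookie_header)
    for name, morsel in jar.items():
        if name.lower() in SESSION_KEYS:
            found.append({"carrier": "cookie", "value": morsel.value,
                          "exposure": []})
    # Any carrier over plain HTTP can be sniffed (the slide 25 scenario)
    if scheme.lower() != "https":
        for f in found:
            f["exposure"].append("sent in clear over HTTP")
    return found


def audit(log_lines):
    """Constructed log format: scheme|url|body|cookie_header, one request per line."""
    return {line.split("|")[1]: find_session_carriers(*line.split("|"))
            for line in log_lines}


# Constructed sample requests reusing the identifiers shown on slide 22
SAMPLE_LOG = [
    "http|http://www.rbfcu.org/checking_balance.asp?ID=101460||",
    "https|https://www.rbfcu.org/transfer.asp|ID=101460&amount=50|",
    "https|https://www.rbfcu.org/checking_balance.asp||sessionid=EAZBKRBFCU101460",
]

if __name__ == "__main__":
    for url, findings in audit(SAMPLE_LOG).items():
        print(url, findings)
```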

23 Other Client Side Vulnerabilities
- Browser plug-ins
  – Plug-in: special software programs that are integrated with web browsers
  – Examples: RealAudio, Shockwave
- E-mail attachments
  – The primary threat vector for viruses and for installing hacker backdoors

24 Other Client Side Vulnerabilities
- Browser flaws
  – Allow viewing of local files
  – Allow posting of files to your browser
  – Allow moving of files
- Using HTTP as a mechanism to circumvent the firewall

25 E-Commerce Attack Scenario
- Use the IIS Unicode exploit
  – Put a remote listener on the web site
  – Listen on port 80
  – Send all port 80 traffic to Dr. Evil's site
  – Logins and passwords captured
  – Sniffed password later used with HTTP proxy software to access your e-bank

26 E-Commerce Attack Scenario
- Man-in-the-middle attack
  – Dr. Evil injects himself between you and the site
  – Installs HTTP proxy software to see what is being transferred on port 80
  – Breaks the transmission path and inserts his own commands

27 Summary
[Picture: 23-year-old geek hacker]
Recent advertising quote:
"Today my worm will destroy: 18 days of revenue, 1.7 million dollars of profit, 4,000 lifetimes of greed."
Feel free to go home and get on-line?
