Client Side Vulnerabilities: Aka, The Perils of HTTP
Lesson 14
Overview
• Executable Content
• Client/Server Computing
• Maintaining State
Executable Content
• Sometimes called active content or mobile code
• ActiveX controls and Java Applets http://www.hamsterdance.com/
• Scripts: Java Script and VBScript
• Browser plug-ins that execute graphic and audio files
• All these “enrich” your web browsing experience
Client/Server Computing
Executable Content:
• Helps achieve wide-scale information distribution
• Advances client/server computing
• Exploits “push” technology through filtered sites
– Relevant data pushed at pre-defined time intervals
Client/Server Computing
• Allows the ability to implement intelligent pull models
– WEB client programmed to learn user preferences
WHAT IS ACTIVE X
• MS Framework that allows programs encapsulated in units called controls to be embedded in Web pages.
• Web browsers that support ActiveX allow Active X controls (programs) to download and execute on their machines.
• These programs can do whatever you program them to do....even execute damaging code.
• ActiveX is language independent, but platform specific
• They can only execute on Win32 (Windows) machines
ActiveX CONTAINERS
• ActiveX Container: a technology used in many ActiveX applications
• ActiveX controls embedded within an ActiveX Container
• Provides sophisticated processing functions that work much like browser plug-ins
• Since Containers are designed independently they can work inconsistently (maliciously) when combined
ActiveX SCRIPTING
Common Languages: Perl, VBScript, JavaScript, JScript (MS)
• Scripting can come from within ActiveX Controls
• Scripting can come from the Web server: commands sent to the client for execution
• Developer decides to mark Scripting as safe
• Client decides whether to accept scripting or reject
AUTHENTICODE
• MS Technology for thwarting malicious ActiveX code from executing on Windows platforms
• Provides two checks:
– Verifies who signed the ActiveX code
– Verifies integrity of the ActiveX code
• Digital signatures issued by several Certification Authorities (CAs) provide the functionality
• Execution of this functionality is much like PKI
– Upon download, the signature is stripped from the ActiveX code and verified as from a valid CA
– Then it is checked to see if the software developer signed the code
– Finally the downloaded code's hash is checked against the regenerated hash to verify integrity
AUTHENTICODE SECURITY
• Signature provides no assurance that code will work properly
• Technology works solely on a trust model
• Since the advent of IE 4 the concept of security zones emerged
– Local intranet zone
– Trusted sites zone
– Internet zone
– Restricted sites zone
• User control (or lack thereof) of setting security policy can be debilitating
JAVA CHARACTERISTICS
• Multi-platform (MS, Mac, UNIX) language quickly finding acceptance
• Java applets on client machines add new layers of functionality
• Originally designed to run in embedded systems
• Are you ready for the talking refrigerator?
JAVA SECURITY APPROACH
• Java Sandbox is the Java Security Model
• Java Applet Sandbox constrains applets from accessing frangible resources
• Thus, Java Applet Sandbox model is based on restricting the behavior of the applet
• Signed applets now also being used
• Signed applets allow the applets to "play" outside the sandbox
Maintaining State
• HTTP is a stateless protocol
• WEB sessions are considered connectionless
Stateless Example (client/server TCP data flow between the Student and the SERVER)
• TCP 3-Way Handshake
• SSL Connection Established
• HTTP Request for Web Page
• WEB PAGE SENT
• END CONNECTION
• REPEAT FOR EMBEDDED FILES
State Example (1) (Student and SERVER)
• TCP 3-Way Handshake
• SSL Connection Established
• HTTP Request for Web Page
• WEB PAGE SENT + COOKIE
• END CONNECTION
State Example (2) (Student and SERVER)
• TCP 3-Way Handshake
• SSL Connection Established
• HTTP Request for Web Page
• GET COOKIE + SEND WEB PAGE
• END CONNECTION
Cookies for Life
Pros:
• Add state
• Increases throughput
• Can add authentication
Cookies for Life
Cons:
• Privacy issues
– Collecting WEB usage data
– Profiling WEB visitors
• Security
– Improper state tracking results in security holes
– Cookie hijacking (if client hacked)
HTTP Session Tracking
• URL Session Tracking
• Hidden Form Elements
• Cookies
HTTP Authentication
• Logon sequence generates session ID
– Pass ID to browser
• URL Session Tracking
– ID passed in the URL itself
• Hidden Form Elements
– Within the HTML source code
• Cookies
• Session ID can be passed over HTTP or HTTPS
Authentication Examples
• URL Session Tracking: http://www.rbfcu.org/checking_balance.asp?ID=101460
• Hidden Form Elements: <input type="hidden" name="Session" value="101460">
• Cookies: EAZBKRBFCU101460
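As an added example (not part of the lecture), the three session-tracking mechanisms from the HTTP Authentication and Authentication Examples slides, plus the cookie exchange from the State Examples, modelled as plain request parsing with the checks a server-side defender would add. The request texts are constructed, the session ID 101460 is the slides' sample value, and the function names are assumptions.

```python
# Added example: parse the session ID out of each of the three places the
# lecture lists (URL, hidden form element, cookie), then show how a server
# should mint and set an ID so the "Cookie Hijacking" con is harder to exploit.
import secrets
from urllib.parse import urlsplit, parse_qs


def parse_request(raw: str):
    """Split a constructed HTTP/1.1 request into (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def extract_session_id(raw: str):
    """Return (mechanism, session_id) in the slides' order, or None if absent."""
    method, target, headers, body = parse_request(raw)
    # 1. URL session tracking: ?ID=... in the request line (leaks via logs/Referer)
    query = parse_qs(urlsplit(target).query)
    if "ID" in query:
        return "url", query["ID"][0]
    # 2. Hidden form element: Session=... in a form-encoded POST body
    if method == "POST":
        form = parse_qs(body)
        if "Session" in form:
            return "hidden-form", form["Session"][0]
    # 3. Cookie header: Session=... among the "name=value; name=value" pairs
    pairs = (p.strip().split("=", 1) for p in headers.get("cookie", "").split(";") if "=" in p)
    cookies = dict(pairs)
    if "Session" in cookies:
        return "cookie", cookies["Session"]
    return None


def new_session_id() -> str:
    """Unguessable ID: 128 bits from the OS CSPRNG, not a counter like 101460."""
    return secrets.token_urlsafe(16)


def session_cookie_header(session_id: str, https: bool) -> str:
    """Set-Cookie line for the 'WEB PAGE SENT + COOKIE' step, hardened with
    HttpOnly (no script access) and, over HTTPS, Secure (never sent in clear)."""
    attrs = ["HttpOnly", "SameSite=Strict"]
    if https:
        attrs.append("Secure")
    return "Set-Cookie: Session=%s; %s" % (session_id, "; ".join(attrs))
```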
OTHER CLIENT SIDE VULNERABILITIES
• Browser Plug-ins
– Plug-in: special software programs that are integrated with Web browsers
– Examples: RealAudio, Shockwave
• E-Mail Attachments
– The primary threat vector for viruses and installing hacker backdoors
Other Client Side Vulnerabilities
• Browser Flaws
– Allow viewing of local files
– Allow posting of files to your browser
– Allow moving of files
• Using HTTP as mechanism to circumvent Firewall
E-Commerce Attack Scenario
• Use IIS Unicode Exploit
– Put remote listener on WEB site
– Listen on Port 80
– Send all Port 80 to Dr. Evil’s site
– Logins and passwords captured
– Sniffed password later used with HTTP proxy software to access your E-BANK
E-Commerce Attack Scenario
• Man-in-the-middle attack
– Dr. Evil injects himself in between you and the site
– Installs HTTP proxy software to see what is being transferred on port 80
– Breaks the transmission path and inserts his own commands
Summary
Picture a 23-year-old geek hacker
Recent Advertising Quote:
“Today my worm will destroy:
18 days of revenue
1.7 million dollars of profit
4,000 lifetimes of greed.”
FEEL FREE TO GO HOME AND GET ON-LINE?