client side vulnerabilities
Client Side Vulnerabilities: Aka, The Perils of HTTP
Lesson 14
Overview
• Executable Content
• Client/Server Computing
• Maintaining State
Executable Content
• Sometimes called active content or mobile code
• ActiveX controls and Java Applets (e.g. http://www.hamsterdance.com/)
• Scripts: JavaScript and VBScript
• Browser plug-ins that execute graphic and audio files
• All these “enrich” your web browsing experience
Client/Server Computing
Executable Contents:
• Help achieve wide-scale info distribution
• Advances client/server computing
• Exploits “push” technology through filtered sites
– Relevant data pushed at pre-defined time intervals
Client/Server Computing
• Allows the ability to implement intelligent pull models
– WEB client programmed to learn user preferences
WHAT IS ACTIVEX
• MS Framework that allows programs encapsulated in units called controls to be embedded in Web pages.
• Web browsers that support ActiveX allow ActiveX controls (programs) to download and execute on their machines.
• These programs can do whatever you program them to do... even execute damaging code.
• ActiveX is language independent, but platform specific
• They can only execute on Windows (Win32) machines
ActiveX CONTAINERS
• ActiveX Container: a technology used in many ActiveX applications
• ActiveX controls embedded within an ActiveX Container
• Provides sophisticated processing functions that work much like browser plug-ins
• Since Containers are designed independently they can work inconsistently (maliciously) when combined
ActiveX SCRIPTING
Common Languages: Perl, VBScript, JavaScript, JScript (MS)
• Scripting can come from within ActiveX Controls
• Scripting can come from the Web server: commands sent to the client for execution
• Developer decides whether to mark scripting as safe
• Client decides whether to accept or reject scripting
AUTHENTICODE
• MS Technology for thwarting malicious ActiveX code from executing on Windows platforms
• Provides two checks:
– Verifies who signed the ActiveX code
– Verifies integrity of the ActiveX code
• Digital signatures issued by several Certification Authorities (CAs) provide the functionality
• Execution of this functionality is much like PKI
– Upon download, the signature is stripped from the ActiveX code and verified as from a valid CA
– Then it is checked to see if the software developer signed the code
– Finally the downloaded code's hash is checked against the regenerated hash to verify integrity
AUTHENTICODE SECURITY
• Signature provides no assurance that code will work properly
• Technology works solely on a trust model
• Since the advent of IE 4 the concept of security zones emerged
– Local intranet zone
– Trusted sites zone
– Internet zone
– Restricted sites zone
• User control (or lack thereof) of setting security policy can be debilitating
JAVA CHARACTERISTICS
• Multi-platform (MS, Mac, UNIX) language quickly finding acceptance
• Java applets on client machines add new layers of functionality
• Originally designed to run in embedded systems
• Are you ready for the talking refrigerator?
JAVA SECURITY APPROACH
• Java Sandbox is the Java Security Model
• Java Applet Sandbox constrains applets from accessing frangible resources
• Thus, the Java Applet Sandbox model is based on restricting the behavior of the applet
• Signed applets now also being used
• Signed applets allow the applets to "play" outside the sandbox
Maintaining State
• HTTP is a stateless protocol
• WEB sessions are considered connectionless
[Diagram: TCP data flow between CLIENT and SERVER]
Stateless Example
[Sequence diagram: Student (client) and SERVER]
1. TCP 3-Way Handshake
2. SSL Connection Established
3. HTTP Request for Web Page
4. WEB PAGE SENT
5. END CONNECTION
6. REPEAT FOR EMBEDDED FILES
State Example (1)
[Sequence diagram: Student (client) and SERVER]
1. TCP 3-Way Handshake
2. SSL Connection Established
3. HTTP Request for Web Page
4. WEB PAGE SENT + COOKIE
5. END CONNECTION
State Example (2)
[Sequence diagram: Student (client) and SERVER]
1. TCP 3-Way Handshake
2. SSL Connection Established
3. HTTP Request for Web Page
4. GET COOKIE + SEND WEB PAGE
5. END CONNECTION
Cookies for Life
Pros:
• Add state
• Increases throughput
• Can add authentication
Cookies for Life
Cons:
• Privacy issues
– Collecting WEB usage data
– Profiling WEB visitors
• Security
– Improper state tracking results in security holes
– Cookie hijacking (if client hacked)
HTTP Session Tracking
• URL Session Tracking
• Hidden Form Elements
• Cookies
HTTP Authentication
• Logon sequence generates session ID
– Pass ID to browser
• URL Session Tracking
– ID passed in the URL itself
• Hidden Form Elements
– Within HTML source code
• Cookies
• Session ID can be passed over HTTP or HTTPS
Authentication Examples
• URL Session Tracking: http://www.rbfcu.org/checking_balance.asp?ID=101460
• Hidden Form Elements: <input type="hidden" name="Session" value="101460">
• Cookies: EAZBKRBFCU101460
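The three session carriers on this slide and the preceding one (URL parameter, hidden form element, cookie), seen from the server side, as an added example that is not part of the lesson slides. It extracts the session ID from each carrier of a raw HTTP request and issues a fresh session cookie with the attributes that narrow the cookie-hijacking exposure listed under the cookie cons. The host name, session IDs and the cookie name "SESSION" are constructed sample values; the parameter name "ID" and the field name "Session" follow the slide's examples.

```python
"""Added example (not from the slides): server-side HTTP session tracking."""
import secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlparse

SESSION_PARAM = "ID"        # query-string parameter, as in the slide's example URL
FORM_FIELD = "Session"      # hidden <input> name, as in the slide's example form
COOKIE_NAME = "SESSION"     # assumed cookie name (constructed)


def parse_request(raw: str):
    """Split raw HTTP/1.1 request text into (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def session_id_from_request(raw: str):
    """Return (carrier, session_id), or (None, None) when no session ID is present."""
    method, target, headers, body = parse_request(raw)

    # 1. URL session tracking: the ID rides in the query string, so it also ends
    #    up in proxy logs, browser history and Referer headers.
    query = parse_qs(urlparse(target).query)
    if SESSION_PARAM in query:
        return "url", query[SESSION_PARAM][0]

    # 2. Hidden form element: the ID is a field of a form-encoded POST body.
    ctype = headers.get("content-type", "")
    if method == "POST" and ctype.startswith("application/x-www-form-urlencoded"):
        form = parse_qs(body)
        if FORM_FIELD in form:
            return "form", form[FORM_FIELD][0]

    # 3. Cookie: the browser attaches it to every request for the site.
    if "cookie" in headers:
        jar = SimpleCookie()
        jar.load(headers["cookie"])
        if COOKIE_NAME in jar:
            return "cookie", jar[COOKIE_NAME].value

    return None, None


def session_cookie_header(session_id: str) -> str:
    """Build the Set-Cookie header line that issues session_id.

    Secure keeps the cookie off plain HTTP, HttpOnly keeps it out of reach of
    page scripts, SameSite=Strict stops the browser attaching it to cross-site
    requests. None of these help once the client itself is compromised.
    """
    jar = SimpleCookie()
    jar[COOKIE_NAME] = session_id
    jar[COOKIE_NAME]["secure"] = True
    jar[COOKIE_NAME]["httponly"] = True
    jar[COOKIE_NAME]["samesite"] = "Strict"
    jar[COOKIE_NAME]["path"] = "/"
    return jar.output(header="Set-Cookie:")


def respond(raw: str, known_sessions: set) -> dict:
    """Reuse a known session ID, or start a new session and issue a cookie.

    Returns the session used, the carrier that supplied it (None for a new
    session) and the Set-Cookie header to send (None when nothing is issued).
    """
    carrier, sid = session_id_from_request(raw)
    if sid is not None and sid in known_sessions:
        return {"session": sid, "carrier": carrier, "set_cookie": None}
    # First visit or an unknown ID: never adopt the client-supplied value,
    # generate an unguessable one on the server instead.
    new_sid = secrets.token_urlsafe(32)
    known_sessions.add(new_sid)
    return {"session": new_sid, "carrier": None,
            "set_cookie": session_cookie_header(new_sid)}


# Constructed sample requests, not captured traffic.
URL_REQUEST = ("GET /checking_balance.asp?ID=101460 HTTP/1.1\r\n"
               "Host: www.bank.example\r\n\r\n")
FORM_REQUEST = ("POST /transfer HTTP/1.1\r\n"
                "Host: www.bank.example\r\n"
                "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                "Session=101460&amount=5")
COOKIE_REQUEST = ("GET /checking_balance.asp HTTP/1.1\r\n"
                  "Host: www.bank.example\r\n"
                  "Cookie: theme=dark; SESSION=101460\r\n\r\n")
FIRST_VISIT = "GET / HTTP/1.1\r\nHost: www.bank.example\r\n\r\n"

if __name__ == "__main__":
    sessions = {"101460"}
    for req in (URL_REQUEST, FORM_REQUEST, COOKIE_REQUEST, FIRST_VISIT):
        print(respond(req, sessions))
```

Running the block handles the first three requests as the existing session 101460 via the URL, form and cookie carriers respectively, and answers the cookie-less first visit with a new random ID and a Set-Cookie line; a request carrying an ID the server never issued is treated the same way as a first visit rather than accepted.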
OTHER CLIENT SIDE VULNERABILITIES
• Browser Plug-ins
– Plug-in: special software programs that are integrated with Web browsers
– Examples: RealAudio, Shockwave
• E-Mail Attachments
– The primary threat vector for viruses and installing hacker backdoors
Other Client Side Vulnerabilities
• Browser Flaws
– Allow viewing of local files
– Allow posting of files to your browser
– Allow moving of files
• Using HTTP as mechanism to circumvent Firewall
E-Commerce Attack Scenario
• Use IIS Unicode Exploit
– Put remote listener on WEB site
– Listen on Port 80
– Send all Port 80 to Dr. Evil’s site
– Logins and Passwords Captured
– Sniffed password later used with HTTP proxy software to access your E-BANK
E-Commerce Attack Scenario
• Man-in-the-middle attack
– Dr. Evil injects himself in between you and the site
– Installs HTTP Proxy Software to see what is being transferred on port 80
– Breaks transmission path and inserts his own commands
Summary
Picture a 23-year-old Geek Hacker. Recent Advertising Quote:
“Today my worm will destroy: 18 days of revenue, 1.7 million dollars of profit, 4,000 lifetimes of greed.”
FEEL FREE TO GO HOME AND GET ON-LINE?