Client Side Vulnerabilities, aka The Perils of HTTP (Lesson 14)

Upload: ceana

Post on 10-Feb-2016


TRANSCRIPT

Page 1: Client Side Vulnerabilities

Client Side Vulnerabilities: Aka, The Perils of HTTP

Lesson 14

Page 2: Client Side Vulnerabilities

Overview

•Executable Content

•Client/Server Computing

•Maintaining State

Page 3: Client Side Vulnerabilities

Executable Content

• Sometimes called active content or mobile code

• ActiveX controls and Java Applets (e.g. http://www.hamsterdance.com/)

• Scripts: JavaScript and VBScript

• Browser plug-ins that execute graphic and audio files

• All these “enrich” your web browsing experience

Page 4: Client Side Vulnerabilities

Client/Server Computing

Executable Contents:

• Help achieve wide-scale info distribution

• Advances client/server computing

• Exploits “push” technology through filtered sites

– Relevant data pushed at pre-defined time intervals

Page 5: Client Side Vulnerabilities

Client/Server Computing

• Allows ability to implement intelligent pull models

– WEB client programmed to learn user preferences

Page 6: Client Side Vulnerabilities

WHAT IS ACTIVEX

• MS framework that allows programs encapsulated in units called controls to be embedded in Web pages.

• Web browsers that support ActiveX allow ActiveX controls (programs) to download and execute on their machines.

• These programs can do whatever you program them to do...even execute damaging code.

• ActiveX is language independent, but platform specific

• They can only execute on Win32 (Windows) machines

Page 7: Client Side Vulnerabilities

ActiveX CONTAINERS

• ActiveX Container: a technology used in many ActiveX applications

• ActiveX controls embedded within an ActiveX Container

• Provides sophisticated processing functions that work much like browser plug-ins

• Since Containers are designed independently they can work inconsistently (maliciously) when combined

Page 8: Client Side Vulnerabilities

ActiveX SCRIPTING

Common Languages: Perl, VBScript, JavaScript, JScript (MS)

• Scripting can come from within ActiveX Controls

• Scripting can come from Web server--commands sent to client for execution

• Developer decides to mark Scripting as safe

• Client decides whether to accept scripting or reject

Page 9: Client Side Vulnerabilities

AUTHENTICODE

• MS technology for thwarting malicious ActiveX code from executing on Windows platforms

• Provides two checks:

– Verifies who signed the ActiveX code

– Verifies integrity of the ActiveX code

• Digital signatures issued under several Certification Authorities (CAs) provide the functionality

• Execution of this functionality is much like PKI

– Upon download, the signature is stripped from the ActiveX code and verified as from a valid CA

– Then it is checked to see if the software developer signed the code

– Finally, the downloaded code's hash is checked against the regenerated hash to verify integrity
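As an added illustration of the three checks just listed (example code written for this page, not Microsoft's Authenticode implementation), the Go program below models the developer certificate as a CA-signed Ed25519 public key and the code signature as the developer's signature over the SHA-256 of the control. The DevCert and SignedCode types, the "rogue CA" case and the sample control bytes are all constructed for the example; real Authenticode uses X.509 certificates and PKCS#7 signatures, which this does not reproduce.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// DevCert is a hypothetical, minimal developer certificate: the developer's
// public key plus the CA's signature over it (real Authenticode uses X.509).
type DevCert struct {
	DevPub ed25519.PublicKey
	CASig  []byte
}

// SignedCode is what the client downloads: the control's bytes, the hash the
// developer signed, that signature, and the developer certificate.
type SignedCode struct {
	Code   []byte
	Hash   []byte
	DevSig []byte
	Cert   DevCert
}

var (
	ErrUntrustedCA  = errors.New("developer certificate is not signed by a trusted CA")
	ErrBadDevSig    = errors.New("developer signature over the code hash does not verify")
	ErrHashMismatch = errors.New("hash of downloaded code differs from the signed hash")
)

// VerifySignedCode runs the three checks from the slide, in the slide's order.
func VerifySignedCode(sc SignedCode, trustedCA ed25519.PublicKey) error {
	// 1. Was the developer's certificate issued by a CA the client trusts?
	if !ed25519.Verify(trustedCA, sc.Cert.DevPub, sc.Cert.CASig) {
		return ErrUntrustedCA
	}
	// 2. Did the developer named in that certificate sign the code hash?
	if !ed25519.Verify(sc.Cert.DevPub, sc.Hash, sc.DevSig) {
		return ErrBadDevSig
	}
	// 3. Does the code actually received regenerate the same hash?
	sum := sha256.Sum256(sc.Code)
	if !bytes.Equal(sum[:], sc.Hash) {
		return ErrHashMismatch
	}
	return nil
}

// BuildSignedCode is the issuing side: the CA signs the developer key, the
// developer signs the SHA-256 of the code.
func BuildSignedCode(code []byte, caPriv, devPriv ed25519.PrivateKey) SignedCode {
	devPub := devPriv.Public().(ed25519.PublicKey)
	sum := sha256.Sum256(code)
	return SignedCode{
		Code:   code,
		Hash:   sum[:],
		DevSig: ed25519.Sign(devPriv, sum[:]),
		Cert:   DevCert{DevPub: devPub, CASig: ed25519.Sign(caPriv, devPub)},
	}
}

// Demo verifies an intact bundle, one whose code was altered after signing,
// and one whose certificate was issued by a CA the client does not trust.
func Demo() (intact, tampered, untrusted error) {
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, devPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, rogueCAPriv, _ := ed25519.GenerateKey(rand.Reader)

	// Constructed sample payload standing in for a downloaded control.
	code := []byte("MsgBox \"constructed sample control\"")

	good := BuildSignedCode(code, caPriv, devPriv)
	intact = VerifySignedCode(good, caPub)

	// Same signature and certificate, but the bytes were changed in transit.
	altered := good
	altered.Code = append(append([]byte{}, code...), []byte(" ' extra")...)
	tampered = VerifySignedCode(altered, caPub)

	// Valid-looking chain, but rooted in a CA the client never trusted.
	rogue := BuildSignedCode(code, rogueCAPriv, devPriv)
	untrusted = VerifySignedCode(rogue, caPub)
	return intact, tampered, untrusted
}

func main() {
	intact, tampered, untrusted := Demo()
	fmt.Println("intact bundle:", intact)
	fmt.Println("altered code: ", tampered)
	fmt.Println("untrusted CA: ", untrusted)
}
```

Run it and the intact bundle verifies, the altered bytes fail at check 3, and the chain rooted in an unknown CA fails at check 1. As the next slide says, none of this says the code is harmless: a valid signature only tells you who signed it and that it arrived unchanged.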

Page 10: Client Side Vulnerabilities

AUTHENTICODE SECURITY

• Signature provides no assurance that code will work properly

• Technology works solely on a trust model

• Since the advent of IE 4 the concept of security zones emerged

– Local intranet zone

– Trusted sites zone

– Internet zone

– Restricted sites zone

• User control (or lack thereof) of setting security policy can be debilitating

Page 11: Client Side Vulnerabilities

JAVA CHARACTERISTICS

• Multi-platform (MS, Mac, UNIX) language quickly finding acceptance

• Java applets on client machines add new layers of functionality

• Originally designed to run in embedded systems

• Are you ready for the talking refrigerator?

Page 12: Client Side Vulnerabilities

JAVA SECURITY APPROACH

• Java Sandbox is the Java Security Model

• Java Applet Sandbox constrains applets from accessing frangible resources

• Thus, the Java Applet Sandbox model is based on restricting the behavior of the applet

• Signed applets now also being used

• Signed applets allow the applets to "play" outside the sandbox


Page 14: Client Side Vulnerabilities

Maintaining State

• HTTP is a stateless protocol

• WEB sessions are considered connectionless

[Diagram: CLIENT and SERVER connected by the TCP DATA FLOW]

Page 15: Client Side Vulnerabilities

Stateless Example

[Diagram: message sequence between Student (client) and SERVER]

• TCP 3-Way Handshake

• SSL Connection Established

• HTTP Request for Web Page

• WEB PAGE SENT

• END CONNECTION

• REPEAT FOR EMBEDDED FILES

Page 16: Client Side Vulnerabilities

State Example(1)

[Diagram: message sequence between Student (client) and SERVER]

• TCP 3-Way Handshake

• SSL Connection Established

• HTTP Request for Web Page

• WEB PAGE SENT + COOKIE

• END CONNECTION

Page 17: Client Side Vulnerabilities

State Example (2)

[Diagram: message sequence between Student (client) and SERVER]

• TCP 3-Way Handshake

• SSL Connection Established

• HTTP Request for Web Page

• GET COOKIE + SEND WEB PAGE

• END CONNECTION

Page 18: Client Side Vulnerabilities

Cookies for Life

Pros:

• Add state

• Increases Throughput

• Can Add Authentication

Page 19: Client Side Vulnerabilities

Cookies for Life

Cons:

• Privacy issues

– Collecting WEB usage data

– Profiling WEB Visitors

• Security

– Improper state tracking results in security holes

– Cookie Hijacking (if client hacked)

Page 20: Client Side Vulnerabilities

HTTP Session Tracking

•URL Session Tracking

•Hidden Form Elements

•Cookies

Page 21: Client Side Vulnerabilities

HTTP Authentication

• Logon sequence generates session ID

– Pass ID to browser

• URL Session Tracking

– ID passed in the URL itself

• Hidden Form Elements

– Within HTML source code

• Cookies

• Session ID can be passed over HTTP or HTTPS

Page 22: Client Side Vulnerabilities

Authentication Examples

• URL Session Tracking: http://www.rbfcu.org/checking_balance.asp?ID=101460

• Hidden Form Elements: <input type="hidden" name="Session" value="101460">

• Cookies: EAZBKRBFCU101460
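To make the exchange from the State Example slides and the three carriers on this slide concrete, here is an added Go example (written for this page, not code from the slides or from any product). It issues a random session ID instead of a sequential one, sets the cookie with the Secure and HttpOnly attributes, and shows how the same ID looks when it arrives via cookie, hidden form field or query string. The SessionStore type, the bank.example host and the 30-minute lifetime are assumptions made for the example; the field names Session and ID follow the slide.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// "Session" and "ID" mirror the slide's hidden-field and URL examples; the
// host is a constructed placeholder, not a real site.
const sessionName, urlParam, siteURL = "Session", "ID", "https://bank.example/checking_balance.asp"

// Carrier records where a request carried its session ID.
type Carrier string

const CarrierNone, CarrierCookie, CarrierForm, CarrierURL Carrier = "none", "cookie", "hidden-form-field", "url"

// SessionStore lives on the server; the client only ever holds an opaque ID.
type SessionStore struct{ expiry map[string]time.Time }

func NewSessionStore() *SessionStore { return &SessionStore{expiry: map[string]time.Time{}} }

// NewSessionID draws 128 bits from the CSPRNG; unlike the slide's sequential
// 101460, seeing one ID gives no hint about any other.
func NewSessionID() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// Create registers a session and builds the Set-Cookie the server sends with
// the page: Secure keeps it off plain HTTP, HttpOnly keeps it from scripts.
func (s *SessionStore) Create(ttl time.Duration) (*http.Cookie, error) {
	id, err := NewSessionID()
	if err != nil {
		return nil, err
	}
	s.expiry[id] = time.Now().Add(ttl)
	return &http.Cookie{Name: sessionName, Value: id, Path: "/", MaxAge: int(ttl.Seconds()),
		Secure: true, HttpOnly: true, SameSite: http.SameSiteLaxMode}, nil
}

// Valid reports whether id names a session that has not expired.
func (s *SessionStore) Valid(id string) bool {
	exp, ok := s.expiry[id]
	return ok && time.Now().Before(exp)
}

// ExtractSessionID checks the three carriers the slide lists, cookie first.
func ExtractSessionID(r *http.Request) (string, Carrier) {
	if c, err := r.Cookie(sessionName); err == nil {
		return c.Value, CarrierCookie
	}
	if r.Method == http.MethodPost && r.ParseForm() == nil {
		if v := r.PostForm.Get(sessionName); v != "" {
			return v, CarrierForm
		}
	}
	if v := r.URL.Query().Get(urlParam); v != "" {
		return v, CarrierURL // ends up in logs, history and Referer headers
	}
	return "", CarrierNone
}

// DemoResult captures the State Example exchange plus the two other carriers
// from the Authentication Examples slide, all using the same issued ID.
type DemoResult struct {
	FirstCarrier, SecondCarrier, FormCarrier, URLCarrier Carrier
	SetCookie                                            string // header sent with the first page
	SecondValid                                          bool   // server recognised the returned ID
}

func Demo() (DemoResult, error) {
	var res DemoResult
	store := NewSessionStore()
	first := httptest.NewRequest(http.MethodGet, siteURL, nil) // no state yet
	_, res.FirstCarrier = ExtractSessionID(first)
	cookie, err := store.Create(30 * time.Minute)
	if err != nil {
		return res, err
	}
	res.SetCookie = cookie.String()
	second := httptest.NewRequest(http.MethodGet, siteURL, nil)
	second.AddCookie(cookie) // the browser returns the cookie on its next request
	id, carrier := ExtractSessionID(second)
	res.SecondCarrier, res.SecondValid = carrier, store.Valid(id)
	form := httptest.NewRequest(http.MethodPost, siteURL, strings.NewReader(sessionName+"="+cookie.Value))
	form.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	_, res.FormCarrier = ExtractSessionID(form)
	viaURL := httptest.NewRequest(http.MethodGet, siteURL+"?"+urlParam+"="+cookie.Value, nil)
	_, res.URLCarrier = ExtractSessionID(viaURL)
	return res, nil
}
```

The first request carries nothing, the server answers with Set-Cookie, and the browser returns it on the next request; the same ID posted in a hidden field or appended to the URL is recognised too, but the URL form is the one that gets copied into browser history, proxy logs and Referer headers, which is why the cookie over HTTPS is the preferred carrier.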

Page 23: Client Side Vulnerabilities

OTHER CLIENT SIDE VULNERABILITIES

• Browser Plug-ins

– Plug-in: special software programs that are integrated with Web Browsers

– Examples: RealAudio, Shockwave

• E-Mail Attachments

– The primary threat vector for viruses and installing hacker backdoors

Page 24: Client Side Vulnerabilities

Other Client Side Vulnerabilities

• Browser Flaws

– Allow viewing of local files

– Allow posting of files to your browser

– Allow moving of files

• Using HTTP as a mechanism to circumvent the Firewall

Page 25: Client Side Vulnerabilities

E-Commerce Attack Scenario

• Use IIS Unicode Exploit

– Put remote listener on WEB site

– Listen on Port 80

– Send all Port 80 to Dr. Evil’s site

– Logins and Passwords Captured

– Sniffed password later used with HTTP proxy software to access your E-BANK

Page 26: Client Side Vulnerabilities

E-Commerce Attack Scenario

• Man-in-the-middle attack

– Dr. Evil injects himself in between you and the site

– Installs HTTP Proxy Software to see what is being transferred on port 80

– Breaks transmission path and inserts his own commands

Page 27: Client Side Vulnerabilities

Summary

Picture a 23-year-old Geek Hacker. Recent Advertising Quote:

“Today my worm will destroy: 18 days of revenue, 1.7 million dollars of profit, 4,000 lifetimes of greed.”

FEEL FREE TO GO HOME AND GET ON-LINE?