Client Side Vulnerabilities Aka, The Perils of HTTP Lesson 14

Upload: shana-austin

Post on 12-Jan-2016

Page 1: Client Side Vulnerabilities Aka, The Perils of HTTP Lesson 14

Client Side Vulnerabilities Aka, The Perils of HTTP

Lesson 14

Page 2

Overview

• Executable Content

• Client/Server Computing

• Maintaining State

Page 3

Executable Content

• Sometimes called active content or mobile code

• ActiveX controls and Java Applets http://www.hamsterdance.com/

• Scripts: JavaScript and VBScript

• Browser plug-ins that execute graphic and audio files

• All these “enrich” your web browsing experience

Page 4

Client/Server Computing

Executable Content:

• Helps achieve wide-scale info distribution

• Advances client/server computing

• Exploits “push” technology through filtered sites

– Relevant data pushed at pre-defined time intervals

Page 5

Client/Server Computing

• Allows ability to implement intelligent pull models

– WEB client programmed to learn user preferences

Page 6

WHAT IS ACTIVEX

• MS framework that allows programs encapsulated in units called controls to be embedded in Web pages.

• Web browsers that support ActiveX allow ActiveX controls (programs) to download and execute on their machines.

• These programs can do whatever you program them to do... even execute damaging code.

• ActiveX is language independent, but platform specific

– They can only execute on Win32 machines

Page 7

ActiveX CONTAINERS

• ActiveX Container: a technology used in many ActiveX applications

• ActiveX controls embedded within an ActiveX Container

• Provides sophisticated processing functions that work much like browser plug-ins

• Since Containers are designed independently they can work inconsistently (maliciously) when combined

Page 8

ActiveX SCRIPTING

Common Languages: Perl, VBScript, JavaScript, JScript (MS)

• Scripting can come from within ActiveX Controls

• Scripting can come from the Web server: commands sent to the client for execution

• Developer decides to mark Scripting as safe

• Client decides whether to accept scripting or reject

Page 9

AUTHENTICODE

• MS technology for thwarting malicious ActiveX code from executing on Windows platforms

• Provides two checks:

– Verifies who signs the ActiveX code

– Verifies integrity of ActiveX code

• Digital signatures issued by several Certification Authorities (CAs) provide the functionality

• Execution of this functionality is much like PKI

– Upon download the signature is stripped from the ActiveX code and verified as from a valid CA

– Then it is checked to see if the software developer signed the code

– Finally the downloaded code's hash is checked against the regenerated hash to verify integrity

Page 10

AUTHENTICODE SECURITY

• Signature provides no assurance that code will work properly

• Technology works solely on a trust model

• Since the advent of IE 4 the concept of security zones emerged

– Local intranet zone

– Trusted sites zone

– Internet zone

– Restricted sites zone

• User control (or lack thereof) of setting security policy can be debilitating

Page 11

JAVA CHARACTERISTICS

• Multi-platform (MS, Mac, UNIX) language quickly finding acceptance

• Java applets on client machines add new layers of functionality

• Originally designed to run in embedded systems

• Are you ready for the talking refrigerator?

Page 12

JAVA SECURITY APPROACH

• Java Sandbox is the Java Security Model

• Java Applet Sandbox constrains applets from accessing frangible resources

• Thus, Java Applet Sandbox model is based on restricting the behavior of the applet

• Signed applets now also being used

• Signed applets allow the applets to "play" outside the sandbox


Page 14

Maintaining State

• HTTP is a stateless protocol

• WEB sessions are considered connectionless

[Diagram: TCP data flow between CLIENT and SERVER]

Page 15

Stateless Example

[Diagram: exchange between Student (client) and SERVER]

• TCP 3-way handshake

• SSL connection established

• HTTP request for Web page

• Web page sent

• End connection

• Repeat for embedded files

Page 16

State Example (1)

[Diagram: exchange between Student (client) and SERVER]

• TCP 3-way handshake

• SSL connection established

• HTTP request for Web page

• Web page sent + cookie

• End connection

Page 17

State Example (2)

[Diagram: exchange between Student (client) and SERVER]

• TCP 3-way handshake

• SSL connection established

• HTTP request for Web page

• Get cookie + send Web page

• End connection

Page 18

Cookies for Life

Pros:

• Add state

• Increases Throughput

• Can Add Authentication

Page 19

Cookies for Life

Cons:

• Privacy issues

– Collecting WEB usage data

– Profiling WEB Visitors

• Security

– Improper state tracking results in security holes

– Cookie Hijacking (if client hacked)

Page 20

HTTP Session Tracking

• URL Session Tracking

• Hidden Form Elements

• Cookies

Page 21

HTTP Authentication

• Logon sequence generates session ID

– Pass ID to browser

• URL Session Tracking

– ID Passed in URL itself

• Hidden Form Elements

– Within HTML Source Code

• Cookies

• Session ID can be passed over HTTP or HTTPS

Page 22

Authentication Examples

• URL Session Tracking

http://www.rbfcu.org/checking_balance.asp?ID=101460

• Hidden Form Elements

<input type="hidden" name="Session" value="101460">

• Cookies

EAZBKRBFCU101460
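To make the three carriers on this slide and the cookie exchange of State Examples (1) and (2) concrete, here is an added Python example (not part of the original deck). It audits where a session identifier travels in constructed samples modelled on the slide's values, then shows a server issuing a random session cookie that the client returns on its next request; the parameter-name heuristics and the sample HTML are assumptions.

```python
import re
import secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

# Constructed samples modelled on the "Authentication Examples" slide.
SAMPLE_URL = "http://www.rbfcu.org/checking_balance.asp?ID=101460"
SAMPLE_HTML = '<form><input type="hidden" name="Session" value="101460"></form>'
SAMPLE_COOKIE_HEADER = "Cookie: EAZBKRBFCU101460"

# Assumed names under which a session ID is commonly carried (heuristic, not exhaustive).
SESSION_PARAM_NAMES = {"id", "session", "sessionid", "sid"}
# Assumes attribute order type/name/value, as on the slide.
HIDDEN_INPUT = re.compile(
    r'<input[^>]*type="hidden"[^>]*name="(?P<name>[^"]+)"[^>]*value="(?P<value>[^"]*)"', re.I)


def find_session_carriers(url, html, cookie_header):
    """Report where a session ID travels: URL query, hidden form field, or cookie.
    An ID in the URL also lands in browser history, proxy/server logs and Referer
    headers, so the audit treats the URL carrier as the weakest of the three."""
    found = {}
    for name, values in parse_qs(urlsplit(url).query).items():
        if name.lower() in SESSION_PARAM_NAMES:
            found["url"] = values[0]
    for m in HIDDEN_INPUT.finditer(html):
        if m.group("name").lower() in SESSION_PARAM_NAMES:
            found["hidden_form"] = m.group("value")
    if cookie_header.lower().startswith("cookie:"):  # the slide's cookie is a bare value
        found["cookie"] = cookie_header.split(":", 1)[1].strip()
    return found


def issue_session_cookie(https_only=True):
    """Server side of State Example (1): reply with Set-Cookie carrying an unguessable ID.
    Secure keeps the cookie off plain HTTP; HttpOnly keeps it away from page scripts."""
    cookie = SimpleCookie()
    cookie["Session"] = secrets.token_urlsafe(32)  # 256 random bits, not a counter like 101460
    cookie["Session"]["httponly"] = True
    cookie["Session"]["secure"] = https_only
    cookie["Session"]["path"] = "/"
    return cookie.output(header="Set-Cookie:")


def next_request_cookie(set_cookie_header):
    """Client side of State Example (2): store the cookie and send it back on the next request."""
    jar = SimpleCookie()
    jar.load(set_cookie_header.split(":", 1)[1].strip())
    return "Cookie: " + "; ".join(f"{k}={m.value}" for k, m in jar.items())
```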

Page 23

OTHER CLIENT SIDE VULNERABILITIES

• Browser Plug-ins

– Plug-in: special software programs that are integrated with Web Browsers

– Examples: RealAudio, Shockwave

• E-Mail Attachments

– The primary threat vector for viruses and installing hacker backdoors

Page 24

Other Client Side Vulnerabilities

• Browser Flaws

– Allow viewing of local files

– Allow posting of files to your browser

– Allow moving of files

• Using HTTP as a mechanism to circumvent a firewall

Page 25

E-Commerce Attack Scenario

• Use IIS Unicode Exploit

– Put remote listener on WEB site

– Listen on Port 80

– Send all Port 80 to Dr. Evil’s site

– Logins and Passwords Captured

– Sniffed password later used with HTTP proxy software to access your E-BANK

Page 26

E-Commerce Attack Scenario

• Man-in-the-middle attack

– Dr. Evil injects himself in between you and the site

– Installs HTTP Proxy Software to see what is being transferred on port 80

– Breaks transmission path and inserts his own commands

Page 27

Summary

Picture a 23-year-old geek hacker

Recent advertising quote:

“Today my worm will destroy: 18 days of revenue, 1.7 million dollars of profit, 4,000 lifetimes of greed.”

FEEL FREE TO GO HOME AND GET ON-LINE?