Lsn 14: Client Side Vulnerabilities


Lesson 14
Client Side Vulnerabilities
a.k.a. The Perils of HTTP
Overview
• Executable Content
• Client/Server Computing
• Maintaining State
Executable Content
• Sometimes called active content or
mobile code
• ActiveX controls and Java applets
  (e.g., http://www.hamsterdance.com/)
• Scripts: JavaScript and VBScript
• Browser plug-ins that execute graphic
and audio files
• All these “enrich” your web browsing
experience
Client/Server Computing
Executable content:
• Helps achieve wide-scale information distribution
• Advances client/server computing
• Exploits "push" technology through filtered sites
  – Relevant data pushed at pre-defined time intervals
Client/Server Computing
• Makes it possible to implement intelligent pull models
  – Web client programmed to learn user preferences
WHAT IS ACTIVEX
• MS framework that allows programs, packaged in units called controls, to be embedded in Web pages.
• Web browsers that support ActiveX allow ActiveX controls (programs) to download and execute on the user's machine.
• These programs can do whatever you program them to do....even execute damaging code. A control runs as native code with the full privileges of the logged-on user; there is no sandbox around it.
• ActiveX is language independent, but platform specific
• Controls can only execute on Win32 (Windows) machines
ActiveX CONTAINERS
• ActiveX container: an application (the browser, for example) that hosts ActiveX controls; used in many ActiveX applications
• ActiveX controls are embedded within an ActiveX container
• Provides sophisticated processing functions that work much like browser plug-ins
• Since containers and controls are developed independently, a combination can behave in unintended (even malicious) ways
ActiveX SCRIPTING
Common languages: Perl, VBScript, JavaScript, JScript (MS)
• Scripting can come from within ActiveX controls
• Scripting can come from the Web server--commands sent to the client for execution
• The developer decides whether to mark a control "safe for scripting"; a control so marked can be driven by the script of any Web page that loads it, so a mis-marked control exposes its methods to every site
• The client decides whether to accept or reject scripting
AUTHENTICODE
• MS technology for thwarting malicious ActiveX code from executing on Windows platforms
• Provides two checks:
  – Verifies who signed the ActiveX code
  – Verifies the integrity of the ActiveX code
• Digital signatures, backed by certificates issued by several Certification Authorities (CAs), provide the functionality
• The verification works like any other PKI signature check:
  – Upon download the signature is separated from the ActiveX code and the signer's certificate is checked for a chain to a trusted CA
  – Then the signature is checked to confirm that the software developer named in the certificate signed the code
  – Finally the downloaded code is hashed again and the result compared with the hash in the signature to verify integrity
AUTHENTICODE SECURITY
• A valid signature provides no assurance that the code will work properly or is safe; it only says who signed it and that it has not changed since
• The technology works solely on a trust model
• Since the advent of IE 4 the concept of security zones has emerged:
  – Local intranet zone
  – Trusted sites zone
  – Internet zone
  – Restricted sites zone
• User control (or lack thereof) of the security policy can be debilitating: a user who clicks through the prompt, or a zone set to a low security level, lets unsigned or untrusted controls run
JAVA CHARACTERISTICS
• Multi-platform (MS, Mac, UNIX) language
quickly finding acceptance
• Java applets on client machines add new
layers of functionality
• Originally designed to run in embedded
systems
• Are you ready for the talking refrigerator?
JAVA SECURITY APPROACH
• The Java sandbox is the Java security model
• The Java applet sandbox constrains applets from accessing sensitive resources (local files, native code, network hosts other than the one the applet came from)
• Thus, the Java applet sandbox model is based on restricting the behavior of the applet rather than trusting its author
• Signed applets are now also being used
• Signed applets allow the applet to "play" outside the sandbox: once the user accepts the signer, the applet runs with full privileges, so trust in the signer replaces containment (the same trade-off as Authenticode)
Maintaining State
• HTTP is a stateless protocol: the server does not remember one request when the next arrives
• Web sessions are therefore considered connectionless
[Diagram: TCP data flow between CLIENT and SERVER]
Stateless Example (Student and SERVER)
• TCP 3-way handshake
• SSL connection established
• HTTP request for Web page
• Web page sent
• End connection
• Repeat for each embedded file (HTTP/1.0 behavior; HTTP/1.1 keep-alive reuses the TCP connection, but HTTP itself remains stateless)
State Example (1) (Student and SERVER)
• TCP 3-way handshake
• SSL connection established
• HTTP request for Web page
• Web page sent + cookie (Set-Cookie header)
• End connection
State Example (2) (Student and SERVER)
• TCP 3-way handshake
• SSL connection established
• HTTP request for Web page (browser sends the cookie back in a Cookie header)
• Server reads the cookie + sends Web page
• End connection
Cookies for Life
Pros:
• Add state
• Increase throughput
• Can add authentication
Cookies for Life
Cons:
• Privacy issues
  – Collecting Web usage data
  – Profiling Web visitors
• Security
  – Improper state tracking results in security holes (e.g., trusting a value in the cookie that the client can edit)
  – Cookie hijacking (if the client is hacked, or the cookie is sent over plain HTTP where it can be sniffed)
HTTP Session Tracking
• URL session tracking
• Hidden form elements
• Cookies
HTTP Authentication
• Logon sequence generates a session ID
  – Pass the ID to the browser
• URL session tracking
  – ID passed in the URL itself
• Hidden form elements
  – Within the HTML source code
• Cookies
• The session ID can be passed over HTTP or HTTPS; over HTTP it is readable by anyone on the path, so it should be issued and carried over HTTPS only
Authentication Examples
• URL session tracking
http://www.rbfcu.org/checking_balance.asp?ID=101460
• Hidden form elements
<input type="hidden" name="Session" value="101460">
• Cookies
EAZBKRBFCU101460
Whatever the carrier, the value is under the client's control; a sequential ID such as 101460 invites guessing of neighbouring values, so the server must treat the ID only as a lookup key into its own session table, never as the account number itself.
OTHER CLIENT SIDE VULNERABILITIES
• Browser plug-ins
  – Plug-in: special software programs that are integrated with Web browsers
  – Examples: RealAudio, Shockwave
• E-mail attachments
  – The primary threat vector for viruses and for installing hacker backdoors
Other Client Side Vulnerabilities
• Browser flaws
  – Allow viewing of local files
  – Allow posting of files to your browser
  – Allow moving of files
• Using HTTP (port 80, which most firewalls allow through) as a mechanism to circumvent the firewall
E-Commerce Attack Scenario
• Use the IIS Unicode exploit
  – Put a remote listener on the Web site
  – Listen on port 80
  – Send all port 80 traffic to Dr. Evil's site
  – Logins and passwords captured
  – Sniffed password later used with HTTP proxy software to access your e-bank
E-Commerce Attack Scenario
• Man-in-the-middle attack
  – Dr. Evil injects himself in between you and the site
  – Installs HTTP proxy software to see what is being transferred on port 80
  – Breaks the transmission path and inserts his own commands
Summary
Picture a 23-year-old geek hacker
Recent advertising quote:
"Today my worm will destroy:
18 days of revenue
1.7 million dollars of profit
4,000 lifetimes of greed."
FEEL FREE TO GO HOME AND GET ON-LINE?