Client Side Vulnerabilities

ceana

Presentation Transcript


  1. Lesson 14: Client Side Vulnerabilities, aka The Perils of HTTP

  2. Overview • Executable Content • Client/Server Computing • Maintaining State

  3. Executable Content • Sometimes called active content or mobile code • ActiveX controls and Java applets, e.g. http://www.hamsterdance.com/ • Scripts: JavaScript and VBScript • Browser plug-ins that execute graphic and audio files • All of these “enrich” your web browsing experience

  4. Client/Server Computing Executable content: • Helps achieve wide-scale information distribution • Advances client/server computing • Exploits “push” technology through filtered sites • Relevant data is pushed at pre-defined time intervals

  5. Client/Server Computing • Allows implementation of intelligent pull models • Web client programmed to learn user preferences

  6. WHAT IS ACTIVEX • MS framework that allows programs encapsulated in units called controls to be embedded in Web pages • Web browsers that support ActiveX allow ActiveX controls (programs) to download and execute on their machines • These programs can do whatever you program them to do....even execute damaging code • ActiveX is language independent, but platform specific • They can only execute on 32-bit Windows (Win32) machines

  7. ActiveX CONTAINERS • ActiveX Container: a technology used in many ActiveX applications • ActiveX controls are embedded within an ActiveX Container • Provides sophisticated processing functions that work much like browser plug-ins • Since Containers are designed independently, they can work inconsistently (even maliciously) when combined

  8. ActiveX SCRIPTING Common languages: Perl, VBScript, JavaScript, JScript (MS) • Scripting can come from within ActiveX controls • Scripting can come from the Web server--commands sent to the client for execution • The developer decides whether to mark scripting as safe • The client decides whether to accept or reject scripting

  9. AUTHENTICODE • MS technology for thwarting malicious ActiveX code from executing on Windows platforms • Provides two checks: • Verifies who signed the ActiveX code • Verifies the integrity of the ActiveX code • Digital signatures issued under certificates from several Certification Authorities (CAs) provide the functionality • Execution of this functionality is much like PKI • Upon download, the signature is stripped from the ActiveX code and verified as chaining to a valid CA • Then it is checked whether the software developer signed the code • Finally the downloaded code's hash is regenerated and checked against the signed hash to verify integrity

  10. AUTHENTICODE SECURITY • A signature provides no assurance that the code will work properly • The technology works solely on a trust model • Since the advent of IE 4 the concept of security zones has emerged: • Local intranet zone • Trusted sites zone • Internet zone • Restricted sites zone • User control (or lack thereof) of the security policy settings can be debilitating

  11. JAVA CHARACTERISTICS • Multi-platform (MS, Mac, UNIX) language quickly finding acceptance • Java applets on client machines add new layers of functionality • Originally designed to run in embedded systems • Are you ready for the talking refrigerator?

  12. JAVA SECURITY APPROACH • The Java Sandbox is the Java security model • The Java applet sandbox constrains applets from accessing sensitive (frangible) resources • Thus, the Java applet sandbox model is based on restricting the behavior of the applet • Signed applets are now also being used • Signed applets allow the applets to "play" outside the sandbox

  14. CLIENT SERVER TCP DATA FLOW: Maintaining State • HTTP is a stateless protocol • Web sessions are considered connectionless

  15. Stateless Example (diagram: Student client and SERVER) • TCP 3-way handshake • SSL connection established • HTTP request for Web page • Web page sent • End connection • Repeat for embedded files

  16. State Example (1) (diagram: Student client and SERVER) • TCP 3-way handshake • SSL connection established • HTTP request for Web page • Web page sent + cookie • End connection

  17. State Example (2) (diagram: Student client and SERVER) • TCP 3-way handshake • SSL connection established • HTTP request for Web page • Get cookie + send Web page • End connection

  18. Cookies for Life Pros: • Add state • Increase throughput • Can add authentication

  19. Cookies for Life Cons: • Privacy issues • Collecting Web usage data • Profiling Web visitors • Security • Improper state tracking results in security holes • Cookie hijacking (if the client is compromised)

  20. HTTP Session Tracking • URL Session Tracking • Hidden Form Elements • Cookies

  21. HTTP Authentication • Logon sequence generates a session ID • Pass the ID to the browser • URL Session Tracking: ID passed in the URL itself • Hidden Form Elements: within the HTML source code • Cookies: session ID can be passed over HTTP or HTTPS

  22. Authentication Examples • URL Session Tracking http://www.rbfcu.org/checking_balance.asp?ID=101460 • Hidden Form Elements <input type="hidden" name="Session" value="101460"> • Cookies EAZBKRBFCU101460
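An added example (not from the slides) that ties together the cookie exchange of slides 15-17 and the three session-ID carriers of slides 20-22: a server-side routine that recovers the session ID from the URL, a hidden form field or the Cookie header, an audit of the weaknesses each carrier and transport choice brings, and the cookie a server should issue instead. The request lines, headers and the parameter names ID and Session are constructed to match the slide's examples.

```python
import secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit


def extract_session_id(request_line, headers, body=""):
    """Return (carrier, session_id) for the first carrier found, else (None, None).
    request_line is e.g. 'GET /checking_balance.asp?ID=101460 HTTP/1.1' (constructed)."""
    method, target, _ = request_line.split(" ", 2)
    query = parse_qs(urlsplit(target).query)
    if "ID" in query:                      # slide 22: ID in the URL itself
        return "url", query["ID"][0]
    form = parse_qs(body) if method == "POST" else {}
    if "Session" in form:                  # slide 22: hidden form element posted back
        return "hidden-form", form["Session"][0]
    if "Cookie" in headers:                # slide 17: "get cookie" on the next request
        jar = SimpleCookie(headers["Cookie"])
        if "Session" in jar:
            return "cookie", jar["Session"].value
    return None, None


def audit(carrier, session_id, https):
    """Defender's checklist: what each carrier/transport on slides 19-21 exposes."""
    findings = []
    if carrier == "url":
        findings.append("session id in URL: leaks via Referer, bookmarks, proxy and server logs")
    if carrier == "hidden-form":
        findings.append("session id in HTML source: visible in page source and cached copies")
    if not https:
        findings.append("sent over plain HTTP: sniffable on the path (cookie hijacking)")
    if session_id and session_id.isdigit():
        findings.append("numeric/sequential id: guessable, brute-forceable")
    return findings


def mint_session_id():
    """Unpredictable ID in place of a counter like 101460 (32 random bytes, URL-safe)."""
    return secrets.token_urlsafe(32)


def set_cookie_header(session_id):
    """State Example (1): Secure keeps the cookie on HTTPS only, HttpOnly keeps it
    away from page scripts (the active content discussed earlier in the lesson)."""
    return f"Set-Cookie: Session={session_id}; Secure; HttpOnly; SameSite=Lax"
```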

  23. OTHER CLIENT SIDE VULNERABILITIES • Browser Plug-ins • Plug-in: special software programs that are integrated with Web browsers • Examples: RealAudio, Shockwave • E-Mail Attachments • The primary threat vector for viruses and for installing hacker backdoors

  24. Other Client Side Vulnerabilities • Browser Flaws • Allow viewing of local files • Allow posting of files to your browser • Allow moving of files • Using HTTP as a mechanism to circumvent the firewall

  25. E-Commerce Attack Scenario • Use IIS Unicode exploit • Put remote listener on Web site • Listen on port 80 • Send all port 80 traffic to Dr. Evil’s site • Logins and passwords captured • Sniffed password later used with HTTP proxy software to access your E-BANK

  26. E-Commerce Attack Scenario • Man-in-the-middle attack • Dr. Evil injects himself in between you and the site • Installs HTTP proxy software to see what is being transferred on port 80 • Breaks the transmission path and inserts his own commands

  27. Summary • Picture: 23-year-old geek hacker • Recent advertising quote: “Today my worm will destroy: 18 days of revenue, 1.7 million dollars of profit, 4,000 lifetimes of greed.” • FEEL FREE TO GO HOME AND GET ON-LINE?