Lesson 14: Client Side Vulnerabilities (aka The Perils of HTTP)

Overview
• Executable Content
• Client/Server Computing
• Maintaining State

Executable Content
• Sometimes called active content or mobile code
• ActiveX controls and Java applets (http://www.hamsterdance.com/)
• Scripts: JavaScript and VBScript
• Browser plug-ins that execute graphic and audio files
• All these "enrich" your web browsing experience

Client/Server Computing
Executable content:
• Helps achieve wide-scale information distribution
• Advances client/server computing
• Exploits "push" technology through filtered sites
  – Relevant data pushed at pre-defined time intervals
• Allows the ability to implement intelligent pull models
  – Web client programmed to learn user preferences

What Is ActiveX
• MS framework that allows programs encapsulated in units called controls to be embedded in Web pages
• Web browsers that support ActiveX allow ActiveX controls (programs) to download and execute on their machines
• These programs can do whatever you program them to do... even execute damaging code
• ActiveX is language independent, but platform specific
• They can only execute on Windows 32 machines

ActiveX Containers
• ActiveX Container: a technology used in many ActiveX applications
• ActiveX controls are embedded within an ActiveX Container
• Provides sophisticated processing functions that work much like browser plug-ins
• Since containers are designed independently, they can work inconsistently (maliciously) when combined

ActiveX Scripting
Common languages: Perl, VBScript, JavaScript, JScript (MS)
• Scripting can come from within ActiveX controls
• Scripting can come from the Web server: commands sent to the client for execution
• Developer decides whether to mark scripting as safe
• Client decides whether to accept or reject scripting

Authenticode
• MS technology for thwarting malicious ActiveX code from executing on Windows platforms
• Provides two checks:
  – Verifies who signed the ActiveX code
  – Verifies the integrity of the ActiveX code
• Digital signatures issued by several Certification Authorities (CAs) provide the functionality
• Execution of this functionality is much like PKI:
  – Upon download, the signature is stripped from the ActiveX code and verified as coming from a valid CA
  – Then it is checked to see whether the software developer signed the code
  – Finally, the downloaded code's hash is checked against the regenerated hash to verify integrity

Authenticode Security
• A signature provides no assurance that the code will work properly
• The technology works solely on a trust model
• Since the advent of IE 4 the concept of security zones has emerged:
  – Local intranet zone
  – Trusted sites zone
  – Internet zone
  – Restricted sites zone
• User control (or lack thereof) of setting security policy can be debilitating

Java Characteristics
• Multi-platform (MS, Mac, UNIX) language quickly finding acceptance
• Java applets on client machines add new layers of functionality
• Originally designed to run in embedded systems
• Are you ready for the talking refrigerator?

Java Security Approach
• The Java Sandbox is the Java security model
• The Java Applet Sandbox constrains applets from accessing frangible resources
• Thus, the Java Applet Sandbox model is based on restricting the behavior of the applet
• Signed applets are now also being used
• Signed applets allow the applets to "play" outside the sandbox

Maintaining State
• HTTP is a stateless protocol
• Web sessions are considered connectionless

TCP Data Flow, Stateless Example (Student <-> Server)
1. TCP 3-way handshake
2. SSL connection established
3. HTTP request for Web page
4. Web page sent
5. End connection
6. Repeat for embedded files

State Example (1) (Student <-> Server)
1. TCP 3-way handshake
2. SSL connection established
3. HTTP request for Web page
4. Web page sent + cookie
5. End connection

State Example (2) (Student <-> Server)
1. TCP 3-way handshake
2. SSL connection established
3. HTTP request for Web page
4. Get cookie + send Web page
5. End connection

Cookies for Life
Pros:
• Add state
• Increase throughput
• Can add authentication
Cons:
• Privacy issues
  – Collecting Web usage data
  – Profiling Web visitors
• Security
  – Improper state tracking results in security holes
  – Cookie hijacking (if the client is hacked)

HTTP Session Tracking
• URL session tracking
• Hidden form elements
• Cookies

HTTP Authentication
• Logon sequence generates a session ID
  – ID passed to the browser
• URL session tracking
  – ID passed in the URL itself
• Hidden form elements
  – Within the HTML source code
• Cookies
• The session ID can be passed over HTTP or HTTPS

Authentication Examples
• URL session tracking: http://www.rbfcu.org/checking_balance.asp?ID=101460
• Hidden form element: <input Type="hidden" Name="Session" Value="101460">
• Cookie: EAZBKRBFCU101460

Other Client Side Vulnerabilities
• Browser plug-ins
  – Plug-in: special software programs that are integrated with Web browsers
  – Examples: RealAudio, Shockwave
• E-mail attachments
  – The primary threat vector for viruses and for installing hacker backdoors
• Browser flaws
  – Allow viewing of local files
  – Allow posting of files to your browser
  – Allow moving of files
• Using HTTP as a mechanism to circumvent the firewall

E-Commerce Attack Scenario
• Use IIS Unicode exploit
  – Put a remote listener on the Web site
  – Listen on port 80
  – Send all port 80 traffic to Dr. Evil's site
  – Logins and passwords captured
  – Sniffed password later used with HTTP proxy software to access your e-bank
• Man-in-the-middle attack
  – Dr. Evil injects himself in between you and the site
  – Installs HTTP proxy software to see what is being transferred on port 80
  – Breaks the transmission path and inserts his own commands

Summary
[Picture: 23 year old geek hacker]
Recent advertising quote: "Today my worm will destroy: 18 days of revenue, 1.7 million dollars of profit, 4,000 lifetimes of greed."
Feel free to go home and get on-line?
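The HTTP Session Tracking and Authentication Examples slides above list three carriers for a session ID. As an added example (not part of the lesson), the code below extracts an ID from each carrier, flags the short numeric IDs of the kind shown on the slides as guessable, and shows how a server would issue a random ID as a cookie with the Secure and HttpOnly attributes, so it travels only over HTTPS and is out of reach of scripts, which addresses the "session ID over HTTP" and cookie-hijacking cons. The parameter names ID and Session and all sample values other than the slide's own are assumptions.

```python
# Added example, not code from the lesson: the three session-ID carriers
# (URL query, hidden form element, cookie) and a hardened cookie to issue.
import re
import secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlparse

# Matches a hidden <input> and captures its name and value (assumed format).
HIDDEN_RE = re.compile(
    r'<input[^>]*type=["\']?hidden["\']?[^>]*name=["\']?(\w+)["\']?'
    r'[^>]*value=["\']?([^"\'>\s]+)', re.IGNORECASE)


def find_session_ids(url, cookie_header="", html=""):
    """Return the session ID found in each carrier (None where absent).
    Parameter names ID (URL) and Session (form, cookie) are assumptions."""
    found = {"url": None, "form": None, "cookie": None}
    qs = parse_qs(urlparse(url).query)
    if "ID" in qs:                      # ID in the URL: lands in logs/Referer
        found["url"] = qs["ID"][0]
    m = HIDDEN_RE.search(html)
    if m and m.group(1).lower() == "session":
        found["form"] = m.group(2)      # ID in the HTML source
    jar = SimpleCookie()
    jar.load(cookie_header)
    if "Session" in jar:
        found["cookie"] = jar["Session"].value
    return found


def looks_guessable(sid):
    """Short or purely numeric IDs (like 101460 on the slides) can be
    enumerated; a real session ID must be long and random."""
    return sid.isdigit() or len(sid) < 16


def issue_session_cookie(name="Session"):
    """Server side: 256 random bits bound to a cookie the browser sends only
    over TLS (Secure), hides from scripts (HttpOnly) and keeps same-site."""
    sid = secrets.token_urlsafe(32)
    jar = SimpleCookie()
    jar[name] = sid
    jar[name]["secure"] = True
    jar[name]["httponly"] = True
    jar[name]["samesite"] = "Strict"
    jar[name]["path"] = "/"
    return sid, jar.output(header="Set-Cookie:")
```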