Client Side Vulnerabilities

1
Client Side Vulnerabilities
Lesson 14

• Aka, The Perils of HTTP

2
Overview

• Executable Content
• Client/Server Computing
• Maintaining State

3
Executable Content

• Sometimes called active content or mobile code
• ActiveX controls and Java Applets
  http//www.hamsterdance.com/
• Scripts Java Script and VBScript
• Browser plug-ins that execute graphic and audio
  files
• All these enrich your web browsing experience

4
Client/Server Computing

• Executable Contents
• Help achieve wide-scale info distribution
• Advances client/server computing
• Exploits push technology through filtered sites
• Relevant data pushed at pre-defined time intervals

5
Client/Server Computing

• Allows ability to implement intelligent pull
  models
• WEB client programmed to learn user preferences

6
WHAT IS ACTIVE X

• MS Framework that allows programs encapsulated in
  units called controls to be embedded in Web
  pages.
• Web browsers that support ActiveX allow Active X
  controls (programs) to download and execute on
  their machines.
• These programs can do whatever you program them
  to do....even execute damaging code.
• ActiveX is language independent, but platform
  specific
• They can only execute on Windows 32 machines

7
ActiveX CONTAINERS

• ActiveX Container a technology used in many
  ActiveX applications
• ActiveX controls embedded within an ActiveX
  Container
• Provides sophisticated processing functions that
  work much like browser plug-ins
• Since Containers are designed independently they
  can work inconsistently (maliciously) when
  combined

8
ActiveX SCRIPTING

• Common Languages Perl, VBScript, JavaScript,
  JScript (MS)
• Scripting can come from within ActiveX Controls
• Scripting can come from Web server--commands sent
  to client for execution
• Developer decides to mark Scripting as safe
• Client decides whether to accept scripting or
  reject

9
AUTHENTICODE

• MS Technology for thwarting malicious ActiveX
  code from executing on Windows platforms
• Provides two checks
• Verifies who signs the ActiveX code
• Verifies integrity of ActiveX code
• Digital signatures issued by several
  Certification Authorities (CAs) provide the
  functionality
• Execution of this functionality is much like PKI
• Upon download signature is stripped from ActiveX
  code and verified as from a valid CA
• Then it is checked to see if software developer
  signed the code
• Finally the downloaded code's hash is checked
  against the regenerated hash to verify integrity

10
AUTHENTICODE SECURITY

• Signature provides no assurance that code will
  work properly
• Technology works solely on a trust model
• Since advent of IE 4 the concept of security
  zones emerged
• Local intranet zone
• Trusted sites zone
• Internet zone
• Restricted sites zone
• User control (or lack there) of setting security
  policy can be debilitating

11
JAVA CHARACTERISTICS

• Multi-platform (MS, Mac, UNIX) language quickly
  finding acceptance
• Java applets on client machines add new layers of
  functionality
• Originally designed to run in embedded systems
• Are you ready for the talking refrigerator?

12
JAVA SECURITY APPROACH

• Java Sandbox is the Java Security Model
• Java Applet Sandbox constrains applets from
  accessing frangible resources
• Thus, Java Applet Sandbox model is based on
  restricting the behavior of the applet
• Signed applets now also being used
• Signed applets allow the applets to "play"
  outside the sandbox

13
JAVA SECURITY APPROACH

• Java Sandbox is the Java Security Model
• Java Applet Sandbox constrains applets from
  accessing frangible resources
• Thus, Java Applet Sandbox model is based on
  restricting the behavior of the applet
• Signed applets now also being used
• Signed applets allow the applets to "play"
  outside the sandbox

14
Maintaining State

• HTTP is a stateless protocol
• WEB sessions are considered connectionless

15
Stateless Example
END CONNECTION
REPEAT FOR EMBEDDED FILES
16
State Example(1)
END CONNECTION
17
State Example (2)
END CONNECTION
18
Cookies for Life

• Pros
• Add state
• Increases Throughput
• Can Add Authentication

19
Cookies for Life

• Cons
• Privacy issues
• Collecting WEB usage data
• Profiling WEB Visitors
• Security
• Improper state tracking results in security holes
• Cookie Hijacking (if client hacked)

20
HTTP Session Tracking

• URL Session Tracking
• Hidden Form Elements
• Cookies

21
HTTP Authentication

• Logon sequence generates session ID
• Pass ID to browser
• URL Session Tracking
• ID Passed in URL itself
• Hidden Form Elements
• Within HTML Source Code
• Cookies
• Session ID can be passed over HTTP or HTTPS

22
Authentication Examples

• URL Session Tracking
• http//www.rbfcu.org/checking_balance.asp?ID1
  01460
• Hidden Form Elements
• lt input Typehidden Name Session
  Value101460gt
• Cookies
• EAZBKRBFCU101460

23
OTHER CLIENT SIDE VULNERABILITIES

• Browser Plug-ins
• Plug-in special software programs that are
  integrated with Web Browsers
• Examples RealAudio, Shockwave
• E-Mail Attachments
• The primary threat vector for viruses and
  installing hacker backdoors

24
Other Client Side Vulnerabilities

• Browser Flaws
• Allow viewing of local files
• Allow posting of files to your browser
• Allow moving of files
• Using HTTP as mechanism to circumvent Firewall

25
E-Commerce Attack Scenario

• Use IIS Unicode Exploit
• Put remote listener on WEB site
• Listen on Port 80
• Send all Port 80 to Dr. Evils site
• Logins and Passwords Captured
• Sniffed password later used with HTTP proxy
  software to access your E-BANK

26
E-Commerce Attack Scenario

• Man-in-the middle attack
• Dr. Evil injects himself in between you and the
  site
• Installs HTTP Proxy Software to see what is being
  transferred on port 80
• Breaks tranmission path and inserts his own
  commands

27
Summary

• Picture 23 year old Geek Hacker
• Recent Advertising Quote
• Today my worm will destroy
• 18 days of revenue
• 1.7 million dollars of profit
• 4,000 lifetimes of greed.
• FEEL FREE TO GO HOME AND GET ON-LINE?