Client Side Vulnerabilities - PowerPoint PPT Presentation

Slides: 28
Provided by: Kauf

Transcript and Presenter's Notes

1
Client Side Vulnerabilities
Lesson 14
  • Aka, The Perils of HTTP

2
Overview
  • Executable Content
  • Client/Server Computing
  • Maintaining State

3
Executable Content
  • Sometimes called active content or mobile code
  • ActiveX controls and Java Applets
    http://www.hamsterdance.com/
  • Scripts: JavaScript and VBScript
  • Browser plug-ins that execute graphic and audio
    files
  • All these enrich your web browsing experience

4
Client/Server Computing
  • Executable Content
  • Help achieve wide-scale info distribution
  • Advances client/server computing
  • Exploits push technology through filtered sites
  • Relevant data pushed at pre-defined time intervals

5
Client/Server Computing
  • Allows ability to implement intelligent pull
    models
  • WEB client programmed to learn user preferences

6
WHAT IS ACTIVEX
  • MS framework that allows programs encapsulated in
    units called controls to be embedded in Web
    pages.
  • Web browsers that support ActiveX allow ActiveX
    controls (programs) to download and execute on
    the user's machine.
  • These programs can do whatever you program them
    to do... even execute damaging code.
  • ActiveX is language independent, but platform
    specific
  • They can only execute on Win32 (Windows) machines

7
ActiveX CONTAINERS
  • ActiveX Container: a technology used in many
    ActiveX applications
  • ActiveX controls embedded within an ActiveX
    Container
  • Provides sophisticated processing functions that
    work much like browser plug-ins
  • Since Containers are designed independently they
    can work inconsistently (maliciously) when
    combined

8
ActiveX SCRIPTING
  • Common languages: Perl, VBScript, JavaScript,
    JScript (MS)
  • Scripting can come from within ActiveX controls
  • Scripting can come from the Web server: commands
    sent to the client for execution
  • Developer decides to mark Scripting as safe
  • Client decides whether to accept scripting or
    reject

9
AUTHENTICODE
  • MS technology for preventing malicious ActiveX
    code from executing on Windows platforms
  • Provides two checks:
  • Verifies who signed the ActiveX code
  • Verifies the integrity of the ActiveX code
  • Digital signatures, with certificates issued by
    several Certification Authorities (CAs), provide
    the functionality
  • Execution of this functionality is much like PKI
  • Upon download, the signature is extracted from the
    ActiveX code and verified as coming from a valid CA
  • Then it is checked whether the software developer
    signed the code
  • Finally, the downloaded code's hash is recomputed
    and compared with the hash in the signature to
    verify integrity

10
AUTHENTICODE SECURITY
  • Signature provides no assurance that code will
    work properly
  • Technology works solely on a trust model
  • Since the advent of IE 4, the concept of security
    zones has emerged:
  • Local intranet zone
  • Trusted sites zone
  • Internet zone
  • Restricted sites zone
  • User control (or lack thereof) over setting
    security policy can be debilitating

11
JAVA CHARACTERISTICS
  • Multi-platform (MS, Mac, UNIX) language quickly
    finding acceptance
  • Java applets on client machines add new layers of
    functionality
  • Originally designed to run in embedded systems
  • Are you ready for the talking refrigerator?

12
JAVA SECURITY APPROACH
  • Java Sandbox is the Java Security Model
  • Java Applet Sandbox constrains applets from
    accessing frangible resources
  • Thus, Java Applet Sandbox model is based on
    restricting the behavior of the applet
  • Signed applets now also being used
  • Signed applets allow the applets to "play"
    outside the sandbox

14
Maintaining State
  • HTTP is a stateless protocol
  • WEB sessions are considered connectionless

15
Stateless Example
  (diagram not extracted; surviving labels: END CONNECTION, REPEAT FOR EMBEDDED FILES)

16
State Example (1)
  (diagram not extracted; surviving label: END CONNECTION)

17
State Example (2)
  (diagram not extracted; surviving label: END CONNECTION)

18
Cookies for Life
  • Pros
  • Adds state
  • Increases throughput
  • Can add authentication

19
Cookies for Life
  • Cons
  • Privacy issues
  • Collecting WEB usage data
  • Profiling WEB Visitors
  • Security
  • Improper state tracking results in security holes
  • Cookie hijacking (if the client is compromised)

20
HTTP Session Tracking
  • URL Session Tracking
  • Hidden Form Elements
  • Cookies

21
HTTP Authentication
  • Logon sequence generates session ID
  • Pass ID to browser
  • URL Session Tracking
  • ID Passed in URL itself
  • Hidden Form Elements
  • Within HTML Source Code
  • Cookies
  • Session ID can be passed over HTTP or HTTPS

22
Authentication Examples
  • URL Session Tracking
  • http://www.rbfcu.org/checking_balance.asp?ID=101460
  • Hidden Form Elements
  • <input Type=hidden Name=Session Value=101460>
  • Cookies
  • EAZBKRBFCU=101460
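
Added example (not from the slides): the three session-ID carriers from the two slides above, located in constructed requests, with the exposure each carrier implies from a defender's view. The host example.test, the SESSION_NAMES watch-list and the function names are assumptions; the sample values are modelled on the slide's 101460 ID.

```python
from html.parser import HTMLParser
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

# Constructed watch-list of parameter/cookie names that carry the session ID
# (hypothetical; the slide's "Session" field and "EAZBKRBFCU" cookie included).
SESSION_NAMES = {"id", "session", "sessionid", "eazbkrbfcu"}

def id_from_url(url):
    """Carrier 1: ID in the query string; constructed e.g. ...asp?ID=101460 -> "101460"."""
    for name, values in parse_qs(urlsplit(url).query).items():
        if name.lower() in SESSION_NAMES:
            return values[0]
    return None

class _HiddenInputs(HTMLParser):
    def __init__(self):
        super().__init__()
        self.found = {}  # name -> value of every <input type=hidden> on the page

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "hidden":
            self.found[(a.get("name") or "").lower()] = a.get("value")

def id_from_form(html):
    """Carrier 2: ID in <input type=hidden name=Session value=101460> (constructed)."""
    parser = _HiddenInputs()
    parser.feed(html)
    return next((v for n, v in parser.found.items() if n in SESSION_NAMES), None)

def id_from_cookie(header):
    """Carrier 3: ID in the Cookie header, e.g. "EAZBKRBFCU=101460" (constructed)."""
    jar = SimpleCookie()
    jar.load(header)
    return next((m.value for n, m in jar.items() if n.lower() in SESSION_NAMES), None)

def exposure(carrier, session_id, over_https):
    """Defender's view: leak surface of the carrier, clear-text transport, guessability."""
    notes = []
    if carrier == "url":
        notes.append("ID lands in browser history, proxy/server logs and the Referer header")
    elif carrier == "form":
        notes.append("ID is readable in the page source and in any saved copy of the page")
    if not over_https:
        notes.append("ID crosses the network in clear text over HTTP")
    if session_id.isdigit() and len(session_id) <= 8:
        notes.append("short all-digit ID is easy to guess; use a long random token")
    return notes
```

Only the cookie carrier served over HTTPS with a long random token yields an empty exposure list; the slide's URL example trips every check.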

23
OTHER CLIENT SIDE VULNERABILITIES
  • Browser Plug-ins
  • Plug-in: special software programs that are
    integrated with Web browsers
  • Examples: RealAudio, Shockwave
  • E-Mail Attachments
  • The primary threat vector for viruses and
    installing hacker backdoors

24
Other Client Side Vulnerabilities
  • Browser Flaws
  • Allow viewing of local files
  • Allow posting of files to your browser
  • Allow moving of files
  • Using HTTP as mechanism to circumvent Firewall

25
E-Commerce Attack Scenario
  • Use IIS Unicode Exploit
  • Put remote listener on WEB site
  • Listen on Port 80
  • Send all Port 80 traffic to Dr. Evil's site
  • Logins and Passwords Captured
  • Sniffed password later used with HTTP proxy
    software to access your E-BANK

26
E-Commerce Attack Scenario
  • Man-in-the-middle attack
  • Dr. Evil injects himself in between you and the
    site
  • Installs HTTP proxy software to see what is being
    transferred on port 80
  • Breaks the transmission path and inserts his own
    commands

27
Summary
  • Picture a 23-year-old geek hacker
  • Recent Advertising Quote
  • Today my worm will destroy
  • 18 days of revenue
  • 1.7 million dollars of profit
  • 4,000 lifetimes of greed.
  • FEEL FREE TO GO HOME AND GET ON-LINE?