Oriyano / Shimonski | Client-Side Attacks and Defense | E-Book | sack.de

Oriyano / Shimonski: Client-Side Attacks and Defense
E-book, English, 293 pages

ISBN: 978-1-59749-591-2
Publisher: Elsevier Trade Monographs
Format: PDF
Copy protection: Adobe DRM



Individuals wishing to attack a company's network have found a new path of least resistance: the end user. A client-side attack is one that uses the inexperience of the end user to create a foothold on the user's machine and therefore in the network. Client-side attacks are everywhere and hidden in plain sight; common hiding places are malicious Web sites and spam. A simple click on a link will allow the attacker to enter. This book presents a framework for defending your network against these attacks in an environment where it might seem impossible. The most current attacks are discussed along with their delivery methods, such as browser exploitation, use of rich Internet applications, and file format vulnerabilities. The severity of these attacks is examined along with defences against them, including antivirus and anti-spyware, intrusion detection systems, and end-user education.

- Design and implement your own attack, and test methodologies derived from the approach and framework presented by the authors
- Learn how to strengthen your network's host- and network-based defense against attackers' number one remote exploit: the client-side attack
- Defend your network against attacks that target your company's most vulnerable asset: the end user

Further information & material


1;Front cover;1
2;Client-Side Attacks and Defense;2
3;Copyright;5
4;Dedication;6
5;Biography;8
6;Contents;10
7;Client-Side Attacks Defined;14
7.1;Client-Side Attacks: An Overview;16
7.1.1;Why Are Client-Side Attacks Successful?;27
7.1.2;Motivations Behind Client-Side Attacks;28
7.2;Types of Client-Side Attacks;30
7.2.1;Confidentiality Impact;30
7.2.1.1;Cookies;31
7.2.1.2;AutoComplete and Browser History;31
7.2.1.3;Clipboard Attacks;31
7.2.1.4;Social Engineering;32
7.2.1.5;Client Scanning;32
7.2.2;Integrity Impact;33
7.2.2.1;Cross-Site/Domain/Zone Scripting;33
7.2.2.2;Drive-by-Pharming;33
7.2.2.3;Malware;34
7.2.3;Availability Impact;34
7.2.3.1;Denial-of-Service (DoS);34
7.2.3.2;Pop-Ups and Pop-Unders;35
7.2.3.3;Image Flooding;36
7.3;Summary;36
8;Dissection of a Client-Side Attack;38
8.1;What Constitutes a Client-Side Attack?;38
8.1.1;Initiating an Attack: A Look at Cross-Site Scripting (XSS);40
8.1.1.1;The Net Result;46
8.1.2;The Threats of Cross-Site Scripting;47
8.1.2.1;Planning the Attack;48
8.1.3;Anatomy of Some Potential Attacks;48
8.1.3.1;Theft of Information in User Cookies;49
8.1.3.2;Sending an Unauthorized or Unknown Request;52
8.1.4;Other Client-Side Attacks;52
8.1.5;Vulnerabilities that Lead to Client-Side Attacks;59
8.2;Summary;61
8.3;Reference;61
9;Protecting Web Browsers;62
9.1;Common Functions of a Web Browser;63
9.1.1;Features of Modern Browsers;64
9.2;Microsoft Internet Explorer;65
9.2.1;Features;65
9.2.2;Security;69
9.2.3;Add-ons and Other Features;72
9.2.3.1;Known Security Flaws in Internet Explorer;74
9.3;Mozilla Firefox;75
9.3.1;Features;75
9.3.1.1;Platform Support;76
9.3.2;Security;78
9.3.3;Add-ons and Other Features;80
9.3.3.1;Known Security Flaws in Firefox;82
9.4;Google Chrome;83
9.4.1;Features;83
9.4.2;Security;85
9.4.3;Add-ons and Other Features;88
9.4.3.1;Known Security Flaws in Google Chrome;88
9.5;Apple Safari;89
9.5.1;Features;89
9.5.2;Security;91
9.5.3;Add-ons and Other Features;93
9.5.3.1;Known Security Flaws in Apple Safari;93
9.6;Opera;94
9.6.1;Features;94
9.6.2;Security;96
9.6.3;Add-ons and Other Features;96
9.6.3.1;Known Security Flaws in Opera;98
9.7;Web Browsers as a Target;99
9.7.1;Selecting a Safe Web Browser;100
9.8;Summary;102
10;Security Issues with Web Browsers;104
10.1;What is Being Exposed?;105
10.1.1;Many Features, Many Risks;105
10.1.1.1;Exploiting Confidential Information;106
10.1.1.2;JavaScript;106
10.1.1.3;Cascading Style Sheets (CSS);108
10.1.1.4;Exploiting what is Stored;109
10.1.1.4.1;Exploiting Internet Explorer (IE);109
10.1.1.4.2;Exploiting Firefox;112
10.1.1.5;Limits on Browsing History;113
10.1.2;Tabnapping;114
10.1.3;Is Private Really Private?;116
10.2;Summary;118
11;Advanced Web Attacks;120
11.1;What is Active Content?;120
11.1.1;A Mix of Active Technologies;122
11.1.1.1;Java and ActiveX Controls;122
11.2;A Closer Look at Active Content Types;123
11.2.1;Microsoft Silverlight;123
11.2.2;ActiveX;126
11.2.3;Java;131
11.2.4;JavaScript;135
11.2.5;VBScript;139
11.2.6;HTML 5;140
11.3;Summary;141
12;Advanced Web Browser Defenses;142
12.1;A Mix of Protective Measures;143
12.1.1;A Mix of Potential Threats;144
12.1.1.1;Locking Down the Web Browser;145
12.1.2;A Review of Browser Features and Security Risks;145
12.1.2.1;ActiveX Related Risks;146
12.1.2.1.1;Securing ActiveX;146
12.1.2.2;Oracle Java Related Risks;148
12.1.2.2.1;Java’s Security Model;149
12.1.2.2.2;Securing Java;150
12.1.2.3;JavaScript Related Risks;153
12.1.2.3.1;Securing JavaScript;153
12.1.2.4;Adobe Flash Related Risks;157
12.1.2.4.1;Securing Adobe Flash;157
12.1.2.5;VBScript Related Risks;159
12.1.2.5.1;Securing VBScript;159
12.1.3;Browser-Based Defenses;159
12.1.3.1;Internet Explorer;160
12.1.3.1.1;Sandboxing;160
12.1.3.1.2;Privacy Settings;161
12.1.3.1.3;Automatic Crash Recovery;163
12.1.3.1.4;SmartScreen Filter;163
12.1.3.1.5;Cross-Site Scripting Filter;164
12.1.3.1.6;Certificate Support;164
12.1.3.1.7;InPrivate Browsing;164
12.1.3.1.8;Security zones;165
12.1.3.1.9;Content Advisor;167
12.1.3.2;Mozilla Firefox;168
12.1.3.2.1;Sandboxing;168
12.1.3.2.2;Crash Protection;168
12.1.3.2.3;Instant Web Site ID;169
12.1.3.2.4;Improved Phishing Prevention;169
12.1.3.2.5;Improved Malware Protection;169
12.1.3.2.6;Forget this Site;169
12.1.3.2.7;Clear Recent History;170
12.1.3.2.8;Add-ons;170
12.1.3.2.9;Anti-virus Integration;171
12.1.3.3;Google Chrome;172
12.1.3.3.1;Sandboxing;172
12.1.3.3.2;Safe Browsing and Content Control;172
12.1.3.3.3;ClickJacking Protection with X-Frame-Options;173
12.1.3.3.4;Reflective XSS Protection;173
12.1.3.3.5;CSRF Protection via Origin Header;173
12.1.3.3.6;Strict-Transport-Security;174
12.1.3.3.7;Cross-Origin Communication with PostMessage;174
12.1.4;Supporting the Browser;174
12.1.4.1;The Role of Anti-virus Software;174
12.1.4.2;The Role of Anti-Spyware;175
12.2;Summary;176
13;Messaging Attacks and Defense;178
13.1;Evolution of the Email Client;179
13.1.1;Present Day Messaging Clients;181
13.1.2;Email Client Programs;183
13.1.2.1;Mail Processing;187
13.1.2.2;Client Server Interaction;193
13.1.3;Sending and Receiving Mail;194
13.1.4;Webmail;196
13.2;Messaging Attacks and Defense;197
13.2.1;Spam;198
13.2.2;Malware;199
13.2.3;Malicious Code;200
13.2.4;Denial of Service (DoS) Attacks;200
13.2.5;Hoaxes;202
13.2.6;Phishing;203
13.3;Summary;205
14;Web Application Attacks;208
14.1;Understanding Web Applications;209
14.1.1;Types of Web Applications;213
14.1.1.1;Microsoft ActiveX;213
14.1.1.1.1;Security Issues with ActiveX;215
14.1.1.2;Oracle Java;216
14.1.1.2.1;Security Issues with Java;217
14.1.1.3;Microsoft Silverlight;219
14.1.1.3.1;Security Issues with Silverlight;220
14.1.1.4;JavaScript;221
14.1.1.4.1;Security Issues with JavaScript;222
14.1.1.5;VBScript;223
14.1.1.5.1;Security Issues with VBScript;225
14.1.2;The Benefit of Using Web Applications;226
14.1.2.1;Application is Never Installed Client Side or only Minimally Installed;226
14.1.2.2;Seamless and Simplified Upgrade Process;226
14.1.2.3;One Version to Rule Them All;227
14.1.2.4;Anytime, Anywhere;227
14.1.2.5;No Installation Required and no Permissions;228
14.1.2.6;Platform Agnostic;228
14.1.2.7;Platform Independence, No Platform Problems;228
14.1.2.8;Lower Resource Requirements;228
14.1.2.9;Licensing Control;228
14.2;Web Application Attacks and Defense;229
14.2.1;Remote Code Execution;230
14.2.2;SQL Injection;230
14.2.3;Format String Vulnerabilities;230
14.2.4;Cross Site Scripting;231
14.2.5;Username Enumeration;231
14.2.6;Misconfiguration;232
14.3;What’s the Target?;232
14.3.1;Personal Information;232
14.3.2;Financial Data;233
14.4;Summary;234
15;Mobile Attacks;236
15.1;Mobile Devices and Client-Side Attacks;237
15.1.1;Communication Types;239
15.1.1.1;Cellular Networking;240
15.1.1.2;Wireless Networking;240
15.1.1.3;Bluetooth;241
15.1.2;Types of Mobile Devices;242
15.1.2.1;Apple;242
15.1.2.2;Google;244
15.1.2.2.1;RIM;247
15.1.3;Mobile Devices Attacks;248
15.1.3.1;Snooping and Tracking;248
15.1.3.2;Malware;248
15.1.3.3;Unsafe Web Applications;249
15.1.3.4;Web Browser Exploits;249
15.1.3.5;Device Theft;251
15.1.3.6;Man in the Middle (MITM) Attacks;251
15.1.3.7;Denial of Service (DoS) Attacks;251
15.1.3.8;Social Engineering;252
15.1.4;Mobile Device Weaknesses;252
15.1.4.1;Web Browsers;252
15.1.4.2;Apps/Web Applications;252
15.1.4.3;Physical Security;253
15.2;Summary;253
16;Securing Against Client-Side Attack;256
16.1;Security Planning;257
16.1.1;Planning for Security;257
16.2;Securing Applications and Infrastructure;259
16.2.1;Web Application Security Process;259
16.2.2;Securing Infrastructure;261
16.2.3;Securing Applications;263
16.2.3.1;Security-Enabled Applications;264
16.2.4;Types of Security Used In Applications;265
16.2.5;Digital Signatures;265
16.2.6;Digital Certificates;266
16.2.7;Reviewing the Basics of PKI;267
16.2.7.1;Certificate Services;268
16.2.8;Testing Your Security Implementation;268
16.2.8.1;Application Security Implementation;270
16.3;Securing Clients;272
16.3.1;Malware Protection;272
16.3.1.1;Viruses;273
16.3.1.2;Worms;273
16.3.1.3;Macro Virus;274
16.3.1.4;Trojan Horses;275
16.3.1.4.1;Hoaxes;275
16.3.2;How to Secure Against Malicious Software;276
16.3.2.1;Anti-Virus Software;276
16.3.2.2;Updates and Patches;279
16.3.2.3;Web Browser Security;279
16.4;Summary;279
17;Index;282
17.1;A;282
17.2;B;283
17.3;C;284
17.4;D;285
17.5;E;285
17.6;F;286
17.7;G;286
17.8;H;286
17.9;I;286
17.10;J;287
17.11;K;288
17.12;M;288
17.13;N;289
17.14;O;289
17.15;P;289
17.16;Q;289
17.17;R;289
17.18;S;289
17.19;T;290
17.20;U;290
17.21;V;290
17.22;W;290
17.23;X;291
17.24;Y;291
17.25;Z;291


Chapter 2
Dissection of a Client-Side Attack
Information in this chapter:
- What Constitutes a Client-Side Attack?

As we saw in Chapter 1, there are many actions that can be used to attack a client system, each able to cause harm in its own way. With the seemingly endless and ever-increasing number of web-enabled applications on everything from mobile devices to desktops, the problem becomes even more of a concern for the security professional and an increasing threat for end users and enterprises worldwide. The key to defending against these attacks is understanding exactly how they work: knowing how one occurs and identifying the components and conditions that make it possible. In this chapter we discuss what it takes to carry out one of these attacks and what vulnerabilities make it possible. Once we understand the attack, we will explore how it affects some of the applications found on the desktop. Understanding the vulnerabilities and how they are present in the various web-enabled applications will also give you insight into the scope of the threat and how to defend client systems.

What Constitutes a Client-Side Attack?
In the previous chapter we compared and contrasted client-side attacks with their well-known cousin, the server-side attack. We also introduced a sampling of the different types of client-side attacks to give a more accurate picture of some of the tools in an attacker's toolbox (and the attacks presented were indeed just a small sampling). Let us now take a closer look at some examples of how client-side attacks work and cover some specific instances where they could cause harm. First, to review and make sure you understand the differences between client-side and server-side attacks, Table 2.1 illustrates the key points that differentiate the two.

Table 2.1 Differences Between Client-Side and Server-Side Attacks

                                                           Client-Side   Server-Side
Targets users (clients, desktops, desktop applications)         X
Targets servers                                                               X
Targets applications                                            X             X
Exploits the client communication process                       X
Exploits vulnerabilities in applications                        X             X

Again, it is important to remember that the choice between server-side and client-side attacks can be made for a number of different reasons, not all of which are covered here. A general rule of thumb: when a client-side attack takes place, it is generally used to exploit the client; when a server-side attack takes place, its purpose is to exploit the server. Depending on where the application is hosted (generally on the server), an attack on it will be a combination of server-side and client-side attacks.

Did You Know?
There really isn't any definitive list of the types of attacks an attacker may use against a client, as the only limit is the attacker's own creativity and skills. Take care not to assume that an attacker is limited to just the attacks discussed in this book: they may rework existing attacks, combine existing attacks, or even form hybrid attack methods to accomplish their goals. In fact it is even possible (and likely) that an attacker will combine server-side and client-side attacks as needed. Understanding the most common attacks and how they work will give you the toolset needed to accurately analyze an attack and mitigate it, no matter where it originates or what its target is.

Initiating an Attack: A Look at Cross-Site Scripting (XSS)
As mentioned in Chapter 1, cross-site scripting (XSS) is one of the most commonly seen attacks today. Although we looked at it in Chapter 1, there is much more to understand about it in order to protect against it, and there are multiple types of XSS. Now that we have had a chance to learn about it, let's look deeper and dissect it.

Reflective XSS is when an attacker initiates an attack and gets a "reflexive" response. For example, an attacker sends you an email, or you visit a website, and you click on a link that causes a malicious script to run. The result is that the script is reflected back to the victim's web browser, where it runs within the trust of the client-side victim's system.

Persistent XSS is based more on the persistent nature of cookies and the storing nature of systems. The end result is the same: the script runs within the trust of the client-side victim's system.

XSS is one of the older types of attacks that can be targeted at a client system and the web browser specifically. To understand XSS, let us first examine the web and hosting environment that exists today and how it leads, or can lead, to the attack known as cross-site scripting. In the early days of the Internet the majority of web sites were static, meaning that they presented one view of the information requested. In this model the format of the content did not change, nor was any interaction allowed, so the experience was very much unchanging. The web as we know it today is very much dynamic, meaning that the data requested by a client can change "shape" and form and be interacted with by the client in their browser. This dynamic nature also means that content can be tailored to a specific user's browser and system configuration. Dynamic means that web sites, pages and content are generated for the user when accessed or used.
Web 2.0 builds upon the principles of dynamic content, as such content is generally shared across web sites, application servers and N-tier systems.

Note
Don't be fooled by all the dynamic content you observe on the web today into assuming that all content is dynamic, even though it may seem so. The web still has plenty of web pages and other content that is strictly static, uses no scripting, and does not use shared content or other means to customize the user's experience. Conversely, don't assume that just because a web page doesn't specially format a page or allow interaction it is static; some scripting may still be done in the background that you cannot observe directly. As we will learn in upcoming chapters, you can learn about the pages you are viewing by viewing the page's source code, which helps you understand what type of content you are using. This can be done directly from the web browser. You can also get clues from the URLs visited, as some will list CGI or other directional information that helps you learn more about the content viewed and used.

Dynamic content in most web sites is added and processed in different ways depending on how the developer designed it and the environment that is present. In most cases dynamic content is generated on the server by a process and delivered to the client in response to a request. Figure 2.1 gives a conceptual view of this interaction.

Figure 2.1 The Client Server Interaction

In Figure 2.1, we see the client/server interaction in detail:
1. The end user wants to access a web site (web content) via his or her web browser.
2. The end user visits a site over the public Internet and reaches the front-end web server.
3. The web server may pull content from another server or servers, such as a database server.
4. The end user can also visit multiple sites depending on what the page is coded to do, so he or she may visit both web servers from one web page. One web server may pull content from another web server, an application server and a database server, in house or across the web.
5. An attacker stands ready to maliciously attack the end user, or any of the servers listed within this example.

When a browser receives any type of content from the web server, it is the browser's responsibility to process it and render the output on the user's screen. If the response coming from the web server happens to be strictly HTML and nothing else (such as XML, JavaScript, or other content), the result displayed on screen is very straightforward and the recipient will get something that is exactly, or very close to, what the designer wanted. On the other hand, if dynamic content is used, things get very interesting, as many variables are introduced that make the situation harder to control and predict. A designer who creates a web page or site based on dynamic content must try to anticipate as best as possible the environments that may exist on the client systems that will access the content. Because of this, not all dynamic content will be rendered correctly (or safely), depending on variables such as outdated web browsers, missing plug-ins and so on. Adding the final layer to this problem, and of the biggest concern to us, is the fact that during this process it is possible for untrusted or foreign content to be introduced and therefore run at the same level of trust as all the other code on the web page. If this last little detail were to take place during client and server interaction, it is very possible and likely that the untrusted code would...
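The reflective and persistent XSS described above, and the untrusted content that ends up running at the same trust level as the page's own code, as an added Python example that is not from the book: a minimal page renderer shown first vulnerable and then with output escaping and defence-in-depth headers (the function names, the comment store and the test payload are all constructed for illustration).

```python
import html
from urllib.parse import parse_qs

# Added example, not code from the book. A tiny stand-in for a server that
# builds pages from user-supplied data, showing the two XSS flavours the
# chapter describes (reflected via a crafted link, persistent via stored
# input) beside the escaping that keeps that input from becoming code.
# Constructed payload: the classic harmless test string.
TEST_PAYLOAD = "<script>alert(1)</script>"


def query_param(query_string, name):
    """Return the first value of a URL query parameter (hypothetical helper)."""
    return parse_qs(query_string).get(name, [""])[0]


def render_search_vulnerable(query_string):
    """Reflected XSS: 'q' from the link the victim clicked is echoed verbatim,
    so markup inside it becomes part of the page and runs in the site's origin."""
    return f"<h1>Results for {query_param(query_string, 'q')}</h1>"


def render_search_safe(query_string):
    """Same page, but the untrusted value is HTML-escaped for body context.
    Attribute, URL and JavaScript contexts need their own encoders."""
    return f"<h1>Results for {html.escape(query_param(query_string, 'q'), quote=True)}</h1>"


def render_comments_vulnerable(comments):
    """Persistent XSS: stored comments are emitted verbatim to every later visitor."""
    return "<ul>" + "".join(f"<li>{c}</li>" for c in comments) + "</ul>"


def render_comments_safe(comments):
    """Escape at output time, not only at input time, so stored data stays inert."""
    return "<ul>" + "".join(f"<li>{html.escape(c, quote=True)}</li>" for c in comments) + "</ul>"


def contains_script_tag(page):
    """Crude detection aid for the demo: does the rendered HTML carry a <script> tag?"""
    return "<script" in page.lower()


def defensive_headers():
    """Defence-in-depth headers to send alongside escaping: a restrictive CSP
    blocks inline scripts even if an escape is missed, and HttpOnly keeps the
    session cookie out of reach of page scripts (cookie value is a placeholder)."""
    return {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'",
        "Set-Cookie": "session=PLACEHOLDER; HttpOnly; Secure; SameSite=Lax",
    }


if __name__ == "__main__":
    link = "q=%3Cscript%3Ealert(1)%3C/script%3E"  # constructed malicious link
    print(render_search_vulnerable(link))
    print(render_search_safe(link))
    store = [TEST_PAYLOAD]  # constructed in-memory comment store
    print(render_comments_vulnerable(store))
    print(render_comments_safe(store))
```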

