Client-Side Attacks and Defense -  Sean-Philip Oriyano,  Robert Shimonski

Client-Side Attacks and Defense (eBook)

eBook download: PDF | EPUB
2012 | 1st edition
296 pages
Elsevier Science (publisher)
978-1-59749-591-2 (ISBN)

Individuals wishing to attack a company's network have found a new path of least resistance: the end user. A client-side attack is one that uses the inexperience of the end user to create a foothold on the user's machine and therefore on the network. Client-side attacks are everywhere and hidden in plain sight. Common hiding places are malicious Web sites and spam. A simple click of a link will allow the attacker to enter. This book presents a framework for defending your network against these attacks in an environment where it might seem impossible.

The most current attacks are discussed along with their delivery methods, such as browser exploitation, use of rich Internet applications, and file format vulnerabilities. The severity of these attacks is examined along with defences against them, including antivirus and anti-spyware, intrusion detection systems, and end-user education.


  • Design and implement your own attack, and test methodologies derived from the approach and framework presented by the authors
  • Learn how to strengthen your network's host- and network-based defense against attackers' number one remote exploit: the client-side attack
  • Defend your network against attacks that target your company's most vulnerable asset: the end user

Client-Side Attacks and Defense offers background on defending networks against their attackers. The book examines the forms of client-side attacks and discusses different kinds of attacks along with delivery methods including, but not limited to, browser exploitation, use of rich internet applications, and file format vulnerabilities. It also covers defenses, such as antivirus and anti-spyware, intrusion detection systems, and end-user education. The book explains how to secure Web browsers, such as Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Apple Safari, and Opera. It discusses advanced Web attacks and advanced defenses against them. Moreover, it explores attacks on messaging, Web applications, and mobiles. The book concludes with a discussion of security measures against client-side attacks, starting from the planning of security. This book will be of great value to penetration testers, security consultants, system and network administrators, and IT auditors.

Contents
Chapter 1: Client-Side Attacks Defined
  Client-Side Attacks: An Overview
  Why Are Client-Side Attacks Successful?
  Motivations Behind Client-Side Attacks
  Types of Client-Side Attacks
    Confidentiality Impact
      Cookies
      AutoComplete and Browser History
      Clipboard Attacks
      Social Engineering
      Client Scanning
    Integrity Impact
      Cross-Site/Domain/Zone Scripting
      Drive-by-Pharming
      Malware
    Availability Impact
      Denial-of-Service (DoS)
      Pop-Ups and Pop-Unders
      Image Flooding
  Summary

Chapter 2: Dissection of a Client-Side Attack
  What Constitutes a Client-Side Attack?
  Initiating an Attack: A Look at Cross-Site Scripting (XSS)
    The Net Result
    The Threats of Cross-Site Scripting
  Planning the Attack
    Anatomy of Some Potential Attacks
      Theft of Information in User Cookies
      Sending an Unauthorized or Unknown Request
  Other Client-Side Attacks
  Vulnerabilities that Lead to Client-Side Attacks
  Summary
  Reference

Chapter 3: Protecting Web Browsers
  Common Functions of a Web Browser
  Features of Modern Browsers
  Microsoft Internet Explorer
    Features
    Security
    Add-ons and Other Features
    Known Security Flaws in Internet Explorer
  Mozilla Firefox
    Features
    Platform Support
    Security
    Add-ons and Other Features
    Known Security Flaws in Firefox
  Google Chrome
    Features
    Security
    Add-ons and Other Features
    Known Security Flaws in Google Chrome
  Apple Safari
    Features
    Security
    Add-ons and Other Features
    Known Security Flaws in Apple Safari
  Opera
    Features
    Security
    Add-ons and Other Features
    Known Security Flaws in Opera
  Web Browsers as a Target
  Selecting a Safe Web Browser
  Summary

Chapter 4: Security Issues with Web Browsers
  What is Being Exposed?
  Many Features, Many Risks
  Exploiting Confidential Information
    JavaScript
    Cascading Style Sheets (CSS)
  Exploiting what is Stored
    Exploiting Internet Explorer (IE)
    Exploiting Firefox
    Limits on Browsing History
  Tabnapping
  Is Private Really Private?
  Summary

Chapter 5: Advanced Web Attacks
  What is Active Content?
  A Mix of Active Technologies
    Java and ActiveX Controls
  A Closer Look at Active Content Types
    Microsoft Silverlight
    ActiveX
    Java
    JavaScript
    VBScript
    HTML 5
  Summary

Chapter 6: Advanced Web Browser Defenses
  A Mix of Protective Measures
  A Mix of Potential Threats
  Locking Down the Web Browser
    A Review of Browser Features and Security Risks
    ActiveX Related Risks
    Securing ActiveX
    Oracle Java Related Risks
    Java's Security Model
    Securing Java
    JavaScript Related Risks
    Securing JavaScript
    Adobe Flash Related Risks
    Securing Adobe Flash
    VBScript Related Risks
    Securing VBScript
  Browser-Based Defenses
    Internet Explorer
      Sandboxing
      Privacy Settings
      Automatic Crash Recovery
      SmartScreen Filter
      Cross-Site Scripting Filter
      Certificate Support
      InPrivate Browsing
      Security Zones
      Content Advisor
    Mozilla Firefox
      Sandboxing
      Crash Protection
      Instant Web Site ID
      Improved Phishing Prevention
      Improved Malware Protection
      Forget this Site
      Clear Recent History
      Add-ons
      Anti-virus Integration
    Google Chrome
      Sandboxing
      Safe Browsing and Content Control
      ClickJacking Protection with X-Frame-Options
      Reflective XSS Protection
      CSRF Protection via Origin Header
      Strict-Transport-Security
      Cross-Origin Communication with PostMessage
  Supporting the Browser
    The Role of Anti-virus Software
    The Role of Anti-Spyware
  Summary

Chapter 7: Messaging Attacks and Defense
  Evolution of the Email Client
  Present Day Messaging Clients
    Email Client Programs
    Mail Processing
    Client Server Interaction
    Sending and Receiving Mail
    Webmail
  Messaging Attacks and Defense
    Spam
    Malware
    Malicious Code
    Denial of Service (DoS) Attacks
    Hoaxes
    Phishing
  Summary

Chapter 8: Web Application Attacks
  Understanding Web Applications
  Types of Web Applications
    Microsoft ActiveX
      Security Issues with ActiveX
    Oracle Java
      Security Issues with Java
    Microsoft Silverlight
      Security Issues with Silverlight
    JavaScript
      Security Issues with JavaScript
    VBScript
      Security Issues with VBScript
  The Benefit of Using Web Applications
    Application is Never Installed Client Side or only Minimally Installed
    Seamless and Simplified Upgrade Process
    One Version to Rule Them All
    Anytime, Anywhere
    No Installation Required and no Permissions
    Platform Agnostic
    Platform Independence, No Platform Problems
    Lower Resource Requirements
    Licensing Control
  Web Application Attacks and Defense
    Remote Code Execution
    SQL Injection
    Format String Vulnerabilities
    Cross Site Scripting
    Username Enumeration
    Misconfiguration
  What's the Target?
    Personal Information
    Financial Data
  Summary

Chapter 9: Mobile Attacks
  Mobile Devices and Client-Side Attacks
  Communication Types
    Cellular Networking
    Wireless Networking
    Bluetooth
  Types of Mobile Devices
    Apple
    Google
    RIM
  Mobile Devices Attacks
    Snooping and Tracking
    Malware
    Unsafe Web Applications
    Web Browser Exploits
    Device Theft
    Man in the Middle (MITM) Attacks
    Denial of Service (DoS) Attacks
    Social Engineering
  Mobile Device Weaknesses
    Web Browsers
    Apps/Web Applications
    Physical Security
  Summary

Chapter 10: Securing Against Client-Side Attack
  Security Planning
    Planning for Security
  Securing Applications and Infrastructure
    Web Application Security Process
    Securing Infrastructure
    Securing Applications
  Security-Enabled Applications
    Types of Security Used In Applications
      Digital Signatures
      Digital Certificates
      Reviewing the Basics of PKI
      Certificate Services
    Testing Your Security Implementation
    Application Security Implementation
  Securing Clients
    Malware Protection
      Viruses
      Worms
      Macro Virus
      Trojan Horses
      Hoaxes
    How to Secure Against Malicious Software
      Anti-Virus Software
      Updates and Patches
    Web Browser Security
  Summary

Chapter 2

Dissection of a Client-Side Attack

Information in this chapter:

  • What Constitutes a Client-Side Attack?

As we have seen in chapter 1, there are many actions that can be used to attack a client system, each able to cause harm in its own unique way. With the seemingly endless and ever-increasing number of web-enabled applications on everything from mobile devices to desktops, the problem becomes even more of a concern for the security professional and an increasing threat for end users and enterprises world-wide.

The key to defending against these attacks is an understanding of exactly how they work, specifically knowing how one occurs and identifying the components and conditions that make it possible. In this chapter we will discuss what it takes to carry out one of these attacks and what vulnerabilities make this attack possible.

After we understand this attack we will explore how it affects some of the various applications that are found on the desktop. Understanding the vulnerabilities and how they are present on the various web-enabled applications will also provide you with insight into the scope of the threat and how to defend client systems.

What Constitutes a Client-Side Attack?

In the previous chapter we compared and contrasted client-side attacks with their well-known cousin, the server-side attack. We also introduced a sampling of the different types of client-side attacks to provide a more accurate picture of some of the tools in an attacker's toolbox (and the attacks presented were indeed just a small sampling). Let us now take a closer look at some examples of how client-side attacks work and cover some specific instances where they could cause harm.

First, just to review and ensure you understand the differences between client-side and server-side attacks, Table 2.1 is provided to illustrate the key points that differentiate the two.

Table 2.1 Differences Between Client-Side and Server-Side Attacks

                                                          Client-Side   Server-Side
Targets users (clients, desktops, desktop applications)        X
Targets servers                                                              X
Targets applications                                           X             X
Exploits the client communication process                      X
Exploits vulnerabilities in applications                       X             X

Again, it is important to remember that the choice between server-side and client-side attacks can be made for a number of different reasons, not all of which are included here. A general rule of thumb to remember is that when a client-side attack takes place, it is generally used to exploit the client; when a server-side attack takes place, its purpose is to exploit the server. Depending on where the application is hosted (generally on the server), an attack on it will be a combination of server-side and client-side attacks.

Did You Know?

There really isn't any definitive list of the types of attacks an attacker may use against a client, as the only limit is the attacker's own creativity and skills. In fact, care should be taken that you do not automatically assume an attacker is limited to just the attacks discussed in this book, as they may rework existing attacks, combine existing attacks, or even form hybrid attack methods to accomplish their goals. It is even possible (and likely) that an attacker may combine server- and client-side attacks as needed. Understanding the most common attacks and how they work will give you the toolset needed to accurately analyze an attack and mitigate it, no matter where it originates from or what the target is.

Initiating an Attack: A Look at Cross-Site Scripting (XSS)

As mentioned in chapter 1, cross-site scripting (XSS) is one of the most commonly seen attacks today. Although we looked at it in chapter 1, there is much more to understand about it in order to protect against it, and there are multiple types of XSS. Now that we have had a chance to learn about it, let's look deeper into it and dissect it. Reflective XSS is when an attacker initiates an attack and gets a "reflexive" response: for example, an attacker sends you an email, or you visit a website and click on a link, and as a result you run a malicious script. The script is reflected back to the victim's web browser and runs within the trust of the client-side victim's system. Persistent XSS is based more on the persistent nature of cookies and the storing nature of systems. The end result is the same: the script runs within the trust of the client-side victim's system.

XSS is one of the older types of attacks that can be targeted towards a client system and the web browser specifically.

To understand XSS, let us first examine the web and hosting environment that exists today and how it leads, or can lead, to the attack known as Cross-Site Scripting. In the early days of the Internet the majority of web sites were static in nature, meaning that they presented one view of the information requested. In this model the format of the content did not change, nor was any interaction allowed, so the experience was very much unchanging. The web as we know it today is very much dynamic in nature, meaning that the data requested by a client can change "shape" and form and can be interacted with by the client in their browser. This dynamic nature also means that content can be tailored to a specific user's browser and system configuration. Dynamic means that web sites, pages, and content are generated for the user when accessed or used. Web 2.0 builds upon the principles of dynamic content, as such content is generally shared across web sites, application servers, and N-tier systems.

Note

Don't be fooled by all the dynamic content you observe on the web today into assuming that all content is dynamic, even though it may seem so. The web still has plenty of web pages and other content that is strictly static, uses no scripting, and uses no shared content or other means to customize the user's experience. Conversely, don't assume that a web page is static just because it doesn't specially format a page or allow interaction; some scripting may still be done in the background that you cannot observe directly. As we will learn in upcoming chapters, you can learn about the pages you are using and viewing by viewing the page's source code, which helps you understand what type of content you are using and viewing. This can be done directly from the web browser. You can also get clues from the URLs visited, as some will list CGI or other directional information that helps you learn more about the content viewed and used.

Dynamic content in most web sites is added and processed in different ways depending on how the developer designed it and the environment that is present. In most cases dynamic content is generated on the server by a process and delivered to the client in response to a request. Figure 2.1 gives a conceptual view of this interaction.

Figure 2.1 The Client Server Interaction

In Figure 2.1, we see the client/server interaction in detail:

1. The end user wants to access a web site (web content) via his or her web browser.

2. The end user visits a site over the public Internet and visits the front-end web server.

3. The web server may pull content from another server or servers, such as a database server.

4. The end user can also visit multiple sites, depending on what the page is coded to do, so he or she may visit both web servers from one web page. One web server may pull content from another web server, an application server, and a database server, in house or across the web.

5. An attacker stands ready to maliciously attack the end user, or any of the servers listed within this example.

When a browser receives any type of content from the web server, it is the browser's responsibility to process the response and render the output on the user's screen. If the response coming from the web server is strictly HTML and nothing else (no XML, JavaScript, or other content), the result displayed on screen is very straightforward, and the recipient will get something that is exactly, or very close to, what the designer intended. If dynamic content is used, on the other hand, things get much more interesting, as many variables are introduced that make the situation harder to control and predict. A designer who builds a page or site on dynamic content must try to anticipate, as best as possible, the environments that may exist on the client systems that will access the content. Because of this, not all dynamic content will be rendered correctly (or safely), depending on variables such as outdated web browsers, missing plug-ins, and so on. The final layer of the problem, and the one of greatest concern to us, is that during this process it is possible for untrusted or foreign content to be introduced and therefore run at the same level of trust as all the other code on the web page. If this last detail were to take place during client and server interaction, it is very possible and likely that the untrusted code would...
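As an added example (not code from the book), the reflected and persistent XSS cases described under "Initiating an Attack" and the trust point made just above are shown as two small server-side page generators, each in its vulnerable and its output-encoded form; the URL, the guestbook entries and the function names are constructed for illustration.

```python
"""Reflected vs. persistent XSS and the output encoding that neutralises both.

Added example, not code from the book. The "search" and "guestbook" page
generators are hypothetical stand-ins for the server-side process that
builds dynamic content before it is sent to the client.
"""
import html
from urllib.parse import parse_qs, urlsplit

# Constructed sample input: a crafted link of the kind the chapter describes
# being mailed to a victim. The payload is an inert marker string; nothing
# here executes it.
CRAFTED_LINK = "https://shop.example/search?q=%3Cscript%3Emarker%3C%2Fscript%3E"


def query_param(url: str, name: str) -> str:
    """First value of query parameter `name`, percent-decoded, or ''."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_search_vulnerable(url: str) -> str:
    """Reflected XSS: the query string is echoed straight into the HTML, so
    whatever the link carried is parsed as markup by the victim's browser and
    runs with the page's own trust."""
    return f"<h1>Results for {query_param(url, 'q')}</h1>"


def render_search_hardened(url: str) -> str:
    """Same page with output encoding: the untrusted value is HTML-escaped
    before it is placed in the document, so the browser shows it as text."""
    return f"<h1>Results for {html.escape(query_param(url, 'q'), quote=True)}</h1>"


# Constructed sample of persistent (stored) data: a guestbook table in which
# one entry carries markup. Stored XSS differs from reflected XSS only in
# that the payload is saved once and served to every later visitor.
GUESTBOOK = [
    {"author": "alice", "text": "Nice site!"},
    {"author": "mallory", "text": "<script>marker</script>"},
]


def render_guestbook(entries, escape: bool = True) -> str:
    """Render stored entries; escape=False is the vulnerable form."""
    enc = (lambda s: html.escape(s, quote=True)) if escape else (lambda s: s)
    rows = "".join(f"<li><b>{enc(e['author'])}</b>: {enc(e['text'])}</li>"
                   for e in entries)
    return f"<ul>{rows}</ul>"


def unencoded_entries(entries, rendered: str) -> list:
    """Audit helper: authors whose stored text contains markup characters and
    reached the rendered page unchanged, i.e. the encoding step was skipped."""
    return [e["author"] for e in entries
            if any(c in e["text"] for c in "<>&\"'") and e["text"] in rendered]


if __name__ == "__main__":
    print(render_search_vulnerable(CRAFTED_LINK))
    print(render_search_hardened(CRAFTED_LINK))
    print(unencoded_entries(GUESTBOOK, render_guestbook(GUESTBOOK, escape=False)))
    print(unencoded_entries(GUESTBOOK, render_guestbook(GUESTBOOK)))
```

The audit helper is the kind of check a code reviewer or test suite can run over rendered output to catch a template that skipped encoding.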

Publication date (per publisher): 28 Sep 2012
Language: English
ISBN-10 1-59749-591-3 / 1597495913
ISBN-13 978-1-59749-591-2 / 9781597495912