Client-Side Attacks and Defense

Overview

Client-Side Attacks and Defense offers background networks against its attackers. The book examines the forms of client-side attacks and discusses different kinds of attacks along with delivery methods including, but not limited to, browser exploitation, use of rich internet applications, and file format vulnerabilities. It also covers defenses, such as antivirus and anti-spyware, intrusion detection systems, and end-user education. The book explains how to secure Web browsers, such as Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Apple Safari, and Opera. It discusses advanced Web attacks and advanced defenses against them. Moreover, it explores attacks on messaging, Web applications, and mobiles. The book concludes with a discussion on security measures against client-side attacks, starting from the planning of security. This book will be of great value to penetration testers, security consultants, system and network administrators, and IT auditors.

- Design and implement your own attack, and test methodologies derived from the approach and framework presented by the authors
- Learn how to strengthen your network's host- and network-based defense against attackers' number one remote exploit—the client-side attack
- Defend your network against attacks that target your company's most vulnerable asset—the end user

Product Details

ISBN-13: 9781597495912
Publisher: Syngress Publishing
Publication date: 09/28/2012
Sold by: Barnes & Noble
Format: eBook
Pages: 296
File size: 4 MB

About the Author

Sean-Philip Oriyano (CISSP, CNDA, CEH, MCSE) is a veteran of the Information Technology and engineering fields, working with a wide variety of organizations to deliver unique and innovative solutions. He has spent his time in the field working with nearly all aspects of IT and management with special emphasis on Information Security concepts, techniques, and practices. Sean is an advocate of strong security knowledge and practices, has worked with clients such as the U.S. Air Force, U.S. Navy, and U.S. Army, and has been sought out to instruct at locations such as the U.S. Air Force Academy and Naval War College. Sean is an experienced content developer and technical writer who has published articles on the IT and Information Security fields. Sean counts IBM, Amazon, Autodesk, and Microsoft among his clients. Sean publishes content regularly on his web site at www.oriyano.com and shares his knowledge in his classes and lectures. Sean is a member of EC-Council, InfraGard, and BECCA.

Robert Shimonski is a technology executive specializing in healthcare IT for one of the largest health systems in America. In his role at Northwell Health, Rob is a decision maker and strategy planner for information systems operations and technology services. In his current role, Rob is responsible for bringing operational support into the future with the help of new technologies such as cloud and Artificial Intelligence. He is a best-selling author and editor with over 15 years' experience developing, producing, and distributing print media in the form of books, magazines, and periodicals. Rob's professional experience includes work for CompTIA, Entrepreneur Magazine, Microsoft, McGraw-Hill Education, Cisco, the US National Security Agency, and Digidesign. Rob has a diverse background in publishing, including roles such as author, co-author, technical editor, copy editor, and developmental editor. Since print media shifted to the digital domain, Rob has focused the past decade on developing the needed skills to produce professional audio and video media. His research interests are focused on innovation and developing new solutions to create efficiency and bringing forth better outcomes through technology solutions. Rob has a master's degree in IT Management and a master's degree in Industrial Psychology. He is author of Cyber Reconnaissance, Surveillance and Defense, Introduction to Microsoft Certification and Study Skills, and MCSA Windows Server 2003 Upgrade to Server 2008 Technology Specialist Exam Prep from Syngress/Elsevier.

Read an Excerpt

Client-Side Attacks and Defense


By Robert Shimonski, Sean-Philip Oriyano

Elsevier Science

Copyright © 2012 Elsevier, Inc.
All rights reserved.
ISBN: 978-1-59749-591-2


Excerpt

CHAPTER 1

Client-Side Attacks Defined


CONTENTS

Client-Side Attacks: An Overview
Why Are Client-Side Attacks Successful?
Motivations Behind Client-Side Attacks

Types of Client-Side Attacks
  Confidentiality Impact
    Cookies
    AutoComplete and Browser History
    Clipboard Attacks
    Social Engineering
    Client Scanning
  Integrity Impact
    Cross-Site/Domain/Zone Scripting
    Drive-by-Pharming
    Malware
  Availability Impact
    Denial-of-Service (DoS)
    Pop-Ups and Pop-Unders
    Image Flooding

Summary


INFORMATION IN THIS CHAPTER:

* Client-Side Attacks: An Overview

* Types of Client-Side Attacks


One of the bigger threats that users face today is the client-side attack, which exposes the vulnerability of the end user and his or her system. Over the last five years the number of client-side attacks has increased dramatically, leading to a statement by the SANS Institute that this type of attack represents historically one of the most critical Internet security vulnerabilities in existence. In the past, attackers wishing to cause harm or damage, or to expose sensitive data, would generally go after the servers themselves using a class of attacks known collectively as server-side attacks. These attacks were successful because the servers themselves were not as well defended as they are today. With new security advances, methodologies, and processes, this is no longer the case. The server-side attack is now severely limited by security professionals putting an enhanced focus on edge security and securing the network, and by vendors writing and producing better products for safeguarding key systems. Because this attack vector has been protected, hackers and attackers have had to find a new route in.

Since the server-side (and, with it, the network-side) became the focus and was better protected, the applications used on the servers and the systems that use those applications became the new target. In sum, applications that exist on the server-side and the vulnerabilities associated with them are better understood and defended, so attackers have shifted their focus to the desktop environment and the weaknesses found there.

Whereas server-side attacks seek to compromise and breach the data and applications that are present on a server, client-side attacks specifically target the software on the desktop itself. Applications such as web browsers, media players, email clients, office suites, and other such applications are all prime targets for an attacker. This also does not encompass many of the in-house developed applications that are widely used in many organizations worldwide. Homegrown applications, or applications built in-house, add other items to the mix because applications in this category may not undergo any sort of formal security testing. It also doesn't take into account that a server system is easier to patch, protect, and monitor than the many clients that attach to it, as well as the even more diverse operating systems that are used. Multiply that by the number of different applications used and you can see that the problem grows exponentially, making this a difficult problem to solve. The wide and diverse range of software present on the desktop in an organization presents a large target for attackers and a major concern for the security professional. In fact, for the security professional, overlooking the client-side attack is an easy way to miss one of the single most dangerous mechanisms for impacting security in an organization. Figure 1.1 shows an example of a typical client-side attack.

In this book we will examine what constitutes a client-side attack, the different types of attacks, how they work, and how to defend against them in the real world. While every type of attack that is available cannot be covered in this text, we will review the most common. In advanced chapters we will highlight more complex attacks. By learning about the most common and more complex attacks, you will gain a better understanding of how these attacks work and in turn be able to protect against them more effectively in the future. It is also important to note that new security flaws are found each day as more and more applications are upgraded, rolled out, and created (see Figure 1.2).


CLIENT-SIDE ATTACKS: AN OVERVIEW

While we will cover more about what constitutes a client-side attack in Chapter 2, Chapter 1 provides a basic overview. We will then move on to cover attacks in more detail in later chapters. Later chapters will explain in more depth why the client is susceptible to attacks and how the attacker is able to manipulate the system so easily, whether through a code flaw or a lack of security applied to the operating system, for example. It is important for us to first take a high-level look at these classes of attacks and what makes them possible. In order to better understand client-side attacks it is worthwhile, where applicable, to compare and contrast them with their well-known cousins, server-side attacks (see Figure 1.3).

As mentioned previously, attackers have traditionally concentrated their attacks on the server-side and the applications, data, and services hosted there. During normal operation a server-side application and the server itself will expose several types of services that will vary depending on the intended role of the server (e.g., document management or streaming video). Each service that a server exposes to the world is one more potential target that an attacker can exploit for whatever purpose they may have in mind. Even with a simple web server that hosts static content the possibility of attack is present, as there are services running that can be exploited. Add to a web server the ability to host dynamic content such as JavaServer Pages (JSP), Active Server Pages (ASP), or even Hypertext Preprocessor (PHP) and the situation gets even worse, as even more services with their potential vulnerabilities are layered upon one another. These server-side scripting languages, which are often used to provide dynamic content, are generally embedded directly into the HTML code used to produce the pages you view, and they can also run scripts that execute commands, for example (see Figure 1.4).

The list of potential vulnerabilities available on a server and its services is a long one, but some of the more common ones are:

* Malicious HTTP requests: This includes improperly formed requests or what are known as illegal arguments in an HTTP request. These are generally executed to trick an end user into thinking they are accessing legitimate code, when in reality malicious code (malcode) is being "smuggled" into the equation. HTTP Request Smuggling (or HRS) is used between a client and an application server and is commonly executed when there is a proxy system in between.

* Buffer overflows: Vulnerabilities of this type are common in software and regularly exploited by savvy attackers. These are generally executed to produce a Denial-of-Service (DoS) attack to prevent legitimate connections from taking place by flooding buffers with bogus requests.

* Scripting errors and attacks: As will be introduced in Chapter 2, scripting errors take advantage of handling or coding errors to enact an attack against a client. This can be done via scripting languages such as JavaScript, VBScript, Flash scripting, and others. Cross-site scripting (XSS) is commonly used to bypass security controls by injecting harmful content on the client-side, in the end user's web browser.

* CGI errors and attacks: CGI or Common Gateway Interface programs run on the server, but through clever manipulation on the attacker's part it is possible to target and compromise a client. These are commonly used to run scripts that are harmful to the client accessing the server.

* Unchecked user input: Malicious actions of this type take place when information that is gained does not undergo any rigorous validation to ensure that it is true and correct.

* Misconfiguration: Misconfigured software that has not had basic steps taken to ensure that it is configured to be safe and secure regularly leads to a high number of security incidents in both server and client-side environments. Typically this problem can be the result of improper training or ignorance on the system owner's behalf, leading to problems later.

* Default settings: Leaving the settings in place that come with software when it is "shipped from the factory" has been shown to lead to security incidents, as attackers can easily determine and take advantage of well-known and documented defaults in software. Today, as more and more security flaws take the spotlight, leaving a system or application wide open is no longer common practice; however, older software and operating systems, or newer ones made to be "user friendly," generally do not have tight security implemented within them.

* Revealing error messages: Error messages can be both frustrating for a user and a source of a great deal of information for an attacker. Under the right conditions an error message should indicate that something unexpected has occurred while at the same time not revealing useful details to an aggressor. Under the wrong conditions an error message can easily reveal information about the configuration of a system and give an attacker pieces of information that will yield a better picture of how vulnerable a system is.

* Design and code flaws: Design flaws are those defects that were created unintentionally during the design process of an application. These flaws exist due to an oversight during the design process or surface due to unanticipated uses of the application. Many times, the software vendor will release service packs, hotfixes, security patches, and upgrades of the code to fix these design flaws, but generally only after they are exploited.
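The "Revealing error messages" item above, shown as an added example that is not from the book: a handler that returns the raw exception to the client beside one that logs the details server-side and returns only a reference id. The function names, the error text, the file path and the table name are all constructed for illustration.

```javascript
// Added example (not from the book): verbose vs. generic error responses.
// The error text, file path and table name below are constructed sample data.

// Leaky handler: sends the exception text and stack trace to the client,
// exposing schema names and filesystem layout.
function respondVerbose(err) {
  return { status: 500, body: `${err.name}: ${err.message}\n${err.stack}` };
}

// Correlation id only; it is not a secret and grants no access.
function defaultId() {
  return Date.now().toString(36) + "-" + Math.random().toString(36).slice(2, 8);
}

// Hardened handler factory. Details go to a server-side log (here an array
// standing in for a real log sink); the client sees only a reference id
// that support staff can match against the log entry.
function makeErrorResponder(logSink, newId = defaultId) {
  return function respond(err, requestPath) {
    const incidentId = newId();
    logSink.push({
      incidentId,
      requestPath,
      name: err.name,
      message: err.message,
      stack: err.stack,
      at: new Date().toISOString(),
    });
    return {
      status: 500,
      body: `An unexpected error occurred. Reference: ${incidentId}`,
    };
  };
}

// Constructed failure resembling a database driver error.
function sampleError() {
  return new Error(
    'relation "app_users" does not exist at /srv/app/models/user.js:42'
  );
}

// Runs both handlers on the same failure so the responses can be compared.
function demo() {
  const log = [];
  const respond = makeErrorResponder(log, () => "ref-0001");
  return {
    verbose: respondVerbose(sampleError()),
    generic: respond(sampleError(), "/login"),
    log,
  };
}

console.log(demo().generic.body);
```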


Understanding the server-side attack is essential to protecting against a client-side attack because although this book covers how to secure the client, not understanding the role of the server will prevent you from understanding the entire picture of how the attack is actually generated and what you need to do to prevent it. Server-side attacks have a long history of causing problems and concerns for system administrators and companies alike. In the right hands a server-side exploit can deliver a wealth of information and control of a system to an attacker for whatever use they may have in mind. Defenses and techniques have improved dramatically over the years to protect the server from attack, but these attacks still have their place in the hacker's arsenal (see Figure 1.5).

When an attacker targets client-side applications, they are specifically looking for ways to force a client to process malicious code or data from a server-based application. In this way a client-side application can provide information from a malicious server that results in some action taking place that is unintended or unexpected by the end user. It is also commonly hidden from the user. This also shows the key to client-side attacks, which is to target those applications that interact with a server in some way. If this interaction is not present, attacks of this type cannot take place (see Figure 1.6).

Let's examine one well-known type of client-side attack known as cross-site scripting (XSS) and how it can be used to obtain information or alter a victim's experience. XSS is a special form of input validation attack that, unlike other forms of input validation attack, targets the user of a specific application or site and not the application or site itself. An attack of this type may be used to install software such as a Trojan horse on a victim's system with the intent of gathering information or performing some other malicious purpose. In the case of a Trojan, for example, installation may take place when a user clicks on a link or even visits a suspect site, which in turn uses a language such as JavaScript to initiate the installation. If staged correctly, the software can be installed on a system stealthily, preventing the user from even being aware of what is occurring. The user may not even have to click on a link; the installation of software in this case could happen just by the very act of loading a web page (see Figure 1.7).
(Continues...)
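To make the XSS description and the earlier "Unchecked user input" item concrete from the defender's side, here is an added example that is not part of the book excerpt: a page fragment built by plain string concatenation beside the same fragment with output encoding. It goes slightly beyond the text by also allow-listing link schemes, since HTML escaping alone does not neutralise a script URL in an href. All function names and sample inputs are constructed.

```javascript
// Added example (not from the book): output encoding as the XSS defense.
// Function names and sample inputs are constructed for illustration.

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;",
};

// Encode the five characters that can change HTML parsing context.
// Single pass, so already-escaped text is not escaped in two stages.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Accept only absolute http(s) links; any other scheme, and anything that
// does not parse as an absolute URL, is replaced with "#".
function safeHref(raw) {
  try {
    const url = new URL(String(raw));
    return url.protocol === "http:" || url.protocol === "https:"
      ? url.href
      : "#";
  } catch {
    return "#";
  }
}

// Vulnerable: user-supplied values are pasted into markup unchanged, so the
// browser parses them as part of the page.
function renderCommentUnsafe(author, homepage, text) {
  return `<div class="comment"><a href="${homepage}">${author}</a>: ${text}</div>`;
}

// Hardened: every value is encoded for the context it lands in.
function renderCommentSafe(author, homepage, text) {
  return (
    `<div class="comment"><a href="${escapeHtml(safeHref(homepage))}">` +
    `${escapeHtml(author)}</a>: ${escapeHtml(text)}</div>`
  );
}

// Constructed sample comment containing markup instead of plain text.
const sample = {
  author: "visitor",
  homepage: "https://example.com/",
  text: "<script>alert(1)</script>",
};

console.log(renderCommentUnsafe(sample.author, sample.homepage, sample.text));
console.log(renderCommentSafe(sample.author, sample.homepage, sample.text));
```

In the hardened output the comment text is displayed to the reader as literal characters rather than executed, which is the behaviour the end user expects from a comment field.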


Excerpted from Client-Side Attacks and Defense by Robert Shimonski. Copyright © 2012 by Elsevier, Inc. Excerpted by permission of Elsevier Science.
All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.
Excerpts are provided by Dial-A-Book Inc. solely for the personal use of visitors to this web site.

Table of Contents

Introduction
Chapter 1: Background on Attacks
Chapter 2: A Closer Look at Client-Side Attacks
Chapter 3: A History of Web Browsers
Chapter 4: The Problem with Browsers
Chapter 5: Exploring and Exploiting Active Content
Chapter 6: Browser Defenses
Chapter 7: E-mail Client Attacks
Chapter 8: E-mail Client Defenses
Chapter 9: Web Applications
Chapter 10: Web Applications and Client Defenses
Chapter 11: Other Client-Side Attack Targets
Chapter 12: Malware
Chapter 13: Client-Side Countermeasures
Chapter 14: The Road Ahead

What People are Saying About This

From the Publisher

Learn how to defend your network against client-side attacks that target your company’s most vulnerable asset — the end user!
