Internet Browser Vulnerabilities

					            Web Security

              Chapter 7

7/13/2011       Web Security   1
• Protect e-mail systems
• Identify World Wide Web vulnerabilities
• Secure Web communications

  cs490ns-cotter                            2
How E-Mail Works

• Defined in RFC 822
• Uses two Internet protocols to send and receive
     – Simple Mail Transfer Protocol (SMTP) handles
       outgoing mail
     – Either Post Office Protocol (POP3 for the current
       version) handles incoming mail
     – Or Internet Mail Access Protocol (IMAP4 is current)
• The SMTP server on most machines uses
  sendmail to do the actual sending; sendmail
  holds outbound messages in a queue called the
  sendmail queue

E-mail Architecture

[Figure: e-mail architecture. Sender → mail server (mailboxes) → remote access; a second diagram shows sender and recipient with the delivery and protocol paths between them.]

How E-Mail Works
• Sendmail tries to resend queued messages
  periodically (about every 15 minutes)
• Downloaded messages are erased from POP3
  server (by default)
• Deleting retrieved messages from the mail
  server and storing them on a local computer
  may make it difficult to manage messages from
  multiple computers
• Internet Mail Access Protocol (current version is
  IMAP4) is a more advanced protocol that solves
  many problems
  – E-mail can remain on the e-mail server

        How E-Mail Works (cont)
• E-mail attachments are often in binary format
  (word processing documents, spreadsheets,
  sound files, pictures, etc.)
  – But SMTP is text only.
• Multipurpose Internet Mail Extensions (MIME)
  – RFCs 1341, 1521, 1522
  – Non-text documents must be converted into text
    format before being transmitted
  – Three bytes from the binary file are extracted and
    converted to four text characters
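To make the three-bytes-to-four-characters rule concrete, here is a small Base64 encoder and decoder cross-checked against Python's standard library. This is an added example, not code from the slides; the 64-character alphabet and the `=` padding rule are those of MIME's Base64 transfer encoding, and the "attachment" it encodes is a constructed byte string.

```python
"""Hand-rolled MIME Base64: every 3 input bytes become 4 characters drawn from a
64-character ASCII alphabet, so binary attachments survive a text-only SMTP path.
Added example for the slides above, not the author's code; checked against the
standard library's base64 module."""
import base64

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def b64_encode(data: bytes) -> str:
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        pad = 3 - len(chunk)                                   # 0, 1 or 2 bytes missing at the end
        bits = int.from_bytes(chunk + b"\x00" * pad, "big")    # 24 bits, zero-filled
        quad = [ALPHABET[(bits >> shift) & 0x3F] for shift in (18, 12, 6, 0)]
        # Each missing input byte removes one output character, replaced by '='
        out.append("".join(quad[:4 - pad]) + "=" * pad)
    return "".join(out)


def b64_decode(text: str) -> bytes:
    if len(text) % 4:
        raise ValueError("Base64 input length must be a multiple of 4")
    out = bytearray()
    for i in range(0, len(text), 4):
        quad = text[i:i + 4]
        pad = quad.count("=")
        bits = 0
        for ch in quad:
            bits = (bits << 6) | (0 if ch == "=" else ALPHABET.index(ch))
        out.extend(bits.to_bytes(3, "big")[:3 - pad])
    return bytes(out)


def size_overhead(n_bytes: int) -> float:
    """Ratio of encoded length to raw length; tends to 4/3 for large attachments."""
    return len(b64_encode(bytes(n_bytes))) / n_bytes


def matches_stdlib(data: bytes) -> bool:
    """Cross-check: same text as the standard library, round-trips, and pure ASCII."""
    encoded = b64_encode(data)
    return (encoded == base64.b64encode(data).decode("ascii")
            and b64_decode(encoded) == data
            and encoded.isascii())


if __name__ == "__main__":
    sample = bytes(range(256))          # constructed "binary attachment"
    print(b64_encode(b"Man"), b64_encode(b"Ma"), b64_encode(b"M"))
    print("overhead:", size_overhead(len(sample)))
    print("matches stdlib:", matches_stdlib(sample))
```

The overhead figure is the practical cost of the slide's rule: a 3 MB attachment travels as 4 MB of text, which is why mail servers enforce size limits on the encoded form rather than the original file.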

              E-Mail Vulnerabilities
• Several e-mail vulnerabilities can be
  exploited by attackers:
  – Malware
  – Spam
  – Hoaxes


• Because of its ubiquity, e-mail has
  replaced floppy disks as the primary
  carrier for malware
• E-mail is the malware transport
  mechanism of choice for two reasons:
   – Because almost all Internet users have e-
     mail, it has the broadest base for attacks
   – Malware can use e-mail to propagate itself

                   Malware (cont)
• A worm can enter a user's computer through an
  e-mail attachment and send itself to all users
  listed in the address book or attach itself as a
  reply to all unread e-mail messages
• E-mail clients can be particularly susceptible to
  macro viruses
  – A macro is a script that records the steps a user
  – A macro virus uses macros to carry out malicious

• The amount of spam (unsolicited e-mail)
  that flows across the Internet is difficult to
• The US Congress passed the Controlling
  the Assault of Non-Solicited Pornography
  and Marketing Act of 2003 (CAN-SPAM) in
  late 2003

                   Spam (cont)
• According to a Pew Memorial Trust survey,
  almost half of the approximately 30 billion daily
  e-mail messages are spam
• Spam is having a negative impact on e-mail
   – 25% of users say the ever-increasing volume of spam
     has reduced their overall use of e-mail
   – 52% of users indicate spam has made them less
     trusting of e-mail in general
   – 70% of users say spam has made being online
     unpleasant or annoying

                   E-Mail Encryption
• Two technologies used to protect e-mail
  messages as they are being transported:
  – Secure/Multipurpose Internet Mail Extensions
  – Pretty Good Privacy

• Secure/Multipurpose Internet Mail
  – Initial specification 10/95 (RFC 1847)
  – V2 widely deployed 3/98 (RFC 2311)
  – V3 available 6/99 (RFC 2633)
• Protocol that adds digital signatures and
  encryption to Multipurpose Internet Mail
  Extension (MIME) messages

• Functionality
  – Enveloped Data (Message Privacy)
  – Signed Data (Digital Signatures, Tamper
  – Clear-signed Data (Interoperability)
  – Signed and Enveloped Data (Everything!)

   Pretty Good Privacy (PGP)
• Functions much like S/MIME, encrypting
  messages and applying digital signatures
• A user can sign an e-mail message without
  encrypting it, verifying the sender but not
  preventing anyone from seeing the contents
• Originally released as freeware. Now
  available as a commercial product
   – GNU Privacy Guard (GPG) available for free.
   – The two versions are generally incompatible.

                   PGP (cont)
• Stores private keys on a local “keyring” file
  – Uses a passphrase to encrypt the keyring on
    the local computer
• Passphrase:
  – A longer and more secure version of a
  – Typically composed of multiple words
  – More secure against dictionary attacks

                   PGP Encryption
• Message Compression
  – Reduces patterns and enhances resistance to
• Session key (a one-time-only secret key –
  128-bit number)
  – This key is a number generated from random
    movements of the mouse and keystrokes

                   PGP Services
• Digital Signature
  – Uses DSS / SHA or RSA / SHA
  – SHA-1 used to create message digest. RSA / DSS
    used to encrypt digest using sender's private key
• Message Encryption
  – Session Key generated.
  – Message encrypted with CAST-128 / IDEA / 3DES
  – Session key encrypted using D-H or RSA and
    recipient's public key
• Compression
  – Uses the ZIP algorithm
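The three services above fit together as one message flow, shown here end to end: sign the SHA-1 digest with the sender's private key, compress, encrypt the body under a fresh one-time 128-bit session key, and wrap that session key with the recipient's public key. This is an added example, not PGP's or GnuPG's code. Two stand-ins are assumptions made so it runs with the standard library alone: textbook RSA on fixed Mersenne primes (no padding, so not secure) replaces real RSA/DSS, and a SHA-256 counter keystream replaces CAST-128/IDEA/3DES. The key sizes, the message and the names are all constructed.

```python
"""PGP-style sign / compress / encrypt / wrap-session-key, end to end.
Added example, not PGP's or GnuPG's code. Assumptions: textbook RSA on
fixed Mersenne primes stands in for RSA/DSS, and a SHA-256 counter keystream
stands in for CAST-128/IDEA/3DES. Neither stand-in is secure; only the
structure of the flow is the point."""
import hashlib
import secrets
import zlib

SIG_LEN = 25   # bytes that hold any value below either toy modulus (both < 2**200)


def toy_rsa_keypair(p=2**89 - 1, q=2**107 - 1, e=65537):
    """Textbook RSA keypair (assumption: fixed primes). Returns (public, private)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (e, n), (d, n)


def rsa_apply(value: int, key) -> int:
    exponent, n = key
    if not 0 <= value < n:
        raise ValueError("value does not fit the modulus")
    return pow(value, exponent, n)


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher: XOR with SHA-256(key || block counter)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        keystream = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], keystream))
    return bytes(out)


def pgp_style_send(message: bytes, sender_private, recipient_public):
    """Sign, compress, encrypt; returns (wrapped_session_key, ciphertext)."""
    digest = int.from_bytes(hashlib.sha1(message).digest(), "big")
    signature = rsa_apply(digest, sender_private).to_bytes(SIG_LEN, "big")
    compressed = zlib.compress(signature + message)          # compress before encrypting
    session_key = secrets.token_bytes(16)                     # one-time 128-bit key
    ciphertext = stream_xor(session_key, compressed)
    wrapped_key = rsa_apply(int.from_bytes(session_key, "big"), recipient_public)
    return wrapped_key, ciphertext


def pgp_style_receive(wrapped_key: int, ciphertext: bytes, recipient_private, sender_public):
    """Unwrap the session key, decrypt, decompress, verify; returns (message, signature_ok)."""
    session_key = rsa_apply(wrapped_key, recipient_private).to_bytes(16, "big")
    plain = zlib.decompress(stream_xor(session_key, ciphertext))
    signature, message = plain[:SIG_LEN], plain[SIG_LEN:]
    try:
        recovered = rsa_apply(int.from_bytes(signature, "big"), sender_public)
    except ValueError:                 # signature does not even fit this key's modulus
        return message, False
    expected = int.from_bytes(hashlib.sha1(message).digest(), "big")
    return message, recovered == expected


if __name__ == "__main__":
    alice_pub, alice_priv = toy_rsa_keypair()
    bob_pub, bob_priv = toy_rsa_keypair(p=2**127 - 1, q=2**61 - 1)
    wrapped, blob = pgp_style_send(b"Meet me for lunch Tuesday", alice_priv, bob_pub)
    text, ok = pgp_style_receive(wrapped, blob, bob_priv, alice_pub)
    print(text, ok)
```

Two details of the order matter and are visible in the code: compression happens before encryption (ciphertext is incompressible, so compressing afterwards gains nothing), and the signature is computed over the plaintext and travels inside the encrypted body, so an observer learns neither the content nor who signed it.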
PGP Encryption

[Figure: "Meet me for lunch Tuesday" → compress → "Mt m fr lnch Tsdy" → encrypt (Session Key, Public Key) → ciphertext]

              WWW Vulnerabilities
• WWW Phishing
• Mobile Code
  – JavaScript, Java, ActiveX/COM
• Cookies
• SQL Injection
• Dynamic content can also be used by attackers
  – Sometimes called repurposed programming (using
    programming tools in ways more harmful than
    originally intended)

• Hypertext markup language (HTML)
      – Describes the content and formatting of Web pages
      – Rendered within browser window
• HTML features
      – Static document description language
      – Supports linking to other pages and embedding images by
      – User input sent to server via forms
• HTML extensions
      – Additional media content (e.g., PDF, video) supported through
      – Embedding programs in supported languages (e.g., JavaScript,
        Java) provides dynamic content that interacts with the user,
        modifies the browser user interface, and can access the client
        computer environment

• Forged web pages created to
  fraudulently acquire sensitive
• User typically solicited to access
  phished page from spam email
• Most targeted sites
      – Financial services (e.g., Citibank)
      – Payment services (e.g., PayPal)
      – Auctions (e.g., eBay)
• 45K unique phishing sites
  detected monthly in 2009
  [APWG Phishing Trends Reports]
• Methods to avoid detection
      – Misspelled URL
      – URL obfuscation
      – Removed or forged address bar

Phishing Example

[Figure: phishing example page]

                    URL Obfuscation
•   Properties of page in previous slide
     – Actual URL different from spoofed URL
       displayed in address bar
•   URL escape character attack
     – Old versions of Internet Explorer did not
       display anything past the Esc or null
     – Displayed vs. actual site
•   Unicode attack
     – Domains names with Unicode
       characters can be registered
     – Identical, or very similar, graphic
       rendering for some characters
     – E.g., Cyrillic and Latin “a”
     – Phishing attack on
     – Current version of browsers display
       Punycode, an ASCII-encoded version
       of Unicode:
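A filter that checks a URL for the tricks listed on this slide, added here as an example (not code from the slides): control characters such as escape or null in the URL, a non-ASCII host name shown one way but sent to DNS as Punycode, and a label that mixes scripts, like a Cyrillic "a" among Latin letters. The sample URLs are constructed, and the finding strings are this example's own wording.

```python
"""Checks a URL for the obfuscation tricks listed on the slide: control
characters (escape/null), non-ASCII host names that are really Punycode
underneath, and labels mixing scripts (Cyrillic and Latin "a").
Added example, not from the slides; sample URLs are constructed."""
import unicodedata
from urllib.parse import urlsplit


def scripts_in(label: str) -> set:
    """Unicode scripts of the letters in one host label, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def analyze_url(url: str) -> dict:
    findings = []
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in url):
        findings.append("control character in URL")
    cleaned = "".join(c for c in url if ord(c) >= 0x20 and ord(c) != 0x7F)
    display_host = urlsplit(cleaned).hostname or ""
    try:
        ascii_host = display_host.encode("idna").decode("ascii")   # what DNS actually sees
    except UnicodeError:
        ascii_host = None
        findings.append("host is not a valid IDNA name")
    for label in display_host.split("."):
        scripts = scripts_in(label)
        if len(scripts) > 1:
            findings.append(f"label {label!r} mixes scripts {sorted(scripts)}")
    if ascii_host is not None and ascii_host != display_host:
        findings.append(f"displayed host {display_host!r} is really {ascii_host!r}")
    return {"display_host": display_host, "ascii_host": ascii_host, "findings": findings}


# Constructed samples: a plain URL, a Cyrillic-a look-alike, and a null byte in the host
CONSTRUCTED_URLS = [
    "https://www.example.com/login",
    "https://www.secure-b\u0430nk.example/login",
    "https://www.example.com\x00.attacker.example/",
]

if __name__ == "__main__":
    for u in CONSTRUCTED_URLS:
        print(analyze_url(u))
```

The `idna` codec does the same conversion the slide credits to current browsers: the Punycode form is what a registrar, a resolver and a certificate all see, so comparing it with the displayed text is the check that exposes the look-alike.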
                  Mobile Code
• What is mobile code?
      – Executable program
      – Sent via a computer network
      – Executed at the destination
• Examples
      – JavaScript
      – ActiveX
      – Java Plugins
      – Integrated Java Virtual Machines

• Scripting language interpreted by the browser
• Code enclosed within <script> … </script> tags
• Defining functions:
      <script type="text/javascript">
         function hello() { alert("Hello world!"); }
      </script>
• Event handlers embedded in HTML
      <img src="picture.gif" onMouseOver="javascript:hello()">
• Built-in functions can change content of window
• Click-jacking attack
      <a onMouseUp="′′)"
      href="">Trust me!</a>

ActiveX vs. Java

ActiveX Control
• Windows-only technology; runs in Internet Explorer
• Binary code executed on behalf of the browser
• Can access user files
• Support for signed code
• An installed control can be run by any site (up to IE7)
• IE configuration options
      – Allow, deny, prompt
      – Administrator approval

Java Applet
• Platform-independent via browser plugin
• Java code running within the browser
• Sandboxed execution
• Support for signed code
• Applet runs only on the site where it is embedded
• Applets deemed trusted by the user can escape the sandbox

Embedding an ActiveX Control

    <HTML> <HEAD>
    <TITLE> Draw a Square </TITLE>
    </HEAD>
    <BODY> Here is an example ActiveX reference:
    <OBJECT CLASSID="clsid:0342D101-2EE9-1BAF-34565634EB71" >
     <PARAM NAME="Version" VALUE="45445">
     <PARAM NAME="ExtentX" VALUE="3001">
     <PARAM NAME="ExtentY" VALUE="2445">
    </OBJECT>
    </BODY> </HTML>

             Authenticode in ActiveX
• This signed ActiveX
  control asks the user for
  permission to run
     – If approved, the
       control will run with the
       same privileges as the
• The “Always trust
  content from …”
  checkbox automatically
  accepts controls by the
  same publisher
     – Probably a bad idea

(Source: Malicious Mobile Code, by R. Grimes, O'Reilly)

                 ActiveX Security

            Classic ActiveX Exploits
• Exploder and Runner controls designed by Fred McLain
      – Exploder was an ActiveX control for which he purchased a
        VeriSign digital signature
      – The control would power down the machine
      – Runner was a control that simply opened up a DOS prompt
        While harmless, the control easily could have executed format C:
        or some other malicious command
• Quicken exploit by a German hacking club
      – Intuit's Quicken is a personal financial management tool
      – Can be configured to auto-login to bank and credit card sites
      – The control would search the computer for Quicken and
        execute a transaction that transfers user funds to their account

• Cookies are a small bit of information stored on a
  computer associated with a specific server
    – When you access a specific website, it might store information as
      a cookie
    – Every time you revisit that server, the cookie is re-sent to the
    – Effectively used to hold state information over sessions
• Cookies can hold any type of information
    – Can also hold sensitive information
       • This includes passwords, credit card information, social
         security number, etc.
       • Session cookies, non-persistent cookies, persistent cookies
    – Almost every large website uses cookies

                   More on Cookies
• Cookies are stored on your computer and can be
    – However, many sites require that you enable cookies in order to use the
    – Their storage on your computer naturally lends itself to exploits (Think
      about how ActiveX could exploit cookies...)
    – You can (and probably should) clear your cookies on a regular basis
    – Most browsers will also have ways to turn off cookies, exclude certain
      sites from adding cookies, and accept only certain sites' cookies
• Cookies expire
    – The expiration is set by the sites' session by default, which is chosen by
      the server
    – This means that cookies will probably stick around for a while
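The expiry and flag choices behind the two cookie slides, shown with the standard library's `http.cookies`: a cookie with neither `Expires` nor `Max-Age` is a session (non-persistent) cookie, one with either is persistent and stays on disk; the `Secure` and `HttpOnly` attributes decide whether it is sent over plain HTTP and whether page scripts can read it. This is an added example, not code from the slides; the cookie names, values and headers are constructed.

```python
"""Builds and audits Set-Cookie header values to show what makes a cookie
persistent and how its exposure is limited. Added example, not from the
slides; cookie names, values and sample headers are constructed."""
from http.cookies import SimpleCookie


def build_set_cookie(name, value, max_age=None, secure=True, httponly=True):
    """Returns the Set-Cookie header value for one cookie."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["path"] = "/"
    if max_age is not None:
        jar[name]["max-age"] = max_age        # persistent; omitted => session cookie
    if secure:
        jar[name]["secure"] = True            # only sent over HTTPS
    if httponly:
        jar[name]["httponly"] = True          # not readable from document.cookie
    return jar[name].OutputString()


def audit_set_cookie(header_value: str) -> dict:
    """Parses a Set-Cookie value and reports persistence and protection flags."""
    jar = SimpleCookie()
    jar.load(header_value)
    report = {}
    for name, morsel in jar.items():
        report[name] = {
            "persistent": bool(morsel["expires"] or morsel["max-age"]),
            "secure": bool(morsel["secure"]),
            "httponly": bool(morsel["httponly"]),
        }
    return report


# Constructed headers as a server might send them
CONSTRUCTED_HEADERS = [
    build_set_cookie("sid", "c0nstructed-session-id"),
    build_set_cookie("prefs", "lang=en", max_age=60 * 60 * 24 * 365, secure=False, httponly=False),
    "tracker=abc123; Expires=Wed, 09 Jun 2021 10:18:14 GMT; Path=/",
]

if __name__ == "__main__":
    for h in CONSTRUCTED_HEADERS:
        print(h, "->", audit_set_cookie(h))
```

Run against a site's real response headers, the audit function is a quick way to confirm the slide's warning in practice: a long-lived cookie without `Secure` and `HttpOnly` is exactly the kind of stored state that script or network-level attacks can pick up.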

            SQL Injection Attack
• Many web applications take user input from a
• Often this user input is used literally in the
  construction of a SQL query submitted to a
  database. For example:
      SELECT user FROM table
       WHERE name = 'user_input';
• An SQL injection attack involves placing SQL
  statements in the user input

             SQL Syntax
SELECT column_name(s) or *
FROM table_name
WHERE column_name operator value

• SELECT statement is used to select data
  FROM one or more tables in a database
• Result-set is stored in a result table
• WHERE clause is used to filter records

             Login Authentication Query

• Standard query to authenticate users:
     select * from users where user='$usern' AND pwd='$password'
• Classic SQL injection attacks
     – Server side code sets variables $username and $passwd from
        user input to web form
     – Variables passed to SQL query
     select * from users where user='$username' AND pwd='$passwd'
• Special strings can be entered by attacker
     select * from users where user='M' OR '1=1' AND pwd='M' OR '1=1'
• Result: access obtained without password
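The login query from the slide above, run both ways against an in-memory SQLite table so the difference is observable rather than described: once built by string substitution, as the slide shows, and once with bound parameters, so the attacker's input stays a value instead of becoming part of the SQL. This covers the SELECT/WHERE syntax slide and the authentication query slide together. It is an added example, not code from the slides; the table, the user row and the inputs are constructed, and the payload uses the commonly written `' OR '1'='1` form of the slide's idea.

```python
"""The slide's login query executed against SQLite, vulnerable and
parameterized side by side. Added example, not from the slides; the table,
row and inputs are constructed."""
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user TEXT, pwd TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse battery')")
    conn.commit()
    return conn


def login_vulnerable(conn, username: str, password: str):
    """Builds the slide's query with the raw input spliced into the SQL text."""
    query = f"select * from users where user='{username}' AND pwd='{password}'"
    return query, conn.execute(query).fetchone() is not None


def login_parameterized(conn, username: str, password: str):
    """Same query with placeholders; the driver passes input as data, not SQL."""
    query = "select * from users where user=? AND pwd=?"
    return query, conn.execute(query, (username, password)).fetchone() is not None


def login_outcomes(username: str, password: str) -> dict:
    """Runs one credential pair through both versions on a fresh table."""
    conn = make_db()
    _, vuln = login_vulnerable(conn, username, password)
    _, safe = login_parameterized(conn, username, password)
    conn.close()
    return {"vulnerable": vuln, "parameterized": safe}


if __name__ == "__main__":
    print(login_outcomes("alice", "correct horse battery"))   # both True
    print(login_outcomes("alice", "wrong"))                  # both False
    print(login_outcomes("M' OR '1'='1", "M' OR '1'='1"))     # vulnerable True, parameterized False
```

Because AND binds tighter than OR, the spliced query reads as `user='M' OR ('1'='1' AND pwd='M') OR '1'='1'`, whose last term is true for every row, so the first row is returned and the login succeeds without a password. With placeholders the same text is compared literally against the `user` column and matches nothing.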

Securing Web Communications
• Most common secure connection uses the
  Secure Sockets Layer/Transport Layer
  Security protocol
• One implementation is the Hypertext
  Transport Protocol over Secure Sockets

                  SSL / TLS
• SSL protocol developed by Netscape to
  securely transmit documents over the
  – Uses private key to encrypt data transferred
    over the SSL connection
  – Version 3.0 is most widely supported version
  – Personal Communications Technology
    (PCT), developed by Microsoft, is similar to

                   SSL / TLS

• TLS protocol guarantees privacy and data
  integrity between applications
  communicating over the Internet
  – An extension of SSL; they are often referred
    to as SSL/TLS
• SSL/TLS protocol is made up of two layers

                    SSL / TLS
• TLS Handshake Protocol allows authentication
  between server and client and negotiation of an
  encryption algorithm and cryptographic keys before
  any data is transmitted
• FORTEZZA is a US government security standard
  that satisfies the Defense Messaging System
  security architecture
  – Has cryptographic mechanism that provides message
    confidentiality, integrity, authentication, and access
    control to messages, components, and even systems

• One common use of SSL is to secure Web HTTP
  communication between a browser and a Web
  – This version is “plain” HTTP sent over SSL/TLS and
    named Hypertext Transport Protocol over SSL
• Generally designated HTTPS, which is the
  extension to the HTTP protocol that supports it
• Whereas SSL/TLS creates a secure connection
  between a client and a server over which any
  amount of data can be sent securely, HTTPS is
  designed to transmit individual messages securely

  – RFCs 2311-2315
  – RFCs 2015, 2440, 3156
  – Cryptography and Network Security –
• OpenPGP
  – RFC 4880
  – RFC 2246

• Protecting basic communication systems is a
  key to resisting attacks
• E-mail attacks can be malware, spam, or hoaxes
• Web vulnerabilities can open systems up to a
  variety of attacks
• A Java applet is a separate program stored on
  the Web server and downloaded onto the user's
  computer along with the HTML code

• ActiveX controls present serious security
  concerns because of the functions that a
  control can execute
• A cookie is a computer file that contains user-
  specific information
• CGI is a set of rules that describe how a Web
  server communicates with other software on
  the server
• The popularity of IM has made this a tool that
  many organizations are now using with e-mail