6 Web Browser and client security, web security, server security

Hiteishi Diwanji

Web threat : A web threat uses the world wide web and compromises authenticity, integrity, confidentiality, nonrepudiation, availability.

Web threats are push or pull based threats, depends on how data is delivered.
Threats related to Push collect information or inject malware by attracting a user to surf malicious website also called spoofed website using spam or apply phishing technique or other fraudulent means.
Attacks related to Push are materialized by phishing, DNS poisoning. The user thinks that the data is from the source that is trustworthy.
Web threats pertaining to Pull are driven-by downloads. They can affect any website visitor. Legitimate websites are infected by Cyber attackers and these website pass malware to visitors unintentionally or lead users to malicious websites by altering the search results. When the page gets loaded, the user’s browser passively runs a malware downloader in a hidden HTML frame (IFRAME) that does not need any user interaction.

Web Site Vulnerabilities:

Web Site Defacement:

· Web site code is downloadable.

· Attacker can see full hypertext document.

· Attacker can view comments in code.

2. Buffer Overflows for(index=0; index<=4;index++) bufferSpace[i]=‘X’; bufferSpace[5]=‘Z’;

(i) ‘Z’ overflows in data space assigned to user. This results in overwriting present variable value.

(ii) ‘Z’ is written in user’s program area, overwrites instruction

(iii) ‘Z’ is written in system’s data area

(iv) ‘Z’ is written in system’s instruction area.

3. Dot – Dot – Slash ‘..’ indicates predecessor directory and ../.. refers to the grandparent of the directory currently used. The url asks for the file autoexec.nt from server, and then attacker performs modification or deletion. http://site.com/webhits.htw?CiWebHits&File=../../../../winnt/system32/autoexec.nt

4. Errors in Application Code Browser that the user uses reply to the server with full context, user can modify the context http://www.Books-fr-all.com/buysell.asp?i1=459012&p1=1399&i2=36521&p2=1199

The attacker can edit URL that appears in the address window of browser and will change 1399 and 1199 to 199. Now 2 books only cause 398 instead of 2598.

5. Server – side include Server side include <!-#exec cmd=“/usr/bin/telnet &”-> opens a Telnet session. An attacker may execute commands such as chmod.

Client Level Threats:Cross site scripting attacks

Attacker

Inject HTML data into Web content
Trick the user into visiting the XSS vulnerable website
Cause the injected HTML data to execute on that user’s browser

Countermeasures:

Educate Users

Educate for threat of XSS. View web content only from sources they trust.

Implement browser security Disable the use of JavaScript or Active scripting for untrusted zones such as internet zone.

Unpatched Web clients

Patching desktop software like web browsers so that security requirements are met.

Countermeasures – Client Level Threats

Educate developers

Validate all input that could potentially be used as part of dynamically generated Web responses.

Encode URL

HTML forms transmit data which may have special character such as “/”, “.”, “#“. These characters may have special meaning or these characters are not valid characters or they may get altered during transmission.URL encoding transforms data.

HTML Encoding
Use innerText property

Web server threats:

Repudiation – Log all activities to determine how the attacker intruded.
Information disclosure – Server header exposure, Directory browsing
Elevation of privileges – Unpatched Web servers, Unknown vulnerabilities, Nonessential services, Canonicalization attacks
Canonicalization attacks – http://TestSite/cmd%252eexe is equivalent to http://TestSite/cmd.exe %252e double decodes to .

If security is on noncanonicalized forms of input data attackers might be able to bypass some security feature.

Denial of service

Threats in Active or Mobile Code:

Active or mobile code gets executed on client side once pushed to client.
Cookies
Scripts
Auto Exec by Type
Bots – Bots are pieces of malicious code which can be controlled remotely. Network of bots is called botnet.

Privacy on Web:

A user browses the web sites, push messages or feedbacks, chat on web without showing up the identity means user stays anonymous. Cookies, adware, spybots, malicious code can trap the identity.

HTML Encoding
Use innerText property

Web server threats:

Repudiation – Log all activities to determine how the attacker intruded.
Information disclosure – Server header exposure, Directory browsing
Elevation of privileges – Unpatched Web servers, Unknown vulnerabilities, Nonessential services, Canonicalization attacks
Canonicalization attacks – http://TestSite/cmd%252eexe is equivalent to http://TestSite/cmd.exe %252e double decodes to .

If security is on noncanonicalized forms of input data attackers might be able to bypass some security feature.

Denial of service

Threats in Active or Mobile Code:

Active or mobile code gets executed on client side once pushed to client.
Cookies
Scripts
Auto Exec by Type
Bots – Bots are pieces of malicious code which can be controlled remotely. Network of bots is called botnet.

Privacy on Web:

A user browses the web sites, push messages or feedbacks, chat on web without showing up the identity means user stays anonymous. Cookies, adware, spybots, malicious code can trap the identity.

you can view video on Web Browser and client security, web security, server security

Suggested Reading:

Cryptography and Network Security Principles and Practice by William Stallings, sixth Edition, PEARSON.
Security in Computing by Charles Pfleeger & Shari Lawrence Pfleeger, fourth Edition, PEARSON.
Network Security by Charlie Kaufman, Radia Perlman, Mike Speciner, second Edition, PHI.
The Complete Reference – Network Security by Roberta Bragg, Mark Rhodes-Ousley & Keith Strassberg, Tata McGraw Hill
Network Security Bible by Eric Cole, Ronald Krutz, James Conley, Wiley
Hacking 6 Exposed by Stuart McClure, Joel Scambray & George Kurtz , Tata McGraw Hill .
www.snort.org
https://nmap.org