
CYBER ATTACKS AND NEW WEB TECHNOLOGIES

Abdolmajid Shahgholi
M.Tech student of Computer Networks and Information Security, Jawaharlal Nehru Technological University, Hyderabad, India (from IRAN)
shahgholi_a@hotmail.com

Hamid Rez Barzegar
M.Tech student of Computer Networks and Information Security, Jawaharlal Nehru Technological University, Hyderabad, India (from IRAN)
hr.barzegar@gmail.com

ABSTRACT

What a tangled web we weave. New web technologies address shortcomings in web browsers but create new problems as well. HTML5 is a set of powerful features aimed at moving web applications closer to existing desktop applications in terms of user experience and features. New browsers are appearing as well: Opera 11.00 has been released and Firefox 4 is in solid beta. It seems they include improved support for HTML5 and JavaScript. Moreover, new web technologies such as Web Sockets, Web Workers, and Web Storage are designed to address the simple fact that people now expect the web to provide applications and multimedia. This paper presents how these technologies can be used to create a massive DoS network and how they can be used to track people.

KEY WORDS: HTML5, botnet, Web attack 3.0

A huge benefit of Web 3.0 is the move towards being able to access data from anywhere. This is mainly being driven by the heavy usage of smartphones and cloud applications. The idea here is to make sure that the user can access as much data as possible from anywhere, not just their home. Technology is trying to expand this idea in ways that allow TVs to pick up on user data and allow smartphones to access data on your computer. For designers like myself who typically forget their jump drives, this is an amazing and useful advancement.

Figure 1:

Introduction

Web 3.0 is being referred to by experts as the semantic web; semantic meaning data driven. The data will come from the user and the web will essentially adjust to meet the needs of the user. For example, if you do a lot of searching for design blogs, you'll receive more advertisements related to design. Also, when you search for other things, for example, computers, the web will keep in mind that you often search for design and may pull up search queries that combine design and computers.

HTML5 will be the new standard for HTML, XHTML, and the HTML DOM. The previous version of HTML came in 1999. The web has changed a lot since then. HTML5 is still a work in progress. However, most modern browsers have some HTML5 support. All in all, there are a lot of nice new things and technology to help us shape the future of the web. As you can see, some of these things are in the actual HTML5 specification; some others are broken out into their own specifications. Think of it as with AJAX: when that term and hype hit the world, anything that was even remotely related to JavaScript in any way was thought to be AJAX.

Now, with the nearly-complete standard for HTML5 being implemented (at least in part) in the latest or beta versions of all the major browsers, including Internet Explorer, Firefox, Safari, Chrome, and Opera, many of the advanced Web app features developers need will be available in native HTML. But as with any major introduction of new features, HTML5 also brings with it potential security vulnerabilities, which is not to say that HTML5 is "flawed," but that, invariably, there will be new attack vectors for hackers to exploit. Some originate from elements of the standard itself, some from implementations of the standard in each browser, and some from the care that developers do (or do not) take in building their HTML5 code.

server to reply to such requests in a way that shows it's okay, but this fails to take into account two problems. The first problem is HTTP header splitting; some web applications and servers can be manipulated to create a custom. WebSocket is such a problem that currently (as of December 2010) Opera 11.00 and Firefox 4 beta 8 both ship with it disabled. The reason is that WebSocket is designed to allow a web browser to make a request to a third-party site that is generated from within a JavaScript program, for example. For the last few years, Firefox and other browser vendors have been working to prevent such cross-origin requests and cross-site request forgeries.

Web Storage and HTML5


HTML5 introduces Web Storage, which comprises Session Storage, Local Storage, Global Storage, and Database Storage (using SQLite). HTML5 offers two new objects for storing data on the client:

1) Local Storage - stores data with no time limit.
2) Session Storage - stores data for one session.

Until recently, the only reliable method for storing (and retrieving) data from a web client was cookies. Cookies are typically a few kilobytes in size, so if you want to store a large amount of data on a client (such as an image or a document), you'd have to split it up across many cookies and hope that none get deleted or replaced. Earlier, this was done with cookies. Cookies are not suitable for large amounts of data, because they are passed on by EVERY request to the server, making it very slow and ineffective. In HTML5, the data is NOT passed on by every server request, but used ONLY when asked for. It is possible to store large amounts of data without affecting the website's performance.

Like cookies, these storage objects are generally bound to the domain they came from, which should largely prevent sites from stealing data or using Web Storage to pass data around easily. However, unlike cookies, Web Storage provides new ways to track users in a very persistent manner (e.g., you set a key called tracking with a unique string) [1] [2]. This feature can't directly be used to aid in botnet creation, but it does give attackers a way to store data and then retrieve it later.
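The persistent-identifier tracking described above (a key such as tracking holding a unique string) can be looked for from the defender's side. The JavaScript below is an added example, not code from the original paper: it audits a Web Storage object for values that look like persistent identifiers. The function names, the regular expressions and the 3.5 bits-per-character entropy threshold are assumptions chosen for illustration, and the stored values are constructed samples.

```javascript
// Added example: flag Web Storage values that look like persistent identifiers.
// Patterns and the entropy threshold are assumptions, not a standard.

// Shannon entropy of a string, in bits per character.
function entropyPerChar(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) h -= (n / s.length) * Math.log2(n / s.length);
  return h;
}

const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
const HEX_RE = /^[0-9a-f]{16,}$/i;
const TOKEN_RE = /^[A-Za-z0-9_\-+\/=]{20,}$/;

// Returns a reason string for identifier-like values, or null otherwise.
function classifyValue(value) {
  if (UUID_RE.test(value)) return 'uuid';
  if (HEX_RE.test(value)) return 'long-hex';
  if (TOKEN_RE.test(value) && entropyPerChar(value) >= 3.5) return 'high-entropy-token';
  return null;
}

// storage: any object with the Web Storage interface (length, key, getItem),
// e.g. window.localStorage or window.sessionStorage in a browser.
function auditStorage(storage) {
  const findings = [];
  for (let i = 0; i < storage.length; i++) {
    const key = storage.key(i);
    const reason = classifyValue(String(storage.getItem(key)));
    if (reason) findings.push({ key, reason });
  }
  return findings;
}

// Minimal in-memory stand-in for localStorage so the example runs under Node.
function makeMockStorage(obj) {
  const keys = Object.keys(obj);
  return {
    get length() { return keys.length; },
    key: (i) => keys[i],
    getItem: (k) => (k in obj ? obj[k] : null),
  };
}

// Constructed sample data: two ordinary preferences and two identifier-like values.
const sample = makeMockStorage({
  theme: 'dark', tracking: '3f2b8c1e-9a4d-4e6f-b1c2-7d8e9f0a1b2c',
  lastVisit: '2010-12-20', uid: '9f86d081884c7d659a2feaa0c55ad015',
});
console.log(auditStorage(sample));
```

In a browser console, `auditStorage(localStorage)` and `auditStorage(sessionStorage)` run the same check against the current origin's real storage.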

Kurt Seifried
Kurt Seifried is an Information Security Consultant specializing in Linux and networks since 1996. He often wonders how it is that technology works on a large scale but often fails on a small scale.

HTTP header, which is sent back to the client (which can contain cookies, weird caching values, etc.) and could include the WebSocket reply data needed by the client. The second problem is simply that a client can make a lot of WebSocket requests (i.e., several thousand per second), turning this into a great denial-of-service platform [3]. With this approach, you simply get people to visit a web page that you control and, as long as that page is open, the browser will hammer away at whatever site you want taken down.

Alternatively, this feature can be used for port scanning. Because the WebSocket interface takes a variable amount of time to return, depending on whether the connection fails, connects, or is refused, you can determine the port status. An example of such a scanning tool is JS-Recon [4], which you can use to port scan your local machine or your local network or to discover the private IP address of the system. Note that determining the network address of a user is made easier by the fact that most of us are behind NAT boxes using 192.168.*.* (the default for virtually all home routers) or 10.*.*.* (almost no one uses 172.16.0.0 through 172.31.255.255). Simply scanning 192.168.*.1 and 192.168.*.254 will give you a very good chance of finding the router used to provide network access.

To top it off, one security vulnerability in WebSocket allows attackers to attack web-based proxies or transparent intercepting proxies because many of them don't fully understand how to handle WebSocket connections [5] yet. By poisoning the cache of a web proxy for an item such as http://www.google-analytics.com/ga.js, an attacker can send malicious code to any victim accessing a website that uses Google Analytics.
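Two of the problems described above, handshakes that originate from a third-party page and a single browser opening thousands of connections per second, can be checked on the server before it replies to the upgrade request. The JavaScript below is an added example, not code from the original paper; the allowlist, the limits and the function names are assumptions, and the traffic in demo() is constructed.

```javascript
// Added example (not from the paper): checks applied to a WebSocket upgrade
// request before the server replies. All constants below are assumed values.
const ALLOWED_ORIGINS = new Set(['https://app.example.com']);
const MAX_UPGRADES = 5;   // handshakes allowed per client IP per window
const WINDOW_MS = 1000;

function createHandshakeGuard() {
  const recent = new Map();          // client IP -> recent handshake timestamps
  const rejectedOrigins = new Map(); // Origin value -> rejected handshake count

  // headers: object with lower-cased header names, as Node's http module gives.
  function check(clientIp, headers, nowMs) {
    if ((headers['upgrade'] || '').toLowerCase() !== 'websocket') {
      return { ok: false, reason: 'not-websocket' };
    }
    // Browsers send Origin on WebSocket handshakes and page script cannot
    // override it, so a flood driven by a third-party page shows up here.
    const origin = headers['origin'] || '(none)';
    if (!ALLOWED_ORIGINS.has(origin)) {
      rejectedOrigins.set(origin, (rejectedOrigins.get(origin) || 0) + 1);
      return { ok: false, reason: 'origin-rejected' };
    }
    // Sliding window: keep only timestamps newer than WINDOW_MS, then count.
    const times = (recent.get(clientIp) || []).filter((t) => nowMs - t < WINDOW_MS);
    const allowed = times.length < MAX_UPGRADES;
    if (allowed) times.push(nowMs);
    recent.set(clientIp, times);
    return allowed ? { ok: true, reason: 'accepted' } : { ok: false, reason: 'rate-limited' };
  }

  // Origins ranked by rejected handshakes, for alerting on a hostile page.
  function topRejectedOrigins() {
    return [...rejectedOrigins.entries()].sort((a, b) => b[1] - a[1]);
  }
  return { check, topRejectedOrigins };
}

// Constructed traffic: a foreign page's handshakes, then a burst from one client.
function demo() {
  const guard = createHandshakeGuard();
  const results = [];
  const foreign = { upgrade: 'websocket', origin: 'http://other.example' };
  const own = { upgrade: 'WebSocket', origin: 'https://app.example.com' };
  for (let i = 0; i < 3; i++) results.push(guard.check('203.0.113.7', foreign, i).reason);
  for (let i = 0; i < 7; i++) results.push(guard.check('198.51.100.9', own, 10 + i).reason);
  return { results, top: guard.topRejectedOrigins() };
}
```

Requests without an Origin header are rejected here; a deployment that also serves non-browser clients would need a separate path for them.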

WebSocket
WebSocket is a new proposal under HTML5 to provide full-duplex, bi-directional client-server interaction over a single TCP connection. Making WebSocket safe for use has been attempted by requiring the

Web Workers
There are a number of bottlenecks preventing interesting applications from being ported (say, from server-heavy implementations) to client-side JavaScript. Some of these include browser compatibility, static typing, accessibility, and performance. Fortunately, the latter is quickly becoming a thing of the past as browser vendors rapidly improve the speed of their JavaScript engines. With the use of Web Workers, you can now create and destroy threads and split up the work among them. Thus, programs can be split into modules and run for a very long time and can also take advantage of multi-core processors (which is basically everything except mobile phones, but dual-core mobile phones are coming). Ultimately, this means that web-based JavaScript applications will be able to behave more like traditional applications. Previously, most JavaScript programs online were not very big and did not run for long periods. Now I have a web browser open with Gmail in a tab for days at a time. The latest figure I can find lists Gmail as 443,000 lines of custom JavaScript.

One thing that's remained a hindrance for JavaScript is actually the language itself. JavaScript is a single-threaded environment, meaning multiple scripts cannot run at the same time. As an example, imagine a site that needs to handle UI events, query and process large amounts of API data, and manipulate the DOM. Pretty common, right? Unfortunately all of that can't be simultaneous due to limitations in browsers' JavaScript runtime. Script execution happens within a single thread. Although JavaScript is slow compared with well-written C or C++ code, it can still generate a huge number of requests on even a low-end machine, turning the system into an effective denial-of-service platform. All the attacker needs to do is keep you on their web page, which is not hard to do with forum discussion sites or online games.

makes this easier? Of course. The new history.pushState() function allows the URL in the history to be modified. Unfortunately, it will also work on the current URL, thereby allowing an attacker to rewrite the address bar, which is again something most browsers have been attempting to prevent for years [6].

Work as Payment
The ability to execute long-running processes and make requests to arbitrary websites leads to an interesting possibility: compute time as a micropayment system. However, all of the use cases I can think of essentially involve spam or some other unwanted activity, such as denial-of-service attacks against sites. One example of this is d0z.me [7], a URL-shortening service. You simply type in the URL you want shortened (as usual) and the URL you want to attack. When a user clicks on the d0z.me URL, the program redirects the user to the long URL. However, it will embed the site within an IFRAME, while another IFRAME constantly reloads the site that's being attacked. This approach, combined with social network sites like Reddit, could easily result in a few hundred or thousand people attacking a site.

One Last Kick at HTML


Because most sites are getting better at dealing with distributed denial-of-service attacks, attackers will need to invest more time in creating more involved attacks. Instead of simply sending a request for the front page, for example, they can fill out a contact form and hit submit, thereby flooding the support account or the sales account with junk. HTML5 offers a drag-and-drop interface. This, combined with interactive content, such as a game, could allow the attacker to get clients to fill out the form (in the background, of course) and submit it repeatedly.

Easy XSS history.pushState()


history.pushState() was introduced in HTML5 and it's meant for modifying history entries. By using pushState() we're allowed to alter the visible URL in the address bar without reloading the document itself. The harmful part is that we can conceal the real location and replace it with anything we want. Although the hostname can't be replaced, we can completely change the pathname. A lot of these attacks work much better when combined with XSS attacks (injecting hostile content into trusted websites), so is there a new HTML5 component that

Conclusion
Web 2.0 and Web 3.0 are two buzz words that we feel are overused and misunderstood in our industry.

There is no mystery to Web 2.0 or Web 3.0. It is simply the development of technology and website functionality that has emerged and will continue to grow and develop as a result of the increased penetration in Broadband usage. Impact Web Development combines your website's design with both usability and functionality. We use the latest best-coding practices to provide secure systems to meet all your needs and make your site dynamic to keep your clients on it longer. From Powerpointesque transitions, to having content appear and disappear as the user makes choices, to intelligently determining which form fields aren't needed and having them disappear, our 21st century websites and their Web 2.0 designs are sure to make your client's web experiences pleasant and entertaining.

Some Internet experts believe the next generation of the Web -- Web 3.0 -- will make tasks like your search for movies and food faster and easier. Instead of multiple searches, you might type a complex sentence or two in your Web 3.0 browser, and the Web will do the rest. In our example, you could type "I want to see a funny movie and then eat at a good Mexican restaurant. What are my options?" The Web 3.0 browser will analyze your response, search the Internet for all possible answers, and then organize the results for you.

As usual, the guys developing new web technologies didn't give much thought to security problems, which is bad if you're a regular user, but great if you're a bad guy [8] [9] or you can do cool things with HTML5 (like building a distributed password cracker) [10].

References
[1] Evercookie: http://samy.pl/evercookie/
[2] Nevercookie: http://www.anonymizer.com/learningcenter/#lc_labs
[3] Performing DDoS Attacks with HTML5: http://blog.andlabs.org/2010/12/performingddosattackswithhtml5.html
[4] JS-Recon port scanner: http://www.andlabs.org/tools/jsrecon.html
[5] WebSocket: https://developer.mozilla.org/en/WebSockets
[6] History.pushState(): http://samuli.hakoniemi.net/howtoconcealxssinjectioninhtml5/
[7] D0z.me: http://it.slashdot.org/story/10/12/20/2248219/D0zmemdashtheEvilURLShortener
[8] Attacking with HTML5: http://www.slideshare.net/clubhack/attackingwithhtml5lavakumar
[9] HTML5 Security Cheatsheet Project: http://code.google.com/p/html5security/
[10] Douglas Crockford on JavaScript and HTML5: http://www.webmonkey.com/2010/05/douglas
