
Chapter 6

Web Browser & Client Security


Chapter - 3 Whistleblower

Dr Rudi Rusdiah
T1005
Saturday, 1 April 2017
Web Browser & Client Security
The Internet started as an enabler of academic information exchange.
Web browser areas of concern: Privacy & Security (Confidentiality, Integrity & Availability), and Disclosure.
Inadvertent disclosure: a security breakdown in confidentiality on the Web server.
Privacy violation: disclosure of personal information.
The convenience & productivity of Web browsers lead users to provide info to strangers.
Web 1.0 Web browser functions:
1. Render HTML code & download image files. Most of the risk is in input & buffering vulnerabilities on the Web server.
2. Run Common Gateway Interface (CGI) scripts on the Web server.
3. Run scripts (JavaScript or Visual Basic Script (VBScript)) in the Web browser.
4. Run executables (Java & ActiveX) on the Web browser host.
5. Launch various plugins: audio players, movie players.
Tight integration between the Web browser & the O/S: MS Internet Explorer also has the most security risk; MS has emphasised convenience over security.
Don't use the out-of-the-box config. It should be reconfigured for enhanced security.
Convenient = Popular = Productive: this becomes the prime target of hackers.
More critical & sensitive work & apps (banking, credit card, purchase & shipping data) are of interest to attackers.
Hackers will focus on the most popular software, the largest source of potential targets.
Web Browser (WB) & Client Security
Early WBs were vulnerable. WBs have evolved to include customized apps, each a security threat.
Web browser features are convenient & productive but more vulnerable & not secured; they must be customized for more security. Most users are not familiar with this, so it is done by the sysadmin.
Web Browser Risks:
1. Web Server (WS) not secure: limit user entry & the data transmitted to the WS & database.
2. Browser runs malcode => scripts or executables.
3. Attacker eavesdrops on network traffic, thus SSL (Secure Socket Layer) must be used to encrypt transmitted data.
4. Attacker employs a Man-in-the-Middle attack against sessionless Web-based apps: hijacking & replay (phishing). Session hijacking = traffic between browser & server is observed & captured by a network sniffer. The hijacker then modifies the captured traffic to allow the middleman to take the place of the client. In a replay attack some aspect of the session may be modified, e.g. a bank fund transfer. The modified session is then fed back onto the network; as a result the Web server is fooled into treating the replayed transaction as a legitimate action by an authorized user: a security problem.
Issues that work against the attacker and reduce user risk:
1. The attacker cannot choose the time & place; the user may contact the server at a random time.
2. The attacker does not know the victims.
3. Browsers vary (Firefox, Netscape, or Internet Explorer).
How the Web Browser (WB) & Web Server (WS) work
HTTP (Hyper Text Transfer Protocol) is an application layer protocol enabling the WB to request Web pages from the WS. The WS responds with:
- HTML (HyperText Markup Language) code: interpreted by the WB to display in various forms & orientations. The code is a placeholder for scripts, links to images or executables interpreted by the WB.
- Images: the WB interprets a link in a downloaded page & sends a request to the WS. The image is returned in a file format & the WB renders the file type (gif, jpeg, jpg, bmp, tiff).
- Scripts embedded in the HTML code: the WB extracts the script & runs it (Java, Perl, Visual Basic Script).
- Executables (Exec): the WB downloads the Exec; this is a security risk because the Web server is managed by strangers to the WB user.
- HTTP is a stateless protocol: each WB request & WS response is carried in a separate TCP connection. WS & WB work in concert to give the user a feel of continuity during a session.
- Session = the whole series of transactions (requests & responses) that are tied together in the user's response.
[Figure: the WB (Web Browser) sends an HTTP command to the WS (Web Server); the WS returns HTML code.]
Cookies
A cookie is an information storage device (ASCII) created by a Web site (server) on the local system, about the user visiting the site. When a new request is made, the server can ask the browser to check if it has any cookies, & the browser passes them to the server.
The content of cookies is under the control of the WS & contains a profile of your present & past surfing habits. E.g. when a user fills in a form with name & email address, the info is sent to the WS & also stored in the cookie for future use.
Persistent cookies survive reboot & last for a fairly long period in cookies.txt, which can be edited by the sysadmin and may contain sensitive data. If in the future the PC is compromised, an attacker can use this sensitive data. Because cookies can be modified, they can be used in hijacking or replay attacks. The others are non-persistent cookies.
Originally cookies tracked users during their session on a Web site, to retain info about the user between visits.
However, long-lived persistent cookies building up on a user's PC can comprise a detailed history of the user's activity on the Internet. Some marketing companies have attempted to exploit user behavior by tracking & capturing these cookies.
Cookies store:
- Session ID, to maintain state or carry authorization info
- Time & date the cookie was issued
- Expiration time & date
- IP address of the browser the cookie was issued to (to test the authenticity of the request)
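The four fields listed above can be bound together so that a captured cookie cannot be altered or presented from another host without detection. The following is an added example, not code from the original slides; it assumes a server-side secret (a constructed value here) and constructed IP addresses and times, and uses an HMAC to keep the fields tamper-evident:

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Assumption: a secret known only to the server. A fixed, constructed value is
# used here so the example is reproducible; a real server would generate it.
SERVER_SECRET = b"constructed-server-secret-not-for-production"
SESSION_LIFETIME = 15 * 60  # seconds a session cookie stays valid


def _mac(payload: str) -> str:
    """HMAC-SHA256 over the cookie fields: the browser cannot change a field
    (session ID, issue time, expiry, IP) without invalidating the MAC."""
    return hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_session_cookie(client_ip: str, now: Optional[float] = None) -> str:
    """Build the cookie value: session id | issued | expires | issuing IP | MAC."""
    issued = int(time.time() if now is None else now)
    session_id = secrets.token_hex(16)  # unpredictable session ID
    payload = f"{session_id}|{issued}|{issued + SESSION_LIFETIME}|{client_ip}"
    return f"{payload}|{_mac(payload)}"


def validate_session_cookie(cookie: str, client_ip: str,
                            now: Optional[float] = None) -> str:
    """Return 'ok' or the reason the presented cookie is refused."""
    payload, sep, mac = cookie.rpartition("|")
    if not sep or not hmac.compare_digest(_mac(payload), mac):
        return "tampered"      # forged cookie, or a captured one with edited fields
    _session_id, _issued, expires, issued_to = payload.split("|")
    current = time.time() if now is None else now
    if current > int(expires):
        return "expired"       # an old capture replayed after its lifetime
    if issued_to != client_ip:
        return "ip-mismatch"   # presented from another host: likely hijacked
    return "ok"


if __name__ == "__main__":
    cookie = issue_session_cookie("203.0.113.5", now=1000)
    print(validate_session_cookie(cookie, "203.0.113.5", now=1500))   # ok
    print(validate_session_cookie(cookie, "198.51.100.9", now=1500))  # ip-mismatch
```

The IP binding is the authenticity test the slide describes; clients behind NAT or on mobile networks do change address, so a real deployment would treat a mismatch as a trigger to re-authenticate rather than as proof of hijacking.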
Caching (History of sites visited)
When you access a Web site, the browser may save pages & images in a cache (on the PC hard drive as HTML files & image files), improving speed when a page must be rendered again. The user can reload the pages without the need to be on the Net. This can be a privacy concern, because if the PC is compromised the attacker can learn the details of the user's browsing.
Maintaining State
For sensitive data, Web-based apps have 3 major security issues to address in design & development:
- Initial authentication, usually done with user name & password. As long as the password is strong & the network is encrypted, the initial authentication is secure.
- Confidentiality of data, usually done with encryption.
- Continuing authentication of users over an extended session (Maintaining State): no need to re-enter the password.
Maintaining state means:
- Remember user-specified info (no need to input it twice) from one page to the next.
- Remember decisions the user has made, e.g. the user's preference for the low price.
- Remember intermediate results, e.g. the shopping cart, until the user is ready to check out & purchase the items.
- Remember where the Web site and the user are in a conversation. As users navigate a site, the WS needs to know where they are & how they got to that site (landing page).
- E.g. a Web site may require a password for authentication. The server needs to know if a user has been successfully authenticated during the session before allowing access to a page.
HTTP is session-less; the WS does not carry an authentication forward to the next page. 3 common means of continuing authorization (carrying session data forward):
- GET lines: the Universal Resource Locator (URL) holds the data, e.g. http://search.yahoo.com/search?p=linux
- POST data: sends info from the browser to the Web server. Can use SSL encryption. This session data remains hidden but it is possible to replay the session; it can be seen with a network sniffer.
- Cookies.
Secure Socket Layer (SSL) protocol 1/3
(HTML pages & images are saved in the cache, so the user can reload & view pages offline from the local drive.)
The SSL protocol provides encryption of HTTP transactions & traffic between Web browser & server, using public key encryption to exchange a symmetrical key between client & server. Each transaction uses a different key: if the encryption of one transaction is broken, the other transactions are still protected.
Benefits of encrypted Web communication:
- Communication over a non-secure network: reduces Man-in-the-Middle attacks.
- Integrity of the data transmitted is maintained.
- Confidentiality of the data being transmitted is ensured.
- Web site authentication can be enhanced (encryption keys & certificates provide assurance that the browser is communicating with the proper Web site).
Netscape introduced the SSLv2 protocol in 1995, e.g. for e-commerce.
SSL is a low-level encryption scheme used to encrypt transactions in higher-level protocols such as HTTP, Network News Transfer Protocol (NNTP), FTP.
To pass encrypted data, the 2 parties must exchange a common (symmetric) key using a certificate & a handshake (see next slide, Figure 6.2):
1. The browser client requests a certificate from the server. A certificate = a set of fields & values encrypted in a small block of ASCII text; encrypted for integrity & to avoid tampering.
2. The server provides a certificate from a trusted CA (Certificate Authority), e.g. Microsoft.
Secure Socket Layer (SSL) protocol 2/3
3. The client (CB) receives the certificate & checks whether it comes from a reliable CA. CB then sends a challenge to the WS to ensure the WS has the private key (PrivK) matching the certificate's public key (PubK), to prevent phishing. This challenge carries the symmetrical key (SymK) to be used to encrypt the SSL traffic; only the owner (possessor) of PrivK is able to decrypt the challenge.
4. The WS responds to the challenge with a short message encrypted with SymK. CB is now assured it is communicating with a trusted party & that the WS has SymK.
[Figure 6.2: the CA (Certificate Authority) issues the certificate holding the WS public key (PubK); the Web Browser (CB) and Web Server (WS) exchange the certificate, the challenge and the response.]
5. Both CB & WS now share a common SymK that nobody else has, so communication is secured.
6. Now any GET or POST sent by the browser can be encrypted with SymK; the WS uses the same SymK to decrypt the traffic. Any response from the server is encrypted & CB can decrypt it.
Note: the SSL handshake authenticates the WS to the CB & not vice versa. This leaves SSL still susceptible to a Man in the Middle (MitM) attack, & the WS does not know about the MitM.
Secure Socket Layer (SSL) protocol 3/3
A properly configured WB will warn the user of a certificate problem in the following cases:
1. The certificate was not signed by a recognized CA. Public domain s/w can help create a fake rogue CA & illegitimate certificates.
2. The certificate is currently invalid or has expired. A legitimate WS will keep its certificate up to date (or it may have been stolen by a third party).
3. The common name on the certificate does not match the WS domain name.
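An added example, not from the original slides, of the three checks a properly configured browser applies before trusting a certificate. The CA names, dates and host names are constructed, and the certificate is modelled as a dictionary of the fields the checks need:

```python
from datetime import datetime

# Constructed trust store: the CA names this browser recognises (hypothetical).
TRUSTED_CAS = {"Example Root CA", "Example Secure Server CA"}

# Constructed sample certificate, reduced to the fields the checks need.
SAMPLE_CERT = {
    "issuer": "Example Secure Server CA",
    "common_name": "www.example.com",
    "not_before": "2017-01-01",
    "not_after": "2018-01-01",
}


def _date(value: str) -> datetime:
    """Parse the YYYY-MM-DD dates used in the constructed certificates."""
    return datetime.fromisoformat(value)


def name_matches(cert_name: str, hostname: str) -> bool:
    """Compare the certificate's common name with the requested host name.
    A single leading wildcard label (*.example.com) covers exactly one label,
    so it matches www.example.com but not example.com or a.b.example.com."""
    cert_name, hostname = cert_name.lower(), hostname.lower()
    if cert_name.startswith("*."):
        labels = hostname.split(".")
        return len(labels) > 2 and ".".join(labels[1:]) == cert_name[2:]
    return cert_name == hostname


def certificate_warnings(cert: dict, hostname: str, today: str) -> list:
    """Return the warnings a browser should raise; an empty list means accept."""
    warnings = []
    if cert["issuer"] not in TRUSTED_CAS:
        warnings.append("not signed by a recognized CA")
    if _date(today) < _date(cert["not_before"]):
        warnings.append("certificate is not yet valid")
    if _date(today) > _date(cert["not_after"]):
        warnings.append("certificate has expired")
    if not name_matches(cert["common_name"], hostname):
        warnings.append("common name does not match the server domain name")
    return warnings


if __name__ == "__main__":
    print(certificate_warnings(SAMPLE_CERT, "www.example.com", "2017-04-01"))  # []
    print(certificate_warnings(dict(SAMPLE_CERT, issuer="Rogue CA"),
                               "login.example.net", "2019-04-01"))
```

Real browsers additionally validate the whole chain up to a trusted root and compare the Subject Alternative Name entries, not only the common name; the three conditions coded here are the ones the slide lists.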

SSL FAQ (Netscape): the throughput (hits/sec) of an SSL-enabled server is 20% of that of an unencrypted server. The greatest performance hit occurs when the server & client exchange the handshake.
Web Browser Attack
Hijacking: a MitM attack in which the attacker takes over the HTTP session using a network sniffer. The attacker modifies the captured traffic to impersonate the client. All future traffic is now channeled between the Web server & the attacker. After the legitimate CB has authenticated to the WS, the attacker has no need to re-authenticate. The hijacker exploits a weak method of maintaining state.
Replay: a MitM attack in which sent data is repeated (replayed), leading to various results, after the HTTP session has been captured by a network sniffer.
Web Browser Attack
Spread of malcode (virus, worm, back door) via embedded scripts.
Running dangerous executables on the host by the browser.
Accessing host files: sensitive personal data, credit card/banking data, passwords.
Theft of private information: social engineering attack.
Browser parasites: programs that change settings in the CB, such as:
- A browser plugin (parasite) adds a new button or link add-on. If the user clicks it, sensitive info may be sent to the plugin's owner.
- A parasite changes the user's start or search page to a pay-per-click site that earns $ from clicks.
- A parasite transmits the names of all the sites the user visits to the owner of the parasite.
Spyware: a macro program from France, W97M-SPY.A; if installed it hides & stays resident in the background. It steals email addresses from the user's contact list and emails them to the hacker.
It can be manually removed by editing the registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
and deleting the value Spy = %winsysdir%\Spy.vbs
Then delete the files: W97M_Spy.A & VBS_SPY.A
======
Netscape: 40-bit encryption (one tooth on the key icon) or 128-bit encryption (two teeth).
VISA Tips: Securing the Network Environment
The detailed description of the Visa Cardholder Information Security Program (CISP) can be found at: http://usa.visa.com/business/merchants/cisp_index.html

The program has these recommendations:
Install and maintain a working firewall to protect data.
Keep security patches up-to-date.
Protect stored data.
Encrypt data sent across public networks.
Use and regularly update antivirus software.
Restrict access on a need-to-know basis.
Assign a unique ID to each person with computer access.
Don't use vendor-supplied defaults for passwords and security parameters.
Track all access to data by unique ID.
Regularly test security systems and processes.
Implement and maintain an information security policy.
Restrict physical access to data.
Using a Secure Proxy
A proxy server provides a secure gateway for protocols. All Web browsing traffic destined for the Internet must pass through the Web proxy. The advantages are as follows:
- Some security features move from the browser to the Web proxy. It is easier for the network admin to manage a proxy than hundreds of individual browsers.
- The security features of the proxy work for all versions of browsers. Suppose the security admin wants to implement a security control such as blocking all ActiveX. It is easier on a single proxy than controlling every different browser version.
- The proxy improves Web-browsing performance by caching frequently used sites.
- Proxies are useful with children, to restrict sites & prevent private data leakage.

Avoid using private data on a system outside the user's control or in the public sphere (Internet / Web site); there is a risk of that data being compromised. E.g. a Web site organization must do the following:
- Develop safe Web-based applications.
- Properly configure and maintain database security.
- Harden the Web server's host. Protect all log files on the WS; don't leave logs open.
- Secure the network on which the Web server resides.
- Establish policies and procedures for handling sensitive data.
- Hire responsible people and provide them adequate training.
Web Browser Config
Cookie tips: configure the Web browser to mitigate the risk of privacy loss due to cookies, as follows:
- Turn off all cookies. Very few Web sites will fail if cookies are disabled completely.
- Limit the Web sites that can set cookies. The browser can be set to ask the user if any particular cookie should be accepted.
- Only return cookies to the originating domain's Web server. The browser can refuse to send these cookies back to any other Web site.
- Force all cookies to be non-persistent. Non-persistent cookies are deleted after they are no longer needed.
- Clean out persistent cookies. Periodically, go into the browser settings and delete any persistent cookies.
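An added example, not from the original slides, that implements the five tips above as a simple browser-side cookie policy; the site names and Set-Cookie headers are constructed, and the header parser is deliberately minimal:

```python
from urllib.parse import urlparse


def parse_set_cookie(header: str) -> dict:
    """Minimal parser for 'name=value; Attr=val; ...' (constructed, not RFC-complete).
    A cookie is persistent when the server gave it an Expires or Max-Age attribute."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {p.partition("=")[0].lower() for p in parts[1:]}
    return {"name": name, "value": value,
            "persistent": bool(attrs & {"expires", "max-age"})}


class CookiePolicy:
    """Browser-side cookie handling following the five tips above."""

    def __init__(self, accept_cookies=True, allowed_sites=None,
                 force_nonpersistent=False):
        self.accept_cookies = accept_cookies            # tip 1: False turns cookies off
        self.allowed_sites = allowed_sites              # tip 2: None = any site may set
        self.force_nonpersistent = force_nonpersistent  # tip 4
        self.jar = []

    def store(self, response_url: str, set_cookie: str) -> bool:
        """Decide whether a Set-Cookie from response_url is kept; True if stored."""
        host = urlparse(response_url).hostname
        if not self.accept_cookies:
            return False
        if self.allowed_sites is not None and host not in self.allowed_sites:
            return False
        cookie = parse_set_cookie(set_cookie)
        cookie["domain"] = host                  # remember who set it (used by tip 3)
        if self.force_nonpersistent:
            cookie["persistent"] = False         # dropped at the end of the session
        self.jar.append(cookie)
        return True

    def cookies_for(self, request_url: str) -> str:
        """Cookie header for a request: only cookies set by that same host (tip 3)."""
        host = urlparse(request_url).hostname
        return "; ".join(f"{c['name']}={c['value']}"
                         for c in self.jar if c["domain"] == host)

    def clean_persistent(self) -> int:
        """Tip 5: delete persistent cookies; returns how many were removed."""
        before = len(self.jar)
        self.jar = [c for c in self.jar if not c["persistent"]]
        return before - len(self.jar)
```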
PLUGINS: JAVASCRIPT & ACTIVEX 1/2
Java, JavaScript & ActiveX controls are used in Web sites to make browsing convenient & powerful. However, convenience vs. security risk: Java & ActiveX are executable code that is downloaded & run; JavaScript is a scripting language.
ActiveX is more dangerous than Java/JavaScript. ActiveX can make system calls that affect files on your H/D. ActiveX controls can create new files or overwrite existing files.
Differences between Java & JavaScript:
Java is a language by Sun Microsystems; executable Java code is compiled into apps or Java applets. Browsers will download compiled Java applets & execute them.
JavaScript (JScript) is a series of extensions to the HTML language designed by Netscape Corp. JavaScript is an interpreted language that executes commands on behalf of the browser. The scripts are able to open & close windows, manipulate form elements, adjust browser settings, & download & execute Java applets.
ActiveX: Microsoft's means of distributing SW on the Internet. ActiveX controls are for Internet Explorer (MS IE). ActiveX is distributed as executable binaries, compiled for each target machine & O/S. ActiveX is a security risk because the browser does not restrict what ActiveX can do. To mitigate the risk of ActiveX plugins, each control can be digitally signed. Digital signatures can be certified by a trusted certifying authority, e.g. VeriSign. The user does not know if the ActiveX code is safe to execute; rather, the user must be assured of who is providing the code. In the end, the user allows the signing organization to do anything they want & trusts that the organization will act responsibly.
PLUGINS: JAVASCRIPT & ACTIVEX 2/2
If the browser encounters an ActiveX control that hasn't been signed, the browser presents a dialog box warning the user that this action may not be safe. If the user accepts the ActiveX control they put their entire PC at risk. Few users who accept an unsigned control appreciate the risk involved. Digital signatures on ActiveX controls are of little protection to an unsophisticated user.

The following steps will disable ActiveX controls in Internet Explorer:
1. From the menu bar select View > Internet Options.
2. In the pop-up window, select the Security tab.
3. In the pull-down list of options, select Internet Zone.
4. Select the Custom security level check box.
5. Click the Settings button.
6. Scroll down to the ActiveX and Plug-ins section. Select Disable.
7. Click the OK button to close out of the window.
PLUGINS: JAVA
Several security features are built into Java. When running as applets, Java code is restricted in what it is allowed to do by the security manager object. The following security features are part of the Java design:
- The security manager does not allow applets to execute arbitrary system commands, to load system libraries, or to open system device drivers such as disk drives.
- Applets are limited to reading & writing files in a user-designated directory.
- Applets are limited in the network connections they can make: an applet is only allowed to make a network connection back to the server it was downloaded from.
  A security hole here involves Java's trusting use of the Domain Name System (DNS) to confirm that it is allowed to contact a particular host. A malfeasant using his own DNS server can create a bogus DNS entry to fool the Java system into thinking that an applet is allowed to talk to a host that it is not authorized to contact.
- The security manager allows Java applets either to read and write to the network or to read & write to the local disk, but not both. This limitation reduces the risk of an applet spying on the user's private documents & transmitting the information back to the server.
To disable Java applets in Netscape:
1. From the menu bar select Edit > Preferences.
2. Select the Advanced tab from the options at the left.
3. Deselect the check box Enable Java.
4. Click the OK button at the bottom of the dialog window.
The END
