Friday, December 7, 2012

Client and Server Side Threats in Era of Web 2.0/HTML5

Client Side Software Threats

In the beginning of the evolution client side components were very thin and they were designed to render simple HTML pages but over years demand for better interaction started to drive browser development. In current state browsers are running with thick JavaScript engine, Ajax support, Flash & Silverlight plugins etc. At the same time heavy demand for cross domain interaction of application is required as well and cocktail of rich client running with cross domain access is perfect mix for next generation attacks targeted to end user’s identity. Here is a list of few evolving threats and risks.
 Cross Site Scripting (XSS) & Cross Site Request Forgery (CSRF)  - Cross site scripting is one of the dangerous attack vectors for traditional as well as Web 2.0 applications. An attacker can inject a malicious script at the browser end and its execution can compromise the client’s identity. We have already witnessed several different worms and viruses leveraging XSS to exploit browsers and application layer.
CSRF is another client side attacking vector, if application running on server side accepts incoming request without checking HTTP referrer or its intent then it is possible for an attacker to force browser to generate HTTP request without end client’s consent. This attack vector can prove lethal and end up compromising end user’s identity.
 Cross domain attacks & client side controls - Browsers are not supporting cross domain calls from Ajax as such. At the same time there are various cross domain calls are blocked in the browser security model which is based on same origin policies (SOP). But in this new application era where Web Services are emerging as driving force lot of applications are providing callback mechanisms for their services. Malicious code execution in the browser in this cross domain framework can lead to security crisis in browser security model.
Thick browser side components are using various different security controls to guard application layer. These client side components are designed to protect browser for malicious attacks or validating outgoing content from browser to web server. These controls can be bypassed by well-crafted attacks and bypassing validations can lead to expansion of attack surface.
De-compilation attacks & Framework issues – Applications may be using some of the components which can be decompiled like Flash, ActiveX, Applet or Ajax Scripts. An attacker can decompile the code and obtain internal information. This de-compilation process can lead to sensitive information and logic.
There are several different frameworks and toolkit out there which are providing extra support for applications for Ajax and Flash. These frameworks are having their own security concerns and issues. Framework running with publicly known vulnerabilities can make application insecure and these holes can be leveraged by attackers. Ajax frameworks like Dojo, Prototype, GWT etc. are few examples. Some of these frameworks are loaded on both client and server ends and vulnerability can lead to severe impact on application.
These are few important issues on client side. There are some other interesting areas like business logic disclosure, HTTP response splitting, local privacy issues, Intranet scanning, DOM content stealing, Widget injections, state bypass with Ajax, secret disclosure and DNS pinning. Above threats can compromise client side of components and access to browser’s sensitive information. At the same time we are seeing rise on server side of vectors as well.

Server Side Software Threats

Over the evolution, there are several new technologies and components are added on application or web servers along with technologies and user defined code. Poorly written source code or misconfigured deployment environment opens up several security aspects on security. It is interesting to see that these opening are not just compromising the application only but can create hazard for entire network. Following are some higher level threats.
Traditional application resources – Application resources like Active Server Pages or Java Server pages can be one of the powerful attack points with both traditional as well as Web 2.0 applications sine these resources may contain vulnerability. These traditional pages can be programmed in such a way that they can support various different structures like Name-Value pairs, JSON or XML. Hence, it is possible to manipulate name-value pairs and various other structures to locate possible vulnerabilities.
Web Services resources or SOA components – Web 2.0 application contain Web Services running on the server to support various XML driven services like SOAP, REST or XML-RPC. These resources are very separate and with specific entry points. These resources are one of the targets for abuse and one can launch set of attacks against them.
Networked resources – Next generation applications are running with Internet as platform so one application is linked with another application with bridge. An attacker can identify this bridge and launch attack through another site to abuse functionality. Since bridge is trusted it may be running with lower security controls and can be compromised easily.
Here is the list of server side application attack vectors in various groups;
Authentication - Bruteforce and Authentication logic
Authorization – Predictable, Client side exposure, Extra header injections and Secret paths
Malicious payload injections - SQL injections, LDAP injections, XPATH injections, OS command injection, File system access injection, large buffer injection and Integer overflow
 Application layer logic hacks - Denial of Services, Uploading content, Client side code exposure
 Session based attacks - Sniffing, Session cleaning and Predictable session.
Confidential information leakage - WSDL leaks, Error leaks, Directory indexing, Backup files, Ajax errors, DHTML code, XML-RPC forcing, SOAP faults
 Logging and Auditing – DoS, Logging bypass, Poor auditing
Next generation applications will need better security against new technologies and associated threats. We have seen evolution and possible threats in this blog entry, this is just a scratch on the surface. Attackers are evolving their techniques and exploiting whatever little opening they get on the surface. Objective for us is to how we can protect our applications against it.