The growth of the Web and user demands for more features have spurred the creation of a new set of vulnerabilities that must be evaluated and managed. Increasingly, web browsers and other web-enabled technologies allow servers to send instructions to the client to provide multi-media and other capabilities. This is creating a problem for security professionals because these protocols offer potential weaknesses.
This section discusses the more common web-based applications such as JavaScript and applets and the vulnerabilities you should be aware of. These vulnerabilities can include malicious code, viruses, and exploitations.
JavaScript
JavaScript is a programming language that allows access to system resources of the system running a script. A JavaScript script is a self-contained program that can be run as an executable file in many environments. These scripts can interface with all aspects of an operating system just like programming languages, such as the C language. This means that JavaScript scripts, when executed, can potentially damage systems or be used to send information to unauthorized persons. JavaScript scripts can be downloaded from a website and executed.
Java Applets
A Java applet is a small, self-contained Java script that is downloaded from a server to a client and then run from the browser. The client browser must have the ability to run Java applets in a virtual machine on the client. Java applets are used extensively in web servers today, and they’re becoming one of the most popular tools used for website development.
Java-enabled applications can accept programmed instructions (Java scripts) from a server and control certain aspects of the client environment. Java requires you to download a virtual machine in order to run the Java applications or applets. Java scripts run on the client.
The applets run in a restricted area of memory called the sandbox. The sandbox limits the applet’s access to user areas and system resources. An applet that runs in the sandbox is considered safe, meaning it won’t attempt to gain access to sensitive system areas. Errors in the Java virtual machine that runs in the applications may allow some applets to run outside of the sandbox. When this occurs, the applet is unsafe and may perform malicious operations.
Attackers on client systems have exploited this weakness. From a user’s standpoint, the best defense is to make certain you only run applets from reputable sites you’re familiar with. From an administrator’s standpoint, you should make certain programmers adhere to programming guidelines when creating the applets.
Signed Applets
Signed applets are similar to Java applets, with one key difference: A signed applet doesn’t run in the Java sandbox, and it has higher system access capabilities. Signed applets aren’t usually downloaded from the Internet; this type of applet is typically provided by in-house or custom-programming efforts. These applets can also include a digital signature to verify authenticity. If the applet is verified as authentic, it will be installed. Users should never download a signed applet unless they’re sure the provider is trusted. A signed applet from an untrustworthy provider has the same security risks as an unsigned applet.
A vulnerability reveals itself when an applet is always assumed to be safe because it is signed. Being signed, it may have the ability to do things outside the realm of normal applets, such as execute programs. A disgruntled programmer can create a malicious signed applet and wreak havoc until stopped.
Most web browsers have settings that can be used to control Java access. This allows clients to control resource access using Java applets or scripts.
ActiveX
ActiveX is a technology that was implemented by Microsoft to customize controls, icons, and other features, which increases the usability of web-enabled systems. ActiveX runs on the client. It uses a method called Authenticode for security. Authenticode is a type of certificate technology that allows ActiveX components to be validated by a server.
ActiveX components are downloaded to the client hard disk, potentially allowing additional security breaches. Web browsers can be configured so that they require confirmation to accept an ActiveX control. However, many users don’t understand these confirmation messages when they appear, and they automatically accept the components. Automatically accepting an ActiveX component or control creates the opportunity for security breaches on a client system when the control is used, because an ActiveX control contains programming instructions that can contain malicious code or create vulnerabilities in a system.
It’s highly recommended that browsers be configured to not allow ActiveX to run by default without prompting the user, because of the potential security hole that could be opened.
Buffer Overflows
Buffer overflows occur when an application receives more data than it’s programmed to accept. This can cause the application to terminate or to write data beyond the end of the allocated space. Termination may leave the system sending the data with temporary access to privileged levels in the attacked system, while overwriting can cause important data to be lost. This exploitation is usually a result of a programming error in the development of the software.
Buffer overflows, while less common a source of exploitation than in the past, still crop up.
The SQL Slammer worm that targeted Microsoft SQL Server 2000 was one of the most recent major attacks.
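As an added illustration, not code from the book or any product, the defect described above in C: a fixed-size name field filled with strcpy(), beside a bounded version that refuses input that does not fit and leaves the record untouched. The struct, its field sizes and the sample inputs are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* bytes reserved for the name, including the NUL */

/* Constructed record: a flag sits right after the fixed-size buffer, so
 * bytes that spill past `name` in the unsafe version land in `is_admin`. */
struct session {
    char name[NAME_MAX];
    int  is_admin;
};

/* Vulnerable form: strcpy() copies until the source's NUL, however long the
 * input is. Input longer than NAME_MAX - 1 characters is "more data than it's
 * programmed to accept" and overwrites whatever follows the buffer. Kept only
 * for contrast; nothing here calls it with oversized input. */
void set_name_unsafe(struct session *s, const char *input)
{
    strcpy(s->name, input);
}

/* Hardened form: measure the input without reading past NAME_MAX bytes,
 * refuse anything that leaves no room for the terminator, and leave the
 * record untouched on rejection. Returns 0 on success, -1 if rejected. */
int set_name_checked(struct session *s, const char *input)
{
    size_t len = 0;
    while (len < NAME_MAX && input[len] != '\0')
        len++;
    if (len >= NAME_MAX)
        return -1;
    memcpy(s->name, input, len);
    s->name[len] = '\0';
    return 0;
}

int main(void)
{
    struct session s = { "", 0 };
    /* Constructed inputs: one that fits, one that would have overflowed. */
    printf("short: %d\n", set_name_checked(&s, "alice"));
    printf("long:  %d\n", set_name_checked(&s, "a-name-far-too-long-for-the-buffer"));
    printf("name=%s is_admin=%d\n", s.name, s.is_admin);
    return 0;
}
```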
Cookies
Cookies are text files that a browser maintains on the user’s hard disk in order to provide a persistent, customized web experience for each visit. A cookie typically contains information about the user. For example, a cookie can contain a client’s history, to improve customer service. If a bookstore wants to know your buying habits and what types of books you last viewed at the bookstore, they can load this information into a cookie on your system. The next time you return to that store, the server can read your cookie and customize what it presents to you. Cookies can also be used to timestamp a user to limit access. A financial institution may send your browser a cookie once you’ve authenticated. The server can read the cookie to determine when a session is expired.
Obviously, cookies are considered a risk because they have the potential to contain your personal information, which could get into the wrong hands. If security is your utmost concern, the best protection is to not allow cookies to be accepted. Almost every browser offers the option of enabling or disabling cookies. If you enable them, you can usually choose whether to accept/reject all, or only those from an originating server.
Common Gateway Interface (CGI)
CGI is an older form of scripting that was used extensively in early web systems. CGI scripts were used to capture data from a user using simple forms. They aren’t widely used in new systems and are being replaced by Java, ActiveX, and other technologies.
CGI scripts run on the web server and interact with the client browser. CGI is often frowned upon in new applications because of its security issues, but it’s still widely used in older systems. CGI’s weakness is its inherent ability to do whatever it is told: if a CGI script is written to wreak havoc (or carries extra code added to it by a miscreant) and it is executed, your systems will suffer. The best protection against these weaknesses is to not run applications written in CGI, but to opt for those written in the newer languages where possible.
SMTP Relay
SMTP relay is a feature designed into many e-mail servers that allows them to forward e-mail to other e-mail servers. Initially, the SMTP relay function was intended to help bridge traffic between systems. This capability allows e-mail connections between systems across the Internet to be made easily.
Unfortunately, this feature has been used to generate a great deal of spam on the Internet. An e-mail system that allows this type of forwarding to occur is referred to as an open relay. Unscrupulous individuals use open relays to send advertisements and other unsolicited messages. SMTP relaying should be disabled on your network unless it’s limited to the e-mail servers in your domain.
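The relay decision described above, written out as an added C sketch rather than any real mail server's code: final delivery to the server's own domains is always accepted, while forwarding to any other domain is allowed only from the organisation's own mail servers. The domain list and the 192.0.2.0/24 block are constructed placeholders.

```c
#include <string.h>
#include <stdio.h>

/* Constructed policy data (placeholders, not a real deployment): the domains
 * this server delivers for, and the address block its own mail servers use
 * (192.0.2.0/24 is the documentation range). */
static const char *LOCAL_DOMAINS[] = { "example.com", "mail.example.com" };
static const char *TRUSTED_NET_PREFIX = "192.0.2.";

/* ASCII case-insensitive equality, since mail domains are not case-sensitive. */
static int eq_nocase(const char *a, const char *b)
{
    for (; *a && *b; a++, b++) {
        char ca = (*a >= 'A' && *a <= 'Z') ? *a + 32 : *a;
        char cb = (*b >= 'A' && *b <= 'Z') ? *b + 32 : *b;
        if (ca != cb) return 0;
    }
    return *a == *b;
}

/* Decision taken at RCPT TO. Returns 1 if the server may accept mail for
 * `rcpt` from `client_ip`, 0 if doing so would be relaying for a stranger.
 * An open relay is a server whose version of this function returns 1
 * unconditionally. */
int relay_allowed(const char *client_ip, const char *rcpt)
{
    const char *at = strrchr(rcpt, '@');
    if (at == NULL)
        return 0;                       /* malformed recipient: refuse */
    const char *domain = at + 1;

    /* Final delivery to one of our own domains is not relaying. */
    for (size_t i = 0; i < sizeof LOCAL_DOMAINS / sizeof *LOCAL_DOMAINS; i++)
        if (eq_nocase(domain, LOCAL_DOMAINS[i]))
            return 1;

    /* Anything else is a relay request: only our own servers may make it. */
    return strncmp(client_ip, TRUSTED_NET_PREFIX, strlen(TRUSTED_NET_PREFIX)) == 0;
}

int main(void)
{
    /* Constructed connections: our own server relaying out, an outside host
     * delivering to us, and an outside host trying to relay to a third party. */
    printf("%d\n", relay_allowed("192.0.2.25", "bob@elsewhere.test"));
    printf("%d\n", relay_allowed("203.0.113.9", "alice@example.com"));
    printf("%d\n", relay_allowed("203.0.113.9", "bob@elsewhere.test"));
    return 0;
}
```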