Miscellaneous WWW Programming Vulnerabilities/Attacks

Miscellaneous WWW Programming Vulnerabilities/Attacks
Other than XSS and XSRF

Prof. David Bernstein
James Madison University

Computer Science Department

bernstdh@jmu.edu

Session Fixation

The Nature of the Vulnerability:
- A session ID is created by the user and accepted by the server
The Nature of the Attack:
- The attacker sends a URL (including the ID) to the user who clicks on it and authenticates her/himself (validating the ID)
- The attacker uses the ID until the user logs out (invalidating the ID)
Mitigation:
- Don't create session IDs on the client
- Don't re-use session IDs

Clickjacking/User Interface Redress

The Nature of the Vulnerability:
- A trusted HTML document that can be displayed in a frame under a malicious document
The Nature of the Attack:
- A malicious document displays the trusted document in a frame under itself tricking the user into clicking on malicious links rather than trusted links
Mitigation:
- Use the X-Frame-Options HTTP header to control the display of a document in a frame
- Use a client-side script that breaks the document out of a frame
Notes:
- This same kind of attack can be accomplished without frames using CSS and is difficult to mitigate
- This attack is closely related to site impersonation/forgery

Magic URLs

The Nature of the Vulnerability:
- URLs that contain secret/private information
The Nature of the Attack:
- The attacker gains access to the URL (e.g., through the user-agent's history)
Mitigation:
- Do not include secret/private information in URLs
- Use strong encryption

Predictable Cookies

The Nature of the Vulnerability:
- Cookies are generated in a systematic way
The Nature of the Attack:
- The attacker makes multiple requests to obtain multiple cookies, identifies the pattern, and creates a fraudulent cookie
Mitigation:
- Use strong encryption