5.2 browser and web security Flashcards

1
Q

Browser security

A
  • The browser is one of the most used applications, one of the most useful applications, and one of the most dangerous applications. At the simplest level, a browser downloads files from a server and then processes them. The idea of the processing is that it turns them into attractive web pages and displays them. But as we have asked for and been given more functionality out of our browsers, the capability for both good and bad have increased. Understand that most of what you download and view on the web is completely benign. But some of it is anything but.
  • Part of the story here is that firewalls have improved a great deal from their early days. Assuming a proper configuration on a firewall, it is difficult to break through one and attack internal servers. But you cannot prevent what you allow. When you allow your users to surf the web, you are automatically allowing them to download web content. If some of that content is malicious, it can effectively trick the client (the browser) into asking to be compromised. The client downloads a malware trojan. At that point, the attacker can take control of the internal client and use it as a jumping-off point (commonly called a pivot) to attack the rest of your network.
  • We also look at the security features of recent releases of some of the more common browsers. However, no matter how good the security features of your browser, if you choose to install the wrong browser add-on, you can potentially defeat every security feature of the browser. Many of these add-ons now fall squarely into the category of malware. (Note: The terms browser add-on, add-in, plugin, and browser helper object are all synonymous.) You can scan all your browsers for free by going to the following link. When you do, Qualys asks to install a browser plugin. Let it do so. (This one is safe.) Thereafter, every time you visit that link, it checks to see if you have malicious or outdated plugins. You can then click a link to either disable or update the plugin.
2
Q

Web communication basics

A
  • First, HyperText Transfer Protocol (HTTP) is the protocol used to transfer a web page and all of its elements from the server to the web browser (or client). HTTP requires the use of Transmission Control Protocol or TCP that we learned about a few days ago. So, when a computer user opens a web browser and types a URL such as http://www.sans.org, the first thing that happens is the TCP three-step handshake. Once that is complete, the client and server have a fully established TCP session and can begin communicating.
  • Next, the browser sends a command to the server. If the URL line does not specify another filename, the default command is “get index.html.” When the server receives that command, it returns a code. For example, the server hopefully returns the code 200, which technically means “OK,” or nontechnically, everything is working as expected and the server is going to return the file requested by the browser.
  • Before we look at the different codes, it is essential to know two facts. The client always sends the command to the server. The server always sends a code back to the client. The server never sends commands, and the client never sends codes.
  • The codes and their definitions are:
    o 200—Command OK: Everything is working fine.
    o 300—Redirect: We will look at this one on the next slide.
    o 400—Client error, e.g., 404 File Not Found: You asked the server for a file, and it does not have it or know where to find it. Another critical 400-series code for security practitioners is 403 Access Denied, meaning someone attempted to access a directory they do not have access to. Excessive 403 codes may indicate someone attempting unauthorized activity on a web server.
    o 500—Server Error: You asked the server to perform some action; it attempted to do so but failed.
3
Q

300: code redirects
- picture on page 142

A
  • When the client browser receives the index.html file, it begins parsing (or analyzing) the code contained in that file. At some point in the code, it references a graphics file (this might simply be a graphic on the web page, but it is also often a banner ad of some sort).
  • When the browser sees the reference to the graphic, it knows it has to retrieve that graphic in order to display the web page correctly. It therefore connects back to the web server and requests the graphics file (in the slide above, we are calling it “banner1.jpg”). If the server possesses the file, it will return it to the browser as you would expect. However, if the server does not have the file, but knows that it is located on a different server, it will return a 300 Redirect code along with the address (in the slide, someplace.com) of the server that has the file. When the browser receives the 300 code and the new address, it establishes a connection to that server and retrieves the graphics file from there.
4
Q

Web communication basics: the full story
- picture on page 143

A
  • You open a browser and type http://www.sans.org into the URL line and press the enter key:
    1. Your computer sends a DNS query to the DNS server asking for the IP address of sans.org, and the DNS server returns that IP address.
    2. The web client completes the TCP three-step handshake with the sans.org web server.
    3. The browser sends the “get index.html” command to the sans.org web server.
    4. The sans.org server responds with a 200 code and the index.html file to the web browser.
    5. The browser parses the index.html file and sees a reference to a graphics file it will require in order to display the web page. The client does another three-way handshake with the server and sends a “get banner1.jpg” command.
    6. The sans.org web server sends a 300 code to the client. Along with the 300 code, the server sends the address where banner1.jpg can be obtained. In this case, that address is someplace.com.
    7. The web browser sends a DNS query for someplace.com and receives that server’s IP address back.
    8. The web browser initiates a TCP three-step handshake with the IP address of the someplace.com web server.
    9. The web browser sends a “get banner1.jpg” to the someplace.com server.
    10. The someplace.com web server sends a 200 OK code back to the web browser along with the banner1.jpg file.
    11. Meanwhile, the browser has continued parsing the index.html file and sees a reference to a second graphics file (banner2.jpg). The browser will require that file in order to properly render the web page. So, the browser sends a “get banner2.jpg” to the sans.org web server.
    12. The sans.org web server replies with a 300 code and an address where banner2.jpg can be found: anotherplace.com in this case.
    13. The web browser sends a DNS query to the DNS server and receives the IP address of anotherplace.com’s web server.
5
Q

what are cookies

A
  • Many people misunderstand cookies. Wild rumors have circulated for years that cookies could install software on your computer, compromise your system, and contain images. None of this is true or accurate. In reality, cookies are just small text files placed on your computer by a web server. They can only contain a small amount of text, which in most cases is a “unique identifier.” This is how some websites can greet you by name when you visit the site, even when you have not authenticated (more on that in a moment). There are two basic types of cookies, persistent and non-persistent. Each performs a different role.
  • Non-persistent cookies only reside in the Random Access Memory (RAM) of your system (they are not on the hard drive). Commonly, these cookies do temporary tracking of activity, such as your progress through the checkout process at an E-commerce site.
  • Persistent cookies go onto the hard disk drive of your computer. Each browser you have installed on the computer has its own, independent cookie repository. For example, if you have five browsers installed on the computer, there are five directories on the computer as well. Each directory is a cookie repository for one of those browsers (e.g., one for Internet Explorer, one for Google Chrome, one for Firefox). These persistent cookies most commonly provide long-term identity tracking.
6
Q

why do we need cookies

A
  • The HTTP protocol (the protocol used in web transmissions) is said to be stateless. By stateless, we mean that each transaction is an independent unit with no relation to any transactions that come before or after it. When you request a web page, your computer connects to the server, gets the page, and then closes the connection. The next time you request a page, your computer makes a new connection to the server. That server does not know or realize that you are the previous visitor. The lack of state in web communications presents a real problem for an application like E-commerce. Sites such as Amazon want to recognize their customers from one visit to the next. Those sites also require a method of tracking user activity during the same visit, such as while a customer is going through the checkout process.
  • For example, you use Chrome to visit Amazon.com and log in to your account. When you do, Amazon places a cookie in the Chrome cookie repository on your local hard drive. That cookie contains a unique identifier generated by Amazon. In Amazon’s database, that unique identifier equates to your account. Once this is in place, you can close the browser, turn off your PC, and so on. But the next time you use Chrome on that same computer to visit Amazon, they read the unique identifier in the persistent cookie, look that identifier up in their database, and say hello to you on their webpage.
  • While you are shopping at Amazon, you click to purchase Product A. When you do, Amazon’s web server places a non-persistent cookie in the RAM of your computer. That non-persistent cookie contains a unique identifier that Amazon’s database equates to Product A. You then click to purchase Product B. Amazon places a non-persistent cookie with a code indicating Product B. Note that each time you move from one page to another on their site, Amazon is also reading the persistent cookie in Chrome’s repository to keep track of who you are.
  • You then click to access your shopping cart and begin the checkout process. Amazon.com reads their persistent cookie to know who you are (so they show your shopping cart info and not mine). They then read the two non-persistent cookies, get the unique codes from each, and show you Product A and Product B in your shopping cart. As you move through the rest of the checkout process, Amazon continues to place non-persistent cookies indicating where you are in the process. Once you complete the purchase, all of the non-persistent cookies are (usually) removed from RAM. The persistent cookie from Amazon.com remains in your Chrome repository. (Note: if the non-persistent cookie is not removed from RAM by the server, it will typically remain in RAM until you close the browser.)
  • Unfortunately, cookies can also be used to track surfing activity, and this can infringe on privacy.
7
Q

web advertising and cookies

A
  • To understand how the cookie works with web advertising, you have to first understand the redirects that we covered a few pages back. Many (almost all) of the banner ad providers place a cookie in the browser’s cookie repository. That cookie often contains a numeric value that indicates to the banner ad provider that you had visited a particular site (sans.org in the example above). If you look at the slide, three different banner ad providers are sending both banner ads and cookies to the browsing system. Each of the cookies indicates to that banner ad provider that this individual visited sans.org. This sounds pretty innocent, until you extrapolate out over time what is happening.
  • Let’s say that in the course of an hour, the person sitting on the computer above visits 100 different websites of interest to them. At each of those websites, those three banner ad providers provided the banner graphics, placed cookies indicating that individual was at that site, AND read all the other cookies they had placed indicating all the other sites the person visited. At the end of the hour, those three banner ad providers would know every web page this individual has visited in that time.
  • What would the banner ad providers do with that information? Sell it to advertisers! So, if those 100 sites all dealt with Cyber Security, then the individual doing the browsing would start seeing banner ads on other websites dealing with Cyber Security, would start receiving junk mail dealing with Cyber Security, and even start getting calls from telemarketers dealing with Cyber Security-related things. Yes, in case you have not noticed yet, since you signed up for this class at https://www.sans.org, you will now start seeing banner ads about a company called SANS. We use this method of advertising as well.
8
Q

Leaking browser information

A
  • When you click a link on a web page (or enter a URL in the browser window), your browser transmits information to the site you are contacting. To begin, your IP address (the IP address of your proxy or Network Address Translation [NAT] device) gets sent with every packet. This exchange is a part of the normal TCP/IP communication, and it can be used as part of a larger information-gathering effort. To get more insight into what can take place, browse to http://mybrowserinfo.com/ and click “See Detailed Location and Browser Information” to see the large amount of information that a web server can get about you, your system, and your environment. Among the information gathered (and why it is important) is the following:
    o Whether your system accepts cookies. This information tells the servers whether they can store information that can trace your movements around the site or around the web.
    o The website you were on just before you got to mybrowserinfo.com.
    o Your browser type and operating system. Someone can use these facts to launch specific attacks against your system.
    o Whether you have JavaScript, VBScript, or Java enabled. Perhaps attackers can get malicious code to execute on your system.
    o Your screen dimensions and color depth. Websites can use this information for displaying pop-up ads.
9
Q

Browser security features
- private browsing
- intelligent tracking prevention
- do not track
- secure installation
- password storage

A
  • Browsers are getting better at security features. First, the browsers:
    o Internet Explorer is a dead product; its replacement is Microsoft Edge.
    o Firefox is put out by the non-profit organization Mozilla, a privacy advocate, and has good security features.
    o Chrome comes from Google, sometimes referred to as the anti-privacy company. While Chrome does have some good security features, from a privacy perspective it is pretty poor.
    o Opera uses the same browser engine as Edge and Chrome. It is often considered a really high-end browser, and it has a built-in VPN client.
    o Safari from Apple only runs on the Mac platform. For a long time, it was not well maintained, but that has changed in recent years. Both security and privacy features are strong now.
  • Private Browsing: Every browser supports this, but every browser has a different name for it. InPrivate Browsing, Private Browsing, Incognito, etc., all add up to the same thing. When you surf normally in a browser, everything you do in that browser is written to your hard drive. The list of all sites you visit is in the browser history, and all files/images downloaded are in the browser cache. When you surf in Private Browsing mode, all of that information is maintained in the computer’s Random Access Memory (RAM). When you close the browser, the information goes away. It does not hide your identity, though; it does not make you private from websites.
  • Intelligent Tracking Prevention: A feature that first appeared in Safari is now showing up in more browsers. Web sites have a legitimate need to monetize their sites. You have a legitimate need to protect your privacy. We have already explained how browsing puts these two needs at odds with each other. Intelligent tracking prevention is a new (and perhaps not yet fully developed) approach that controls how the cookies used in tracking work. It allows sites to place cookies in order to monetize, but controls who can read those cookies later to prevent tracking. You do have to be careful with this feature. It can make some sites not work correctly. Once the browser makers have time to work on this feature, we think it will improve.
  • Do Not Track: All browsers now send web sites a polite request asking that they not track you. Inside the U.S., this author has never come across a website that honors the request. There may be sites in other countries that honor this request, especially since many other countries have much better privacy laws.
  • Secure Installation: Let’s say you have a large organization with 35,000 users. You would like to roll out a new browser and have the setting on all thirty-five thousand computers be the same. Browsers (and other software) that support secure installation routines allow for this. You set the browser up on a computer and configure it as needed. Then create an installation routine that will install the browser software with those configuration settings as many times as needed. Note that in some cases, you may have to have an “enterprise version” to get this feature.
  • Password Storage: Do NOT use this feature. Every modern browser stores the passwords it remembers in an encrypted form. But anyone who can access the computer and open the browser can see them all! Firefox does allow password protecting of the password storage. Use a good password manager instead! For example, if you install a browser extension, it will be able to access the unencrypted versions of all your passwords.
10
Q

Active content - making the web more interactive

A
  • In the old days, web servers basically delivered static (or slowly changing) information to users. The basic operation was an endless round of: 1. The browser requests a page of text. 2. The server sends the page of text. 3. Go to step 1. That process worked well for a while, but soon users started wanting more interaction from their servers, and web developers wanted to give it to them. Enter active content and a distributed processing model. Active content is a term for program code that is embedded in the contents of a web page. When a web browser accesses the page, the embedded code automatically downloads and executes on the user’s workstation. Other terms sometimes used to describe active content include executable content, active code, or mobile code
  • Common forms: JavaScript and HTML5.
11
Q

JavaScript and HTML5

A
  • The most popular web scripting language by far is JavaScript. It is a very lightweight scripting language, meaning that it does not require a lot of computing power to provide a ton of functionality. Despite being lightweight, it is extremely powerful. Released in 1997, it has been around for a long time and powers a significant majority of websites. In fact, as of June 2021, it powered 97.3% of all websites. Highly interactive sites such as Gmail, YouTube, Facebook, Amazon, and a long list of others all use JavaScript.
  • The newer technology in this space is HTML5, which came out in 2014. It is a much more powerful version of the Hypertext Markup Language (HTML) code used to create web pages. Part of the reason it is so much more powerful is that it incorporates JavaScript into its functionality. So in other words, instead of JavaScript being an add-on to the web page, it is part of the core code used to create the web page. As of June 2021, 78.5% of all websites utilize HTML. All of the websites mentioned in the last paragraph utilize HTML5.
12
Q

Java

A
  • Java and JavaScript might sound similar, but they are two very different technologies. In fact, other than the fact that they both have “java” in their name and are both types of computer code, they are not similar at all. Java is a programming environment that relies on the Java Virtual Machine (JVM) for its applications to run. Because Java applications run in a JVM, they are cross-platform, meaning the same application can run on Windows, Mac, Linux, etc. without modification. This makes Java very useful to both the IT community and to the hacker community. Attacks can also potentially run cross-platform. In fact, since early 2013, Java is the most attacked software in the world.
  • When a person attends their very first programming class, almost without exception, the class begins by showing them how to write Java code. Unfortunately, those courses usually show students how to write insecure Java code. That code then runs on a Java platform that is rife with insecurities. This creates a perfect storm of bad things happening!
13
Q

Secure coding

A
  • One of the biggest problems in security today is insecure coding practices. When companies develop software for their web applications in particular, insecure coding is a huge problem. In fact, if you look at the most common non-malware-based attacks today, four of the five most common can be traced back to this issue. (The most common non-malware attacks are spear phishing, drive-by download, cross-site scripting, buffer overflow, and input validation attacks. Only spear phishing does not find its roots in improper coding practices.)
  • Fixing this problem requires first and foremost that we start training programmers to write more secure code. Unfortunately, this is not happening on any kind of large scale. A primary place we need to improve our coding practices is in proper error handling. A simple example of where this is not done well would be a website’s shopping cart allowing a visitor to put a negative value in the quantity field when ordering a product. The result of allowing that can be a credit on the credit card instead of a charge. Proper input validation is the fix for this. If the input does not make sense (a negative number for the quantity?), then reject the input.
  • Next, we need to improve our code review practices. Unfortunately, in many organizations, getting the code in place quickly takes precedence. Code reviews take time, and companies don’t want to spend that time. Lastly, we need to ensure that all trapdoor functions are removed before the software is released. Trapdoors are a common testing technique. They are essentially backdoors into the functionality of the code that programmers use to test functionality. Doing this is a common and accepted practice in programming.
  • The problem arises when the trapdoor is not removed, and the code is released for use. If the trapdoor is discovered, it becomes a backdoor into the software. There have been many examples of this through the years.
14
Q

Fuzzing

A
  • Fuzzers are tools that can help programmers develop more secure code. They rapidly send invalid inputs to the software and see what happens. Does the software handle invalid input correctly, or does it crash, or does it cause the software to behave incorrectly? Hackers are using fuzzers every day to discover zero-day exploits. In fact, this has become incredibly common.
  • A “zero-day exploit” is a newly discovered exploit that has not been communicated to the public or to vendors. In other words, only the attackers know it exists. Therefore, we are defenseless against a zero-day exploit. If developers used the fuzzer to test the software, perhaps they could find that zero-day exploit and fix the problem before anyone else has a chance to discover it. Some organizations are now doing this on a regular basis. But many still are not.