Chapter 10: Hacking Web Clients

Overview

We have focused up to this point on identifying, exploiting, and mitigating common web application security holes, with an emphasis on server-side flaws. But what about the client side?

Historically, relatively short shrift has been given to the client end of web application security, mostly because attackers focused on plentiful server-side vulnerabilities (that usually coughed up the entire customer list anyway). As server-side security has improved, attackers have migrated to the next obvious patch of attack surface.

A simple glance at recent headlines will illustrate what a colossal calamity web client security has become. Terms like phishing, spyware, and adware, formerly uttered only by the technorati, now make regular appearances in the mainstream media. The parade of vulnerabilities in the world's most popular web client software seems never to abate. Organized criminal elements are increasingly exploiting web client technologies to commit fraud against online consumers and businesses en masse. Many authorities have belatedly come to the collective realization that at least as many serious security vulnerabilities exist on the "other" end of the Internet telescope, and numerous other factors make them just as likely to be exploited, if not more so.

We will discuss those factors and related vulnerabilities in this chapter. Our discussion is organized around the following basic types of web client attacks:

  • Exploits: Malicious executable code is run on the web client and its host system via an overt vulnerability (including software bugs and/or misconfiguration). Absent such vulnerabilities, this approach is obviously much harder for attackers, and they typically turn to the tried-and-true fallback, social engineering (see next bullet).

  • Trickery: The use of trickery to cause the human operator of the web client software to send valuable information to the attacker, regardless of any overt vulnerabilities in the client platform. The attacker in essence "pokes" the client with some attractive message, and then the client (and/or its human operator) sends sensitive information directly to the attacker, or installs some software that the attacker then uses to pull data from the client system.

As always, we'll discuss countermeasures at critical junctures, as well as at the end of the chapter in summarized form.

Source: Hacking Exposed Web Applications, 3rd Edition (ISBN: 0071740643), Year: 2006