Understanding the Threat

When you use your browser to connect to a web page (or a client program to connect to a web service), your browser (or the client) and the server must exchange a series of network messages. Behind the scenes, the messages do not travel directly between your computer and the remote server. Instead, to make their way across the Internet, the messages often travel through myriad computers, as shown in Figure 9.1.

Figure 9.1: To make their way across the Internet, messages often move from one computer to the next.

At any stage along the message’s path, a hacker can intercept the message, as shown in Figure 9.2.

Figure 9.2: Hackers can intercept messages as the messages make their way across the Internet.

To better understand how messages travel (or hop) from one computer to the next, consider the following tracert command, which traces the path that messages take to reach the Jamsa Media Group website:

    C:\>tracert www.jamsamediagroup.com  <Enter>

    Tracing route to jamsamediagroup.com [209.51.153.242]
    over a maximum of 30 hops:

      1    10 ms    10 ms    20 ms  ip68-98-84-1.cox.net [68.98.84.1]
      2    10 ms    20 ms    10 ms  ip68-2-5-65.cox.net [68.2.5.65]
      3    10 ms    10 ms    20 ms  ip68-2-0-33.cox.net [68.2.0.33]
      4    20 ms    20 ms    10 ms  ip68-2-0-189.cox.net [68.2.0.189]
      5    10 ms    20 ms    20 ms  chnd-gew0303.rd.cox.net [68.2.14.13]
      6    10 ms    20 ms    10 ms  chnd-pos0101.rd.ph.cox.net [68.1.0.168]
      7    40 ms    30 ms    40 ms  dlls-pos0102.rd.dl.cox.net [68.1.0.146]
      8    30 ms    30 ms    40 ms  12.119.145.125
      9    30 ms    30 ms    30 ms  gbr5-p30.dlstx.net [12.123.17.50]
     10    41 ms    40 ms    30 ms  tbr1-p012401.dlstx.net [12.122.12.65]
     11    50 ms    50 ms    50 ms  tbr1-p012501.la2ca.net [12.122.9.145]
     12    70 ms    70 ms    50 ms  tbr2-p012ip.att.net [12.122.10.37]
     13    60 ms    50 ms    50 ms  ggr1-p3100.ip.att.net [12.122.11.230]
     14    60 ms    60 ms    50 ms  nr1-p350.paix.ip.att.net [12.123.221.2]
     15    60 ms    60 ms    50 ms  205.215.1.169
     16    60 ms    60 ms    60 ms  205.215.12.1
     17   141 ms   140 ms   140 ms  66.28.28.202
     18   120 ms   120 ms   120 ms  205.215.2.6
     19   120 ms   120 ms   121 ms  209.51.131.2
     20   130 ms   111 ms   120 ms  209.51.153.242

    Trace complete.

In this case, the tracert messages had to pass through 20 sites (hops) before reaching the Jamsa Media Group website. Each of those systems belongs to some organization other than you or the site you are contacting, and each handles your message in full.
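The listing above is easier to reason about once it is parsed. The following Python script is an added example, not code from the book: it parses tracert output in the format shown, groups the hops by the administrative domain their reverse-DNS name reveals, and lists the hops that lie outside the networks you control or contract with (every one of them can read or alter an unencrypted message). The sample input is an excerpt of the listing above plus one constructed "Request timed out." line so the parser's handling of a silent hop is visible; the set of "trusted" domains is an assumption supplied by the caller.

```python
import re

# Excerpt of the chapter's tracert listing (hops 1, 7, 8, 12, 20); hop 13 is a
# constructed "Request timed out." line so the parser's handling of it is shown.
TRACERT_OUTPUT = """\
Tracing route to jamsamediagroup.com [209.51.153.242]
over a maximum of 30 hops:

  1    10 ms    10 ms    20 ms  ip68-98-84-1.cox.net [68.98.84.1]
  7    40 ms    30 ms    40 ms  dlls-pos0102.rd.dl.cox.net [68.1.0.146]
  8    30 ms    30 ms    40 ms  12.119.145.125
 12    70 ms    70 ms    50 ms  tbr2-p012ip.att.net [12.122.10.37]
 13     *        *        *     Request timed out.
 20   130 ms   111 ms   120 ms  209.51.153.242

Trace complete.
"""

# One hop line: hop number, three RTT columns ("10 ms", "<1 ms" or "*"), target.
HOP_RE = re.compile(
    r"^\s*(?P<hop>\d+)\s+(?P<rtts>(?:(?:<?\d+ ms|\*)\s+){3})(?P<target>\S.*?)\s*$"
)
# Target column: optional reverse-DNS name, then the IP (bracketed when a name is present).
TARGET_RE = re.compile(
    r"^(?:(?P<host>[\w.-]+)\s+)?\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?$"
)


def parse_tracert(text):
    """Turn tracert output into a list of hop dicts; non-hop lines are skipped."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        rtts = [None if tok == "*" else int(tok.lstrip("<"))
                for tok in m.group("rtts").split() if tok != "ms"]
        t = TARGET_RE.match(m.group("target"))
        hops.append({
            "hop": int(m.group("hop")),
            "rtts_ms": rtts,
            "host": t.group("host") if t else None,
            "ip": t.group("ip") if t else None,
            "replied": t is not None,   # False for "Request timed out."
        })
    return hops


def admin_domain(hop):
    """Best-effort owner of a hop: the last two labels of its reverse-DNS name."""
    if hop["host"]:
        return ".".join(hop["host"].split(".")[-2:])
    return "unresolved" if hop["replied"] else "no reply"


def networks_crossed(hops):
    """Distinct administrative domains in path order."""
    seen = []
    for hop in hops:
        domain = admin_domain(hop)
        if domain not in seen:
            seen.append(domain)
    return seen


def hops_outside(hops, trusted_domains):
    """Hop numbers whose operator is not one you administer or contract with;
    each is a point where an unencrypted message can be read or altered."""
    return [h["hop"] for h in hops if admin_domain(h) not in trusted_domains]


def worst_rtt_ms(hops):
    """Largest measured round-trip time on the path (None if nothing replied)."""
    return max((r for h in hops for r in h["rtts_ms"] if r is not None), default=None)


if __name__ == "__main__":
    path = parse_tracert(TRACERT_OUTPUT)
    print("hops parsed:", len(path))
    print("networks crossed:", networks_crossed(path))
    print("hops outside your ISP (cox.net assumed):", hops_outside(path, {"cox.net"}))
    print("worst RTT (ms):", worst_rtt_ms(path))
```

Silent hops and unresolved IPs are kept rather than dropped: a hop that does not answer tracert still forwards (and can read) your traffic, so it counts as untrusted, not as absent.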

HTTP is a plain-text protocol, which means a hacker can intercept and easily view the messages that a client and server exchange. If the message contains credit-card data, or a username and password combination, the hacker can easily read the sensitive data. Further, after intercepting a message, a hacker can change the message contents before he or she forwards the message to the recipient.

Assume, for example, that you place an order with an online store, and that a hacker intercepts your order. The hacker could change your order to have the product sent to himself instead of to you, as shown in Figure 9.3. Later, when the server sends back the order confirmation message, the hacker can intercept and change that message, so you remain unaware of the change to your order. Network programmers refer to this type of hacker attack as a man-in-the-middle attack.

Figure 9.3: By intercepting messages between a client and server, a hacker can change the message contents without the client and server being aware of the attack.

Viewing HTTP Messages Firsthand

HTTP messages are plain-text messages that are very easy for a hacker who is monitoring traffic to read as the messages make their way across the Net. Using the Distinct Network Monitor application, for example, you can view TCP/IP and HTTP messages. To begin, download and install a trial version of the Distinct Network Monitor software from www.distinct.com. Next, create the following LoginDemo web service, which supports the Login method shown here and takes username and password parameters:

string Login(string Username, string Password)

The Login method will not actually use the username and password in any way. Instead, after the method receives the values, it will return a string containing a message that states that your login information was received.

To create the LoginDemo web service, perform these steps:

  1. Within Visual Studio .NET, select the File menu New Project option. Visual Studio .NET will display the New Project dialog box.

  2. Within the New Project dialog box Project Types list, click C# Projects. Then, within the Templates field, click ASP.NET Web Service. Finally, within the Location field, specify the folder within which you want to store the program and the program name LoginDemo. Select OK. Visual Studio .NET will display a page onto which you can drag and drop the service’s components.

  3. Select the View menu Code option. Visual Studio .NET will display the program’s source code. Within the source code add the LoginDemo.asmx.cs program statements shown below.

    [WebMethod]
    public string Login(string Username, string Password)
    {
        // The values are only echoed back; nothing is validated.
        return "Your login information was received: " +
            Username + " " + Password;
    }

  4. Select the Build menu Build Solution option to build the web service.

Next, create the Visual Basic .NET program shown below, SendUsernameInfo.vb, which creates an ASP.NET page that uses the service. When you view the page, your browser will display a form similar to that shown in Figure 9.4, which prompts you to enter username and password information. After you enter the information and click Submit, the program will call the web service and display the service’s result within a text box.

Figure 9.4: Submitting username and password data to a web service

To create the program, perform these steps:

  1. Within Visual Studio .NET, select the File menu New Project option. Visual Studio .NET will display the New Project dialog box.

  2. Within the New Project dialog box Project Types list, click on Visual Basic Projects. Then, within the Templates field, click on ASP.NET Application. Within the Location field, type SendUsernameInfo. Select OK. Visual Studio .NET will display a form onto which you can drag and drop the program’s controls.

  3. Using the Toolbox, drag and drop the labels, text boxes, and button previously shown in Figure 9.4 onto the form.

  4. Select the Project menu Add Web Reference option. Visual Studio .NET will display the Add Web Reference dialog box.

  5. Within the Address field, type http://localhost/LoginDemo/Service1.asmx?WSDL and press Enter. The dialog box will load the file’s contents. Click the Add Reference button.

  6. Select the View menu Code option. Visual Studio .NET will display the program’s source code. Within the source code add the SendUsernameInfo.aspx.vb program statements shown below.

    Private Sub Button1_Click(ByVal sender As System.Object, _
        ByVal e As System.EventArgs) Handles Button1.Click
        ' Proxy class generated by the Add Web Reference step
        Dim LoginObj As New localhost.Service1()
        ' Call the service only when both fields contain text
        If (TextBox1.Text.Length > 0) And (TextBox2.Text.Length > 0) Then
            Try
                TextBox3.Text = LoginObj.Login(TextBox1.Text, TextBox2.Text)
            Catch Ex As Exception
                TextBox3.Text = Ex.Message
            End Try
        End If
    End Sub

The Distinct Network Monitor will only detect messages that come from outside of your network. If you run a program that uses a web service on your system (a web service you define using localhost), the network messages will never leave your system (and go out and return through the network card whose packets the monitor captures). To use the monitor to intercept messages to a web service, you must run the ASP.NET page that uses the service from a different computer. You can build the program on the same computer that you used to create the web service, but you must run the program from a different computer so the program’s requests enter through the network interface card.

When you create the program, you will not use the localhost name to reference the web service’s WSDL file as you have in the past. Instead, you will type in the IP address of the system that contains the service. To determine your IP address, you can run the ipconfig command as shown here:

    C:\> ipconfig  <Enter>

    Windows 2000 IP Configuration

    Ethernet adapter Local Area Connection:

            Connection-specific DNS Suffix  . : nv.cox.net
            IP Address. . . . . . . . . . . . : 182.118.1.100
            Subnet Mask . . . . . . . . . . . : 255.255.255.0
            Default Gateway . . . . . . . . . : 182.118.1.1

    C:\>

After you build the program and display the page, connect to the page from a remote computer. To do so, in this case, you would enter a URL on the remote system in the format http://182.118.1.100/SendUsernameInfo/Webform1.aspx. Then, on the PC that contains the web service, start the Distinct Network Monitor program, select the Capture menu Settings option, and select no filtering. Then, select the Capture menu Start option to begin capturing packets. As the program begins to display entries for captured packets, scroll through the list of network messages that correspond to the PC from which you are running the program. If you open the network messages that have arrived from the remote system, you will eventually find an HTTP message that contains the username and password that your program passed to the web service, as shown in Figure 9.5.
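What the monitor captures in Figure 9.5 is simply the SOAP request the page’s proxy class sends to Service1.asmx. The Python script below is an added example, not code from the book or from the Distinct product: it builds the request bytes as they appear on the wire over plain HTTP (the tempuri.org namespace is the Visual Studio default and is assumed here, as is the exact header layout), and then runs a small defender-side check over captured payloads that reports any credential fields a passive observer at a hop could read. The same check applied to a constructed TLS record shows why the encrypted form of the exchange yields nothing. The host address is the one from the ipconfig listing above; usernames and passwords are constructed sample values.

```python
import re
from urllib.parse import parse_qsl
from xml.sax.saxutils import escape
import xml.etree.ElementTree as ET

# Element and form-field names a defender would treat as credential material.
CREDENTIAL_NAMES = {"username", "user", "userid", "login", "password", "passwd", "pwd", "pass"}

# Shape of the SOAP body the Login proxy sends (tempuri.org namespace assumed).
SOAP_TEMPLATE = (
    '<?xml version="1.0" encoding="utf-8"?>'
    '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
    '<soap:Body><Login xmlns="http://tempuri.org/">'
    '<Username>{user}</Username><Password>{pwd}</Password>'
    '</Login></soap:Body></soap:Envelope>'
)

# Constructed: first bytes of a TLS ClientHello record (0x16 = handshake,
# 0x0301 = record version). Over HTTPS this is all a hop ever sees.
TLS_SAMPLE = b"\x16\x03\x01\x00\x5a\x01\x00\x00\x56\x03\x03" + b"\x00" * 32

HTTP_START = re.compile(rb"^(GET|POST|PUT|HEAD|HTTP/1\.[01]) ")


def build_login_request(host, username, password, path="/LoginDemo/Service1.asmx"):
    """Bytes the Login call puts on the wire over plain HTTP (constructed)."""
    body = SOAP_TEMPLATE.format(user=escape(username), pwd=escape(password)).encode("utf-8")
    headers = (
        f"POST {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Content-Type: text/xml; charset=utf-8\r\n"
        f"Content-Length: {len(body)}\r\n"
        'SOAPAction: "http://tempuri.org/Login"\r\n\r\n'
    ).encode("ascii")
    return headers + body


def is_cleartext_http(payload):
    """True when the payload starts with an HTTP request or status line
    rather than a TLS record (whose first byte is a content type 0x14-0x17)."""
    return bool(HTTP_START.match(payload))


def find_cleartext_credentials(payload):
    """(field, value) pairs readable from one captured HTTP message;
    empty for anything that is not plain-text HTTP."""
    if not is_cleartext_http(payload):
        return []
    head, _, body = payload.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    ctype = headers.get("content-type", "")
    found = []
    if ctype.startswith(("text/xml", "application/soap+xml")):
        try:
            root = ET.fromstring(body)
        except ET.ParseError:
            return found
        for elem in root.iter():
            local = elem.tag.rsplit("}", 1)[-1]   # drop the XML namespace
            if local.lower() in CREDENTIAL_NAMES and elem.text:
                found.append((local, elem.text))
    elif ctype.startswith("application/x-www-form-urlencoded"):
        for key, value in parse_qsl(body.decode("utf-8", "replace")):
            if key.lower() in CREDENTIAL_NAMES:
                found.append((key, value))
    return found


if __name__ == "__main__":
    request = build_login_request("182.118.1.100", "alice", "s3cret")
    print(request.decode("utf-8"))
    print("readable at any hop:", find_cleartext_credentials(request))
    print("readable from a TLS record:", find_cleartext_credentials(TLS_SAMPLE))
```

Run against a capture, the check is a quick way to confirm that a service still carries credentials in the clear; an empty result for a TLS record is the expected outcome once the service is moved to HTTPS.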

Figure 9.5: Using a network-monitoring program to display username and password data sent by a program to a remote service (note the text highlighted in black)




.NET Web Services Solutions
ISBN: 0782141722
Year: 2005
Pages: 161
Authors: Kris Jamsa