Types of Web-Based Client-Side Attacks
by Christian Seifert - Tuesday, 9 September 2008.
While my research is primarily concerned with drive-by-download attacks, I thought I would try to summarize the other web-based client-side attacks that are out there, many of which are neglected by current research and would offer cutting-edge research opportunities. I will categorize the attacks based on their impact on confidentiality, availability, and integrity.

Confidentiality impact

All attacks described in this section are concerned with accessing confidential information on the client side. I look at cookie, history, file, and clipboard stealing attacks, as well as attacks that can obtain information about protected internal network topology, and phishing.

Cookies are pieces of data sent by the server to be stored on the client and retrieved at a later time. Cookies are primarily used to track a client across multiple request/response cycles. According to the same origin security policy, cookies can only be retrieved by the server that set them; as a result, web servers are not able to read cookies from other domains. Cookies themselves are not likely to represent an attack vector on the web client. However, they are a high-value target for attackers: since the purpose of a cookie is to identify the client, stealing one helps an attacker hijack a session and impersonate the client. Web mail clients, for instance, use cookies to recognize a user on later visits so that the user does not have to provide credentials each time they access their mail. If an attacker can access the cookie, unauthorized access to the mail account could be obtained, as demonstrated recently by Perry at Defcon and by Graham with SideJacking with Hamster.
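The two cookie attributes that narrow the theft scenarios above are Secure (the cookie is never sent over plaintext HTTP, which is what sidejacking sniffs) and HttpOnly (the cookie is not exposed to scripts running in the page). As an added example that is not part of the original post, the Node.js script below parses Set-Cookie header values and reports which of these protections are missing, raising the severity when the cookie name suggests it identifies a session. The sample headers and the session-name heuristic are constructed for illustration.

```javascript
// Added example, not code from the original post: audit Set-Cookie headers for
// the attributes that limit the cookie-theft scenarios described above.
//   - no "Secure"   -> the cookie also travels over plaintext HTTP, where it
//                      can be sniffed (the SideJacking / Hamster case)
//   - no "HttpOnly" -> the cookie is readable by scripts running in the page
//   - a "Domain"    -> the cookie is shared with every host under that domain,
//                      widening the set of servers that receive it
// The header values and the session-name heuristic below are constructed.

// Heuristic (constructed): cookie names that usually carry a session identity.
const SESSION_NAME_HINTS = /sess|sid|auth|token|login/i;

// Split one Set-Cookie header value into its name, value and attribute map.
// Attribute names are case-insensitive per RFC 6265, so they are lower-cased.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const name = eq === -1 ? parts[0] : parts[0].slice(0, eq).trim();
  const value = eq === -1 ? '' : parts[0].slice(eq + 1);
  const attrs = {};
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return { name, value, attrs };
}

// Return the findings for one header. Severity is raised when the cookie name
// looks like a session identifier, since that is what a thief would replay.
function auditSetCookie(header) {
  const { name, attrs } = parseSetCookie(header);
  const findings = [];
  if (!('secure' in attrs)) {
    findings.push('missing Secure: cookie is also sent over plaintext HTTP');
  }
  if (!('httponly' in attrs)) {
    findings.push('missing HttpOnly: cookie is readable by scripts in the page');
  }
  if ('domain' in attrs) {
    findings.push(`Domain=${attrs.domain}: cookie is shared with all hosts under that domain`);
  }
  const looksLikeSession = SESSION_NAME_HINTS.test(name);
  const severity = findings.length === 0 ? 'ok' : looksLikeSession ? 'high' : 'low';
  return { name, looksLikeSession, severity, findings };
}

// Constructed sample headers, as a server might emit them.
const SAMPLE_HEADERS = [
  'SESSIONID=abc123; Path=/; Domain=.example.com', // session cookie, unprotected
  'SESSIONID=abc123; Path=/; Secure; HttpOnly',    // session cookie, hardened
  'theme=dark; Path=/',                            // preference cookie, low value
];

function runDemo() {
  for (const h of SAMPLE_HEADERS) {
    const r = auditSetCookie(h);
    console.log(`${r.name} [${r.severity}]`);
    r.findings.forEach((f) => console.log(`  - ${f}`));
  }
}

runDemo();
```

Run it against captured response headers from a proxy or server log; any cookie that ends up in the `high` bucket is exactly the kind of identifier that sidejacking or a script in the page could pick up and replay.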

The browser history and the browser cache are other confidential pieces of information attackers can gain access to. As a user visits web pages, the browser records them in its cache and browser history. If an attacker can gain access to the cache or browser history, information such as which email service or bank a user uses can be inferred and used in subsequent attacks, such as phishing and cookie stealing. Cache and browser history can be obtained via browser vulnerabilities, JavaScript, CSS, inspection of visited-link color, and timing attacks (e.g. see Grossman's post "I know where you have been").

While cookie, cache and browser history stealing concentrate on assets that are managed by the browser, web-based client-side attacks can reach beyond the scope of the browser onto the underlying operating system. Attacks that allow a web server to access arbitrary files are one example, such as the recently described technique that exploits Microsoft's Internet Explorer 7 Header Forwards. The clipboard is another source that should be protected. While early versions of web browsers, such as Microsoft's Internet Explorer, allowed a web page to access the clipboard, access has since been restricted to cases where it is specifically granted. Exploit code that seems to get around this restriction has been observed in the wild (Clipboards hijacked in web attack). Internal network topology is another asset that should be protected, but can be accessed. Special JavaScript network and port scanners exist that allow a malicious web site to obtain information about the internal network topology, such as the existence of web servers, routers, and hosts (e.g. JavaScript Port Scanner).
