12. Web Client Security

What We Will Cover Announcements For today's lesson, boot into Windows XP (middle button) When class is over, please shut down your computer Log Tails Overview 12.1: Java Applets 12.1.1: What is Java? 12.1.2: What is an Applet? Lab Exercise 12.1 12.2: ActiveX 12.2.1: What is ActiveX? 12.2.2: ActiveX Security Lab Exercise 12.2 12.3: JavaScript 12.3.1: What Is JavaScript? 12.3.2: JavaScript Security Lab Exercise 12.3 12.4: Cookies 12.4.1: What Is a Cookie? 12.4.2: Cookie Security Lab Exercise 12.4 Wrap Up Assignments Due Next: N/A Log Tails From Last Lab Any questions? Quiz Review WebCT back to top Introduction Just as there are server-side risks, there are client-side risks as well What better platform to demonstrate them on than Windows? back to top 12.1: Java Applets Objectives At the end of the lesson the student will be able to: Describe what applets can and can't do Describe what a hostile Java applet is Protect yourself from Java applets In this section, we will review the security issues that Java Applets pose back to top 12.1.1: What is Java? Java is a general-purpose computer programming language "Pure" object-oriented language Easy for C/C++ programmers to learn Extensive networking class-libraries Java has one strong capability missing in most other languages Java program that runs on one platform (such as Windows) Also runs on others (such as MacOS or UNIX) Without any changes or recompiling required This ability is what makes Java platform independent What makes this platform independence possible is the Java Virtual Machine (JVM) Java Virtual Machines Each computer platform must have a JVM written and installed to run Java programs Java programs are compiled to byte code and saved in .class files Any JVM can then run a .class file on the machine where Java is installed Theoretically, malicious programs, such as viruses, can now run on any machine In actuality, Java was written with security in mind Java does a number of things to make it's programs more secure Many of these added security features are used only for Java applets Does Java have any viruses? Though Java has extensive security measures, it does have viruses: Java.BeanHive Java.StrangeBrew Java applications can have viruses just like any other program However, writing a virus is more difficult because of security management Java applets run in a secure "sandbox" and are generally more secure than applications Is .NET like Java? The .NET architecture uses the Java byte code concept, but for different ends .NET compiles different languages (e.g. VB, C#, C++) to Microsoft Intermediate Language (MSIL) MSIL runs in a VM on any Microsoft Windows 2000 or later Operating Systems Thus, .NET works with many languages -- but on only one platform In contrast, Java has one language that runs on many platforms However, many language developers have written their compilers to produce Java byte code Thus, the JVM both supports many languages and runs on many platforms back to top 12.1.2: What is an Applet? Applet: a Java program that runs in a browser Cannot simply run an applet from the command line like most programs Need a Java-capable browser or applet viewer to run the applet code To run an applet, you reference it in an HTML document (similar to images) The HTML tag to do this is the <applet> tag For Example General form of an applet tag: <applet code="someapplet.class" codebase="http://www.somehost.com/applets/examples" width="500" height="200"> <param name="someName" value="someValue"> </applet> Attribute Description code Specifies the name of the class file to execute. codebase Specifies the pathname of the applet on the server. If codebase is not specified, the applet is assumed to be in the same directory as the HTML document. width Specifies the width of the applet in pixels. height Specifies the height of the applet in pixels. param Specifies a parameter passed to the applet. Applet Restrictions Sun wanted to make sure applets could not damage a client system Built strong security restrictions into applets to limit what they can do Cannot read, write or delete files on the client system Cannot run programs on the client system Can only access a few properties of the client system: Java version Name of operating system Version of operating system Characters used to separate directories, paths and lines Cannot make network connections to other servers Other than the one the applet was loaded from Even though applets cannot harm your machine, they can be annoying and hostile Some Applet Capabilities Display GUI components and graphics Send keystrokes and mouse clicks to the applet's server Make network connections to the applet's server Call public methods of other applets on the same Web page Further Information Demonstration applets: from Sun APPLETS: Sun's homepage for Applets back to top Lab Exercise 12.1 Use the next 10 minutes to complete the following. Start a text file named exercise12.txt Will be adding to this file during the lesson -- save it often. Prepare the exercise header as described in the HowTo on submitting exercises Label this exercise: Lab 12.1 Answer the following questions. Understand What Applets Can and Can't Do Sun Microsystems has written a few example Java applets to demonstrate what applets can and can't do. The Applet Security FAQ contains these examples and will help you answer the following questions. Visit the Applet Security FAQ and the examples it contains at the following URL: java.sun.com/sfaq/index.html#examples. What happens when an applet tries to read a file? What happens when an applet tries to write to a file? What happens when an applet tries to obtain information about you and your client system? What happens when an applet tries to run a program on your system? What happens when an applet tries to connect to another system? Understand What a Hostile Java Applet Is Run the Applet code loaded from this page. Alternatively, download the zip file 12_1_2a.zip, extract it to the local disc, and run the file "12.1.2a.html". Are you able to run the applet? Download and install the code from 12_1_2bc.zip into C:\My Documents\cis164. Extract the files into the same directory (Actions => Extract). Run the 12.1.2bc.html file. What do you see when you load this page? Note that we do not have mail servers running. Thus we cannot modify this applet to actually send us email. Otherwise, we could save a copy of the HTML document and modify the <PARAM> tags to specify your e-mail address and your hostname. What would happen if we loaded our modified HTML document (according to the book on page 432 #12.1.2b,c)? Download and install the code 12_1_2d.zip2 into C:\My Documents\cis164. Change the file extension to zip from zip2. Extract the files into the same directory (Actions => Extract). In addition, download the file whistle.au into C:\My Documents\cis164\sounds. Run the 12.1.2d.html file. What happens when you load this page? It is possible to disable Java in your browser. Netscape controls this feature under "Preferences" and Internet Explorer controls it under Tools => Internet Options => Security. Disable Java in your browser and use the Java applet draw to test the change. What happens when you load this page? Save a copy of the HTML file from Question 10 to your local machine. Edit the HTML document, removing the reference to the applet. Re-enable Java and load the edited page into your browser. What happens when you load the edited page? back to top 12.2: ActiveX Objectives At the end of the lesson the student will be able to: Describe the risks ActiveX poses Protect yourself from ActiveX ActiveX is similar to Java applets in some ways Both allow you to increase the functionality of a Web site Very different in how they work and in their approach to security back to top 12.2.1: What is ActiveX? ActiveX was developed by Microsoft as competition to applets Based on their Object Linking and Embedding (OLE) technology You use ActiveX by downloading the ActiveX equivalent of an applet ActiveX equivalent of a Java applet is called an ActiveX control Unlike Java applets, however, ActiveX controls are platform dependent Need to recompile for every platform you expect to connect to your Web site Syntax to include an ActiveX control in your Web page is similar to an applet ActiveX controls are identified using the <object> tag For Example General form of an HTML page for an ActiveX control: <HTML> <HEAD> <TITLE>ActiveX Control Example</TITLE> </HEAD> <BODY> Here is an ActiveX control... <OBJECT CLASSID="clsid:8223B920-9FE9-11AF-02AA00B06D62" CODEBASE="http://www.somehost.com/controls/examples" ID="somecontrol" WIDTH="500" HEIGHT="200"> <PARAM NAME="text" VALUE="Example"> </OBJECT> </BODY> </HTML> CLASSID uniquely identifies the component to the server CODEBASE is an optional parameter specifying the location of the files ID specifies the name of the ActiveX control WIDTH and HEIGHT specify the ... width and height in pixels You can pass parameters to the control with the PARAM tag Parameters are passed as NAME and VALUE pairs Further Information ActiveX Controls: Microsoft's ActiveX controls homepage back to top 12.2.2: ActiveX Security ActiveX controls can and are expected to be digitally signed by the author The digital signature is used by the security mechanism for ActiveX called Authenticode Authenticode is based on a binary trust model for security In the trust model, you are given the choice of whether to run a program Before the program runs, you are prompted with the name of the author You are asked whether or not you trust that author and want to run the program If you agree to let the program run, it has complete control This is different than fine-grained (or sandbox) security manager approach that Java applets use An ActiveX control is allowed to do anything a normal program could do Reading and writing to files Starting new programs Connecting to any remote machine Sending e-mail Even formatting the hard drive You either completely trust the ActiveX control or you do not One feature of Authenticode is the ability to opt-out of the consent process A user can choose to always trust content from a specific author Also can choose to always trust content from a certificate authority (e.g. Verisign) back to top Lab Exercise 12.2 Use the next 10 minutes to complete the following. Label this exercise: Lab 12.2 Note: Some of the material for this section provided by the textbook may not work as advertised in the text. I used updated material when I could find it. However, the lab material is still relevant. Though the controls used in this lab are not dangerous in our Lab environment, virus protection software often checks for these ActiveX controls. Understand the Risks ActiveX Poses Download and install the code 12_2_1a.zip into C:\My Documents\cis164. Extract the files into the same directory (Actions => Extract). Download the file Exploder.ocx (right-click and "save target as") and replace the previous file you extracted. Run the 12.2.1a.html file and allow the ActiveX control to run. You may need to change your security level to low before it will work. To do this in Internet Explorer, select Tools => Internet Options => Security. What happens after you load the page and run the ActiveX control? Download and install the code 12_2_1b.zip into C:\My Documents\cis164. Extract the files into the same directory (Actions => Extract). Run the 12.2.1b.html file and allow the ActiveX control to run. If you have difficulty, you can try the Runner Control page. What happens after you load the page and run the ActiveX control? Protect Yourself from ActiveX Modify your browser’s security level to high and reload the URLs from the first two exercises. What happens when you load a page and try to run the ActiveX control? Save a copy of the HTML file from Question 1 or 2 to your local machine. Edit the HTML document, removing the reference to the control. Load the edited page into your browser. What happens now when you load the page? Further Information ActiveX and Exploder The Exploder Control Frequently Asked Questions (FAQ) VeriSign Code Signing Digital IDs for Microsoft Authenticode back to top 12.3: JavaScript Objectives At the end of the lesson the student will be able to: Describe the risks that JavaScript poses Protect yourself from JavaScript Javascript is the most widely used client side additions on the Web JavaScript gives Web pages extra functionality to bring them to life Popping up new browser windows Scrolling a status message at the bottom of the browser Icon or font mouseover effects JavaScript really does enhance Web pages Unfortunately, the added functionality does not come without risk back to top 12.3.1: What Is JavaScript? JavaScript is not Java and has nothing to do with Java Java is a programming language developed by Sun Microsystems JavaScript is an interpreted scripting language developed by Netscape Javascript cannot run by itself, but only runs within a Web page To add JavaScript functionality to a Web page is fairly easy Define a function within a <script> tag in the header of an HTML document You can then reference the script’s functions in the rest of your page For Example Here is a simple HTML document that contains some JavaScript code Loading this page pop's up an alert box displaying "Beware of crackers" <HTML> <HEAD> <TITLE>JavaScript Example</TITLE> <SCRIPT LANGUAGE="JavaScript"> function beware() { alert("Beware of crackers") } </SCRIPT> </HEAD> <BODY onload="beware()"> Just a reminder... </BODY> </HTML> Try it here. back to top 12.3.2: JavaScript Security JavaScript’s main purpose is to enhance Web pages Thus many of the browser’s functions can be controlled via a JavaScript Almost anything that the browser can do is controllable by JavaScript As long as the page containing the script remains open, a script will continue to run JavaScript is limited in functionality such that it could not possibly format your hard drive Though its functionality is limited, Javascript does have risks back to top Lab Exercise 12.3 Use the next 10 minutes to complete the following. Label this exercise: Lab 12.3 Understand the Risks that JavaScript Poses Javascript has the ability to remember where you have been. To see an example of this, load the URL by clicking here. What happens when you load this page? Note: we are skipping Lab question 12.3.1b because the software is not available. Javascript can also make a browser window useless. To see this, load the example by clicking here. Wait a few moments and then try closing the window. What happens when you load this page? Protect Yourself from JavaScript It is possible to disable JavaScript in your browser. Netscape controls this feature under "Preferences" and Internet Explorer controls it under "Internet Options." Select "Security" for both browsers. Disable JavaScript (Active Scripting in IE) in your browser and reload the URL from the prior exercise (here). What happens when you load this page? View the source code by following this link. Why do you think it would be difficult to strip out Javascript embedded in the page? back to top 12.4: Cookies Objectives At the end of the lesson the student will be able to: Describe the risk that cookies pose Protect yourself from cookies There has been debate about whether or not cookies pose security risks Prior to their introduction, Web surfing was relatively anonymous However, with a cookie-enabled browser, a Web server can send you information on its own Server can later obtain this information without the client's explicit approval What information does the server send? What danger does it expose us to if we store it on our machines? back to top 12.4.1: What Is a Cookie? The previous client-side technologies we discussed were executable code In contrast, a cookie is nothing more than data A cookie is not a program and it is not executable It is like the data you send to a server in an online form The difference here is that a server is sending the data to the client When a client requests a document, the server sends some extra data The data it sends back is called a cookie Later, when the client makes additional connections to the server, it will send the cookie back The client still keeps a copy of the cookie, however, for future connections Storing some data on the client host is all the cookie is doing Without a cookie, a server has no idea who is connecting to it For Example A cookie can act as a reminder to the server about the client's preferences For instance, a client may fill out a form the they wanted blue page backgrounds The server could store that information in a cookie The next time the client returns, the browser sends a cookie like the following Content-type: text/html Set-Cookie: colorpref=blue <HTML> <HEAD> <TITLE>Thank You</TITLE> </HEAD> <BODY> Your data was received successfully. </BODY> </HTML> The server can see that the colorpref is set to blue Allows the server to set all page backgrounds to blue (if programmed) back to top 12.4.2: Cookie Security Since a cookie is nothing more than raw data, it cannot do some things Cannot read or write a file Cannot steal your password Cannot format your hard disk Cannot send e-mail Practically impossible to transmit a virus Cookies offer no real security risk to the machine Security risk of cookies is to the user's privacy back to top Lab Exercise 12.4 Use the next 10 minutes to complete the following. Label this exercise: Lab 12.4 Understand the Risk That Cookies Pose Note: we will skip some questions from the textbook because the supporting programs are not available. In addition, the instructor has added some material. Load the test page by clicking here. Click a few of the links and then press the sixth link labeled "Where have I been?" What happens after you click on the sixth link? What security issue is occurring in this demonstration? Close your browser completely and then restart your browser. What happens now after you click on the sixth link? Protect Yourself from Cookies Browsers that accept cookies also allow you to reject them automatically or warn you before accepting them. For IE, select Tools => Internet Options => Privacy => and have your browser warn you before accepting any cookies. Load the same test page by clicking here. Click one of the links." What happens as you click the links on the page? Reject the cookie from being set and then click the link on the sixth link. What is displayed after clicking the sixth link? Click on one of the links and this time accept the cookie from being set. What is displayed after clicking the sixth link? Further Information CookieCentral.com back to top Wrap Up When class is over, please shut down your computer => Logout => Shut Down Due Next: N/A You may complete unfinished exercises at any time before the next class. Be sure to submit the file to the instructor before the beginning of the next class to receive credit. Instructions on submitting exercises are available from the HowTo's page. back to top Home | WebCT | Announcements | Schedule | Expectations | Syllabus | Help | FAQ's | HowTo's | Links Last Updated: 7/16/2003 4:45:44 PM