Types of Web-Based Client-Side Attacks
While my research is primarily concerned with drive-by-download attacks, I thought I would try to summarize the other web-based client-side attacks that are out there, many of which are neglected by researchers and would provide some cutting-edge research opportunities. I will categorize the attacks based on their impact on confidentiality, availability, and integrity.
Confidentiality impact
The attacks described in this section are all concerned with accessing confidential information on the client side. I look at cookie, history, file, and clipboard stealing attacks, at attacks that obtain information about the protected internal network topology, and at phishing.
Cookies are pieces of data sent by the server to be stored on the client for retrieval at a later time. They are primarily used to track the client across multiple request/response cycles. Under the same-origin policy, a cookie can only be retrieved by the server that set it, so web servers are not able to read cookies from other domains. Cookies themselves are not likely to represent an attack vector against the web client. However, they are a high-value target for attackers: a cookie whose purpose is to identify the client helps with attempts to hijack a session and impersonate that client. Web mail clients, for instance, use cookies to identify a user at a later time, so the user does not have to provide their credentials each time they want to access their mail. If an attacker can access the cookie, unauthorized access to the mail account can be obtained, as demonstrated recently by Perry at Defcon and by Graham with SideJacking with Hamster.
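Two cookie attributes limit the theft scenarios just described: Secure keeps the browser from sending the cookie over plain HTTP, where a passive sniffer on the same network (the SideJacking case) can read it, and HttpOnly keeps page script from reading it, which blunts cookie theft through injected JavaScript. The following Python script is an added example, not code from the original post; it audits Set-Cookie header values for those two attributes using the standard library's http.cookies parser. The cookie names and values are constructed.

```python
"""Audit Set-Cookie headers for the attributes that limit cookie theft.

Added example; not from the original post. The cookie names and values
below are constructed for illustration.
"""
from http.cookies import SimpleCookie

# Constructed Set-Cookie header values, as a server might send them.
SAMPLE_HEADERS = [
    "session=abc123; Path=/; HttpOnly; Secure",
    "prefs=dark; Path=/",
    "auth=tok456; Domain=mail.example.test; Secure",
]


def audit_set_cookie(header_value):
    """Return {cookie_name: [problems]} for one Set-Cookie header value.

    Missing Secure: the browser also sends the cookie over plain HTTP, so a
    passive sniffer on the same network segment sees it.
    Missing HttpOnly: page script can read document.cookie, so injected
    JavaScript can exfiltrate it.
    """
    jar = SimpleCookie()
    jar.load(header_value)
    findings = {}
    for name, morsel in jar.items():
        problems = []
        if not morsel["secure"]:
            problems.append("missing Secure")
        if not morsel["httponly"]:
            problems.append("missing HttpOnly")
        findings[name] = problems
    return findings


def cookies_at_risk(header_values):
    """Names of cookies, across many headers, with at least one problem."""
    at_risk = []
    for header_value in header_values:
        for name, problems in audit_set_cookie(header_value).items():
            if problems:
                at_risk.append(name)
    return at_risk


if __name__ == "__main__":
    for header_value in SAMPLE_HEADERS:
        print(header_value, "->", audit_set_cookie(header_value))
    print("at risk:", cookies_at_risk(SAMPLE_HEADERS))
```

On the sample input the prefs cookie is flagged for both attributes and auth for the missing HttpOnly, while the session cookie passes. Neither attribute helps against a browser vulnerability that reads the cookie store directly, so this is a check on the server's cookie hygiene rather than a complete defence.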
The browser history and the browser cache are other confidential pieces of information attackers can gain access to. As a user visits web pages, the browser records these pages in its cache and its history. If an attacker can gain access to the cache or history, information such as which email service or bank a user uses can be inferred and used in subsequent attacks, such as phishing and cookie stealing. Cache and browser history can be obtained via browser vulnerabilities, JavaScript, CSS, inspection of visited-link color, and timing attacks (e.g. see Grossman’s post I know where you have been).
While cookie, cache and browser history stealing concentrate on assets that are managed by the browser, web-based client-side attacks can reach beyond the scope of the browser onto the underlying operating system. Attacks that allow a web server to access arbitrary files are examples, such as the recently described technique to exploit Microsoft’s Internet Explorer 7 Header Forwards. The clipboard is another source that should be protected. While early versions of web browsers, such as Microsoft’s Internet Explorer, allowed a web page to access the clipboard, access has since been restricted and is only allowed if specifically granted. Exploit code that seems to get around this restriction has been observed in the wild (Clipboards hijacked in web attack). Internal network topology is another asset that should be protected but can be accessed: JavaScript network and port scanners exist that allow a malicious web site to obtain information about the internal network, such as the existence of web servers, routers, and hosts (e.g. JavaScript Port Scanner).
The last attack presented that impacts confidentiality is a social engineering attack called phishing. Social engineering attacks aim at exploiting the natural human tendency to trust. In a phishing attack, the trust in a web site is abused to fraudulently acquire personal confidential data, such as credentials and bank account information (KYE – Phishing). These web-based client-side attacks present the user with a fraudulent web site, often promoted via spam email, which appears to be from a trusted entity, such as a bank. The web site, however, is in fact under the control of the attacker, and once the user provides personal information to it, the attacker has obtained this confidential information.
Availability impact
Next, I look at attacks that impact availability. These attacks partially or fully consume the client’s resources, which degrades or completely disrupts a service the client normally performs. The attacks reviewed are simple crashes, pop-up floods, browser hijacking, network floods, web spam/junk pages, and web pages that commit click fraud.
A denial-of-service attack results in the partial or complete consumption of resources, which negatively impacts a service. In the setting of a web-based client-side attack, a web page could cause the lock-up or crash of the browser, or even of the operating system or one of its components. Many browser vulnerabilities exist that permit a malicious web server to launch such an availability-impacting attack.
While lock-ups and crashes often occur without malicious intent, there are several availability-impacting attacks for which malicious intent undoubtedly exists. Pop-up floods are used in advertisement attacks (New Ad Attacks). These attacks lead to the display of many unsolicited pop-up windows. While these pop-ups load, network and computing resources are consumed, significantly reducing the availability of the client. This can even lead to browser hijacking, in which the page cannot be left and/or the pop-ups cannot be closed.
Since web browsers are capable of loading resources, for instance images, from remote network locations, a malicious web page could conceptually flood the network with traffic if a browser does not manage its resources carefully. For instance, a web page that contains a million images from different domains could generate a million DNS requests, potentially overwhelming the local DNS server. A web page that contains large data chunks could potentially clog the network. If browsers are pooled to flood a network, they are referred to as puppetnets (see Lam’s paper on Puppetnets).
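Statically, a page that would make a browser behave as a puppetnet node looks like a page with an unusual number of remote fetches or of distinct hosts to resolve. The following Python script is an added example, not code from the original post or from Lam’s paper; it counts remote resource references per hostname with the standard library’s HTML parser and flags a page that exceeds constructed thresholds. The thresholds, the sample pages and the host names are all made up.

```python
"""Flag pages whose remote resource references could act as a network flood.

Added example; not from the original post. Thresholds and sample pages are
constructed; tune the numbers to the pages that are normal where you monitor.
"""
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags whose attribute makes the browser fetch a remote resource on load.
FETCH_ATTR = {"img": "src", "script": "src", "iframe": "src", "link": "href"}


class RemoteResourceCounter(HTMLParser):
    """Count remote fetches per hostname while parsing a page."""

    def __init__(self):
        super().__init__()
        self.per_host = Counter()

    def handle_starttag(self, tag, attrs):
        attr_name = FETCH_ATTR.get(tag)
        if attr_name is None:
            return
        url = dict(attrs).get(attr_name)
        if not url:
            return
        host = urlsplit(url).hostname
        if host:  # relative URLs (no host) stay on the page's own origin
            self.per_host[host] += 1


def assess_page(html_text, max_hosts=25, max_fetches=200):
    """Return a verdict dict for one page.

    Many distinct hosts force one DNS lookup per host (the million-DNS-request
    case above); many fetches tie up connections and bandwidth. Either pattern
    is worth a closer look.
    """
    parser = RemoteResourceCounter()
    parser.feed(html_text)
    parser.close()
    distinct_hosts = len(parser.per_host)
    fetches = sum(parser.per_host.values())
    reasons = []
    if distinct_hosts > max_hosts:
        reasons.append(f"{distinct_hosts} distinct hosts (DNS load)")
    if fetches > max_fetches:
        reasons.append(f"{fetches} remote fetches (bandwidth/connection load)")
    return {"distinct_hosts": distinct_hosts, "fetches": fetches,
            "suspicious": bool(reasons), "reasons": reasons}


# Constructed sample pages: an ordinary page and a flood page.
BENIGN_PAGE = """
<html><body>
<img src="/logo.png">
<img src="http://static.example.test/banner.gif">
<script src="http://cdn.example.test/app.js"></script>
</body></html>
"""

FLOOD_PAGE = "<html><body>" + "".join(
    f'<img src="http://h{i}.example.test/x.gif" width="1" height="1">'
    for i in range(300)
) + "</body></html>"


if __name__ == "__main__":
    print("benign:", assess_page(BENIGN_PAGE))
    print("flood:", assess_page(FLOOD_PAGE))
```

The heuristic only sees markup present at parse time: resources added later by script or pulled in from style sheets are not counted, so it complements rather than replaces monitoring of the browser's actual network activity.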
Web spam/junk pages are malicious web pages that abuse search engine functionality. A search engine is tasked with providing the user with relevant web pages for a given query. Web spam/junk pages abuse the search engine’s ranking algorithm to obtain a high ranking despite the fact that their content is not relevant to the user. As such, these pages abuse the client’s resources by displaying non-relevant content. On top of that, these and other pages might be involved in click-fraud scams, in which a malicious web page fraudulently simulates the user clicking on advertisements.
Integrity impact
Next, I look at attacks that impact integrity. In the context of web-based client-side attacks, a loss of integrity usually translates into the ability of an attacker to execute arbitrary code on the client machine. Cross site/domain/zone scripting, drive-by-pharming, hosting of malware, and drive-by-download attacks are described.
Cross site/domain/zone scripting is a vulnerability of web pages that allows injected code to execute in the security context of that page when a user visits it. The injected code could be used to steal information, but could also permit execution of arbitrary code on the client if, for instance, that web page is a trusted page in the context of the web browser.
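The root cause of cross-site scripting is that user-controlled text is spliced into a page as markup. The following Python snippet is an added example, not code from the original post; it shows a vulnerable rendering function beside its escaped form for both element and attribute context, and uses the standard library’s HTML parser to check whether the injected text survives as live markup. The render functions, the inspection helper and the payload strings are constructed for illustration.

```python
"""Reflected user input in HTML: the injectable way beside the escaped way.

Added example; not from the original post. The render functions, the
inspection helper and the payload strings are constructed for illustration.
"""
import html
from html.parser import HTMLParser

# Constructed inputs of the kind that arrive in a URL parameter or form
# field. The first targets element context, the second attribute context.
ELEMENT_PAYLOAD = "<script>alert(1)</script>"
ATTRIBUTE_PAYLOAD = '" onfocus="alert(1)" autofocus="'


def render_greeting_unsafe(name):
    """Vulnerable: the input is spliced in verbatim, so any markup it
    carries is parsed and runs with the page's own origin and cookies."""
    return f"<p>Hello, {name}!</p>"


def render_greeting_safe(name):
    """Hardened: <, >, & and quotes become entities, so the browser shows
    the text and never treats it as markup."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


def render_search_box_unsafe(query):
    """Vulnerable in attribute context: a double quote in the input closes
    the value attribute and the remainder is read as further attributes."""
    return f'<input type="text" name="q" value="{query}">'


def render_search_box_safe(query):
    """quote=True is what makes html.escape safe inside a quoted attribute."""
    return f'<input type="text" name="q" value="{html.escape(query, quote=True)}">'


class MarkupInspector(HTMLParser):
    """Record the tags and attribute names a browser's parser would see."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.attr_names = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attr_names.extend(name for name, _ in attrs)


def parse_markup(rendered):
    """Return (tags, attribute names) parsed from a rendered fragment."""
    inspector = MarkupInspector()
    inspector.feed(rendered)
    inspector.close()
    return inspector.tags, inspector.attr_names


if __name__ == "__main__":
    for label, fn, payload in (
        ("greeting unsafe", render_greeting_unsafe, ELEMENT_PAYLOAD),
        ("greeting safe", render_greeting_safe, ELEMENT_PAYLOAD),
        ("search unsafe", render_search_box_unsafe, ATTRIBUTE_PAYLOAD),
        ("search safe", render_search_box_safe, ATTRIBUTE_PAYLOAD),
    ):
        print(label, "->", parse_markup(fn(payload)))
```

In the unsafe greeting the parser sees a second element, script, and in the unsafe search box it sees an onfocus attribute that the page author never wrote; in both escaped versions only the author's own tags and attributes remain. Escaping has to match the context the text lands in, which is why the attribute case needs quote=True and why text placed inside a script block or a URL needs a different encoding again.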
Drive-by-pharming is a web-based client-side attack that modifies the DNS settings of a user’s router merely by having the user visit a malicious web page. These attacks do not impact the integrity of the client machine directly, but rather the integrity of network components the client relies on.
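The request that changes the router’s DNS settings in a drive-by-pharming attack is issued by the victim’s browser on behalf of a page the router did not serve, so it is a cross-site request that the router’s web interface accepts as if the administrator had made it. The following Python snippet is an added example, not code from the original post and not any real router’s firmware; it models a weak configuration handler beside one that rejects cross-site requests by checking the request origin and a per-session token. The router address, the request dictionaries and the token value are constructed.

```python
"""Model of a router admin handler that resists drive-by pharming.

Added example; not from the original post and not any real router's
firmware. Request dictionaries, the router address and the token are
constructed for illustration.
"""
import hmac
from urllib.parse import urlsplit

ROUTER_HOST = "192.168.1.1"  # assumed LAN address of the hypothetical router


def set_dns_unchecked(request, settings):
    """Weak handler: honours any authenticated request, whatever page made
    the browser send it. A page on another site that makes the browser
    submit this form (session cookie attached automatically) gets through."""
    settings["dns"] = request["form"]["dns"]
    return 200


def set_dns_checked(request, settings):
    """Hardened handler: three checks a cross-site page cannot satisfy."""
    if request["method"] != "POST":
        return 405  # state changes never ride on GET, so no <img src=...> trigger
    headers = request["headers"]
    origin = headers.get("Origin") or headers.get("Referer")
    if origin is None or urlsplit(origin).hostname != ROUTER_HOST:
        return 403  # request did not come from a page the router served
    expected = request["session"].get("csrf_token", "")
    supplied = request["form"].get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return 403  # token is bound to the session and unknown to other sites
    settings["dns"] = request["form"]["dns"]
    return 200


SESSION = {"csrf_token": "7f3a9c1e"}  # constructed per-session token

# Constructed: the change as submitted from the router's own admin page.
LEGIT_REQUEST = {
    "method": "POST",
    "headers": {"Origin": "http://192.168.1.1"},
    "session": SESSION,
    "form": {"dns": "198.51.100.10", "csrf_token": "7f3a9c1e"},
}

# Constructed: the same change as a malicious page would make the browser
# submit. The cookie rides along, but the Origin header and the token are
# outside that page's control.
CROSS_SITE_REQUEST = {
    "method": "POST",
    "headers": {"Origin": "http://malicious.example.test"},
    "session": SESSION,
    "form": {"dns": "203.0.113.53"},
}


def run_scenarios():
    """Return (status, resulting DNS setting) per handler and request."""
    results = {}
    handlers = (("unchecked", set_dns_unchecked), ("checked", set_dns_checked))
    requests = (("legit", LEGIT_REQUEST), ("cross_site", CROSS_SITE_REQUEST))
    for label, handler in handlers:
        for name, request in requests:
            settings = {"dns": "192.168.1.1"}  # resolver before the request
            status = handler(request, settings)
            results[(label, name)] = (status, settings["dns"])
    return results


if __name__ == "__main__":
    for key, value in run_scenarios().items():
        print(key, "->", value)
```

The unchecked handler lets the cross-site request replace the resolver, while the checked handler keeps the original setting and still accepts the legitimate change. The origin check alone is not enough because some browser configurations strip Referer and older browsers send no Origin header, which is why the session-bound token is the primary check; changing the router's default password closes the other half of the attack, since the cross-site request only succeeds when the browser can authenticate to the router at all.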
Hosting of malware is another type of attack that impacts the integrity of the client. In this attack scenario, the malicious web page hosts malware and uses social engineering to entice the user to download and execute it. An example of such a technique is a video codec that contains malware and is presented as a requirement to view pornographic material (e.g. Fake Celebrity Video Sites Serving Malware). Once the user downloads and executes the malware, the malware has complete control of the machine. Attacks that do not require this user interaction, but are instead capable of pushing and executing malware without the user’s notice or consent, are drive-by-download attacks. These attacks are usually triggered merely by having a user visit a web page.