WebApp Sec mailing list archives
Re: advice needed - secure transfer of client details
From: Ido Rosen <ido () cs uchicago edu>
Date: Sat, 30 Oct 2004 21:56:24 -0500
Have you considered providing each client workstation with a private key ("host key" like SSH) upon installation of the OS/workstation? Then, store workstation<-->public key association on the server, and have the workstation digitally sign the data it sends up? It seems to me that this would prevent the simple case in which an attacker without administrative access to the "workstation" might try to impersonate that workstation.
Ido On Oct 29, 2004, at 5:18 AM, Tim James wrote:
Hi all, This is a brain teaser. I have an application to review which supplies details from the client's workstation (derived from files on disk, hostname, IP address). It currently implements a Java applet whose job is to obtain these details and send them up to the server in an ordinary HTTP POST. This sends alarm bells ringing for me. I have developed a simple attack whereby I can replace the applet at will with my own code, which can send different details for workstation ID, hostname, IP address. This falsifies the audit trail from this point on and the server is none the wiser. So, the general problem is this :- How can a client communicate details that are only known to the client, up to a server, in a way that cannot be tampered with ? Why should a server trust the supplied values ? The data for the workstation next to me is known by everyone - why can't I create an applet to reproduce those details, and hence impersonate that workstation ? I have some ideas but none are totally satisfactory. 1) Encrypt the data This shifts the problem to one of key management. 2) Checksum the applet 3) Keep the details on the server in the first place and supply some token from the client which cannot be impersonated I would *really* appreciate a different perspective on this problem because I'm kind of stalled..... Thanks a lot TimSend instant messages to your online friends http://uk.messenger.yahoo.com
Attachment:
PGP.sig
Description: This is a digitally signed message part
Current thread:
- advice needed - secure transfer of client details Tim James (Oct 29)
- New Whitepaper - "Second-order Code Injection Attacks" WebAppSecurity [Technicalinfo.net] (Nov 01)
- Re: advice needed - secure transfer of client details Peter Conrad (Nov 01)
- Re: advice needed - secure transfer of client details Ido Rosen (Nov 01)
- Re: advice needed - secure transfer of client details focus (Nov 01)
- Re: advice needed - secure transfer of client details GuidoZ (Nov 01)
- Re: advice needed - secure transfer of client details Alex Russell (Nov 01)
- Re: advice needed - secure transfer of client details Richard Moore (Nov 05)
- <Possible follow-ups>
- RE: advice needed - secure transfer of client details Michael Silk (Nov 01)
- RE: advice needed - secure transfer of client details Scovetta, Michael V (Nov 01)
- RE: advice needed - secure transfer of client details Glenn_Everhart (Nov 05)
- re: advice needed - secure transfer of client details Tim James (Nov 05)