WebApp Sec mailing list archives

Re: advice needed - secure transfer of client details


From: GuidoZ <uberguidoz () gmail com>
Date: Fri, 29 Oct 2004 22:09:38 -0400

Hello Tim,

At first read, something along the lines of SSL jumps into my head. I
really can't imagine it's safe to be sending such data over the wire,
regardless if it's spoofed or not! Too easy to listen in, then really
mess with something.

Beyond that, it kinda depends on the environment. You never mentioned
what OS the workstations were running (java is cross platform). You
also never mentioned what OS the server is running. Details such as
these would help limit the possibilities of "other ways". Drop us some
more info and hopefully you'll get some more specific responses. =)

--
Peace. ~G


On Fri, 29 Oct 2004 11:18:25 +0100 (BST), Tim James <jimtames () yahoo com> wrote:
Hi all,

This is a brain teaser. I have an application to
review which supplies details from the client's
workstation (derived from files on disk, hostname, IP
address). It currently implements a Java applet whose
job is to obtain these details and send them up to the
server in an ordinary HTTP POST.

This sends alarm bells ringing for me. I have
developed a simple attack whereby I can replace the
applet at will with my own code, which can send
different details for workstation ID, hostname, IP
address. This falsifies the audit trail from this
point on and the server is none the wiser.

So, the general problem is this :-

How can a client communicate details that are only
known to the client, up to a server, in a way that
cannot be tampered with ? Why should a server trust
the supplied values ? The data for the workstation
next to me is known by everyone - why can't I create
an applet to reproduce those details, and hence
impersonate that workstation ?

I have some ideas but none are totally satisfactory.

1) Encrypt the data
This shifts the problem to one of key management.
2) Checksum the applet
3) Keep the details on the server in the first place
and supply some token from the client which cannot be
impersonated

I would *really* appreciate a different perspective on
this problem because I'm kind of stalled.....

Thanks a lot

Tim

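Added example (not code from either poster or from the application Tim is reviewing) sketching Tim's option 3 in Python: the server keeps the hostname/IP for each workstation in its own registry and only accepts a short-lived challenge-response token, so a POST that asserts someone else's hostname or IP is simply ignored. The workstation registry, the per-workstation secrets, the `ws_id` field and the challenge format are all constructed assumptions for the illustration; the secret still has to be provisioned and protected on each workstation out of band, and the exchange should still run over SSL/TLS as the reply above suggests.

```python
import hashlib
import hmac
import secrets

# Constructed sample registry: workstation id -> per-workstation secret plus the
# details the server already knows from enrolment. The server never reads
# hostname/ip back from the client; it only ever trusts its own copy.
WORKSTATIONS = {
    "ws-001": {"secret": b"ws-001-secret-provisioned-out-of-band",
               "hostname": "alice-pc", "ip": "10.0.0.11"},
    "ws-002": {"secret": b"ws-002-secret-provisioned-out-of-band",
               "hostname": "bob-pc", "ip": "10.0.0.12"},
}

# Outstanding challenges: nonce -> workstation id it was issued to (one-shot).
_pending = {}


def issue_challenge(ws_id):
    """Server step 1: hand the client a fresh random nonce bound to its id.

    Returns None for an unknown workstation id."""
    if ws_id not in WORKSTATIONS:
        return None
    nonce = secrets.token_hex(16)
    _pending[nonce] = ws_id
    return nonce


def client_answer(secret, ws_id, nonce):
    """Client step: prove possession of the secret without ever sending it.

    The tag binds the workstation id and the nonce, so it cannot be reused
    for another workstation or another session."""
    msg = f"{ws_id}:{nonce}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_post(post):
    """Server step 2: validate the POST and return details from the registry.

    Any hostname/ip fields the client put in the POST are deliberately
    ignored. Returns None when the nonce is unknown, already used, issued to
    a different id, or the tag does not verify."""
    ws_id = post.get("ws_id")
    nonce = post.get("nonce")
    tag = post.get("tag", "")
    if nonce is None or _pending.get(nonce) != ws_id:
        return None
    # Consume the nonce before checking the tag so a replay always fails.
    del _pending[nonce]
    rec = WORKSTATIONS[ws_id]
    expected = client_answer(rec["secret"], ws_id, nonce)
    if not hmac.compare_digest(expected, tag):
        return None
    return {"ws_id": ws_id, "hostname": rec["hostname"], "ip": rec["ip"]}


if __name__ == "__main__":
    # Honest workstation: the client-asserted hostname/ip in the POST is ignored.
    n = issue_challenge("ws-001")
    t = client_answer(WORKSTATIONS["ws-001"]["secret"], "ws-001", n)
    print(verify_post({"ws_id": "ws-001", "nonce": n, "tag": t,
                       "hostname": "anything", "ip": "1.2.3.4"}))
```

The point of the design is that the only client-controlled input the server acts on is a proof of possession of a secret it already holds; the identifying details come from the server's own records, which is what makes a replaced applet unable to falsify the audit trail. The remaining weak spot is the secret on the workstation itself, which needs OS-level protection (file ACLs, a hardware token, or similar) rather than being readable by whatever replaces the applet.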


