Tuesday, June 2, 2009

Client Fingerprinting

At my current job, I do a lot of programming with Flash (Flex, actually), as well as ASP.NET and similar platforms. I am constantly working on and debugging the web-apps I manage and develop. I have a debug Flash player installed on most of the browsers I surf the web with, as well as numerous browser add-ons/extensions that help with development. I've been wondering lately if I should be more careful about the signature my browser creates.

A few weeks ago, I had a rather disconcerting thought that attackers might specifically target web developers for client side attacks. Who else would be a better target? Of all employees in a company, developers are probably given the most rights/permissions when they actually don't need them to get the job done. Also, developers require access to databases and test and production systems and are given more leeway than most.

One might ask: "Why would a developer as a potential target be preferred over someone else, such as a network admin, who also has access to critical systems?"
  • First, typical web developers are easily distinguished from normal traffic on a web site through information that is available from the browser, whereas system admins usually don't carry such an obvious signature when surfing the web.
  • Second, occasional erratic computer/browser behavior is something developers are accustomed to and is something those who work with the developers could easily explain away and dismiss.
  • Third, many web developers are not focused as much as they should be on the security of their apps, let alone their own personal security when they develop web applications.
  • Fourth, sites commonly visited by web-developers are easily identified. Sites (forums especially) that contain walkthroughs and tutorials for certain technologies and practices would most certainly be visited frequently by developers.
By targeting web developers, attackers would be able to focus their efforts on clients who have a greater potential for a good pay-off.

There are several applications that need special "debug" versions of a program to be installed in order for the developer to debug his applications. The foremost in my mind is the Flash Debug player. The Flash Debug player is very easily detected. It obviously has more functionality than the normal player, possibly additional functionality that has not been tested as well as the normal Flash Player's basic functionalities. The Flash Debug Player allows a debugger to connect to the loaded SWF and step through the execution line by line. What would happen if a malicious SWF with additional debug information were loaded into a debugger? Although not very likely, it is something to think about, especially when several apps found online automatically display the "Connect to Remote Debugger" dialog when a Flash Debug player is installed. Also, since a debug Flash player is so easily detected, it would be yet another easily obtained signature that would flag a user as being a developer.

Here are some common and basic "signatures" that I have come up with that should flag a user as being a web developer:
  • Firebug Extension/Add-on
  • Debug Flash Player
  • Web Developer Extension/Add-on
  • User Agent Switcher Extension/Add-on
  • Tamper Data Extension/Add-on
  • Codetech Extension/Add-on
  • Greasemonkey Extension/Add-on
  • Colorzilla Extension/Add-on
  • MeasureIt Extension/Add-on
  • Hundreds of others...
Whether or not all of these can be detected on the client side remains to be seen, although many of them already can be. (Firebug can for sure. POC: open up Gmail and turn on Firebug. Gmail should tell you that Firebug slows Gmail down.)

Also note that the general idea of fingerprinting clients through readily available information can be used not only to detect the presence of a web-developer, but also possibly to determine how "savvy" the user is with computer technologies, and to detect other "classes" of users (network admin, n00b, old person [?], hacker, teacher, designer, etc.).

Knowledge is power.
