Topic Last Modified: 2011-05-02

This topic describes potential threats to Lync Web App.

Session Fixation

In a session fixation attack, the attacker sets the user’s session token before the session is established between the user and the web server. By doing so, the attacker already has the session ID and does not need to determine it after the session is established. Lync Web App is designed to minimize this threat.

Session Hijacking

In session hijacking, the attacker accesses a user’s session by sniffing unencrypted traffic on the network. Lync Web App minimizes this threat by using SSL as the default communication protocol between the client and Lync Web App.

Session Riding/Double Riding

Session riding is when an attacker attempts to use an established session between a user and a web-based application to run commands while posing as the user. The attacker does so by sending the user an email message or otherwise enticing the user to visit a website specifically developed to run malicious software. The commands that can be run by the attacker include opening firewalls, deleting data, and running other commands within the internal network.

Lync Web App is designed to prevent an attacker from using this method to control a user’s Lync Web App session through a malicious website.

Cross Site Scripting (CSS, XSS, Code Insertion)

A cross-site scripting attack (sometimes referred to as a CSS, XSS, or code insertion attack) occurs when an attacker uses a web application to send malicious software, generally in the form of a script, to a target user. The target user’s browser has no way of detecting that the script should not be trusted and will run the script. When the malicious script is run, it can access cookies, session tokens, or other sensitive information that is retained by the end user’s browser. Such scripts can also rewrite the content of the HTML page.

Cross-site scripting attacks can be stored or reflected. Stored attacks are those in which the malicious script is permanently stored on the compromised web server, for example in databases, message forums, visitor logs, and comment fields. When the user accesses the web server, the user’s browser runs the script. In reflected cross-site scripting attack attacks, a user is tricked into clicking a link or submitting a specially crafted form that contains malicious software. When the user clicks the link to submit the form data, the URL, which contains the malicious software, is sent to the web server along with the user’s data. When the website displays the user’s information back to the user, the information appears to originate from a trusted source. However, the information contains the malicious software, which is then run on the user’s computer.

This vulnerability exists only in websites that do not properly validate user input. Lync Web App uses extensive user input validation to prevent this threat.

Token Threats

HTTP is a connectionless protocol, and each web page requires multiple server requests and responses to complete the page. Various methods are used to maintain session persistence between page requests during a session. One method used by the web server is to issue a token to the client browser making the request. This is the method used by Lync Web App.

After the Lync Web App successfully authenticates an internal or external user, it issues a token into a session cookie, which is returned to the client. This cookie is used for access to the server for a single session. Therefore, clients must accept cookies from the Lync Web App to function correctly. An attacker could possibly steal and reuse this token. Lync Web App mitigates the token threat by issuing only a session cookie, using SSL (when enabled) to transport the token, clearing the token when the session ends, and causing the token to expire after a period of client inactivity.

Token Ping

In a token ping, also known as a token keep-alive, an authenticated user repeatedly sends a request to the web server to prevent the session, and therefore the session token, from expiring. A token ping attack can be considered a threat because it bypasses the time-out logic built into the server. However, the threat level is low, because the user must be authenticated first.

Phishing (Password Harvesting Fishing)

Phishing uses spoofing and is a type of man-in-the-middle attack. The unauthorized attacker tries to obtain information from users by posing as an entity authorized to have the information. The attacker typically does this by tricking the user into entering a password or account number into a fake website, web form, or email message. You should educate end users about the methods that attackers use to obtain personal information.