Threats to Communicator Web Access
Microsoft Office Communications Server 2007 and Microsoft Office Communications Server 2007 R2 will reach end of support on January 9, 2018. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.
This topic describes potential threats to Communicator Web Access.
Session Fixation
In a session fixation attack, the attacker sets the user’s session token before the session is established between the user and the Web server. By doing so, the attacker already has the session ID and does not need to determine it after the session is established. Communicator Web Access is designed to minimize this threat.
Session Hijacking
In session hijacking, the attacker accesses a user’s session by sniffing unencrypted traffic on the network. Communicator Web Access minimizes this threat by using SSL as the default communication protocol between the client and the Communicator Web Access server.
Session Riding/Double Riding
Session riding is when an attacker attempts to use an established session between a user and a Web-based application to execute commands while posing as the user. The attacker does so by sending the user an e-mail message or otherwise enticing the user to visit a Web site specifically developed to execute malicious code. The commands that can be executed by the attacker include opening firewalls, deleting data, and executing other commands within the internal network.
Communicator Web Access is designed to prevent an attacker from using this method to control a user’s Communicator Web Access session through a malicious Web site.
Cross Site Scripting (CSS, XSS, Code Insertion)
A cross-site scripting attack (sometimes referred to as a CSS, XSS, or code insertion attack) occurs when an attacker uses a Web application to send malicious code, generally in the form of a script, to a target user. The target user’s browser has no way of detecting that the script should not be trusted and will execute the script. When the malicious script is executed, it can access cookies, session tokens, or other sensitive information that is retained by the end user’s browser. Such scripts can also rewrite the content of the HTML page.
Cross-site scripting attacks can be stored or reflected. Stored attacks are those in which the malicious script is permanently stored on the compromised Web server, for example in databases, message forums, visitor logs, and comment fields. When the user accesses the Web server, the user’s browser executes the script. In reflected cross-site scripting attack attacks, a user is tricked into clicking a link or submitting a specially crafted form that contains malicious code. When the user clicks the link to submit the form data, the URL, which contains the malicious code, is sent to the Web server along with the user’s data. When the Web site displays the user’s information back to the user, the information appears to originate from a trusted source. However, the information contains the malicious code, which is then executed on the user’s computer.
This vulnerability exists only in Web sites that do not properly validate user input. Communicator Web Access uses extensive user input validation to prevent this threat.
Token Threats
HTTP is a connectionless protocol, and each Web page requires multiple server requests and responses to complete the page. Various methods are used to maintain session persistence between page requests during a session. One method used by the Web server is to issue a token to the client browser making the request. This is the method used by Communicator Web Access.
After the Communicator Web Access server successfully authenticates an internal or external user, it issues a token into a session cookie, which is returned to the client. This cookie is used for access to the server for a single session. Therefore, clients must accept cookies from the Communicator Web Access server to function correctly. An attacker could possibly steal and reuse this token. Communicator Web Access mitigates the token threat by issuing only a session cookie, using SSL (when enabled) to transport the token, clearing the token when the session ends, and causing the token to expire after a period of client inactivity.
Token Ping
In a token ping, also known as a token keep-alive, an authenticated user repeatedly sends a request to the Web server to prevent the session, and therefore the session token, from expiring. A token ping attack can be considered a threat because it bypasses the time-out logic built into the server. However, the threat level is low, because the user must be authenticated first.
Phishing (Password Harvesting Fishing)
Phishing uses spoofing and is a type of man-in-the-middle attack. The unauthorized attacker tries to obtain information from users by posing as an entity authorized to have the information. The attacker typically does this by tricking the user into entering a password or account number into a fake Web site, Web form, or e-mail message. You should educate end users about the methods that attackers use to obtain personal information.