Security+ Guide to Network Security Fundamentals, Fifth Edition Chapter 3 Application and Networking-Based Attacks


Page 2: Chapter 3 - Application and Networking Based Attac

Objectives

• List and explain the different types of server-side web application attacks

• Define client-side attacks

• Explain how overflow attacks work

• List different types of networking-based attacks


Conceptual Networked System

• Network used to connect different clients and servers together

• Clients and servers run an operating system

• Operating system controls applications

• Applications manipulate data

• Each represents an attack vector to exploit

• Attacks on the applications in a networked computer system can be directed toward the server, the client, or both


Conceptual Networked Computer System (Figure 3-1)


Server-Side Web Application Attacks

• Content provided for users who are “surfing the Web” is generated by a software application running on a server

• In providing web services to clients, web servers also expose those same services to attackers

• An important characteristic of server-side web applications is that they create dynamic content based on input from the user


Server-Side Web Application Process

• Client’s web browser makes a request using the Hypertext Transport Protocol (HTTP) to a web server

• Server may be connected to one or more web application servers

• Application servers run the specific “web apps,” which in turn are directly connected to databases on internal network

• Information from databases retrieved and returned to web server so dynamic information can be sent back to the user’s web browser


Server-Side Web Application Infrastructure (Figure 3-2)


Securing Web Applications

• Securing server-side web applications often considered more difficult than protecting other systems

• Traditional network security devices cannot always block web application attacks because many traditional network security devices ignore the content of HTTP traffic, which is the vehicle of web application attacks


Zero Day Attacks

• Many web application attacks (as well as other application attacks) exploit previously unknown vulnerabilities

• Zero day attacks - Exploit previously unknown vulnerabilities so victims have no time to prepare or defend


Common Application Attacks

• Many server-side web application attacks target the input that the applications accept from users

• Common web application attacks:
  – Cross-site scripting
  – SQL injection
  – XML injection
  – Command injection/directory traversal


Cross-Site Scripting

• Not all attacks on websites are designed to steal content or deface it

• Some attacks use web server as a platform to launch attacks on other computers that access it

• Cross-site scripting (XSS) - Injects scripts into web application server to direct attacks at unsuspecting clients

• Many web applications are designed to customize content for user by taking what user enters and then displaying that input back to user


Customized Responses (Table 3-1)


Cross-Site Scripting Platform

• Cross-site scripting attacks occur when an attacker takes advantage of web applications that accept user input without validation and then present it back to the user

• For example:
  – Input that the user enters for Name is not verified
  – Instead it is automatically added to a code segment that becomes part of an automated response
  – An attacker can use this vulnerability in an XSS attack by tricking a valid website into feeding a malicious script to another user’s web browser to execute

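The reflection described above, as an added example that is not part of the original slides: a constructed page template that echoes the Name value back, once unescaped (the vulnerable pattern) and once HTML-escaped, plus a small check a tester or reviewer can use to confirm whether raw markup survives into the response.

```python
import html

# Constructed template standing in for the "customized response" page on the slide.
PAGE_TEMPLATE = "<p>Welcome back, {name}!</p>"

# Constructed sample input containing markup; any such value must not reach the page verbatim.
CONSTRUCTED_INPUT = "<script>alert('xss')</script>"

MARKUP_CHARS = "<>\"'&"


def render_vulnerable(name):
    # Copies the user-supplied Name straight into the HTML: whatever markup the
    # user typed is parsed by the next visitor's browser as part of the page.
    return PAGE_TEMPLATE.format(name=name)


def render_escaped(name):
    # html.escape turns < > & " ' into entities, so the browser displays the
    # characters as text instead of interpreting them as tags or script.
    return PAGE_TEMPLATE.format(name=html.escape(name, quote=True))


def reflects_unescaped(user_input, page):
    # True when input that contains markup characters appears in the page unchanged,
    # i.e. the application echoed it without encoding it for the HTML context.
    has_markup = any(c in user_input for c in MARKUP_CHARS)
    return has_markup and user_input in page
```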

Bookmark Page That Accepts User Input (Figure 3-3)


Input Used In Response (Figure 3-4)


SQL Injection

• SQL (Structured Query Language) - Used to manipulate data stored in relational database

• SQL Injection - Targets SQL servers by introducing malicious commands


Forgotten Password Example

• Forgotten password example:
  – Attacker enters an incorrectly formatted e-mail address
  – Response lets the attacker know whether input is being validated
  – Attacker enters an SQL fragment in the email field
  – Statement processed by the database
  – Example statement:

SELECT fieldlist FROM table WHERE field = 'whatever' or 'a'='a'

  – Result is that all user email addresses will be displayed

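The forgotten-password lookup above, as an added example that is not from the slides: a constructed in-memory SQLite table of e-mail addresses, queried first by string concatenation (which reproduces the slide's statement and returns every row) and then with a bound parameter, where the same input is treated as plain data.

```python
import sqlite3

# Constructed sample data standing in for the web application's user table.
SAMPLE_USERS = [("alice@example.test",), ("bob@example.test",), ("carol@example.test",)]

# The slide's input, exactly as typed into the e-mail field of the form.
INJECTED_INPUT = "whatever' or 'a'='a"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, email):
    # Builds the statement by concatenation, so the quote characters in the input
    # close the literal and the rest becomes part of the WHERE clause:
    #   SELECT email FROM users WHERE email = 'whatever' or 'a'='a'
    sql = "SELECT email FROM users WHERE email = '" + email + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, email):
    # The value is bound as a parameter: the database compares the column against
    # the whole string, quotes included, and the query structure cannot change.
    sql = "SELECT email FROM users WHERE email = ?"
    return [row[0] for row in conn.execute(sql, (email,))]


def built_statement(email):
    # Exposes the concatenated text so the effect of the input can be inspected.
    return "SELECT email FROM users WHERE email = '" + email + "'"
```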

SQL Injection Statements (Table 3-2)


XML (Extensible Markup Language)

• Markup language - Method for adding annotations to text

• Example is HTML:
  – Uses tags surrounded by brackets
  – Instructs the browser to display text in a specific format

• XML (Extensible Markup Language):
  – Carries data instead of indicating how to display it
  – No predefined set of tags
  – Users define their own tags


XML Attack

• XML attack - Similar to an SQL injection attack

• Attacker discovers a Web site that does not filter user data

• Injects XML tags and data into the database

• XPath injection:
  – Specific type of XML injection attack
  – Attempts to exploit XML Path Language queries


Directory Traversal/Command Injection

• Web server users typically restricted to root directory

• Users may be able to access subdirectories but not parallel or higher level directories

• Helps to protect sensitive files

• Directory traversal - Uses malformed input or takes advantage of vulnerability to move from root directory to restricted directories

• Command injection - Attacker enters commands to execute on server or view confidential files

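The restriction to the web root described above, as an added example that is not from the slides: a path check that decodes the requested path, normalizes it lexically and accepts it only if it still lies under a hypothetical document root of /srv/www. Anything that escapes the root after normalization is refused.

```python
import posixpath
from urllib.parse import unquote

# Hypothetical document root; every served file must resolve to a path beneath it.
WEB_ROOT = "/srv/www"


def fully_decode(requested):
    # Decode repeatedly so that double-encoded sequences (e.g. %252e for a dot)
    # cannot slip past a check that only looked at the raw URL once.
    decoded = requested
    while True:
        once = unquote(decoded)
        if once == decoded:
            return decoded
        decoded = once


def safe_path(requested, root=WEB_ROOT):
    # Join the decoded request onto the root and collapse "." and ".." components
    # lexically. The result is accepted only if it is the root itself or a path
    # strictly inside it; a leading "/" in the request is treated as root-relative.
    decoded = fully_decode(requested)
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate
```

On a live server the same check should be applied to the real path as well (os.path.realpath), since a symbolic link inside the root can also point outside it.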

Directory Traversal Attack (Figure 3-6)


Client-Side Application Attacks

• Web application attacks are server-side attacks

• Client-side attacks target vulnerabilities in client applications:
  – Interacting with a compromised server
  – Client initiates a connection with the server, which could result in an attack


Drive-By Download

• Drive-by download:
  – Client computer compromised simply by viewing a Web page
  – Attackers inject content into a vulnerable Web server to gain access to the server’s operating system
  – Attackers craft a zero-pixel frame to avoid visual detection
  – Embed an HTML document inside the main document
  – Client’s browser downloads the malicious script
  – Instructs the computer to download malware


HTTP Header

• HTTP header consists of fields that characterize data being transmitted

• Header fields are comprised of:
  – Field name
  – Colon
  – Field value

• Example: Content-length: 49

• HTTP header field names and values may be any application-specific strings, but core set standardized by Internet Engineering Task Force


HTTP Header Fields (Table 3-3)


Header Manipulation

• HTTP header manipulation - Attack modifies HTTP headers

• HTTP header manipulation is not an actual attack but rather a vehicle through which other attacks (such as XSS) can be launched

• HTTP header manipulation allows an attacker to pass malicious instructions from their own malicious website, or through an infected site, to the web browser via HTTP headers


HTTP Header Attacks

• Examples of HTTP header attacks:
  – Referer - Can bypass security by modifying the Referer field to hide the fact that the request came from another site
  – Accept-Language - Because some web applications pass the contents of this field directly to a database, an attacker can inject an SQL command by modifying the header
  – Response splitting - Inserting a CRLF in an HTTP header can give attackers control of the remaining HTTP headers and body of the response

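The response-splitting item above, as an added example that is not from the slides: a constructed redirect builder that copies user input into the Location header, a parser that splits the header block on CRLF the way a browser does (showing the injected line become a header of its own), and the check that rejects any CR or LF before the value is written.

```python
# Constructed input for a redirect target: a path followed by a CRLF and an extra header line.
CONSTRUCTED_INPUT = "/home\r\nX-Injected: yes"


def is_safe_header_value(value):
    # A header value must not contain CR or LF: a CRLF ends the header line, so the
    # remainder of the value would be parsed as further headers (or, after a blank
    # line, as a response body) chosen by whoever supplied the value.
    return "\r" not in value and "\n" not in value


def build_redirect_unsafe(location):
    # Writes the user-controlled value into the Location header without checking it.
    return "HTTP/1.1 302 Found\r\nLocation: " + location + "\r\n\r\n"


def build_redirect(location):
    # Hardened form: refuse the request instead of emitting a header with CR/LF in it.
    if not is_safe_header_value(location):
        raise ValueError("CR or LF in header value rejected")
    return build_redirect_unsafe(location)


def header_names(raw_response):
    # Parse the header block as a client would: everything up to the first blank line,
    # one header per CRLF-terminated line, with the status line dropped.
    head = raw_response.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")[1:]
    return [line.split(":", 1)[0] for line in lines if ":" in line]
```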

Cookies

• Cookies - Store user-specific information on user’s local computer

• Web sites use cookies to identify repeat visitors

• Examples of information:
  – Travel Web sites may store the user’s travel itinerary
  – Personal information provided when visiting a site

• Only Web site that created a cookie can read it


Types of Cookies

• First-party cookie - Cookie created by the Web site the user is currently visiting

• Third-party cookie - Site advertisers (third parties) place cookie to record user preferences

• Session cookie - Stored in RAM and expires when browser is closed

• Persistent cookie - Recorded on computer’s hard drive and does not expire when browser closes


Locally Shared Object (LSO)

• Locally shared object (LSO) or Flash cookie - named after the Adobe Flash player

• Different from regular cookies:
  – Store more complex data
  – Store up to 100 KB of data from a website (25 times the data of a regular cookie)
  – Cannot be deleted through the browser's normal configuration settings
  – Saved in multiple locations on the hard drive
  – Can be used to reinstate regular cookies that the user deleted or blocked

Risks of Cookies

• Cookies have security and privacy risks

• First-party cookies can be stolen and used to impersonate the user

• Third-party cookies can be used to track the browsing or buying habits of a user

• When multiple websites are serviced by a single marketing organization, cookies can be used to track browsing habits on all of the clients’ sites


Attachments

• Attachments - Files that are coupled to email messages

• Malicious attachments commonly used to spread viruses, Trojans, and other malware when opened

• Most users routinely open any email attachment received even if from an unknown sender

• Attackers often include information in the subject line that entices even reluctant users to open the attachment, such as a current event


Session Token

• A user accessing a secure web application needs to be verified to prevent an imposter from “jumping in” to the interaction

• Session token - A random string assigned to the interaction (session) between a user and the web application currently being accessed, used to verify that user

• Web application server assigns a unique session token

• Each subsequent request from the user’s web browser to the web application contains the session token, verifying the user’s identity


Session Hijacking

• Session hijacking - Attacker attempts to impersonate the user by using the user’s session token

• Attacker can attempt to obtain the session token by:
  – Using XSS or other attacks to steal the session token cookie from the victim’s computer
  – Eavesdropping on the transmission
  – Guessing the session token (successful if generation of session tokens is not truly random)


Session Hijacking Attack (Figure 3-7)


Plug-Ins and Add-Ons

• Tools can be added to enhance the user’s interaction with a website through the web browser:
  – Plug-in - Third-party library (Java, Adobe Flash player, Apple QuickTime, Adobe Acrobat Reader) that attaches to the web browser and can be embedded inside a webpage (but affects only that specific page)
  – Add-ons or extensions - Tools that add functionality to the web browser itself


Malicious Add-Ons

• Attackers can create malicious add-ons to launch attacks against user’s computer

• ActiveX - Set of rules for how applications under the Microsoft Windows operating system should share information

• ActiveX controls (add-ons) - Specific way of implementing ActiveX and are sometimes called ActiveX applications

• ActiveX controls can be invoked from webpages through the use of a scripting language or directly by an HTML command


Impartial Overflow Attacks

• “Impartial” attacks can target either server or client

• Many of these attacks are designed to “overflow” areas of memory with instructions from the attacker

• Types of attacks:
  – Buffer overflow attacks
  – Integer overflow attacks
  – Arbitrary/remote code execution attacks


Buffer Overflow Attack

• Buffer overflow attack - Process attempts to store data in RAM beyond boundaries of fixed-length storage buffer

• Data overflows into adjacent memory locations

• Attacker can change the “return address” of the code’s memory location and redirect it to a memory address containing malware code


Buffer Overflow Attack (Figure 3-8)


Integer Overflow

• Integer overflow - Condition occurs when result of arithmetic operation (addition or multiplication) exceeds the maximum size of the integer type used to store it

• When overflow occurs, the interpreted value then wraps around from maximum value to minimum value


Integer Overflow Attack

• Example:
  – An 8-bit signed integer has a maximum value of 127 and a minimum value of -128
  – If the value 127 is stored in a variable and 1 is added to it, the sum exceeds the maximum value for this integer type
  – The value wraps around to become -128

• Integer overflow attack - Attacker changes the value of a variable to something outside the range the programmer had intended by using an integer overflow

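The 8-bit wrap-around above carried into a bounds check, as an added example that is not from the slides: the two's-complement reinterpretation a signed 8-bit variable applies (127 + 1 becomes -128), a constructed length check that performs its addition in that type and therefore accepts an oversized total, and the checked addition that detects the overflow instead. Buffer size and lengths are constructed values.

```python
INT8_MIN, INT8_MAX = -128, 127

# Constructed: size of a fixed-length buffer that a length check is meant to protect.
BUFFER_SIZE = 64


def wrap_int8(value):
    # Reinterpret any integer as an 8-bit two's-complement value, which is what a
    # signed 8-bit variable actually holds after an arithmetic result exceeds 127.
    return ((value + 128) % 256) - 128


def int8_overflows(a, b):
    total = a + b
    return total < INT8_MIN or total > INT8_MAX


def add_int8_unchecked(a, b):
    # Mimics a language with silent wrap-around: the sum is truncated to 8 bits.
    return wrap_int8(a + b)


def add_int8_checked(a, b):
    # Hardened form: refuse to produce a value that does not fit the type.
    if int8_overflows(a, b):
        raise OverflowError(f"{a} + {b} does not fit in a signed 8-bit integer")
    return a + b


def length_check_unchecked(header_len, payload_len):
    # header_len + payload_len is computed in an int8 and then compared with the
    # buffer size; once the sum wraps negative the comparison passes incorrectly.
    return add_int8_unchecked(header_len, payload_len) <= BUFFER_SIZE


def length_check_checked(header_len, payload_len):
    # An overflowing total is treated as "does not fit", which is the safe answer.
    if int8_overflows(header_len, payload_len):
        return False
    return header_len + payload_len <= BUFFER_SIZE
```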

Arbitrary/Remote Code Execution

• Heap spray - Targeted to insert data only in certain parts of memory

• Arbitrary/remote code execution - Allows an attacker to run programs and execute commands on a different computer

• Once under the attacker’s control, the computer can perform virtually any command from the attacker

• Arbitrary/remote code execution attacks often take advantage of malicious attachments, such as a Microsoft Visio file or a PDF file


Network Attacks

• Attackers place high priority on targeting networks

• Exploiting single vulnerability may expose hundreds or thousands of devices to an attacker

• Types of attacks that target a network or network process:
  – Denial of service
  – Interception
  – Poisoning
  – Attacks on access rights


Denial of Service (DoS)

• Denial of service (DoS) - Attempts to prevent system from performing normal functions

• Distributed denial of service (DDoS) - Uses thousands of zombie computers in a botnet

• Ping flood attack - Ping utility used to send large number of echo request messages and overwhelms server

• Smurf attack - Ping request with originating address changed (spoofing) and appears as if target computer is asking for response from all computers on the network


SYN Flood Attack

• SYN flood attack - Takes advantage of procedures for establishing connection

• Attacker sends SYN segments in IP packets to server but modifies source address of each packet to computer addresses that do not exist or cannot be reached

• Server continues to wait for a response (which is not coming) while receiving more false requests and keeping more lines open for responses

• Server ultimately runs out of resources and can no longer respond to legitimate requests


SYN Flood Attack (Figure 3-9)


Interception

• Man-in-the-middle - Interception of legitimate communication

• Forging a fictitious response to the sender

• Passive attack records transmitted data, active attack alters contents of transmission before sending to recipient

• Replay - Similar to passive man-in-the-middle attack

• Replay makes a copy of the transmission before sending it to the recipient for use at a later time (the man-in-the-middle replays it)


ARP Poisoning

• ARP poisoning - Attacker modifies the MAC address in the ARP cache to point to a different computer

Table 3-4 ARP poisoning attack

Attacks From ARP Poisoning (Table 3-5)


DNS Poisoning

• Domain Name System - Current basis for name resolution to IP address

• DNS poisoning - Substitutes DNS addresses to redirect a computer to another device

• Two locations for DNS poisoning:
  – Local host table
  – External DNS server


Sample HOSTS file (Figure 3-11)


DNS Poisoning (Figure 3-12)


Attacks on Access Rights

• Privilege escalation - Exploiting software vulnerability to gain access to restricted data

• Two types of privilege escalation:
  – Vertical privilege escalation - User with lower privilege uses privilege escalation to grant self access to functions reserved for higher-privilege users
  – Horizontal privilege escalation - User with restricted privileges accesses the different restricted functions of a similar user


Transitive Trust

• Transitive - Relation with the property that if a relation exists between A and B, and there is also a relation between B and C, then there is a relation between A and C

• Transitive trust - If Alice trusts Bob, and Bob trusts Carol, then Alice trusts Carol


Transitive Access

• Transitive trust can result in transitive access: System 1 can access System 2, and because System 2 can access System 3, then System 1 can access System 3

• Intention may not be for System 1 to access System 3, but instead for System 1 to be restricted to accessing only System 2

• Inadvertent and unauthorized access can result in serious security risks

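The System 1 / System 2 / System 3 case above, as an added example that is not from the slides: a constructed map of direct access between systems, a reachability walk that computes what each system can reach transitively, and a comparison against the intended access that flags System 1 reaching System 3 (with the chain that makes it possible) so the unintended path can be reviewed.

```python
from collections import deque

# Constructed: which systems each system can reach directly (the trust/access edges).
DIRECT_ACCESS = {
    "System 1": {"System 2"},
    "System 2": {"System 3"},
    "System 3": set(),
}

# Constructed: the access the designers intended; System 1 should stop at System 2.
INTENDED = {
    "System 1": {"System 2"},
    "System 2": {"System 3"},
}


def reachable(graph, start):
    # Breadth-first walk over the direct edges; returns every system reachable from
    # start through any chain, together with the predecessor that led to it.
    parents = {}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in sorted(graph.get(node, ())):
            if nxt not in parents and nxt != start:
                parents[nxt] = node
                queue.append(nxt)
    return parents


def access_path(graph, start, target):
    # Reconstruct the chain start -> ... -> target, or None if target is unreachable.
    parents = reachable(graph, start)
    if target not in parents:
        return None
    path = [target]
    while path[-1] != start:
        path.append(parents[path[-1]])
    return list(reversed(path))


def unintended_access(graph, intended):
    # For each system, everything reachable transitively minus what was intended.
    findings = {}
    for system in graph:
        extra = set(reachable(graph, system)) - intended.get(system, set())
        if extra:
            findings[system] = extra
    return findings
```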