Attacks1

Common Vulnerabilities

• Buffer Overflows
• Incomplete Mediation
• Command Injection Attack
• Inference
• Cross-Site Scripting

IFETCE/M.E CSE/NE7202-NIS/Unit 4

Buffer Overflows

• Many languages require a buffer size declaration
• C language statement: char sample[10];
• Execute statement: sample[i] = 'A'; where i=10
• Subscript outside the valid range (0-9) – buffer overflow occurs
• Some compilers don't check for exceeding bounds
• A similar problem is caused by pointers. There is no reasonable way to define limits for pointers

Buffer Overflows – Example

    char sample[10];
    for (i = 1; i <= 10; i++)
        sample[i] = 'A';   /* valid subscripts are 0-9; the i == 10 iteration writes one byte past the end of sample */

Buffer Overflows, cont.

• Where does the last 'A' go? It depends on what is adjacent to sample[10]:
  • Affects user's data – overwrites user's data
  • Affects user's code – changes user's instruction
  • Affects OS data – overwrites OS data
  • Affects OS code – changes OS instruction, unpredictable results
• This is a case of aliasing

Buffer Overflows – Security Implication

• Attacker replaces code in the system space and takes control back from the operating system
• Suppose the buffer overflow affects the OS code area:
  • Attacker code is executed as if it were OS code
  • Attacker might need to experiment to see what happens when he inserts A into the OS code area
  • Can raise the attacker's privileges (to OS privilege level) when A is an appropriate instruction
  • Attacker can gain full control of the OS

Buffer Overflows – Security Implication

• Attacker uses the stack pointer or return register to execute other code
• Parameter passing to a web server:
  http://www.somesite.com/subpage/data&parm1=(808)555-1212&parm2=2004Jan01
• What if one of the parameters is made longer?
• Microsoft's Phone Dialer contains a buffer overrun that allows execution of arbitrary code

Summary

• Buffer overflows are still common
• Used by attackers
  • to crash systems
  • to exploit systems by taking over control
• Large # of vulnerabilities are due to buffer overflows

Incomplete Mediation

• Sensitive data are in an exposed, uncontrolled condition
• Example
  • URL to be generated by the client's browser to access the server, e.g.:
    http://www.things.com/order/final&custID=101&part=555A&qy=20&price=10&ship=boat&shipcost=5&total=205
  • Instead, the user edits the URL directly, changing the price and total cost as follows:
    http://www.things.com/order/final&custID=101&part=555A&qy=20&price=1&ship=boat&shipcost=5&total=25
• Security Implication
  • Easy to exploit – Things, Inc. example

Incomplete Mediation, cont.

• Unchecked data are a serious vulnerability!
• Possible solution: anticipate problems
  • Don't let the client return a sensitive result (like total) that can be easily recomputed by the server
  • Use drop-down boxes / choice lists for data input
  • Prevent the user from editing input directly
  • Check the validity of data values received from the client
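The server-side checks listed above, as an added Python example that is not from the lecture notes. The catalogue, the shipping table, the helper names and the two URLs are constructed; the URLs follow the Things, Inc. example but begin the query string with '?' so the standard library can parse them. The server recomputes price, shipping cost and total from its own data and rejects a request whose client-supplied values disagree, instead of trusting the total the client returned.

```python
"""Server-side re-validation of an order submitted through URL parameters.

Added example (not from the notes).  CATALOG, SHIPPING, the helper names
and the two URLs are constructed for illustration.
"""
from urllib.parse import urlsplit, parse_qs

# Constructed server-side data: the price per part and the shipping cost are
# authoritative here, never in the request.
CATALOG = {"555A": 10}
SHIPPING = {"boat": 5, "air": 25}


def parse_order(url):
    """Return the single-valued query parameters of an order URL as a dict."""
    query = urlsplit(url).query
    return {k: v[0] for k, v in parse_qs(query, strict_parsing=True).items()}


def validate_order(params):
    """Recompute the sensitive fields from server data and reject mismatches.

    Returns the server-computed (price, total).  Raises ValueError when the
    request is malformed or the client-supplied price/shipcost/total disagree
    with what the server computes (the incomplete-mediation case).
    """
    part = params["part"]
    if part not in CATALOG:
        raise ValueError("unknown part")
    ship = params["ship"]
    if ship not in SHIPPING:
        raise ValueError("unknown shipping method")
    qty = int(params["qy"])
    if not 1 <= qty <= 1000:
        raise ValueError("quantity out of range")

    price = CATALOG[part]
    shipcost = SHIPPING[ship]
    total = qty * price + shipcost

    # The client's copies of these values are compared only so tampering can be
    # detected and logged; the server's own figures are the ones used.
    for field, expected in (("price", price), ("shipcost", shipcost), ("total", total)):
        if field in params and int(params[field]) != expected:
            raise ValueError(f"client-supplied {field} does not match server value")
    return price, total


# Constructed URLs: the one the browser should generate, and a hand-edited one.
GOOD_URL = ("http://www.things.com/order/final?custID=101&part=555A&qy=20"
            "&price=10&ship=boat&shipcost=5&total=205")
TAMPERED_URL = ("http://www.things.com/order/final?custID=101&part=555A&qy=20"
                "&price=1&ship=boat&shipcost=5&total=25")


def check(url):
    """Return (accepted, total) for a URL; total is always the server's figure."""
    try:
        _, total = validate_order(parse_order(url))
        return True, total
    except ValueError:
        return False, None


if __name__ == "__main__":
    print(check(GOOD_URL))      # (True, 205)
    print(check(TAMPERED_URL))  # (False, None)
```

The design point is that price and total never need to travel through the client at all; if they do, the server treats them as a consistency check, not as input.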

Attacking the Web Application

• Web application:
  • takes input strings from the user and interprets them.
  • Interacts with a back-end database.
  • Retrieves data and dynamically generates new content.
  • Presents the output to the user.
• The threat – Command Injection Attack:
  • Unexpected input may cause problems.

What is code injection?

• Code injection is the exploitation of a computer bug that is caused by processing invalid data.
• Code injection can be used by an attacker to introduce (or "inject") code into a computer program to change the course of execution.
• The results of a code injection attack can be disastrous.


Code injection can do

• Arbitrarily modify values in a database through a type of code injection called SQL injection. The impact of this can range from defacement of a web site to serious compromise of sensitive data.
• Install malware on a computer by exploiting code injection vulnerabilities in a web browser or its plugins when the user visits a malicious site.

Code injection can do (cont.)

• Install malware or execute malevolent code on a server, by PHP or ASP Injection.
• Privilege escalation to root permissions by exploiting Shell Injection vulnerabilities in a setuid root binary on UNIX.
• Privilege escalation to Local System permissions by exploiting Shell Injection vulnerabilities in a service on Windows.
• Stealing sessions/cookies from web browsers using HTML/Script Injection (Cross-site scripting).

Different types of Code injection

• SQL injection
• LDAP Injection
• OS Command Injection
• Cross-Site Scripting ("XSS")

SQL injection

• A SQL injection attack consists of injection of malicious SQL commands via input data from the client to the application.
• It affects the execution of predefined SQL commands.

SQL injection

• SQL injection consists of direct insertion of code into user-input variables which are concatenated with SQL commands and executed.
• A less direct attack injects malicious code into strings that are destined for storage in a table or as metadata.
• When the stored strings are subsequently concatenated into dynamic SQL commands, the malicious code is then executed.

Web Application Architecture

    Web browser --(user input)------> Application --(database query)--> Database
    Web browser <--(web page)-------- Application <--(result)---------- Database

The application generates the query based on the user's input.

SQLCIAs - Example

    String query = "SELECT cardnum FROM accounts WHERE username = '" + strUName + "' AND cardtype = " + strCType + ";";

Expected input (strUName = John, strCType = 2) produces:

    SELECT cardnum FROM accounts WHERE username = 'John' AND cardtype = 2;

Result: Returns John's saved credit card number.

SQLCIAs - Example, cont.

Malicious input (strCType = 2 OR 1 = 1) produces:

    SELECT cardnum FROM accounts WHERE username = 'John' AND cardtype = 2 OR 1 = 1;

Result: Returns all saved credit card numbers. AND binds more tightly than OR, so the WHERE clause is (username = 'John' AND cardtype = 2) OR 1 = 1, which is true for every row.
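The concatenated query from the example next to its parameterised form, run against an in-memory SQLite table. This is an added example, not code from the notes: the accounts table, its two rows and the helper names are constructed; the query text mirrors the Java string above. The hardened version first checks that cardtype is a plain integer (allow-list validation) and then binds both values as parameters, so the input can only ever be data, never part of the SQL command.

```python
"""Concatenated versus parameterised SQL against an in-memory SQLite table.

Added example (not from the notes).  The table contents and helper names are
constructed; the query text follows the notes' Java example.
"""
import sqlite3


def make_db():
    """Constructed accounts table holding two users' saved card numbers."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, cardtype INTEGER, cardnum TEXT)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [("John", 2, "4111-0000-0000-0001"), ("Mary", 1, "5500-0000-0000-0002")],
    )
    return conn


def lookup_concatenated(conn, str_uname, str_ctype):
    """The vulnerable form from the notes: user input pasted into the SQL text."""
    query = ("SELECT cardnum FROM accounts WHERE username = '" + str_uname
             + "' AND cardtype = " + str_ctype + ";")
    return [row[0] for row in conn.execute(query)]


def is_valid_cardtype(s):
    """Allow-list check: a card type is a non-negative integer and nothing else."""
    return s.strip().isdigit()


def lookup_parameterised(conn, str_uname, str_ctype):
    """Hardened form: validate, then bind the values as query parameters."""
    if not is_valid_cardtype(str_ctype):
        raise ValueError("cardtype must be an integer")
    query = "SELECT cardnum FROM accounts WHERE username = ? AND cardtype = ?;"
    return [row[0] for row in conn.execute(query, (str_uname, int(str_ctype)))]


def run_demo():
    """Run both forms with the notes' expected and malicious inputs."""
    db = make_db()
    return {
        "concat_ok": lookup_concatenated(db, "John", "2"),
        "concat_injected": lookup_concatenated(db, "John", "2 OR 1 = 1"),
        "param_ok": lookup_parameterised(db, "John", "2"),
        "injected_input_valid": is_valid_cardtype("2 OR 1 = 1"),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

With the concatenated form the injected input returns both users' card numbers; with the parameterised form the same input never reaches the database, and even a value that passed validation would be compared as a single integer rather than parsed as SQL.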

Inference

• A way to infer / derive sensitive data from nonsensitive data

Direct Attack

• A user tries to determine values of sensitive fields by seeking them
• A sensitive query:
  • List NAME where SEX=M ^ DRUGS=1
• A less obvious query:
  • List NAME where (SEX=M ^ DRUGS=1) v (SEX#M ^ SEX#F) v (DORM=AYRES)
  (in these queries ^ denotes AND, v denotes OR and # denotes "not equal")

Direct Attack (cont.)

• Do not reveal results when a small number of people make up a large proportion of a category.
• The rule of "n items over k percent" means that data should be withheld if n items represent over k percent of the result reported.

Indirect Attack

• Sum – An attack by sum tries to infer a value from a reported sum.
• Count – The count can be combined with the sum to produce some even more revealing results.
• Mean – The arithmetic mean (average) allows exact disclosure if the attacker can manipulate the subject population.
• Median
• Tracker Attacks – using additional queries that produce small results

Indirect Attack

• Sum
  • Show STUDENT-AID WHERE SEX=F ^ DORM=Grey
• Count
  • Show Count, STUDENT-AID WHERE SEX=M ^ DORM=Holmes
  • List NAME where (SEX=M ^ DORM=Holmes)


Controls

• Suppression – don't provide sensitive data
• Concealing – don't provide actual values ("close to")
• Limited Response Suppression
• The n-item k-percent rule eliminates low frequency elements from being displayed (may need to suppress additional rows/columns)
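The n-item k-percent rule from the Direct Attack slide and the suppression and concealing controls above, as one added Python example that is not from the notes. The STUDENTS records, the thresholds (n = 1, k = 50, at least 3 records per result) and the helper names are constructed; the attribute names follow the notes' SEX, DORM and STUDENT-AID, and the sum and count queries are the ones from the Indirect Attack slide. Each query is analysed before its result is released: small populations and results dominated by one record are suppressed, and a sum that survives is rounded so the exact value is still concealed.

```python
"""Query filter for a statistical database: n-item k-percent rule, minimum
population size and rounding.  Added example (not from the notes); the
records and thresholds are constructed.
"""

FIELDS = ("name", "sex", "dorm", "aid")

# Constructed student records: (NAME, SEX, DORM, STUDENT-AID)
STUDENTS = [dict(zip(FIELDS, r)) for r in [
    ("Adams",   "M", "Holmes", 5000),
    ("Bailey",  "F", "Grey",   6000),
    ("Chin",    "M", "Holmes", 0),
    ("Dewitt",  "M", "Grey",   1000),
    ("Earhart", "F", "Holmes", 3000),
    ("Fein",    "F", "Holmes", 4000),
    ("Groff",   "M", "Grey",   3000),
]]


def select(rows, **where):
    """Rows matching every field=value pair (a conjunction, the notes' '^')."""
    return [r for r in rows if all(r[f] == v for f, v in where.items())]


def allowed(values, n, k, min_count):
    """Query analysis: should this result be provided?

    Withhold it when fewer than min_count records contribute, or when the n
    largest values make up more than k percent of the total (the n-item
    k-percent rule), since either lets a result be tied to individuals.
    """
    if len(values) < min_count:
        return False
    total = sum(values)
    if total == 0:
        return True                      # nothing to disclose
    top = sum(sorted(values, reverse=True)[:n])
    return 100 * top / total <= k


def guarded_sum(rows, n=1, k=50, min_count=3, round_to=1000, **where):
    """Sum of STUDENT-AID over the selected population, or None if suppressed.

    A released sum is rounded to round_to (a concealing control) so the caller
    gets a value 'close to' the real one rather than the exact figure.
    """
    values = [r["aid"] for r in select(rows, **where)]
    if not allowed(values, n, k, min_count):
        return None
    return round_to * round(sum(values) / round_to)


def guarded_count(rows, min_count=3, **where):
    """Count over the selected population, or None if the population is too small."""
    count = len(select(rows, **where))
    return count if count >= min_count else None


if __name__ == "__main__":
    # The two queries from the Indirect Attack slide, both suppressed here.
    print(guarded_sum(STUDENTS, sex="F", dorm="Grey"))       # None
    print(guarded_count(STUDENTS, sex="M", dorm="Holmes"))   # None
    # A dorm-wide sum is released (rounded); a sum dominated by one record is not.
    print(guarded_sum(STUDENTS, dorm="Holmes"))              # 12000
    print(guarded_sum(STUDENTS, sex="M"))                    # None
```

Suppression of one cell often has to be extended to neighbouring cells (the "additional rows/columns" the slide mentions), because a released total minus released sub-totals would reveal the suppressed one; the filter above is the per-query building block, not that complementary suppression.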

Controls

• Combined Results
  • Sums
  • Ranges
  • Rounding
• Random Sample
• Random Data Perturbation
• Query Analysis – "should the result be provided"

Conclusion on the Inference Problem

• No perfect solutions to the inference problem.
• The approaches to controlling it:
  • Suppress obviously sensitive information
  • Track what the user knows
  • Disguise the data

Cross-Site Scripting (XSS)

• Occurs any time…
  • Raw data from an attacker is sent to an innocent user
• Raw data…
  • Stored in a database
  • Reflected from web input (form field, hidden field, URL, etc…)
  • Sent directly into a rich JavaScript client
• Virtually every web application has this problem
• Try this in your browser – javascript:alert(document.cookie)

XSS (cont.)

• Allows embedding malicious code: JavaScript (AJAX!), VBScript, ActiveX, HTML, or Flash
• Threats: phishing, hijacking, changing of user settings, cookie theft/poisoning, false advertising, execution of code on the client, ...

XSS Types

• Reflected
  • Link in another website / e-mail link
• Stored
  • e.g. bulletin board, forum
• DOM-Based

Cross-Site Scripting Illustrated

[Figure: application with stored XSS vulnerability. Application tiers shown: Custom Code; Accounts, Finance, Administration, Transactions, Communication, Knowledge Mgmt, E-Commerce, Bus. Functions.]

1. Attacker sets the trap – update my profile: the attacker enters a malicious script into a web page that stores the data on the server
2. Victim views page – sees attacker profile: the script runs inside the victim's browser with full access to the DOM and cookies
3. Script silently sends the attacker the victim's session cookie


Protection

• Input validation
• Output Encoding:
    <  →  &lt;      >  →  &gt;
    (  →  &#40;     )  →  &#41;
    #  →  &#35;     &  →  &#38;
• Do not use "blacklist" validation
• Specify the output encoding
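The protection measures above, as an added Python example that is not from the notes. The encoding table is the one on the slide; the profile page, the helper names, the username rule and the sample inputs are constructed. The example encodes every untrusted string written into HTML element content, uses allow-list validation for a field with a known shape (a username), and shows why a "blacklist" check for a single bad string is not a substitute for encoding.

```python
"""Output encoding and allow-list input validation for an HTML page.

Added example (not from the notes).  The helper names, the username rule
and the sample inputs are constructed; the encoding table is the slide's.
"""

# Encoding table from the Protection slide.  Each character is replaced in a
# single pass, so the '&' of an emitted entity is never encoded again.
ENCODE = {
    "<": "&lt;", ">": "&gt;",
    "(": "&#40;", ")": "&#41;",
    "#": "&#35;", "&": "&#38;",
}


def encode_for_html(text):
    """Encode untrusted text for placement inside an HTML element."""
    return "".join(ENCODE.get(ch, ch) for ch in text)


def is_valid_username(name):
    """Allow-list validation: accept only what a username is expected to look
    like (constructed rule: 1-32 ASCII letters or digits) instead of searching
    for known-bad substrings."""
    return 1 <= len(name) <= 32 and name.isascii() and name.isalnum()


def blacklist_rejects(text):
    """A naive blacklist, included only to show that it is insufficient: it
    matches one exact spelling and nothing else."""
    return "<script>" in text.lower()


def render_profile(name, bio):
    """Build the profile fragment.  The username is validated against the
    allow-list and still encoded; the free-text bio is encoded as-is."""
    if not is_valid_username(name):
        raise ValueError("invalid username")
    return f"<h1>{encode_for_html(name)}</h1><p>{encode_for_html(bio)}</p>"


if __name__ == "__main__":
    # Constructed stored-XSS payload of the kind the slide's own
    # javascript:alert(document.cookie) demonstrates.
    bio = "<script>alert(document.cookie)</script>"
    print(render_profile("John", bio))
    # The blacklist misses a trivially different spelling; encoding does not
    # care about spelling, because it neutralises the characters themselves.
    variant = "<script >alert(document.cookie)</script>"
    print(blacklist_rejects(variant), encode_for_html(variant))
```

The last slide item, specifying the output encoding, is a separate header-level setting (for example a charset in the Content-Type header) and is not something the string encoder above can supply; the two controls work together.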