Chapter 3 - Application & Networking-Based Attacks


ITIS412: Information Security

Chapter 3: Application and Networking-Based Attacks
Conceptual Networked System
- Network used to connect different clients and servers together
- Clients and servers run an operating system
- Operating system controls applications
- Applications manipulate data
- Each represents an attack vector to exploit
- Attacks on the applications in a networked computer system can be directed toward the server, the client, or both

2 ITIS 412
Conceptual Networked Computer System

3 ITIS 412
Server-Side Web Application Attacks
- Content provided for users who are “surfing the Web” is generated by a software application running on a server
- In providing web services to clients, web servers also expose those same services to attackers
- Important characteristic of server-side web applications:
  - Create dynamic content based on inputs from the user

4 ITIS 412
Server-Side Web
Application Infrastructure

6 ITIS 412
Securing Web Applications
- Securing server-side web applications is often considered more difficult than protecting other systems
- Traditional network security devices cannot always block web application attacks, because many traditional network security devices ignore the content of HTTP traffic, which is the vehicle of web application attacks

7 ITIS 412
Zero Day Attacks
- Many web application attacks (as well as other application attacks) exploit previously unknown vulnerabilities
- Zero day attacks - Exploit previously unknown vulnerabilities, so victims have no time to prepare or defend

8 ITIS 412
Common Application Attacks
- Many server-side web application attacks target the input that the applications accept from users
- Common web application attacks:
  - Cross-site scripting
  - SQL injection
  - XML injection
  - Command injection/directory traversal

9 ITIS 412
Cross-Site Scripting
- Not all attacks on websites are designed to steal content or deface it
- Some attacks use the web server as a platform to launch attacks on other computers that access it
- Cross-site scripting (XSS) - Injects scripts into a web application server to direct attacks at unsuspecting clients
- It typically allows attackers to hijack other users' online accounts on the affected website.
- Many web applications are designed to customize content for the user by taking what the user enters and then displaying that input back to the user
- Cross-site scripting attacks can be broken down into two types: stored and reflected.
10 ITIS 412
Cross Site Scripting (XSS) Attacks

What is Cross Site Scripting (XSS)?
- It is a common attack vector that injects malicious code into a vulnerable web application.
- It does not directly target the application itself. Instead, it targets the users of the web application; they are the ones at risk.
- One of the most frequent targets are websites that allow users to share content, including blogs, social networks, video sharing platforms and message boards.

11 ITIS 412
Stored XSS Attack Example
- While browsing an e-commerce website, the attacker adds an HTML tag to be embedded in the site’s comments section.
- The embedded tags become a permanent feature of the page, causing the browser to analyze it with the rest of the source code every time the page is opened.
- The HTML tag in the comment will activate a JavaScript file, which is hosted on another site, and has the ability to steal visitors’ session cookies.

12 ITIS 412
Stored XSS Attack

13 ITIS 412
What is Reflected Cross-Site Scripting?
- It is an attack vector that arises when data is copied from a request and echoed into the application's immediate response in an unsafe way.
- An attacker can use the vulnerability to construct a request that will cause JavaScript code (supplied by the attacker) to execute within the user's browser.
- The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
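Both XSS variants come down to the same defect: user input is written back into the page as markup. The example below is added here and is not from the slides; it shows the vulnerable renderer next to the hardened one (HTML-encoding the input, plus a Content-Security-Policy as defence in depth). The stored comment and the `evil.example` host are constructed sample data.

```python
import html

# Constructed comment of the kind a stored XSS leaves in the comments table:
# a tag that loads a script from another site (not from the original slides).
STORED_COMMENT = '<script src="https://evil.example/steal.js"></script> Nice shoes!'

def render_comment_unsafe(comment):
    """Vulnerable: the stored comment is concatenated straight into the page,
    so the browser parses the <script> tag along with the rest of the source."""
    return '<div class="comment">' + comment + '</div>'

def render_comment_safe(comment):
    """Hardened: encode &, <, >, " and ' so the comment is shown as text.
    The browser never sees a tag, only the characters that spell one."""
    return '<div class="comment">' + html.escape(comment, quote=True) + '</div>'

def render_search_safe(query):
    """Reflected case: the query is echoed inside an attribute value and in
    the body. Both contexts get encoded; quote=True also neutralises an
    attempt to close the value="..." attribute early."""
    safe = html.escape(query, quote=True)
    return '<input name="q" value="' + safe + '"><p>Results for ' + safe + '</p>'

def executes_script(page):
    """Crude stand-in for the browser: is there a live <script> tag in the page?"""
    return "<script" in page.lower()

def csp_header():
    """Defence in depth for both variants: only scripts from the site's own
    origin may run, so a script hosted on another site is blocked even if
    an encoding step is missed somewhere."""
    return ("Content-Security-Policy", "default-src 'self'; script-src 'self'")
```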

14 ITIS 412
Reflected XSS Attack Example

15 ITIS 412
SQL Injection
- SQL (Structured Query Language) - Used to manipulate data stored in a relational database
- SQL injection - Targets SQL servers by introducing malicious commands
- SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker).

20 ITIS 412
SQL Injection Statements

21 ITIS 412
Forgotten Password Example
- Forgotten password example:
  - Attacker enters an incorrectly formatted e-mail address
  - Response lets the attacker know whether input is being validated
  - Attacker enters a SQL statement fragment in the email field
  - Statement processed by the database
- Example statement:
  SELECT fieldlist FROM table WHERE field = 'whatever' or 'a'='a'
- Result is that all user email addresses will be displayed
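The forgotten-password statement above, run against a constructed user table so the effect can be seen. This is an added example, not code from the slides: the vulnerable lookup concatenates the e-mail field into the query text, while the hardened version binds it as a parameter. The table contents and column names are made up for the demonstration.

```python
import sqlite3

def build_db():
    """Constructed in-memory stand-in for the site's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, pwd_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [
        ("alice@example.com", "h1"),
        ("bob@example.com", "h2"),
        ("carol@example.com", "h3"),
    ])
    return conn

def lookup_unsafe(conn, email):
    """Vulnerable: the e-mail is concatenated into the SQL text. A quote in the
    input closes the literal and the rest of the input is parsed as SQL."""
    sql = "SELECT email FROM users WHERE email = '" + email + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_safe(conn, email):
    """Hardened: a parameterized query. The driver binds the value separately
    from the statement, so quotes and keywords in it stay data."""
    return [row[0] for row in conn.execute(
        "SELECT email FROM users WHERE email = ?", (email,))]

# The slide's probe: closes the 'whatever' literal and appends a tautology,
# producing  ... WHERE email = 'whatever' or 'a'='a'
PROBE = "whatever' or 'a'='a"

def demo(email=PROBE):
    """Return (rows from the vulnerable query, rows from the safe query)."""
    conn = build_db()
    return lookup_unsafe(conn, email), lookup_safe(conn, email)
```

With the probe, the vulnerable query returns every address in the table while the parameterized one returns nothing, because no user has that literal string as an e-mail.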

22 ITIS 412
XML (Extensible Markup Language)
- Markup language - Method for adding annotations (or comments) to text
- Example is HTML:
  - Uses tags surrounded by brackets
  - Instructs browser to display text in a specific format
- XML (Extensible Markup Language):
  - Carries data instead of indicating how to display it
  - No predefined set of tags
  - Users define their own tags

23 ITIS 412
XML Attack

- XML attack - Similar to SQL injection attack
  - Attacker discovers a Web site that does not filter user data
  - Injects XML tags and data into the database
- XPath injection:
  - Specific type of XML injection attack
  - Attempts to exploit XML Path Language queries

24 ITIS 412
Directory Traversal/Command Injection
- Web server users typically restricted to root directory
  - Users may be able to access subdirectories but not parallel or higher level directories
  - Helps to protect sensitive files

25 ITIS 412
Directory Traversal
- Directory traversal is an HTTP attack which allows attackers to access restricted directories and execute commands outside of the web server's root directory.
- The goal of this attack is to use an affected application to gain unauthorized access to the file system. This attack exploits a lack of security controls.
- It uses malformed input or takes advantage of a vulnerability to move from the root directory to restricted directories
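The check a web server needs against this is on the canonical path, not on spotting `..` in the request. The function below is an added example (not from the slides): it percent-decodes the request, resolves it under an assumed document root, and refuses anything whose resolved path leaves that root. `/var/www/html` is an assumed root, and the paths in the test are constructed.

```python
import os
from urllib.parse import unquote

# Assumed document root (constructed; a real server's root will differ).
WEB_ROOT = os.path.realpath("/var/www/html")

class TraversalError(ValueError):
    pass

def resolve_under_root(requested, root=WEB_ROOT):
    """Map a requested URL path onto the filesystem and prove the result stays
    inside root. realpath resolves '..' segments and symlinks, so the check
    is on where the path really lands, not on the raw string."""
    path = requested
    for _ in range(3):                    # undo repeated percent-encoding
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    # Drop leading slashes so os.path.join does not discard root.
    candidate = os.path.realpath(os.path.join(root, path.lstrip("/")))
    if os.path.commonpath([root, candidate]) != root:
        raise TraversalError("refused: %r resolves outside %s" % (requested, root))
    return candidate

def is_allowed(requested, root=WEB_ROOT):
    """Boolean form for tests and access logs."""
    try:
        resolve_under_root(requested, root)
        return True
    except TraversalError:
        return False
```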

26 ITIS 412
Directory Traversal Attack

27 ITIS 412
Command injection
- Command injection - An attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application.
- A command injection attack occurs when an attacker attempts to execute system-level commands through a vulnerable web application.
- Command injection attacks are possible when an application passes unsafe user-supplied data (forms, cookies, HTTP headers etc.) to a system shell.
- Attacker enters commands to execute on the server or view confidential files
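The "passes data to a system shell" step is where the defect lives, so the fix is to never let a shell parse the value. This added example (not from the slides) uses a hypothetical ping feature of a web application: the vulnerable form builds a shell command string from the host field, the hardened form validates the host against an allowlist pattern and passes an argument vector with no shell involved.

```python
import re
import subprocess

# One DNS label: alphanumerics and hyphens, no leading/trailing hyphen.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(r"^(?:%s\.)*%s$" % (LABEL, LABEL))

def is_valid_host(host):
    """Allowlist check: only something that looks like a hostname gets through."""
    return len(host) <= 253 and HOSTNAME_RE.match(host) is not None

def ping_command_unsafe(host):
    """Vulnerable: the untrusted value is spliced into a shell command string.
    Shell separators in it (; | & backticks) would start further commands."""
    return "ping -c 1 " + host        # as handed to subprocess.run(..., shell=True)

def ping_command_safe(host):
    """Hardened: validate first, then build an argument vector. Without a
    shell there is no parser that could turn the value into a command."""
    if not is_valid_host(host):
        raise ValueError("rejected host: %r" % host)
    return ["ping", "-c", "1", host]

def run_ping(host, timeout=5):
    """Execute without shell=True; the host reaches ping as a single argv item."""
    return subprocess.run(ping_command_safe(host), capture_output=True,
                          text=True, timeout=timeout).returncode

def shell_sees_extra_command(cmd):
    """Diagnostic for the unsafe form: does the string contain a separator a
    POSIX shell would treat as the start of another command?"""
    return any(tok in cmd for tok in (";", "|", "&", "`", "$(", "\n"))
```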
28 ITIS 412
Client-Side Application Attacks
- Web application attacks are server-side attacks
- Client-side attacks target vulnerabilities in client applications:
  - Interacting with a compromised server
  - Client initiates connection with server, which could result in an attack

29 ITIS 412
Drive-By Download
- Drive-by download:
  - Client computer compromised simply by viewing a Web page
  - Attackers inject content into vulnerable Web server to gain access to server’s operating system
  - Attackers craft a zero-pixel frame to avoid visual detection
    - Embed an HTML document inside main document
  - Client’s browser downloads malicious script
    - Instructs computer to download malware

30 ITIS 412
HTTP Header
- HTTP header consists of fields that characterize the data being transmitted
- Header fields are comprised of:
  - Field name
  - Colon
  - Field value
  - Example: Content-Length: 49
- HTTP header field names and values may be any application-specific strings, but a core set is standardized by the Internet Engineering Task Force (IETF)

31 ITIS 412
HTTP Header Fields

32 ITIS 412
Header Manipulation
- HTTP header manipulation - Attack modifies HTTP headers
- HTTP header manipulation is not an actual attack but rather a vehicle through which other attacks (like XSS) can be launched.
- HTTP header manipulation allows an attacker to pass malicious instructions from their own malicious website, or through an infected site, to the web browser via HTTP headers

33 ITIS 412
HTTP Header Attacks
- Examples of HTTP header attacks:
  - Referer - Can bypass security by modifying the Referer field to hide the fact that the request came from another site
  - Accept-Language - Because some web applications pass the contents of this field directly to the database, an attacker can inject a SQL command by modifying the header
  - Response splitting - Inserting a CRLF in an HTTP header can give attackers control of the remaining HTTP headers and body of the response
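Response splitting works because CRLF is the line separator of the header block, so a value that contains one becomes two lines when serialized. The example below is added here, not from the slides: it serializes a redirect whose Location comes from an untrusted value, shows how a receiving client would parse the result, and contrasts a header setter that rejects control characters. The `X-Injected` value is constructed.

```python
def add_header_unsafe(headers, name, value):
    """Vulnerable: the value goes into the header block verbatim. A CR LF in
    it ends the current header line; whatever follows is read as further
    headers, or as the response body once a blank line appears."""
    headers.append(name + ": " + value)
    return headers

def is_safe_header_value(value):
    """Header values may not contain CR, LF or NUL; reject rather than strip."""
    return not any(ch in value for ch in "\r\n\x00")

def add_header_safe(headers, name, value):
    """Hardened: validate name and value before they are serialized."""
    if not name.replace("-", "").isalnum():
        raise ValueError("invalid header name: %r" % name)
    if not is_safe_header_value(value):
        raise ValueError("control character in header value: %r" % value)
    headers.append(name + ": " + value)
    return headers

def serialize(status_line, headers):
    """Wire form of the response head: CRLF between lines, blank line at the end."""
    return (status_line + "\r\n" + "\r\n".join(headers) + "\r\n\r\n").encode()

def client_view(raw):
    """How a receiving client parses the head: one header per CRLF-separated line."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    return head.decode().split("\r\n")[1:]

# Constructed redirect target carrying an embedded CR LF (not from the slides).
SPLIT_VALUE = "/home\r\nX-Injected: yes"

def redirect_headers(value, safe):
    """Build a 302 whose Location is the untrusted value; return what the client sees."""
    add = add_header_safe if safe else add_header_unsafe
    return client_view(serialize("HTTP/1.1 302 Found", add([], "Location", value)))
```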

34 ITIS 412
Cookies
- Cookies - Store user-specific information on the user’s local computer
- Web sites use cookies to identify repeat visitors
- Examples of information:
  - Travel Web sites may store user’s travel itinerary
  - Personal information provided when visiting a site
- Only the Web site that created a cookie can read it

35 ITIS 412
Types of Cookies
- First-party cookie - Cookie created by the Web site the user is currently visiting
- Third-party cookie - Site advertisers (third parties) place a cookie to record user preferences
- Session cookie - Stored in RAM and expires when the browser is closed
- Persistent cookie - Recorded on the computer’s hard drive and does not expire when the browser closes

36 ITIS 412
Locally Shared Object (LSO)
- Locally shared object (LSO) or Flash cookie - named after the Adobe Flash player
- Different from regular cookies:
  - Store more complex data
  - Store up to 100 KB of data from a website (25 times the data of a regular cookie)
  - Cannot be deleted through the browser's normal configuration settings
  - Saved in multiple locations on the hard drive
  - Can be used to reinstate regular cookies that the user deleted or blocked
37 ITIS 412
Risks of Cookies
- Cookies have security and privacy risks
- First-party cookies can be stolen and used to impersonate the user
- Third-party cookies can be used to track the browsing or buying habits of a user
- When multiple websites are serviced by a single marketing organization, cookies can be used to track browsing habits on all of the client’s sites

38 ITIS 412
Attachments
- Attachments - Files that are coupled to email messages
- Malicious attachments commonly used to spread viruses, Trojans, and other malware when opened
- Most users routinely open any email attachment received, even if from an unknown sender
- Attackers often include information in the subject line that entices even reluctant users to open the attachment, such as a current event

39 ITIS 412
Session Token
- User accessing a secure web app needs to be verified to prevent an imposter from “jumping in” to the interaction
- Session token - Verification through a random string assigned to the interaction between user and web application currently being accessed (session)
- Web application server assigns a unique session token
- Each subsequent request from the user’s web browser to the web application contains the session token verifying the user's identity

40 ITIS 412
Session Hijacking
- Session hijacking - Attacker attempts to impersonate the user by using his/her session token
- Attacker can attempt to obtain the session token by:
  - Using XSS or other attacks to steal the session token cookie from the victim’s computer
  - Eavesdropping on the transmission
  - Guessing the session token (successful if generation of session tokens is not truly random)
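The three theft paths listed above each map to one server-side control. The following is an added example (not from the slides) covering the session token and cookie material together: a clock-seeded token generator that is reproducible by anyone who knows the login time (the "not truly random" case), a CSPRNG replacement, a Set-Cookie line with the attributes that close the XSS and eavesdropping paths, and a constant-time comparison for validating the presented token. The cookie name `sid` is an assumption.

```python
import random
import secrets
import time

def weak_token(login_time=None):
    """How guessable tokens happen: a general-purpose PRNG seeded from the
    clock. Anyone who knows roughly when the victim logged in can replay the
    seed and reproduce the token. Shown for contrast only."""
    seed = int(login_time if login_time is not None else time.time())
    return "%016x" % random.Random(seed).getrandbits(64)

def strong_token(nbytes=32):
    """Hardened: 256 bits from the OS CSPRNG, URL-safe base64 (43 chars)."""
    return secrets.token_urlsafe(nbytes)

def session_cookie(token):
    """Set-Cookie line for the session token. HttpOnly keeps it away from page
    scripts (the XSS theft path), Secure keeps it off plaintext HTTP (the
    eavesdropping path), SameSite=Strict stops cross-site requests sending it."""
    return "Set-Cookie: sid=%s; Path=/; HttpOnly; Secure; SameSite=Strict" % token

def token_matches(presented, stored):
    """Constant-time comparison so response timing leaks nothing about the token."""
    return secrets.compare_digest(presented.encode(), stored.encode())

def reproducible(gen, *args, trials=5):
    """True if running the generator twice with the same inputs yields the same
    tokens, i.e. the tokens are predictable to anyone who knows those inputs."""
    return [gen(*args) for _ in range(trials)] == [gen(*args) for _ in range(trials)]
```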

41 ITIS 412
Session Hijacking Attack

42 ITIS 412
Plug-Ins and Add-Ons
- Tools can be added to enhance the user’s interaction with a website through the web browser
- Plug-in - Third-party library (Java, Adobe Flash player, Apple QuickTime, Adobe Acrobat Reader) that attaches to the web browser and can be embedded inside a webpage (but affects only that specific page)
- Add-ons or extensions - Tools that add functionality to the web browser itself

43 ITIS 412
Malicious Add-Ons
- Attackers can create malicious add-ons to launch attacks against the user’s computer
- ActiveX - Set of rules for how applications under the Microsoft Windows operating system should share information
- ActiveX controls (add-ons) - Specific way of implementing ActiveX; sometimes called ActiveX applications
- ActiveX controls can be invoked from webpages through the use of a scripting language or directly by an HTML command

44 ITIS 412
Impartial Overflow Attacks
- “Impartial” attacks can target either server or client
- Many of these attacks are designed to “overflow” areas of memory with instructions from the attacker
- Types of attacks:
  - Buffer overflow attacks
  - Integer overflow attacks
  - Arbitrary/remote code execution attacks

45 ITIS 412
Buffer Overflow Attack
- Buffer overflow attack - Process attempts to store data in RAM beyond the boundaries of a fixed-length storage buffer
- Data overflows into adjacent memory locations
- Attacker can change the “return address” of a memory location of code and redirect it to a memory address containing malware code

46 ITIS 412
Buffer Overflow Attack

47 ITIS 412
Integer Overflow
- Integer overflow - Condition that occurs when the result of an arithmetic operation (addition or multiplication) exceeds the maximum size of the integer type used to store it
- When overflow occurs, the interpreted value then wraps around from the maximum value to the minimum value

48 ITIS 412
Integer Overflow Attack
- Example:
  - 8-bit signed integer has a maximum value of 127 and a minimum value of -128
  - If the value 127 is stored in a variable and 1 is added to it, the sum exceeds the maximum value for this integer type
  - Wraps around to become -128
- Integer overflow attack - Attacker changes the value of a variable to something outside the range the programmer had intended by using an integer overflow
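The 127 + 1 = -128 example, generalized to any width and signedness, as an added example that is not part of the slides. `wrap()` models how a fixed-width variable stores an out-of-range result; `checked_add()` is the hardened form that refuses instead of wrapping; the two `alloc_size_*` functions show the link to the buffer overflow slide, where a wrapped 32-bit size computation produces a buffer far smaller than the data later copied into it. The 32-bit allocation values are constructed.

```python
def wrap(value, bits=8, signed=True):
    """Store an arbitrary-precision result in a fixed-width integer the way a
    CPU register or C variable does: keep the low `bits` bits and reinterpret."""
    value &= (1 << bits) - 1
    if signed and value >= 1 << (bits - 1):
        value -= 1 << bits
    return value

def int_range(bits=8, signed=True):
    """Smallest and largest value the type can hold, e.g. (-128, 127) for int8."""
    if signed:
        return -(1 << (bits - 1)), (1 << (bits - 1)) - 1
    return 0, (1 << bits) - 1

def fits(value, bits=8, signed=True):
    lo, hi = int_range(bits, signed)
    return lo <= value <= hi

def checked_add(a, b, bits=8, signed=True):
    """Hardened arithmetic: compute, then refuse a result the type cannot hold
    instead of letting it wrap silently."""
    result = a + b
    if not fits(result, bits, signed):
        raise OverflowError("%d + %d does not fit in %d-bit %s" %
                            (a, b, bits, "signed" if signed else "unsigned"))
    return result

def alloc_size_unsafe(count, elem_size, bits=32):
    """The classic chain into a buffer overflow: count * elem_size computed in a
    32-bit unsigned wraps to a tiny number, the buffer is allocated that small,
    and the loop that copies `count` elements then writes far past its end."""
    return wrap(count * elem_size, bits, signed=False)

def alloc_size_safe(count, elem_size, bits=32):
    """Check the product against the type's range before using it as a size."""
    size = count * elem_size
    if not fits(size, bits, signed=False):
        raise OverflowError("allocation size overflow")
    return size
```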
49 ITIS 412
Arbitrary/Remote Code Execution
- Arbitrary/remote code execution - Allows attacker to run programs and execute commands on a different computer
- Once under the attacker’s control, the computer can perform virtually any command from the attacker
- Arbitrary/remote code execution attacks often take advantage of malicious attachments like a Microsoft Visio file or PDF file

50 ITIS 412
Network Attacks
- Attackers place high priority on targeting networks
- Exploiting a single vulnerability may expose hundreds or thousands of devices to an attacker
- Types of attacks that target a network or network process:
  - Denial of service
  - Interception
  - Poisoning
  - Attacks on access rights

51 ITIS 412
Denial of Service (DoS)
- Denial of service (DoS) - Attempts to prevent a system from performing normal functions
- Distributed denial of service (DDoS) - Uses thousands of zombie computers in a botnet
- Ping flood attack - Ping utility used to send a large number of echo request messages and overwhelm the server
- Smurf attack - Ping request with originating address changed (spoofing) so it appears as if the target computer is asking for a response from all computers on the network

52 ITIS 412
SYN Flood Attack
- SYN flood attack - Takes advantage of procedures for establishing a connection
- Attacker sends SYN segments in IP packets to the server but modifies the source address of each packet to computer addresses that do not exist or cannot be reached
- Server continues to wait for a response (which is not coming) while receiving more false requests and keeping more lines open for responses
- Server ultimately runs out of resources and can no longer respond to legitimate requests

53 ITIS 412
SYN Flood Attack

54 ITIS 412
Interception
- Man-in-the-middle - Interception of legitimate communication
  - Forging a fictitious response to the sender
  - Passive attack records transmitted data; active attack alters the contents of the transmission before sending it to the recipient
- Replay - Similar to a passive man-in-the-middle attack
  - Replay makes a copy of the transmission before sending it to the recipient, for use at a later time (the man-in-the-middle replays it)

55 ITIS 412
ARP Poisoning
- ARP poisoning
  - Attacker modifies the MAC address in the ARP cache to point to a different computer
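Because the attack shows up as exactly the change described above, the simplest detection is to compare ARP cache snapshots over time. The example below is added here (not from the slides): it parses two constructed `arp -a`-style snapshots, reports IPs whose MAC changed, and reports MACs that now answer for more than one IP, the pattern seen when a host claims the gateway's address as well as its own. All addresses are made up.

```python
import re
from collections import defaultdict

# Constructed ARP cache snapshots taken a minute apart (not real hosts).
SNAPSHOT_BEFORE = """\
? (192.168.1.1) at 00:11:22:33:44:55 [ether] on eth0
? (192.168.1.20) at aa:bb:cc:dd:ee:01 [ether] on eth0
? (192.168.1.30) at aa:bb:cc:dd:ee:02 [ether] on eth0
"""
SNAPSHOT_AFTER = """\
? (192.168.1.1) at aa:bb:cc:dd:ee:02 [ether] on eth0
? (192.168.1.20) at aa:bb:cc:dd:ee:01 [ether] on eth0
? (192.168.1.30) at aa:bb:cc:dd:ee:02 [ether] on eth0
"""

ARP_LINE = re.compile(r"\((\d+\.\d+\.\d+\.\d+)\) at ([0-9a-f:]{17})", re.I)

def parse_arp(text):
    """Map IP -> MAC (lower-cased) from 'arp -a' style output."""
    return {ip: mac.lower() for ip, mac in ARP_LINE.findall(text)}

def find_poisoning(before, after):
    """Return (changed, duplicates):
    changed    = {ip: (old_mac, new_mac)} for IPs whose MAC moved between snapshots
    duplicates = {mac: [ips]} for MACs that now answer for more than one IP"""
    old, new = parse_arp(before), parse_arp(after)
    changed = {ip: (old[ip], new[ip])
               for ip in old if ip in new and old[ip] != new[ip]}
    by_mac = defaultdict(list)
    for ip, mac in new.items():
        by_mac[mac].append(ip)
    duplicates = {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}
    return changed, duplicates
```

In the constructed data the gateway 192.168.1.1 has moved to the MAC of 192.168.1.30, so both checks fire on the same host.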

56 ITIS 412
Attacks From ARP Poisoning

57 ITIS 412
DNS Poisoning
- Domain Name System - Current basis for name resolution to IP address
- DNS poisoning - Substitutes DNS addresses to redirect a computer to another device
- Two locations for DNS poisoning:
  - Local host table
  - External DNS server

58 ITIS 412
Sample HOSTS file

59 ITIS 412
DNS Poisoning

60 ITIS 412
Attacks on Access Rights
- Privilege escalation - Exploiting a software vulnerability to gain access to restricted data
- Two types of privilege escalation:
  - Vertical privilege escalation - User with lower privilege uses privilege escalation to grant self access to functions reserved for higher-privilege users
  - Horizontal privilege escalation - User with restricted privileges accesses the different restricted functions of a similar user

61 ITIS 412
Transitive Trust
- Transitive - Relation with the property that if a relation exists between A and B, and there is also a relation between B and C, then there is a relation between A and C
- Transitive trust - If Alice trusts Bob, and Bob trusts Carol, then Alice trusts Carol

62 ITIS 412
Transitive Access
- Transitive trust can result in transitive access: System 1 can access System 2, and because System 2 can access System 3, System 1 can access System 3
- The intention may not be for System 1 to access System 3, but instead for System 1 to be restricted to accessing only System 2
- Inadvertent and unauthorized access can result in serious security risks
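The System 1 / 2 / 3 case is a small graph problem: effective access is the transitive closure of the direct access relation, and an audit compares it against what was intended. The example below is added here, not from the slides; the access relation and intended policy are constructed to match the three-system scenario above, and the general closure works for any number of systems.

```python
from collections import deque

# Constructed direct access relation: who may connect to what.
DIRECT_ACCESS = {
    "System 1": {"System 2"},
    "System 2": {"System 3"},
    "System 3": set(),
}

# Constructed intended policy: System 1 is meant to reach System 2 only.
INTENDED = {
    "System 1": {"System 2"},
    "System 2": {"System 3"},
    "System 3": set(),
}

def reachable(graph, start):
    """Every system `start` can reach through any chain of trust
    (breadth-first transitive closure from a single node)."""
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def unintended_access(graph, intended):
    """{source: systems reachable transitively but absent from the intended policy}.
    An empty result means effective access equals intended access."""
    findings = {}
    for src in graph:
        extra = reachable(graph, src) - intended.get(src, set()) - {src}
        if extra:
            findings[src] = extra
    return findings
```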

63 ITIS 412
