
SECURITY+ GUIDE TO NETWORK SECURITY FUNDAMENTALS, FOURTH EDITION

Chapter 3 Application and Network Attacks

Objectives

- List and explain the different types of Web application attacks
- Define client-side attacks
- Explain how a buffer overflow attack works
- List different types of denial of service attacks
- Describe interception and poisoning attacks

Security+ Guide to Network Security Fundamentals, Fourth Edition

Application Attacks

Attacks that target applications; this category continues to grow:

- Web application attacks
- Client-side attacks
- Buffer overflow attacks
- Zero day attacks: exploit previously unknown vulnerabilities, so victims have no time to prepare or defend


Web Application Attacks

Web applications are an essential element of organizations today. Traditional approaches to securing them:

- Hardening the Web server: hardening the Web server operating system and system services protects against other attacks, e.g. DDoS, but does not prevent attacks against the application itself
- Protecting the network: network security devices can block traditional attacks but not attacks on the Web app server, because they ignore the content of the HTTP traffic


Figure 3-1 Web application infrastructure (Cengage Learning 2012)


Web Application Attacks (contd.)

Common Web application attacks

- Cross-site scripting (XSS), also called JavaScript injection
- SQL injection
- XML injection
- Command injection / directory traversal

Solution: the strategy for securing a Web application is to write good source code


Figure 3-2 Web application security (Cengage Learning 2012)


Cross-Site Scripting (XSS)

Injecting scripts into a Web application server

- Directs attacks at clients; it is not a direct attack on the Web app server to deface it

Figure 3-3 XSS attacks (Cengage Learning 2012)


Cross-Site Scripting (contd.)

When victim visits injected Web site:

- Malicious instructions sent to victim's browser
- Browser cannot distinguish between valid code and malicious script
- The Web browser executes any code sent from the Web site, whether JavaScript, HTML, or Adobe Flash

Requirements of the targeted Web site:

- Accepts user input without validation
- Uses input in a response without encoding it

Some XSS attacks are designed to steal information retained by the browser



Figure 3-4 Bookmark page that accepts user input without validating and provides unencoded response (Cengage Learning 2012)


Cross-Site Scripting (contd.)

In the example below, a Web application allows friends to share their favorite bookmarks. Users enter their name, a description, and the URL of a bookmark, and the application then displays a personalized "Thank you" screen.

- The name the user enters becomes part of the code segment of the response
- Attacker can use this in an XSS attack: the attacker enters malicious code into the Name field
- That code is then executed on the victim's machine when the victim is tricked into clicking a malicious link
- Example of such a malicious link (it points to the attacker's Web page): http://fakesite.com/login.asp?serviceName=fakesite.comaccess&templatename=pro_sel.forte&source=fakeimg.srcc=http://www.attacker_site.com/
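As an added example (not code from the textbook), here is the bookmark page's "Thank you" screen in Python: the unsafe version places the Name field straight into the HTML response, while the hardened version validates the input and HTML-encodes it at output time, covering both requirements listed above. The function names and the sample Name value are constructed for this illustration.

```python
import html
import re

# Constructed sample input for the bookmark page's Name field: markup instead of
# a name (illustration only; the tag body is a harmless placeholder).
TAINTED_NAME = 'Braden<script>alert("xss")</script>'

# Allowlist for a person's name: letters, spaces, hyphens and apostrophes only.
NAME_PATTERN = re.compile(r"^[A-Za-z][A-Za-z' -]{0,63}$")


def validate_name(name: str) -> bool:
    """Requirement 1 from the slides: do not accept user input without validation."""
    return NAME_PATTERN.fullmatch(name) is not None


def render_thank_you_unsafe(name: str) -> str:
    """Vulnerable pattern: the Name value becomes part of the HTML response
    without encoding, so the browser runs whatever markup it contains."""
    return f"<html><body><h1>Thank you, {name}!</h1></body></html>"


def render_thank_you_safe(name: str) -> str:
    """Hardened version: HTML-encode the value so < > & and quotes are shown as
    text. Encoding happens at output time, whether or not validation also ran."""
    return f"<html><body><h1>Thank you, {html.escape(name, quote=True)}!</h1></body></html>"


def contains_raw_script_tag(page: str) -> bool:
    """Reviewer check on a rendered response: a literal <script tag in the page
    means user input reached the browser unencoded."""
    return "<script" in page.lower()


if __name__ == "__main__":
    print("validates:", validate_name(TAINTED_NAME))                                  # False
    print("unsafe:", contains_raw_script_tag(render_thank_you_unsafe(TAINTED_NAME)))  # True
    print("safe:", contains_raw_script_tag(render_thank_you_safe(TAINTED_NAME)))      # False
```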



Figure 3-5 Input used as response (Cengage Learning 2012)


SQL Injection

Targets SQL servers by injecting commands

- SQL (Structured Query Language) is used to manipulate data stored in a relational database
- Example: a forgotten password that is retrieved just by validating an e-mail address

Forgotten password example

- Attacker enters an incorrectly formatted e-mail address
- The response lets the attacker know whether input is being validated; the message could be displayed as "Server failure" or "E-mail address unknown"


SQL Injection (contd.)

Request for forgotten password (form fields):

- User name
- Last name
- Current e-mail address: Braden.thomas@fakemail.com


SQL Injection (contd.)

Forgotten password example (contd.)

- The e-mail address entered is stored in a variable $EMAIL and used in the query:
  SELECT fieldlist FROM table WHERE field = $EMAIL
  WHERE: restricts the database query to display information only when the condition is true
- Attacker enters SQL in the e-mail field so that all e-mail addresses are listed; the statement is processed by the database
- Instead of entering an e-mail address, the attacker sends a statement such as:
  SELECT fieldlist FROM table WHERE field = whatever or a=a
- Result: all user e-mail addresses are displayed


SQL Injection (contd.)

Instead of entering an e-mail address, the attacker enters whatever or a=a, so the statement looks like:

  SELECT fieldlist FROM table WHERE field = whatever or a=a

- whatever: can be any meaningless value
- or: the WHERE clause is satisfied if either condition is true
- a=a: this condition is always true
- Therefore the statement is read as SELECT fieldlist FROM table, and all users' e-mail addresses are displayed
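As an added example (not the textbook's code), the forgotten-password lookup above in Python with an in-memory SQLite table: the unsafe version concatenates $EMAIL into the WHERE clause, so the page's "whatever or a=a" input (written with the quotes a string literal needs) returns every row; the parameterized version returns nothing for it. The table, its rows and the uniform response message are constructed for this illustration.

```python
import sqlite3

def build_db() -> sqlite3.Connection:
    """Constructed sample table standing in for the slides' "table" (illustration only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [
        ("Braden Thomas", "Braden.thomas@fakemail.com"),
        ("Alice Example", "alice@fakemail.com"),
        ("Bob Example", "bob@fakemail.com"),
    ])
    return conn

# The slides' injected value: closes the string and appends an always-true condition.
INJECTED_EMAIL = "whatever' or 'a'='a"

def forgotten_password_unsafe(conn, email):
    """Vulnerable pattern: $EMAIL is pasted into the WHERE clause and parsed as SQL.
    With INJECTED_EMAIL the query becomes
    SELECT email FROM users WHERE email = 'whatever' or 'a'='a', matching every row."""
    query = f"SELECT email FROM users WHERE email = '{email}'"
    return [row[0] for row in conn.execute(query)]

def forgotten_password_safe(conn, email):
    """Hardened version: a parameterized query binds the value as data, so the quote
    and the OR clause are only characters to compare against."""
    rows = conn.execute("SELECT email FROM users WHERE email = ?", (email,))
    return [row[0] for row in rows]

def unsafe_query_errors(conn, email):
    """The probe from the slides: a malformed address (a stray quote) breaks the
    concatenated query, which a 'Server failure' message would reveal."""
    try:
        forgotten_password_unsafe(conn, email)
        return False
    except sqlite3.Error:
        return True

def forgotten_password_response(conn, email):
    """Uniform reply: neither a database error nor an unknown address changes the
    message, so the response no longer tells the attacker what was validated."""
    try:
        forgotten_password_safe(conn, email)
    except sqlite3.Error:
        pass
    return "If that address is registered, a reset link has been sent."
```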


SQL Injection (contd.)

Table 3-1 SQL injection statements


XML Injection

Markup language: a method for adding annotations to text

- HTML: uses tags surrounded by brackets; instructs the browser to display text in a specific format
- XML: carries data instead of indicating how to display it; no predefined set of tags, users define their own tags


XML Injection (contd.)

XML injection attack

- Similar to a SQL injection attack
- Attacker discovers a Web site that does not filter user data
- Injects XML tags and data into the database

XPath injection

- Specific type of XML injection attack
- Attempts to exploit XML Path Language queries


Command Injection / Directory Traversal

Web server users typically restricted to the root directory

- Users may be able to access subdirectories, but not parallel or higher level directories

Sensitive files to protect from unauthorized user access

- Cmd.exe (Windows): can be used to enter text-based commands
- Passwd (Linux): contains user account information

Command Injection / Directory Traversal (contd.)

Directory traversal attack

- Takes advantage of a software vulnerability
- Attacker moves from the root directory to restricted directories

Command injection attack

- Attacker enters commands to execute on a server
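As an added example (not from the textbook), a Python check that keeps a requested file path beneath the Web server's root directory, which is the restriction a directory traversal attack tries to break out of. The document root and the sample requests are constructed for this illustration; the check is purely lexical, so a real server would also resolve symbolic links before serving a file.

```python
import posixpath
from pathlib import PurePosixPath
from typing import Optional
from urllib.parse import unquote

# Assumed document root of the Web server (hypothetical path).
WEB_ROOT = PurePosixPath("/var/www/html")


def resolve_under_root(requested: str, root: PurePosixPath = WEB_ROOT) -> Optional[PurePosixPath]:
    """Map a requested path onto the document root, or return None if the
    normalised result would escape it."""
    # Decode one layer of URL encoding so %2e%2e/ is seen as ../ (a server
    # should decode exactly once; decoding repeatedly reopens the hole).
    decoded = unquote(requested)
    # NUL bytes have no place in a path and can truncate it in native code.
    if "\x00" in decoded:
        return None
    # Treat Windows-style separators as separators too, then drop the leading
    # slash so the request is always joined beneath root, never replacing it.
    relative = decoded.replace("\\", "/").lstrip("/")
    # Collapse '.' and '..' segments; this is where traversal is resolved.
    candidate = PurePosixPath(posixpath.normpath(str(root / relative)))
    # The candidate must still be root itself or lie below it (a path-object
    # check, not a string prefix check, so /var/www/html2 does not pass).
    if candidate != root and root not in candidate.parents:
        return None
    return candidate
```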


Client-Side Attacks

Web application attacks are server-side attacks; client-side attacks target vulnerabilities in client applications

- Interacting with a compromised server: the client initiates a connection with the server, which could result in an attack


Client-Side Attacks (contd.)

Drive-by download

- Client computer compromised simply by viewing a Web page
- Attackers inject content into a vulnerable Web server: gain access to the server's operating system
- Attackers craft a zero-pixel frame to avoid visual detection: embed an HTML document inside the main document
- Client's browser downloads the malicious script, which instructs the computer to download malware

Client-Side Attacks (contd.)

Header manipulation

- HTTP header contains fields that characterize the data being transmitted
- Headers can originate from a Web browser; browsers do not normally allow the user to modify them, but an attacker's short program can
- Examples of header manipulation: Referer, Accept-Language


Client-Side Attacks (contd.)

Referer

- Field indicates the site that generated the Web page
- Attacker can modify this field to hide the fact that the request came from another site: the modified Web page is hosted on the attacker's computer

Accept-Language

- Some Web applications pass the contents of this field directly to the database
- Attacker could inject a SQL command by modifying this header

Client-Side Attacks (contd.)

Cookies and attachments

- Cookies store user-specific information on the user's local computer
- Web sites use cookies to identify repeat visitors
- Examples of information stored in a cookie: travel Web sites may store the user's travel itinerary; personal information provided when visiting a site
- Only the Web site that created a cookie can read it



Client-Side Attacks (contd.)

- First-party cookie: cookie created by the Web site the user is currently visiting
- Third-party cookie: site advertisers place a cookie to record user preferences
- Session cookie: stored in RAM and expires when the browser is closed

Client-Side Attacks (contd.)

- Persistent cookie: recorded on the computer's hard drive; does not expire when the browser closes
- Secure cookie: used only when the browser visits the server over a secure connection; always encrypted


Client-Side Attacks (contd.)

- Flash cookie: uses more memory than a traditional cookie; cannot be deleted through browser configuration settings (see Project 3-6 to change Flash cookie settings)

Cookies pose security and privacy risks

- May be stolen and used to impersonate the user
- Used to tailor advertising
- Can be exploited by attackers

Client-Side Attacks (contd.)

Session hijacking

- Attacker attempts to impersonate the user by stealing or guessing the session token

Malicious add-ons

- Browser extensions provide multimedia or interactive Web content
- ActiveX add-ons have several security concerns



Figure 3-7 Session hijacking (Cengage Learning 2012)


Client-Side Attacks (contd.)

Buffer overflow attacks

- Process attempts to store data in RAM beyond the boundaries of a fixed-length storage buffer
- Data overflows into adjacent memory locations; may cause the computer to stop functioning
- Attacker can change the return address: redirects to a memory address containing malware code



Figure 3-8 Buffer overflow attack (Cengage Learning 2012)


Network Attacks

Denial of service (DoS)

- Attempts to prevent a system from performing normal functions
- Ping flood attack: the ping utility is used to send a large number of echo request messages; overwhelms the Web server
- Smurf attack: ping request with the originating address changed; appears as if the target computer is asking for a response from all computers on the network

Network Attacks (contd.)

Denial of service (DoS) (contd.)

- SYN flood attack: takes advantage of the procedures for establishing a connection

Distributed denial of service (DDoS)

- Attacker uses many zombie computers in a botnet to flood a device with requests
- Virtually impossible to identify and block the source of the attack


Figure 3-9 SYN flood attack (Cengage Learning 2012)


Interception

Man-in-the-middle

- Interception of legitimate communication
- Forging a fictitious response to the sender
- Passive attack records transmitted data
- Active attack alters the contents of the transmission before sending it to the recipient

Replay attacks

- Similar to a passive man-in-the-middle attack


Interception (contd.)

Replay attacks (contd.)

- Attacker makes a copy of the transmission
- Uses the copy at a later time
- Example: capturing logon credentials

More sophisticated replay attacks

- Attacker captures a network device's message to the server
- Later sends the original, valid message to the server
- Establishes a trust relationship between the attacker and the server
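As an added example (not from the textbook), a Python sketch of why the replayed message is rejected when a server checks for freshness: the device signs each message together with a one-time nonce and a timestamp, and the server accepts a given nonce only once and only within a short time window, so a captured copy sent later is refused even though it is still a valid, unaltered message. The shared key, the window size and the sample messages are constructed for this illustration.

```python
import hashlib
import hmac
import json

# Assumed pre-shared key between the device and the server (constructed value).
SHARED_KEY = b"constructed-demo-key"
# How far a message's timestamp may drift from the receiver's clock (assumed).
MAX_AGE_SECONDS = 30


def sign_message(payload: dict, nonce: str, timestamp: int, key: bytes = SHARED_KEY) -> dict:
    """Sender side: bind the payload to a fresh nonce and a timestamp, then
    authenticate all three with an HMAC so none of them can be altered."""
    body = json.dumps({"payload": payload, "nonce": nonce, "ts": timestamp}, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class ReplayGuard:
    """Receiver side: accept each nonce once, and only while the timestamp is fresh."""

    def __init__(self, key: bytes = SHARED_KEY, max_age: int = MAX_AGE_SECONDS):
        self.key = key
        self.max_age = max_age
        self.seen = {}  # nonce -> timestamp, pruned once the window has passed

    def accept(self, msg: dict, now: int) -> str:
        """Return 'ok', 'bad-tag', 'stale' or 'replay' for a received message."""
        expected = hmac.new(self.key, msg["body"].encode(), hashlib.sha256).hexdigest()
        # Constant-time comparison; verify the tag before trusting any field.
        if not hmac.compare_digest(expected, msg["tag"]):
            return "bad-tag"
        fields = json.loads(msg["body"])
        if abs(now - fields["ts"]) > self.max_age:
            return "stale"    # an old capture, even if its nonce was never seen
        # Forget nonces outside the window; anything that old is rejected above.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.max_age}
        if fields["nonce"] in self.seen:
            return "replay"   # exact copy of a message already accepted
        self.seen[fields["nonce"]] = fields["ts"]
        return "ok"
```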

Poisoning

ARP poisoning

- Attacker modifies the MAC address in the ARP cache to point to a different computer

Table 3-3 ARP poisoning attack



Poisoning (contd.)

Table 3-4 Attacks from ARP poisoning


Poisoning (contd.)

DNS poisoning

- Domain Name System is the current basis for name resolution to IP addresses
- DNS poisoning substitutes DNS addresses to redirect the computer to another device

Two locations for DNS poisoning

- Local host table
- External DNS server



Figure 3-12 DNS poisoning (Cengage Learning 2012)


Attacks on Access Rights

Privilege escalation

- Exploiting a software vulnerability to gain access to restricted data
- Lower privilege user accesses functions restricted to higher privilege users
- User with restricted privilege accesses different restricted privilege of a similar user



Attacks on Access Rights (contd.)

Transitive access

- Attack involving a third party to gain access rights
- Has to do with whose credentials should be used when accessing services
- Different users have different access rights


Summary

- Web application flaws are exploited through normal communication channels
- XSS attack uses Web sites that accept user input without validating it; uses the server to launch attacks on computers that access it
- Client-side attack targets vulnerabilities in client applications; the client interacts with a compromised server


Summary (contd.)

- Session hijacking: attacker steals the session token and impersonates the user
- Buffer overflow attack: attempts to compromise a computer by pushing data into inappropriate memory locations
- Denial of service attack attempts to overwhelm a system so that it cannot perform normal functions
- In ARP and DNS poisoning, valid addresses are replaced with fraudulent addresses
- Access rights and privileges may also be
