Chapter 3 - Application and Networking Based Attac

Security+ Guide to Network
Security Fundamentals,
Fifth Edition
Chapter 3
Application and Networking-Based
Attacks
Objectives
List and explain the different types of server-side
web application attacks
Define client-side attacks
Explain how overflow attacks works
List different types of networking-based attacks
Security+ Guide to Network Security Fundamentals, Fifth Edition
Conceptual Networked System

Network used to connect different clients and
servers together
Clients and servers run an operating system
Operating system controls applications
Applications manipulate data
Each represents an attack vector to exploit
Attacks on the applications in a networked
computer system can be directed toward the
server, the client, or both
Conceptual Networked Computer

System (Figure 3-1)
Server-Side Web Application Attacks

Content provided for users who are surfing the
Web is generated by a software application
running on a server
In providing web services to clients, web servers
also expose those same services to attackers
Important characteristic of server-side web
applications to create dynamic content based on
inputs from user
Server-Side Web Application Process

Clients web browser makes a request using the
Hypertext Transport Protocol (HTTP) to a web server
Server may be connected to one or more web
application servers
Application servers run the specific web apps,
which in turn are directly connected to databases on
internal network
Information from databases retrieved and returned to
web server so dynamic information can be sent back
to the users web browser
Server-Side Web Application

Infrastructure (Figure 3-2)
Securing Web Applications

Securing server-side web applications often
considered more difficult than protecting other
systems
Traditional network security devices cannot always
block web application attacks because many
traditional network security devices ignore the
content of HTTP traffic, which is the vehicle of web
application attacks
Zero Day Attacks

Many web application attacks (as well as other
application attacks) exploit previously unknown
vulnerabilities
Zero day attacks - Exploit previously unknown
vulnerabilities so victims have no time to prepare or
defend
Common Application Attacks

Many server-side web application attacks target the
input that the applications accept from users
Common web application attacks:
Cross-site scripting
SQL injection
XML injection
Command injection/directory traversal
10
Cross-Site Scripting
Not all attacks on websites are designed to steal
content or deface it
Some attacks use web server as a platform to
launch attacks on other computers that access it
Cross-site scripting (XSS) - Injects scripts into
web application server to direct attacks at
unsuspecting clients
Many web applications are designed to customize
content for user by taking what user enters and
then displaying that input back to user
11
Customized Responses (Table 3-1)
12
Cross-Site Scripting Platform

Cross-site scripting attacks occur when attacker
takes advantage of web applications that accept
user input without validation and then present back
to user
For example:
Input that the user enters for Name is not verified
Instead is automatically added to a code segment
that becomes part of an automated response
An attacker can use this vulnerability in XSS attack
by tricking valid website into feeding malicious script
to another users web browser to execute
13
Bookmark Page That Accepts User

Input (Figure 3-3)
14
Input Used In Response (Figure 3-4)
15
SQL Injection
SQL (Structured Query Language) - Used to
manipulate data stored in relational database
SQL Injection - Targets SQL servers by
introducing malicious commands
16
Forgotten Password Example

Forgotten password example:
Attacker enters incorrectly formatted e-mail address
Response lets attacker know whether input is being
validated
Attacker enters email field in SQL statement
Statement processed by the database
Example statement:
SELECT fieldlist FROM table WHERE field
= whatever or a=a
Result is all user email addresses will be displayed
17
SQL Injection Statements (Table 3-2)
18
XML (Extensible Markup Language)

Markup language - Method for adding annotations
to text
Example is HTML:
Uses tags surrounded by brackets
Instructs browser to display text in specific format
XML (Extensible Markup Language):

Carries data instead of indicating how to display it
No predefined set of tags
Users define their own tags
19
XML Attack
XML Attack - Similar to SQL injection attack
Attacker discovers Web site that does not filter user
data
Injects XML tags and data into the database
Xpath injection:
Specific type of XML injection attack
Attempts to exploit XML Path Language queries
20
Directory Traversal/Command
Injection
Web server users typically restricted to root
directory
Users may be able to access subdirectories but not
parallel or higher level directories
Helps to protect sensitive files
Directory traversal - Uses malformed input or
takes advantage of vulnerability to move from root
directory to restricted directories
Command injection - Attacker enters commands
to execute on server or view confidential files
21
Directory Traversal Attack (Figure 3-6)
22
Client-Side Application Attacks

Web application attacks are server-side attacks
Client-side attacks target vulnerabilities in client
applications:
Interacting with a compromised server
Client initiates connection with server, which could
result in an attack
23
Drive-By Download
Drive-by download:
Client computer compromised simply by viewing a
Web page
Attackers inject content into vulnerable Web server
to gain access to servers operating system
Attackers craft a zero pixel frame to avoid visual
detection
Embed an HTML document inside main document
Clients browser downloads malicious script
Instructs computer to download malware
24
HTTP Header
HTTP header consists of fields that characterize
data being transmitted
Header fields are comprised of:
Field name
Colon
Field value
Example Content-length: 49.

HTTP header field names and values may be any
application-specific strings, but core set
standardized by Internet Engineering Task Force
25
HTTP Header Fields (Table 3-3)
26
Header Manipulation
HTTP header manipulation - Attack modifies
HTTP headers
HTTP header manipulation is not actual attack but
rather vehicle through which other attacks like
(XSS) can be launched.
HTTP header manipulation allows an attacker to
pass malicious instructions from own malicious
website or through an infected site to the web
browser via HTTP headers
27
HTTP Header Attacks

Examples of HTTP header attacks:
Referer - Can bypass security by modifying Referer
field to hide fact came from another site
Accept-Language Because some web applications
pass contents of field directly to database attacker
can inject SQL command by modifying header
Response splitting - Inserting a CRLF in an HTTP
header can give attackers control of the remaining
HTTP headers and body of the response
28
Cookies
Cookies - Store user-specific information on users
local computer
Web sites use cookies to identify repeat visitors
Examples of information:
Travel Web sites may store users travel itinerary
Personal information provided when visiting a site
Only Web site that created a cookie can read it
29
Types of Cookies
First-party cookie - Cookie created by Web site
user currently visiting
Third-party cookie - Site advertisers (third parties)
place cookie to record user preferences
Session cookie - Stored in RAM and expires when
browser is closed
Persistent cookie - Recorded on computers hard
drive and does not expire when browser closes
30
Locally Shared Object (LSO)

Locally shared object (LSO) or Flash cookie named after the Adobe Flash player
Different from regular cookies:
Store data more complex
Store up to 100 KB of data from a website (25 times
data as regular cookie)
Cannot be deleted through browser's normal
configuration settings
Saved in multiple locations on hard drive
Can be used to reinstate regular cookies that user
deleted or blocked
31
Risks of Cookies
Cookies have security and privacy risks
First-party cookies can be stolen and used to
impersonate the user
Third-party cookies can be used to track the
browsing or buying habits of a user
When multiple websites are serviced by a single
marketing organization, cookies can be used to
track browsing habits on all clients site
32
Attachments
Attachments - Files that are coupled to email
messages
Malicious attachments commonly used to spread
viruses, Trojans, and other malware when opened
Most users routinely open any email attachment
received even if from an unknown sender
Attackers often include information in the subject
line that entices even reluctant users to open the
attachment, such as a current event
33
Session Token
User accessing secure web application needs be
verified to prevent an imposter from jumping in to
interaction
Session token - Verification through which random
string assigned to interaction between user and web
application currently being accessed (session)
Web application server assigns a unique session
token
Each subsequent request from users web browser to
web application contains session token verifying user
identity
34
Session Hijacking
Session hijacking - Attacker attempts to
impersonate the user by using er session token
Attacker can attempt to obtain session token:
Use XSS or other attacks to steal the session token
cookie from the victims computer
Eavesdropping on the transmission
Guessing the session token (successful if generation
of session tokens not truly random)
35
Session Hijacking Attack (Figure 3-7)
36
Plug-Ins and Add-Ons

Tools be added to enhance users interaction with
website through web browser
Plug-in - Third-party library (Java, Adobe Flash
player, Apple QuickTime, Adobe Acrobat Reader)
that attaches to web browser and can be embedded
inside a webpage (but affects only specific page)
Add-ons or extensions - Tools that add functionality
to the web browser itself
37
Malicious Add-Ons
Attackers can create malicious add-ons to launch
attacks against users computer
ActiveX - Set of rules for how applications under the
Microsoft Windows operating system should share
information
ActiveX controls (add-ons) - Specific way of
implementing ActiveX and are sometimes called
ActiveX applications
ActiveX controls can be invoked from webpages
through the use of a scripting language or directly by
HTML command
38
Impartial Overflow Attacks

Impartial attacks can target either server or client
Many these attacks designed to overflow areas of
memory with instructions from the attacker
Types of attacks:
Buffer overflow attacks
Integer overflow attacks
Arbitrary/remote code execution attacks.
39
Buffer Overflow Attack

Buffer overflow attack - Process attempts to store
data in RAM beyond boundaries of fixed-length
storage buffer
Data overflows into adjacent memory locations
Attacker can change return address of memory
location of code and redirect to memory address
containing malware code
40
Buffer Overflow Attack (Figure 3-8)
41
Integer Overflow
Integer overflow - Condition occurs when result of
arithmetic operation (addition or multiplication)
exceeds the maximum size of the integer type used
to store it
When overflow occurs, the interpreted value then
wraps around from maximum value to minimum
value
42
Integer Overflow Attack

Example:
8-bit signed integer has a maximum value of 127 and
a minimum value of 128
If the value 127 is stored in a variable and 1 is added
to it, the sum exceeds the maximum value for this
integer type
Wraps around to become 128.
Integer overflow attack - Attacker changes value

of variable to something outside the range
programmer had intended by using an integer
overflow
43
Arbitrary/Remote Code Execution

Heap spray - Targeted to insert data only in certain
parts of memory
Arbitrary/remote code execution - Allows
attacker to run programs and execute commands
on different computer
Once under the attackers control, computer can
perform virtually any command from the attacker
Arbitrary/remote code execution attacks often take
advantage of malicious attachments like Microsoft
Visio file or PDF file
44
Network Attacks
Attackers place high priority on targeting networks
Exploiting single vulnerability may expose
hundreds or thousands of devices to an attacker
Types of attacks that target a network or network
process:
Denial of service
Interception
Poisoning
Attacks on access rights
45
Denial of Service (DoS)

Denial of service (DoS) - Attempts to prevent
system from performing normal functions
Distributed denial of service (DDoS) - Uses
thousands zombie computers in botnet
Ping flood attack - Ping utility used to send large
number of echo request messages and overwhelms
server
Smurf attack - Ping request with originating address
changed (spoofing) and appears as if target
computer is asking for response from all computers
on the network
46
SYN Flood Attack

SYN flood attack - Takes advantage of procedures
for establishing connection
Attacker sends SYN segments in IP packets to server
but modifies source address of each packet to
computer addresses that do not exist or cannot be
reached
Server continues to wait for a response (which is not
coming) while receiving more false requests and
keeping more lines open for responses
Server ultimately runs out of resources and can no
longer respond to legitimate requests
47
SYN Flood Attack (Figure 3-9)
48
Interception
Man-in-the-middle - Interception of legitimate
communication
Forging a fictitious response to the sender
Passive attack records transmitted data, active
attack alters contents of transmission before sending
to recipient
Replay - Similar to passive man-in-the-middle attack
Replay makes a copy of the transmission before
sending it to the recipient for use at a later time (the
man-in-the-middle replays it)
49
ARP Poisoning
ARP poisoning
Attacker modifies MAC address in ARP cache to
point to different computer
Table 3-4 ARP poisoning attack

50
Attacks From ARP Poisoning (Table 35)
Table 3-5 Attacks from ARP poisoning
51
DNS Poisoning
Domain Name System - Current basis for name
resolution to IP address
DNS poisoning - Substitutes DNS addresses to
redirect computer to another device
DNS poisoning
Two locations for DNS poisoning:
Local host table
External DNS server
52
Sample HOSTS file (Figure 3-11)
53
DNS Poisoning (Figure 3-12)
54
Attacks on Access Rights

Privilege escalation - Exploiting software
vulnerability to gain access to restricted data
Two types of privilege escalation:
Vertical privilege escalation exist - User with lower
privilege uses privilege escalation to grant self
access functions reserved for higher-privilege users
Horizontal privilege escalation - User with restricted
privileges accesses the different restricted functions
of a similar user
55
Transitive Trust
Transitive - Relation with a property so that if a
relation exists been A and B, and there is also a
relation between B and C, then there is a relation
between A and C
Transitive trust - If Alice trusts Bob, and Bob trusts
Carol, then Alice trusts Carol
56
Transitive Access
Transitive trust can result in transitive access:
System 1 can access System 2, and because
System 2 can access System 3, then System 1 can
access System 3
Intention may not be for System 1 to access
System 3, but instead for System 1 to be restricted
to accessing only System 2
Inadvertent and unauthorized access can result in
serious security risks
57
Security+ Guide to Network

Security Fundamentals,
Fifth Edition
Chapter 3
Application and Networking-Based
Attacks

Chapter 3 - Application and Networking Based Attac

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Chapter 3 - Application and Networking Based Attac

Uploaded by

Copyright:

Available Formats

Security+ Guide to Network

Security+ Guide to Network Security Fundamentals, Fifth Edition

Conceptual Networked System

Conceptual Networked Computer

Security+ Guide to Network Security Fundamentals, Fifth Edition

Server-Side Web Application Attacks

Security+ Guide to Network Security Fundamentals, Fifth Edition

Server-Side Web Application Process

Server-Side Web Application

Security+ Guide to Network Security Fundamentals, Fifth Edition

Securing Web Applications

Security+ Guide to Network Security Fundamentals, Fifth Edition

Zero Day Attacks

Security+ Guide to Network Security Fundamentals, Fifth Edition

Common Application Attacks

Security+ Guide to Network Security Fundamentals, Fifth Edition

Customized Responses (Table 3-1)

Security+ Guide to Network Security Fundamentals, Fifth Edition

Cross-Site Scripting Platform

Bookmark Page That Accepts User

Security+ Guide to Network Security Fundamentals, Fifth Edition

Input Used In Response (Figure 3-4)

Security+ Guide to Network Security Fundamentals, Fifth Edition

Security+ Guide to Network Security Fundamentals, Fifth Edition

Forgotten Password Example

SQL Injection Statements (Table 3-2)

Security+ Guide to Network Security Fundamentals, Fifth Edition

XML (Extensible Markup Language)

XML (Extensible Markup Language):

Security+ Guide to Network Security Fundamentals, Fifth Edition

Directory Traversal Attack (Figure 3-6)

Security+ Guide to Network Security Fundamentals, Fifth Edition

Client-Side Application Attacks

Security+ Guide to Network Security Fundamentals, Fifth Edition

Example Content-length: 49.

HTTP Header Fields (Table 3-3)

Security+ Guide to Network Security Fundamentals, Fifth Edition

Security+ Guide to Network Security Fundamentals, Fifth Edition

HTTP Header Attacks

Security+ Guide to Network Security Fundamentals, Fifth Edition

Only Web site that created a cookie can read it

Security+ Guide to Network Security Fundamentals, Fifth Edition

Security+ Guide to Network Security Fundamentals, Fifth Edition

Locally Shared Object (LSO)

Security+ Guide to Network Security Fundamentals, Fifth Edition

Security+ Guide to Network Security Fundamentals, Fifth Edition

Security+ Guide to Network Security Fundamentals, Fifth Edition

Session Hijacking Attack (Figure 3-7)

Security+ Guide to Network Security Fundamentals, Fifth Edition

Plug-Ins and Add-Ons

Security+ Guide to Network Security Fundamentals, Fifth Edition

Impartial Overflow Attacks

Security+ Guide to Network Security Fundamentals, Fifth Edition

Buffer Overflow Attack

Security+ Guide to Network Security Fundamentals, Fifth Edition

Buffer Overflow Attack (Figure 3-8)

Security+ Guide to Network Security Fundamentals, Fifth Edition

Security+ Guide to Network Security Fundamentals, Fifth Edition

Integer Overflow Attack

Integer overflow attack - Attacker changes value

Arbitrary/Remote Code Execution

Security+ Guide to Network Security Fundamentals, Fifth Edition

Denial of Service (DoS)

SYN Flood Attack