Security+ Guide to Network Security Fundamentals, Fourth Edition Chapter 3 Application and Network Attacks


Page 1: Security+ Guide to Network Security Fundamentals, Fourth ...faculty.olympic.edu/.../cmptr236/PowerPoint/9781111640125_PPT_ch0… · Security+ Guide to Network Security Fundamentals,

Security+ Guide to Network Security Fundamentals, Fourth Edition
Chapter 3
Application and Network Attacks


Objectives

• List and explain the different types of Web application attacks
• Define client-side attacks
• Explain how a buffer overflow attack works
• List different types of denial of service attacks
• Describe interception and poisoning attacks

Security+ Guide to Network Security Fundamentals, Fourth Edition 2


Application Attacks

• Attacks that target applications
– Category continues to grow
– Web application attacks
– Client-side attacks
– Buffer overflow attacks
• Zero day attacks
– Exploit previously unknown vulnerabilities
– Victims have no time to prepare or defend


Web Application Attacks

• Web applications are an essential element of organizations today
• Approach to securing Web applications
– Hardening the Web server
– Protecting the network


Figure 3-1 Web application infrastructure © Cengage Learning 2012


Web Application Attacks (cont’d.)

• Common Web application attacks
– Cross-site scripting
– SQL injection
– XML injection
– Command injection / directory traversal


Figure 3-2 Web application security © Cengage Learning 2012


Cross-Site Scripting (XSS)

• Injecting scripts into a Web application server
– Directs attacks at clients


Figure 3-3 XSS attacks © Cengage Learning 2012


Cross-Site Scripting (cont’d.)

• When victim visits injected Web site:
– Malicious instructions sent to victim’s browser
• Browser cannot distinguish between valid code and malicious script
• Requirements of the targeted Web site
– Accepts user input without validation
– Uses input in a response without encoding it
• Some XSS attacks designed to steal information:
– Retained by the browser


Figure 3-4 Bookmark page that accepts user input without validating and provides unencoded response © Cengage Learning 2012


Figure 3-5 Input used as response © Cengage Learning 2012
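Figures 3-4 and 3-5 show a bookmark page that meets both requirements from the previous slide: it accepts input without validation and echoes it back unencoded. The Python below is an added example, not code from the textbook; it contrasts that handling with a handler that validates the URL and HTML-encodes both fields, using a constructed sample submission (render_bookmark_unsafe, render_bookmark_safe and validate_url are the example's own names).

```python
import html
from urllib.parse import urlsplit

# Constructed sample submission to the bookmark page (example data, not from the slides).
SAMPLE_NAME = "My bank<script>alert(document.cookie)</script>"
SAMPLE_URL = "javascript:alert(document.cookie)"


def render_bookmark_unsafe(name: str, url: str) -> str:
    """The flaw in Figure 3-5: the user's input is used as the response verbatim."""
    return f'<p>Bookmark added: <a href="{url}">{name}</a></p>'


def validate_url(url: str) -> bool:
    """Requirement 1, validation: accept only absolute http(s) URLs, so a
    'javascript:' or 'data:' value never reaches the href attribute."""
    parts = urlsplit(url.strip())
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def render_bookmark_safe(name: str, url: str) -> str:
    """Requirement 2, encoding: escape <, >, &, and quotes before the value is
    placed into HTML text or an attribute, so the browser treats it as data."""
    if not validate_url(url):
        raise ValueError("bookmark URL must be an absolute http(s) URL")
    return (f'<p>Bookmark added: <a href="{html.escape(url, quote=True)}">'
            f'{html.escape(name, quote=True)}</a></p>')


def contains_script_tag(response: str) -> bool:
    """Helper for checking a rendered response: is a raw <script> tag still present?"""
    return "<script" in response.lower()
```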


SQL Injection

• Targets SQL servers by injecting commands
• SQL (Structured Query Language)
– Used to manipulate data stored in a relational database
• Forgotten password example
– Attacker enters an incorrectly formatted e-mail address
– Response lets the attacker know whether input is being validated


SQL Injection (cont’d.)

• Forgotten password example (cont’d.)
– Attacker enters a fragment of SQL into the email field
– Statement processed by the database
– Example statement:
SELECT fieldlist FROM table WHERE field = 'whatever' or 'a'='a'
– Result: All user email addresses will be displayed
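The example statement above can be reproduced against an in-memory SQLite table. This Python is an added example, not the textbook's code: lookup_unsafe builds the forgotten-password query by string concatenation, so the injected value returns every e-mail address, while lookup_safe runs the same lookup as a parameterized query and returns nothing for that input. The same parameterized form is the fix for the Accept-language header case later in the deck; the table, addresses and is_well_formed_email check are constructed for the example.

```python
import re
import sqlite3


def make_db():
    """Constructed users table standing in for the application's database
    (sample addresses, not from the slides)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO users (email) VALUES (?)",
        [("alice@example.test",), ("bob@example.test",), ("carol@example.test",)],
    )
    return conn


# The value the slide's example injects into the e-mail field.
INJECTED_EMAIL = "whatever' or 'a'='a"


def lookup_unsafe(conn, email):
    """Forgotten-password lookup built by concatenation. With INJECTED_EMAIL the
    statement becomes
        SELECT email FROM users WHERE email = 'whatever' or 'a'='a' ORDER BY email
    and the WHERE clause is true for every row."""
    sql = f"SELECT email FROM users WHERE email = '{email}' ORDER BY email"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, email):
    """Same lookup as a parameterized query: the driver hands the value to the
    database separately from the statement, so quotes inside it are just data."""
    rows = conn.execute("SELECT email FROM users WHERE email = ? ORDER BY email", (email,))
    return [row[0] for row in rows]


EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def is_well_formed_email(value):
    """Input validation, the check the slide's attacker probes for first.
    Defence in depth alongside parameterization, not a replacement for it."""
    return bool(EMAIL_RE.fullmatch(value))
```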


SQL Injection (cont’d.)

Table 3-1 SQL injection statements


XML Injection

• Markup language
– Method for adding annotations to text
• HTML
– Uses tags surrounded by brackets
– Instructs browser to display text in specific format
• XML
– Carries data instead of indicating how to display it
– No predefined set of tags
• Users define their own tags


XML Injection (cont’d.)

• XML attack
– Similar to SQL injection attack
– Attacker discovers Web site that does not filter user data
– Injects XML tags and data into the database
• XPath injection
– Specific type of XML injection attack
– Attempts to exploit XML Path Language queries


Command Injection / Directory Traversal

• Web server users typically restricted to root directory
• Users may be able to access subdirectories:
– But not parallel or higher level directories
• Sensitive files to protect from unauthorized user access
– Cmd.exe can be used to enter text-based commands
– Passwd (Linux) contains user account information


Command Injection / Directory Traversal (cont’d.)

• Directory traversal attack
– Takes advantage of software vulnerability
– Attacker moves from root directory to restricted directories
• Command injection attack
– Attacker enters commands to execute on a server
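Directory traversal is stopped by resolving the requested path and confirming that the result still lies under the document root before any file is opened. The Python below is an added example, not from the textbook; WEB_ROOT is an assumed document root, and the requests used in the checks are constructed.

```python
from pathlib import Path
from urllib.parse import unquote

# Assumed document root for the example; any directory works, it need not exist.
WEB_ROOT = Path("/var/www/html")


def resolve_under_root(requested: str, root: Path = WEB_ROOT) -> Path:
    """Map a URL path onto the file system, refusing any result outside root.

    Raises PermissionError when the request escapes the document root."""
    # Decode percent-encoding first, so that %2e%2e%2f is seen as ../
    decoded = unquote(requested)
    # Strip the leading slash: Path("/var/www/html") / "/etc/passwd" would
    # discard the root entirely and yield /etc/passwd.
    candidate = (root / decoded.lstrip("/")).resolve(strict=False)
    root_resolved = root.resolve(strict=False)
    # resolve() collapses ".." segments, so a traversal ends up outside root,
    # and relative_to() raises ValueError in exactly that case.
    try:
        candidate.relative_to(root_resolved)
    except ValueError:
        raise PermissionError(f"request escapes document root: {requested!r}") from None
    return candidate


def is_allowed(requested: str, root: Path = WEB_ROOT) -> bool:
    """Boolean form of the same check, convenient for logging a rejected request."""
    try:
        resolve_under_root(requested, root)
        return True
    except PermissionError:
        return False
```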


Client-Side Attacks

• Web application attacks are server-side attacks
• Client-side attacks target vulnerabilities in client applications
– Interacting with a compromised server
– Client initiates connection with server, which could result in an attack


Client-Side Attacks (cont’d.)

• Drive-by download
– Client computer compromised simply by viewing a Web page
– Attackers inject content into vulnerable Web server
• Gain access to server’s operating system
– Attackers craft a zero-pixel frame to avoid visual detection
– Embed an HTML document inside main document
– Client’s browser downloads malicious script
– Instructs computer to download malware


Client-Side Attacks (cont’d.)

• Header manipulation
– HTTP header contains fields that characterize the data being transmitted
– Headers originate from the Web browser
• Browsers do not normally allow the user to modify them
• Attacker’s short program can allow modification
• Examples of header manipulation
– Referer
– Accept-language


Client-Side Attacks (cont’d.)

• Referer field indicates the site that generated the Web page
– Attacker can modify this field to hide the fact that it came from another site
– Modified Web page hosted from attacker’s computer
• Accept-language
– Some Web applications pass the contents of this field directly to the database
– Attacker could inject SQL command by modifying this header


Client-Side Attacks (cont’d.)

• Cookies and Attachments
– Cookies store user-specific information on user’s local computer
• Web sites use cookies to identify repeat visitors
• Examples of information stored in a cookie
– Travel Web sites may store user’s travel itinerary
– Personal information provided when visiting a site
• Only the Web site that created a cookie can read it


Client-Side Attacks (cont’d.)

• First-party cookie
– Cookie created by the Web site the user is currently visiting
• Third-party cookie
– Site advertisers place a cookie to record user preferences
• Session cookie
– Stored in RAM and expires when browser is closed


Client-Side Attacks (cont’d.)

• Persistent cookie
– Recorded on computer’s hard drive
– Does not expire when browser closes
• Secure cookie
– Used only when browser visits server over secure connection
– Always encrypted


Client-Side Attacks (cont’d.)

• Flash cookie
– Uses more memory than traditional cookie
– Cannot be deleted through browser configuration settings
– See Project 3-6 to change Flash cookie settings
• Cookies pose security and privacy risks
– May be stolen and used to impersonate user
– Used to tailor advertising
– Can be exploited by attackers


Client-Side Attacks (cont’d.)

• Session hijacking
– Attacker attempts to impersonate user by stealing or guessing session token
• Malicious add-ons
– Browser extensions provide multimedia or interactive Web content
– ActiveX add-ons have several security concerns


Figure 3-7 Session hijacking © Cengage Learning 2012


Client-Side Attacks (cont’d.)

• Buffer overflow attacks
– Process attempts to store data in RAM beyond boundaries of fixed-length storage buffer
– Data overflows into adjacent memory locations
– May cause computer to stop functioning
– Attacker can change “return address”
• Redirects to memory address containing malware code


Figure 3-8 Buffer overflow attack © Cengage Learning 2012


Network Attacks

• Denial of service (DoS)
– Attempts to prevent system from performing normal functions
– Ping flood attack
• Ping utility used to send large number of echo request messages
• Overwhelms Web server
– Smurf attack
• Ping request with originating address changed
• Appears as if target computer is asking for response from all computers on the network


Network Attacks (cont’d.)

• Denial of service (DoS) (cont’d.)
– SYN flood attack
• Takes advantage of procedures for establishing a connection
• Distributed denial of service (DDoS)
– Attacker uses many zombie computers in a botnet to flood a device with requests
– Virtually impossible to identify and block source of attack
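Both floods on these two slides leave a recognisable pattern in captured traffic. The Python below is an added detection example, not from the textbook: it replays a constructed list of packet summaries, counts per destination the TCP connections that saw a SYN but never an ACK from the same source (the half-open connections a SYN flood leaves behind), and flags ICMP echo requests addressed to a broadcast address (the Smurf pattern, where the apparent source is the intended victim). The packet records, the ".255" broadcast convention (a /24 network is assumed) and the threshold are the example's own.

```python
from collections import Counter, defaultdict

# Constructed packet summaries (protocol, source, destination, flags); example data only.
PACKETS = [
    ("TCP", "10.0.0.5", "10.0.0.80", "S"),
    ("TCP", "10.0.0.5", "10.0.0.80", "A"),            # normal handshake completes
    ("TCP", "198.51.100.1", "10.0.0.80", "S"),
    ("TCP", "198.51.100.2", "10.0.0.80", "S"),
    ("TCP", "198.51.100.3", "10.0.0.80", "S"),
    ("TCP", "198.51.100.4", "10.0.0.80", "S"),        # four SYNs, no ACK ever follows
    ("ICMP", "10.0.0.80", "10.0.0.255", "echo-request"),  # victim's address, broadcast destination
    ("ICMP", "10.0.0.80", "10.0.0.255", "echo-request"),
]


def half_open_per_target(packets):
    """Count, per destination, the (source, destination) pairs that sent a SYN
    but never completed the handshake with an ACK from the same source."""
    pending = set()
    for proto, src, dst, flags in packets:
        if proto != "TCP":
            continue
        if flags == "S":
            pending.add((src, dst))
        elif "A" in flags:
            pending.discard((src, dst))
    return dict(Counter(dst for _, dst in pending))


def syn_flood_targets(packets, threshold=3):
    """Destinations whose half-open count reaches the threshold (assumed value)."""
    return sorted(dst for dst, n in half_open_per_target(packets).items() if n >= threshold)


def smurf_candidates(packets):
    """Echo requests sent to a broadcast address, keyed by the claimed source:
    in a Smurf attack that source is spoofed and is the real target."""
    hits = defaultdict(int)
    for proto, src, dst, flags in packets:
        # Assumes /24 networks, so the broadcast address ends in .255.
        if proto == "ICMP" and flags == "echo-request" and dst.endswith(".255"):
            hits[src] += 1
    return dict(hits)
```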


Figure 3-9 SYN flood attack © Cengage Learning 2012


Interception

• Man-in-the-middle
– Interception of legitimate communication
– Forging a fictitious response to the sender
– Passive attack records transmitted data
– Active attack alters contents of transmission before sending to recipient
• Replay attacks
– Similar to passive man-in-the-middle attack


Interception (cont’d.)

• Replay attacks (cont’d.)
– Attacker makes copy of transmission
• Uses copy at a later time
– Example: capturing logon credentials
• More sophisticated replay attacks
– Attacker captures network device’s message to server
– Later sends original, valid message to server
– Establishes trust relationship between attacker and server


Poisoning

• ARP poisoning
– Attacker modifies MAC address in ARP cache to point to different computer


Table 3-3 ARP poisoning attack


Poisoning (cont’d.)

Table 3-4 Attacks from ARP poisoning
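Tables 3-3 and 3-4 describe the cache change and what it enables; the Python below is an added example, not from the textbook, that detects the change from a constructed stream of ARP replies: it flags any IP whose MAC mapping changes and any MAC that claims more than one IP. A legitimate network card replacement also changes a mapping, so the first alert needs confirmation; one MAC answering for several IPs is the stronger sign of poisoning.

```python
from collections import defaultdict

# Constructed ARP replies ("ip is-at mac") seen on one LAN segment; example data only.
ARP_REPLIES = [
    ("192.168.1.1",  "00:11:22:33:44:01"),   # gateway
    ("192.168.1.10", "00:11:22:33:44:10"),   # workstation
    ("192.168.1.20", "00:11:22:33:44:20"),   # another host on the segment
    ("192.168.1.1",  "00:11:22:33:44:20"),   # gateway's IP now mapped to host .20's MAC
    ("192.168.1.10", "00:11:22:33:44:10"),   # unchanged mapping, no alert
]


def detect_arp_poisoning(replies):
    """Replay ARP replies into a simulated cache.

    Returns (changes, multi): changes is a list of (ip, old_mac, new_mac) for
    every IP whose mapping changed, and multi maps each MAC that claims more
    than one IP to the sorted list of those IPs."""
    cache = {}
    changes = []
    claims = defaultdict(set)
    for ip, mac in replies:
        mac = mac.lower()
        previous = cache.get(ip)
        if previous is not None and previous != mac:
            changes.append((ip, previous, mac))
        cache[ip] = mac
        claims[mac].add(ip)
    multi = {mac: sorted(ips) for mac, ips in claims.items() if len(ips) > 1}
    return changes, multi
```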


Poisoning (cont’d.)

• DNS poisoning
– Domain Name System is current basis for name resolution to IP address
– DNS poisoning substitutes DNS addresses to redirect computer to another device
• Two locations for DNS poisoning
– Local host table
– External DNS server


Figure 3-12 DNS poisoning © Cengage Learning 2012


Attacks on Access Rights

• Privilege escalation
– Exploiting software vulnerability to gain access to restricted data
– Lower privilege user accesses functions restricted to higher privilege users
– User with restricted privilege accesses different restricted privilege of a similar user


Attacks on Access Rights (cont’d.)

• Transitive access
– Attack involving a third party to gain access rights
– Has to do with whose credentials should be used when accessing services
• Different users have different access rights


Summary

• Web application flaws are exploited through normal communication channels
• XSS attack uses Web sites that accept user input without validating it
– Uses server to launch attacks on computers that access it
• Client-side attack targets vulnerabilities in client applications
– Client interacts with compromised server


Summary (cont’d.)

• Session hijacking
– Attacker steals session token and impersonates user
• Buffer overflow attack
– Attempts to compromise computer by pushing data into inappropriate memory locations
• Denial of service attack attempts to overwhelm system so that it cannot perform normal functions
• In ARP and DNS poisoning, valid addresses are replaced with fraudulent addresses
• Access rights and privileges may also be exploited
