
Application Layer Attacks
Source: athena.ecs.csus.edu/~cookd/115/notes/CSC 115 - Summer... · 2018. 6. 30.

Application Layer Attacks
Week 2 – Part 2

Application Layer Attacks
Attacks Against Programs

Application Layer

Attacks come in many forms and can target each of the 5 network protocol layers

It is straightforward to protect the lower 4:
• transport
• network
• data link
• physical

5/31/2018 Sacramento State - Cook - CSc 115 - Summer 2017 3

Application Layer

The application layer, the top, is the scene of most attacks

This is because…
• by design, the Internet does not care what is inside each packet
• only the application understands the content

Application Layer

Attackers attempt to create fake or corrupted application-layer data

An application can…
• malfunction
• crash
• or be changed into another program while it is running!

Internet Protocols

[Diagram: the five layers stacked top to bottom: Application Layer, Transport Layer, Network Layer, Data link Layer, Physical Layer; labelled Internet, TCP / IP, Any Data]


Application Attacks

The number of attacks that target applications continues to grow

Examples:
• Web application attacks
• Client-side attacks
• Buffer overflow attacks

Zero-Day Attacks

Hackers attempt to discover new vulnerabilities that can be exploited

If found, it is shared with other attackers

It takes time for the good guys to find out

Zero day attacks
• exploit previously unknown vulnerabilities
• victims have no time to prepare or defend (hence, zero days)

Buffer Overflow
Application Layer Attack

Operating systems protect programs from having their memory / code damaged by another program

However… operating systems don't protect programs from damaging themselves

Buffer Overflow

One technique – used to attack a computer – is to take advantage of this fact

Get the program to damage/destroy itself

There is no defense

Buffers

In memory, a running program's data is often stored next to its instructions

Programs keep blocks of memory called buffers which store data (which can vary in size)

Examples:
• people's names
• list of pet names
• bytes in an image


Buffer Overflow – How it Works

[Diagram: Computer Memory, showing the Program next to its Buffer; the buffer holds Data, with the rest Not used]

It is possible to store too much information – resulting in a buffer overflow

The extra bytes will overwrite part of the running program – changing it!

Buffer Overflow – How it Works

[Diagram: Computer Memory after the overflow of data, showing the Overwritten program]

The Aftermath

Hackers can use this to make a program rewrite itself – with malicious instructions

They can overflow a buffer and use an innocent program to commit malicious acts

Anti-spyware, anti-virus, etc… software
• cannot stop this
• it all depends on whether the target software protects itself from overflows

A Scary Video…

I'm going to show a short video of a real-time application attack on a computer

The user…
• opens a Windows Meta File (.wmf) on the Internet
• it downloads and opens using the default Windows image viewer

It buffer overflows the application…
• converts it into a downloader
• it then downloads and installs rogueware

Example: Code Red Worm

Worm first attacked on July 13, 2001

First version just defaced web pages

Code Red II showed no visible evidence of its presence


Example: Code Red Worm

Exploited a security flaw in Microsoft IIS web servers
• used a buffer overflow to run malicious code
• exploit was a simple HTTP request
• server had no reason to worry – buffer was large enough for any normal HTTP request

Though infected, server ran normally

Example: Code Red Worm

Worm used the server clock to determine its actions for each day of the month

What it did:
• Day 1 - 19: Attack random IP addresses in an attempt to propagate the worm
• Day 20 - 27: Denial of Service attack launched against a pre-selected IP address
• Day 28 - 31: Sleep and wait

Wake-up call that a new type of war now exists

Scripting
Programs aren't always bits and bytes

Scripting

Most applications are compiled
• they are written in a high-level language such as Java and C#
• but are converted into the raw 1's and 0's that run on a computer

However, some aren't
• they remain in their text form
• parsed and executed "on the fly"

Scripting

Scripting files are text files that are executed

They require an interpreter to parse and run the program

Common on servers, web applications, and more

Scripting Examples

Sequential Query Language (SQL)

JavaScript

XML

UNIX shell scripts

DOS batch files


Javascript Tricks
Your browser is running a program

Applications and Scripting

Applications – such as web applications – use scripts to communicate with each other

e.g. SQL is used to talk to databases

Attackers can…
• insert malicious code into a script and change how one computer talks to another
• this is a common application layer attack

Web Application Attacks

Web applications are an essential element of organizations today

Scripting attacks are increasingly common

Approach to securing Web applications
• hardening the web server
• protecting the network

Common Web Application Attacks

Cross-site scripting

SQL injection

XML injection

Command injection / directory traversal


JavaScript

JavaScript
• scripting language designed to add functionality to webpages
• executed by the web browser on the client
• examples: mouseovers, menus, etc...

Don't confuse it with…
• Java Programming Language
• Java Virtual Machine


The <SCRIPT> Tag

Inserts a script directly into the program

Can define functions, to be called from events like clicking on a button, or executed immediately

Can be in the header or body of a webpage

Javascript Example:

  <script>
  function hello()
  {
    alert("Sac State rocks!");
  }
  </script>

Common Gateway Interface

Users often submit data to a website
• logging into your e-mail website
• entering a bid on eBay
• etc…

This information is passed using the Common Gateway Interface protocol

Application layer protocol that is used by all web browsers

Common Gateway Interface

Information is sent one of two different ways

POST
• information is passed directly from the browser to the server
• users do not see it

GET
• data is sent as part of a webpage address
• used in links

CGI Get

The Get format is pretty straightforward, and can be read with little effort

A Get link consists of the following:
• original webpage address
• question mark – separates the URL from data
• one or more names and values

Example CGI Get link:

  http://url.com?name=Gunchy&major=CSC

• http://url.com is the website (just a dummy one in this example)
• the question mark separates link and data
• the "name" field equals "Gunchy"
• different fields are separated by ampersands

Cross Site Scripting Attacks
Application Layer Attack

Cross Site Scripting Attacks

Cross Site Scripting (XSS) allows an attacker to execute their code on a webpage

Doesn't attack the vulnerable server, but uses it to attack someone else

Hence, the "cross" in the name

Cross Site Scripting Attacks

Most commonly makes use of Javascript

Some experts want to call this Javascript Injection rather than XSS

Use the terms synonymously

The Attack

When a victim visits an injected web site, the malicious script is downloaded

It is executed on the user's machine

The browser…
• doesn't distinguish between valid code and malicious script
• it's all just script – that it needs to run


The Vulnerability

XSS attack requires a targeted website/server that doesn't validate input

Without validation…
• accepts user input without checking
• uses input in a response without encoding it
• malicious input becomes malicious output

What Javascript can do…

Display pop-up alerts and prompts

Change the displayed page using Document Object Model (DOM)
• read cookies/session tokens
• "Circumvent" same-origin policy
• virtually deface web page

Redirect to a different website

What Javascript can do…

Detect installed programs

Detect browser history

Capture keystrokes

Port scan the local network

Induce user actions

What Javascript can do…

Determine if they are logged on to a website

Capture clipboard content

Rewrite the status bar

Exploit browser vulnerabilities

Launch executable files (in some cases)

Types of XSS

Reflected XSS

Stored XSS (a.k.a. "Persistent XSS")

DOM Based XSS

Reflective XSS

Reflective XSS uses script inserted into a CGI get link that "reflects" on the victim

Attacker only needs to find a server and send a poisoned link

Victim clicks the link…
• opens the website with the script
• script then runs on the user computer

Example Normal Link:

  http://url.com?srch=Hornet&pg=1

Search field contains "Hornet"

Example Website Output:

  <h2>Search Results For:
  Hornet
  </h2>

Text of the search placed directly in generated webpage

Example Poisoned Link:

  http://url.com?srch=<script>alert('Attack')</script>&pg=1

Search field contains a script

Example Website Output:

  <h2>Search Results For:
  <script>alert('Attack')</script>
  </h2>

Script will execute!
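Worked example added here (not from the lecture slides): it parses a CGI Get link the way the CGI Get slides describe it, then builds the search page both ways, placing the search text directly into the HTML (the vulnerable output shown above) and encoding it first, which is the fix the Vulnerability slide points at. The links are the slides' own dummy examples; url.com is not a real site.

```javascript
// Added example (not part of the lecture slides): parse a CGI "Get" link the
// way the CGI Get slides describe it, then build the search page both ways,
// placing the search text directly into the HTML (the vulnerable output the
// slides show) and encoding it first. url.com is the slides' dummy site.

// Percent-decode one name or value; browsers send spaces as '+'.
// Malformed encodings are returned as-is instead of throwing.
function decodeField(s) {
  try {
    return decodeURIComponent(s.replace(/\+/g, ' '));
  } catch (e) {
    return s;
  }
}

// Split a Get link into the page address and its name=value fields.
// The '?' separates the address from the data; '&' separates fields.
function parseGetLink(link) {
  const q = link.indexOf('?');
  if (q === -1) return { address: link, fields: {} };
  const fields = {};
  for (const pair of link.slice(q + 1).split('&')) {
    if (pair === '') continue;
    const eq = pair.indexOf('=');
    const name = eq === -1 ? pair : pair.slice(0, eq);
    const value = eq === -1 ? '' : pair.slice(eq + 1);
    fields[decodeField(name)] = decodeField(value);
  }
  return { address: link.slice(0, q), fields };
}

// Vulnerable: the search text goes straight into the generated page, so a
// <script> element in the srch field becomes real script the browser runs.
function renderResultsUnsafe(srch) {
  return `<h2>Search Results For:\n${srch}\n</h2>`;
}

// Encode the characters that let text break out of an HTML text node or
// attribute value. Encoded text is displayed, never parsed as a tag.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened: same page, but the search text is encoded before it is inserted.
function renderResultsSafe(srch) {
  return `<h2>Search Results For:\n${escapeHtml(srch)}\n</h2>`;
}

// Would the browser find a script element in this output?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// The slides' normal and poisoned links.
const NORMAL_LINK = 'http://url.com?srch=Hornet&pg=1';
const POISONED_LINK = "http://url.com?srch=<script>alert('Attack')</script>&pg=1";

for (const link of [NORMAL_LINK, POISONED_LINK]) {
  const srch = parseGetLink(link).fields.srch;
  console.log(link);
  console.log('  unsafe output runs script:', containsScriptTag(renderResultsUnsafe(srch)));
  console.log('  safe output runs script:  ', containsScriptTag(renderResultsSafe(srch)));
}
```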

Stored XSS

Javascript is supplied by the attacker and stored by the website (e.g. in a database)

Doesn't require the victim to do anything; they just have to visit the exploited page
• more dangerous than Reflected XSS
• caused many XSS worms on popular sites

Example: Samy Worm

Affected MySpace

Attacked every visitor to Samy's page

Used XSS JavaScript embedded in the page

MySpace did not validate input (which users at the time had fun with)

Example: Samy Worm

For each visitor:
• it added them to Samy's friends
• it infected their page with the same JavaScript
• it posted "but most of all, Samy is my hero" to their page

Example: Samy Worm

Worm spread exponentially

Over 1 million friend requests in less than 20 hours

Samy was popular!!

DOM Based XSS

Injected Javascript changes the page as the client (your browser) is creating it

Uses Document Object Model (DOM)

What they can do:
• change the content of the page
• add fake links
• fill out forms with their data


Client Side Attacks
Application Layer Attack (Against You)

Client-Side Attacks

Web application attacks are server-side attacks

Client-side attacks target vulnerabilities in client applications

Client-Side Attacks

Just interacting with a compromised server can result in an attack

What happens?
• client initiates an Internet connection with server
• server then attacks the client

Port Scanner

Used to scan a network to find what services are running on a computer

Scans each of the 65,536 ports

If a listening service is found the hacker can check if there is a vulnerability

Drive-by Downloads
Application Layer Attack (Client)

Drive-By Download

Client computer is attacked by simply viewing a compromised Web page

Attackers inject content into a vulnerable Web server

They must gain access to the server's operating system


How it Works

HTML allows pages to be inserted into other pages using the <iframe> tag

Commonly used for embedding video clips (e.g. YouTube) into a site

Used by attackers to hide a malicious embedded page

How it Works

Attackers craft a zero pixel frame to avoid visual detection

Embed a malicious HTML page inside the main page

Client's browser downloads malicious script

Instructs computer to download malware

Internet Cookies
Delicious Little Annoyances

The Problem with HTTP

Hypertext Transfer Protocol is used to transfer webpages

However, HTTP is a stateless protocol
• one request and one response per session
• it cannot store state data

The Problem with HTTP

But, this data is very useful
• keep you logged onto a website
• keep track of a step in e-commerce (checkout)
• preview an e-mail before you send it
• etc...

Cookies fix this problem

What are Cookies?

A small text file saved on your computer
• created by a web server
• only visible to the site that created them
• managed by your web browser

You do not have to accept cookies

Types of Cookies

Secure cookie

• used only when browser visits server over secure connection

• always encrypted

Flash cookie

• uses more memory than traditional cookie

• cannot be deleted through browser configuration settings


Session Cookies

Persistent cookie
• saved on the hard drive
• does not expire

Session cookie
• stored in RAM
• expires when browser is closed

Session Cookies

The session cookie is also known as a "token"

It is passed between the server and client each time they send data

Cookie Sources

First-party cookie
• cookie created by the website the user is currently visiting
• e.g. keep user logged in

Third-party cookie
• created by site advertisers
• records user preferences

Threat of Cookies

Any web server that you request data from can create (bake) a cookie

Pages can get data from multiple servers
• this can include servers related to the site
• but are often servers that embed advertisements – e.g. banners, pictures, etc...
• cookies can come from any of these sources

Threat of Cookies

Some information may be saved that you don't know about:
• Travel Web sites may store a user's travel itinerary
• Personal information provided when visiting a site

All this can build a "profile" of the user

Cookies and Ads

Ad-servers are often shared by webpages

By saving data in cookies ...
• ad-server sites can track your page habits
• this cannot damage your computer

Not dangerous like Spyware
• although this is a form of spying
• you do not suffer the effects of spyware
• only your browsing habits can be watched

[Diagram sequence: each frame shows Your Computer, the website being visited, and the UglyAds Ad Server, with the cookies the ad server has stored so far]

1. Visit site about "energy drinks" (Website 1: Energy Drinks). The website contains an ad from UglyAds. The browser downloads it, and the UglyAds server takes note.

2. Server saves cookie to browser (cookies: Energy drinks).

3. Do a report on "Dr. Oz" (Website 2: Dr. Oz). A second website uses UglyAds. It also saves a cookie about your activity.

4. Server saves "Dr. Oz" cookie (cookies: Energy drinks, Dr. Oz).

5. User visits eCommerce site (Sales site). UglyAds wants you to buy a client's product. It looks at cookies and thinks you will buy a common "quack" product.

6. Sends targeted ad (quack medicine): an "Adrenal Fatigue" ad (cookies: Energy drinks, Dr. Oz).

Session Hijacking

Session hijacking is when an attacker attempts to impersonate a user by stealing or guessing the session token

They intercept this data as it is passed over the network or have malware on your computer steal it
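Worked example added here (not from the lecture slides): a Set-Cookie header parser that applies the definitions from the cookie slides, classifying a cookie as session (kept in RAM, no Expires or Max-Age) or persistent, and auditing a session-token cookie for the Secure flag and for HttpOnly, an attribute the slides do not cover that stops page scripts from reading the token the Session Hijacking slide is about. The header strings are constructed for this example and SESSIONID is a placeholder name.

```javascript
// Added example (not part of the lecture slides): parse a Set-Cookie header,
// classify the cookie as "session" (kept in RAM, gone when the browser closes)
// or "persistent" (saved to disk, has Expires or Max-Age), and audit a
// session token for the attributes that limit the theft described on the
// Session Hijacking slide. HttpOnly is not covered by the slides; it is a
// standard cookie attribute that hides the cookie from page scripts.

// Parse "name=value; Attr; Attr=val" into a plain object.
// Attribute names are case-insensitive, so they are stored lowercase.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim());
  const eq = parts[0].indexOf('=');
  const cookie = {
    name: eq === -1 ? parts[0] : parts[0].slice(0, eq),
    value: eq === -1 ? '' : parts[0].slice(eq + 1),
    attributes: {},
  };
  for (const part of parts.slice(1)) {
    if (part === '') continue;
    const i = part.indexOf('=');
    const attrName = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    cookie.attributes[attrName] = i === -1 ? true : part.slice(i + 1);
  }
  return cookie;
}

// No Expires and no Max-Age means a session cookie: the browser keeps it in
// memory and discards it when it closes. Otherwise the cookie is persistent.
function classifyCookie(cookie) {
  const a = cookie.attributes;
  return 'expires' in a || 'max-age' in a ? 'persistent' : 'session';
}

// Findings for a cookie that carries the session token.
function auditSessionCookie(cookie) {
  const a = cookie.attributes;
  const findings = [];
  if (!a.secure) {
    // Without Secure the browser also sends the token over plain HTTP,
    // where it can be intercepted as it crosses the network.
    findings.push('missing Secure: token is sent over unencrypted HTTP');
  }
  if (!a.httponly) {
    // Without HttpOnly, injected JavaScript (XSS) can read document.cookie
    // and send the token to the attacker.
    findings.push('missing HttpOnly: token is readable by page scripts');
  }
  if (classifyCookie(cookie) === 'persistent') {
    findings.push('persistent: token stays on disk after the browser closes');
  }
  return findings;
}

// Constructed headers (SESSIONID is a placeholder): a weak one and a hardened one.
const WEAK_HEADER = 'SESSIONID=abc123; Path=/; Expires=Wed, 09 Jun 2021 10:18:14 GMT';
const HARDENED_HEADER = 'SESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax';

for (const header of [WEAK_HEADER, HARDENED_HEADER]) {
  const cookie = parseSetCookie(header);
  console.log(header);
  console.log('  type:', classifyCookie(cookie), ' findings:', auditSessionCookie(cookie));
}
```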

Dangers of Cookies

Cookies pose security and privacy risks

Examples:

• may be stolen and used to impersonate user

• used to tailor advertising

• can be exploited by attackers
