PPT Ch03 Updates

SECURITY+ GUIDE TO NETWORK SECURITY FUNDAMENTALS, FOURTH EDITION

Chapter 3Application and Network Attacks

Objectives

Security+ Guide to Network Security Fundamentals, Fourth Edition

2

List and explain the different types of Web application attacks

Define client-side attacks Explain how a buffer overflow attack

works List different types of denial of service

attacks Describe interception and poisoning

attacks

Application Attacks


3

Attacks that target applications Category continues to grow Web application attacks Client-side attacks Buffer overflow attacks Zero day attacks

Exploit previously unknown vulnerabilities Victims have no time to prepare or defend

Web Application Attacks


4

Web applications an essential element of organizations today

Approach to securing Web applications Hardening the Web server

Hardening the web server operating system, and system services from other attacks, e.g. DDOs, BUT do not prevent attacks against application server.

Protecting the network Network security devices can block the traditional

attacks but not the Web app server, simply they ignore the content of the HTTP traffic


5

Figure 3-1 Web application infrastructure© Cengage Learning 2012

Web Application Attacks (cont’d.)


6

Common Web application attacks Cross-site scripting ( or recently called, Java

scripting injections) SQL injection XML injection Command injection / directory traversal

Solution can be done by The Strategies to secure the web app is in

writing a good source code.


7

Figure 3-2 Web application security© Cengage Learning 2012

Cross-Site Scripting (XSS)


8

Injecting scripts into a Web application server Directs attacks at clients, not direct attack

on the web app server to deface it.

Figure 3-3 XSS attacks© Cengage Learning 2012

Cross-Site Scripting (cont’d.)


9

When victim visits injected Web site: Malicious instructions sent to victim’s browser

Browser cannot distinguish between valid code and malicious script The web browser execute any code sent from the

web site in the form of JS, HTML , Adobe Flash Requirements of the targeted Web site

Accepts user input without validation Uses input in a response without encoding it

Some XSS attacks designed to steal information: Retained by the browser


10

Figure 3-4 Bookmark page that accepts user input without validating and provides unencoded response© Cengage Learning 2012

Cross-Site Scripting (cont’d.)


11

For the example below, a web application that allows friends to share their favorite Bookmarks

User enter their Name, a description and a URL of a bookmark.

Then uses a personalized “Thank you” screen The Name the user input is part of the code segment Attacker can use this in an XSS attack Attacker can enter a malicious code into the Name field Then that command can be executed in the victim machine

when a victim is tricked in clicking to malicious link page Example of the malicious link is : http://fakesite.com/login.asp?

serviceName=fakesite.comaccess&templatename=pro_sel.forte&source=…fakeimg.srcc=‘http://www.attacker_site.com/’ this link to attacker web page


12

Figure 3-5 Input used as response© Cengage Learning 2012

SQL Injection


13

Targets SQL servers by injecting commands SQL (Structured Query Language)

Used to manipulate data stored in relational database

Example is a forgotten password needed to be retrieved by just validating email address

Forgotten password example Attacker enters incorrectly formatted e-mail address Response lets attacker know whether input is being

validated The message could be displayed as Server failure or

Email address unknown

SQL Injection


14

User NameLast name

Current Email Address [email protected] ‘ ‘

Request for Forgotten password

mailto:[email protected]

mailto:[email protected]

SQL Injection (cont’d.)


15

Forgotten password example (cont’d.) Forgotten pw is stored in a variable “$EMAIL”

SELECT fieldlist FROM table WHERE field =”$EMAIL” Where : database query to only display a information when

the condition is true Attacker enters email field in SQL statement, where all

the emails will be listed. Statement processed by the database Instead of entering a user name the attacker will send a

statement as SELECT fieldlist FROM table WHERE field = ‘whatever’ or ‘a’=‘a’

Result: All user email addresses will be displayed



16

Instead of entering a username, the attacker will enter “whatever” or ‘a’=‘a’, so the statement will look like

SELECT fieldlist FROM table WHERE field = ‘whatever’ or ‘a’=‘a’

whatever: can be any meaningless Or either of the conditions is true ‘a’=‘a’: the statement is always true Therfore the statement will be read as

SELECT fieldlist FROM table Last all users email will then be displayed



17

Table 3-1 SQL injection statements

XML Injection


18

Markup language Method for adding annotations to text

HTML Uses tags surrounded by brackets Instructs browser to display text in specific

format XML

Carries data instead of indicating how to display it

No predefined set of tags Users define their own tags

XML Injection (cont’d.)


19

XML attack Similar to SQL injection attack Attacker discovers Web site that does not

filter user data Injects XML tags and data into the database

Xpath injection Specific type of XML injection attack Attempts to exploit XML Path Language

queries

Command Injection / Directory Traversal


20

Web server users typically restricted to root directory

Users may be able to access subdirectories: But not parallel or higher level directories

Sensitive files to protect from unauthorized user access Cmd.exe can be used to enter text-based

commands Passwd (Linux) contains user account

information

Command Injection / Directory Traversal (cont’d.)


21

Directory traversal attack Takes advantage of software vulnerability Attacker moves from root directory to

restricted directories Command injection attack

Attacker enters commands to execute on a server

Client-Side Attacks


22

Web application attacks are server-side attacks

Client-side attacks target vulnerabilities in client applications Interacting with a compromised server Client initiates connection with server,

which could result in an attack

Client-Side Attacks (cont’d.)


23

Drive-by download Client computer compromised simply by viewing

a Web page Attackers inject content into vulnerable Web

server Gain access to server’s operating system

Attackers craft a zero pixel frame to avoid visual detection

Embed an HTML document inside main document Client’s browser downloads malicious script Instructs computer to download malware



24

Header manipulation HTTP header contains fields that

characterize data being transmitted Headers can originate from a Web browser

Browsers do not normally allow this Attacker’s short program can allow modification

Examples of header manipulation Referer Accept-language



25

Referer field indicates site that generated the Web page Attacker can modify this field to hide fact it came

from another site Modified Web page hosted from attacker’s

computer Accept-language

Some Web applications pass contents of this field directly to database

Attacker could inject SQL command by modifying this header



26

Cookies and Attachments Cookies store user-specific information on

user’s local computer Web sites use cookies to identify repeat

visitors Examples of information stored in a

cookie Travel Web sites may store user’s travel

itinerary Personal information provided when visiting

a site Only the Web site that created a cookie

can read it



27

First-party cookie Cookie created by Web site user is currently

visiting Third-party cookie

Site advertisers place a cookie to record user preferences

Session cookie Stored in RAM and expires when browser is

closed



28

Persistent cookie Recorded on computer’s hard drive Does not expire when browser closes

Secure cookie Used only when browser visits server over

secure connection Always encrypted



29

Flash cookie Uses more memory than traditional cookie Cannot be deleted through browser

configuration settings See Project 3-6 to change Flash cookie

settings Cookies pose security and privacy risks

May be stolen and used to impersonate user

Used to tailor advertising Can be exploited by attackers



30

Session hijacking Attacker attempts to impersonate user by

stealing or guessing session token Malicious add-ons

Browser extensions provide multimedia or interactive Web content

Active X add-ons have several security concerns


31

Figure 3-7 Session hijacking© Cengage Learning 2012



32

Buffer overflow attacks Process attempts to store data in RAM

beyond boundaries of fixed-length storage buffer

Data overflows into adjacent memory locations

May cause computer to stop functioning Attacker can change “return address”

Redirects to memory address containing malware code


33

Figure 3-8 Buffer overflow attack© Cengage Learning 2012

Network Attacks


34

Denial of service (DoS) Attempts to prevent system from performing

normal functions Ping flood attack

Ping utility used to send large number of echo request messages

Overwhelms Web server Smurf attack

Ping request with originating address changed Appears as if target computer is asking for

response from all computers on the network

Network Attacks


35

Denial of service (DoS) (cont’d.) SYN flood attack

Takes advantage of procedures for establishing a connection

Distributed denial of service (DDoS) Attacker uses many zombie computers in a

botnet to flood a device with requests Virtually impossible to identify and block

source of attack


36

Figure 3-9 SYN flood attack© Cengage Learning 2012

Interception


37

Man-in-the-middle Interception of legitimate communication Forging a fictitious response to the sender Passive attack records transmitted data Active attack alters contents of

transmission before sending to recipient Replay attacks

Similar to passive man-in-the-middle attack

Interception (cont’d.)


38

Replay attacks (cont’d.) Attacker makes copy of transmission

Uses copy at a later time Example: capturing logon credentials

More sophisticated replay attacks Attacker captures network device’s

message to server Later sends original, valid message to

server Establishes trust relationship between

attacker and server

Poisoning


39

ARP poisoning Attacker modifies MAC address in ARP

cache to point to different computer

Table 3-3 ARP poisoning attack

Poisoning (cont’d.)


40

Table 3-4 Attacks from ARP poisoning

Poisoning (cont’d.)


41

DNS poisoning Domain Name System is current basis for

name resolution to IP address DNS poisoning substitutes DNS addresses

to redirect computer to another device Two locations for DNS poisoning

Local host table External DNS server


42

Figure 3-12 DNS poisoning© Cengage Learning 2012

Attacks on Access Rights


43

Privilege escalation Exploiting software vulnerability to gain

access to restricted data Lower privilege user accesses functions

restricted to higher privilege users User with restricted privilege accesses

different restricted privilege of a similar user

Attacks on Access Rights (cont’d.)


44

Transitive access Attack involving a third party to gain access

rights Has to do with whose credentials should be

used when accessing services Different users have different access rights

Summary


45

Web application flaws are exploited through normal communication channels

XSS attack uses Web sites that accept user input without validating it Uses server to launch attacks on computers

that access it Client-side attack targets vulnerabilities

in client applications Client interacts with compromised server

Summary (cont’d.)


46

Session hijacking Attacker steals session token and impersonates user

Buffer overflow attack Attempts to compromise computer by pushing data

into inappropriate memory locations Denial of service attack attempts to overwhelm

system so that it cannot perform normal functions In ARP and DNS poisoning, valid addresses are

replaced with fraudulent addresses Access rights and privileges may also be exploited

Documents

PPT Ch03 Updates