Upload
fahad-almarri
View
47
Download
4
Tags:
Embed Size (px)
DESCRIPTION
Chapter 3Application and Network Attacks
Citation preview
SECURITY+ GUIDE TO NETWORK SECURITY FUNDAMENTALS, FOURTH EDITION
Chapter 3Application and Network Attacks
Objectives
Security+ Guide to Network Security Fundamentals, Fourth Edition
2
List and explain the different types of Web application attacks
Define client-side attacks Explain how a buffer overflow attack
works List different types of denial of service
attacks Describe interception and poisoning
attacks
Application Attacks
Security+ Guide to Network Security Fundamentals, Fourth Edition
3
Attacks that target applications Category continues to grow Web application attacks Client-side attacks Buffer overflow attacks Zero day attacks
Exploit previously unknown vulnerabilities Victims have no time to prepare or defend
Web Application Attacks
Security+ Guide to Network Security Fundamentals, Fourth Edition
4
Web applications an essential element of organizations today
Approach to securing Web applications Hardening the Web server
Hardening the web server operating system, and system services from other attacks, e.g. DDOs, BUT do not prevent attacks against application server.
Protecting the network Network security devices can block the traditional
attacks but not the Web app server, simply they ignore the content of the HTTP traffic
Security+ Guide to Network Security Fundamentals, Fourth Edition
5
Figure 3-1 Web application infrastructure© Cengage Learning 2012
Web Application Attacks (cont’d.)
Security+ Guide to Network Security Fundamentals, Fourth Edition
6
Common Web application attacks Cross-site scripting ( or recently called, Java
scripting injections) SQL injection XML injection Command injection / directory traversal
Solution can be done by The Strategies to secure the web app is in
writing a good source code.
Security+ Guide to Network Security Fundamentals, Fourth Edition
7
Figure 3-2 Web application security© Cengage Learning 2012
Cross-Site Scripting (XSS)
Security+ Guide to Network Security Fundamentals, Fourth Edition
8
Injecting scripts into a Web application server Directs attacks at clients, not direct attack
on the web app server to deface it.
Figure 3-3 XSS attacks© Cengage Learning 2012
Cross-Site Scripting (cont’d.)
Security+ Guide to Network Security Fundamentals, Fourth Edition
9
When victim visits injected Web site: Malicious instructions sent to victim’s browser
Browser cannot distinguish between valid code and malicious script The web browser execute any code sent from the
web site in the form of JS, HTML , Adobe Flash Requirements of the targeted Web site
Accepts user input without validation Uses input in a response without encoding it
Some XSS attacks designed to steal information: Retained by the browser
Security+ Guide to Network Security Fundamentals, Fourth Edition
10
Figure 3-4 Bookmark page that accepts user input without validating and provides unencoded response© Cengage Learning 2012
Cross-Site Scripting (cont’d.)
Security+ Guide to Network Security Fundamentals, Fourth Edition
11
For the example below, a web application that allows friends to share their favorite Bookmarks
User enter their Name, a description and a URL of a bookmark.
Then uses a personalized “Thank you” screen The Name the user input is part of the code segment Attacker can use this in an XSS attack Attacker can enter a malicious code into the Name field Then that command can be executed in the victim machine
when a victim is tricked in clicking to malicious link page Example of the malicious link is : http://fakesite.com/login.asp?
serviceName=fakesite.comaccess&templatename=pro_sel.forte&source=…fakeimg.srcc=‘http://www.attacker_site.com/’ this link to attacker web page
Security+ Guide to Network Security Fundamentals, Fourth Edition
12
Figure 3-5 Input used as response© Cengage Learning 2012
SQL Injection
Security+ Guide to Network Security Fundamentals, Fourth Edition
13
Targets SQL servers by injecting commands SQL (Structured Query Language)
Used to manipulate data stored in relational database
Example is a forgotten password needed to be retrieved by just validating email address
Forgotten password example Attacker enters incorrectly formatted e-mail address Response lets attacker know whether input is being
validated The message could be displayed as Server failure or
Email address unknown
SQL Injection
Security+ Guide to Network Security Fundamentals, Fourth Edition
14
User NameLast name
Current Email Address [email protected] ‘ ‘
Request for Forgotten password
SQL Injection (cont’d.)
Security+ Guide to Network Security Fundamentals, Fourth Edition
15
Forgotten password example (cont’d.) Forgotten pw is stored in a variable “$EMAIL”
SELECT fieldlist FROM table WHERE field =”$EMAIL” Where : database query to only display a information when
the condition is true Attacker enters email field in SQL statement, where all
the emails will be listed. Statement processed by the database Instead of entering a user name the attacker will send a
statement as SELECT fieldlist FROM table WHERE field = ‘whatever’ or ‘a’=‘a’
Result: All user email addresses will be displayed
SQL Injection (cont’d.)
Security+ Guide to Network Security Fundamentals, Fourth Edition
16
Instead of entering a username, the attacker will enter “whatever” or ‘a’=‘a’, so the statement will look like
SELECT fieldlist FROM table WHERE field = ‘whatever’ or ‘a’=‘a’
whatever: can be any meaningless Or either of the conditions is true ‘a’=‘a’: the statement is always true Therfore the statement will be read as
SELECT fieldlist FROM table Last all users email will then be displayed
SQL Injection (cont’d.)
Security+ Guide to Network Security Fundamentals, Fourth Edition
17
Table 3-1 SQL injection statements
XML Injection
Security+ Guide to Network Security Fundamentals, Fourth Edition
18
Markup language Method for adding annotations to text
HTML Uses tags surrounded by brackets Instructs browser to display text in specific
format XML
Carries data instead of indicating how to display it
No predefined set of tags Users define their own tags
XML Injection (cont’d.)
Security+ Guide to Network Security Fundamentals, Fourth Edition
19
XML attack Similar to SQL injection attack Attacker discovers Web site that does not
filter user data Injects XML tags and data into the database
Xpath injection Specific type of XML injection attack Attempts to exploit XML Path Language
queries
Command Injection / Directory Traversal
Security+ Guide to Network Security Fundamentals, Fourth Edition
20
Web server users typically restricted to root directory
Users may be able to access subdirectories: But not parallel or higher level directories
Sensitive files to protect from unauthorized user access Cmd.exe can be used to enter text-based
commands Passwd (Linux) contains user account
information
Command Injection / Directory Traversal (cont’d.)
Security+ Guide to Network Security Fundamentals, Fourth Edition
21
Directory traversal attack Takes advantage of software vulnerability Attacker moves from root directory to
restricted directories Command injection attack
Attacker enters commands to execute on a server
Client-Side Attacks
Security+ Guide to Network Security Fundamentals, Fourth Edition
22
Web application attacks are server-side attacks
Client-side attacks target vulnerabilities in client applications Interacting with a compromised server Client initiates connection with server,
which could result in an attack
Client-Side Attacks (cont’d.)
Security+ Guide to Network Security Fundamentals, Fourth Edition
23
Drive-by download Client computer compromised simply by viewing
a Web page Attackers inject content into vulnerable Web
server Gain access to server’s operating system
Attackers craft a zero pixel frame to avoid visual detection
Embed an HTML document inside main document Client’s browser downloads malicious script Instructs computer to download malware
Client-Side Attacks (cont’d.)
Security+ Guide to Network Security Fundamentals, Fourth Edition
24
Header manipulation HTTP header contains fields that
characterize data being transmitted Headers can originate from a Web browser
Browsers do not normally allow this Attacker’s short program can allow modification
Examples of header manipulation Referer Accept-language
Client-Side Attacks (cont’d.)
Security+ Guide to Network Security Fundamentals, Fourth Edition
25
Referer field indicates site that generated the Web page Attacker can modify this field to hide fact it came
from another site Modified Web page hosted from attacker’s
computer Accept-language
Some Web applications pass contents of this field directly to database
Attacker could inject SQL command by modifying this header
Client-Side Attacks (cont’d.)
Security+ Guide to Network Security Fundamentals, Fourth Edition
26
Cookies and Attachments Cookies store user-specific information on
user’s local computer Web sites use cookies to identify repeat
visitors Examples of information stored in a
cookie Travel Web sites may store user’s travel
itinerary Personal information provided when visiting
a site Only the Web site that created a cookie
can read it
Client-Side Attacks (cont’d.)
Security+ Guide to Network Security Fundamentals, Fourth Edition
27
First-party cookie Cookie created by Web site user is currently
visiting Third-party cookie
Site advertisers place a cookie to record user preferences
Session cookie Stored in RAM and expires when browser is
closed
Client-Side Attacks (cont’d.)
Security+ Guide to Network Security Fundamentals, Fourth Edition
28
Persistent cookie Recorded on computer’s hard drive Does not expire when browser closes
Secure cookie Used only when browser visits server over
secure connection Always encrypted
Client-Side Attacks (cont’d.)
Security+ Guide to Network Security Fundamentals, Fourth Edition
29
Flash cookie Uses more memory than traditional cookie Cannot be deleted through browser
configuration settings See Project 3-6 to change Flash cookie
settings Cookies pose security and privacy risks
May be stolen and used to impersonate user
Used to tailor advertising Can be exploited by attackers
Client-Side Attacks (cont’d.)
Security+ Guide to Network Security Fundamentals, Fourth Edition
30
Session hijacking Attacker attempts to impersonate user by
stealing or guessing session token Malicious add-ons
Browser extensions provide multimedia or interactive Web content
Active X add-ons have several security concerns
Security+ Guide to Network Security Fundamentals, Fourth Edition
31
Figure 3-7 Session hijacking© Cengage Learning 2012
Client-Side Attacks (cont’d.)
Security+ Guide to Network Security Fundamentals, Fourth Edition
32
Buffer overflow attacks Process attempts to store data in RAM
beyond boundaries of fixed-length storage buffer
Data overflows into adjacent memory locations
May cause computer to stop functioning Attacker can change “return address”
Redirects to memory address containing malware code
Security+ Guide to Network Security Fundamentals, Fourth Edition
33
Figure 3-8 Buffer overflow attack© Cengage Learning 2012
Network Attacks
Security+ Guide to Network Security Fundamentals, Fourth Edition
34
Denial of service (DoS) Attempts to prevent system from performing
normal functions Ping flood attack
Ping utility used to send large number of echo request messages
Overwhelms Web server Smurf attack
Ping request with originating address changed Appears as if target computer is asking for
response from all computers on the network
Network Attacks
Security+ Guide to Network Security Fundamentals, Fourth Edition
35
Denial of service (DoS) (cont’d.) SYN flood attack
Takes advantage of procedures for establishing a connection
Distributed denial of service (DDoS) Attacker uses many zombie computers in a
botnet to flood a device with requests Virtually impossible to identify and block
source of attack
Security+ Guide to Network Security Fundamentals, Fourth Edition
36
Figure 3-9 SYN flood attack© Cengage Learning 2012
Interception
Security+ Guide to Network Security Fundamentals, Fourth Edition
37
Man-in-the-middle Interception of legitimate communication Forging a fictitious response to the sender Passive attack records transmitted data Active attack alters contents of
transmission before sending to recipient Replay attacks
Similar to passive man-in-the-middle attack
Interception (cont’d.)
Security+ Guide to Network Security Fundamentals, Fourth Edition
38
Replay attacks (cont’d.) Attacker makes copy of transmission
Uses copy at a later time Example: capturing logon credentials
More sophisticated replay attacks Attacker captures network device’s
message to server Later sends original, valid message to
server Establishes trust relationship between
attacker and server
Poisoning
Security+ Guide to Network Security Fundamentals, Fourth Edition
39
ARP poisoning Attacker modifies MAC address in ARP
cache to point to different computer
Table 3-3 ARP poisoning attack
Poisoning (cont’d.)
Security+ Guide to Network Security Fundamentals, Fourth Edition
40
Table 3-4 Attacks from ARP poisoning
Poisoning (cont’d.)
Security+ Guide to Network Security Fundamentals, Fourth Edition
41
DNS poisoning Domain Name System is current basis for
name resolution to IP address DNS poisoning substitutes DNS addresses
to redirect computer to another device Two locations for DNS poisoning
Local host table External DNS server
Security+ Guide to Network Security Fundamentals, Fourth Edition
42
Figure 3-12 DNS poisoning© Cengage Learning 2012
Attacks on Access Rights
Security+ Guide to Network Security Fundamentals, Fourth Edition
43
Privilege escalation Exploiting software vulnerability to gain
access to restricted data Lower privilege user accesses functions
restricted to higher privilege users User with restricted privilege accesses
different restricted privilege of a similar user
Attacks on Access Rights (cont’d.)
Security+ Guide to Network Security Fundamentals, Fourth Edition
44
Transitive access Attack involving a third party to gain access
rights Has to do with whose credentials should be
used when accessing services Different users have different access rights
Summary
Security+ Guide to Network Security Fundamentals, Fourth Edition
45
Web application flaws are exploited through normal communication channels
XSS attack uses Web sites that accept user input without validating it Uses server to launch attacks on computers
that access it Client-side attack targets vulnerabilities
in client applications Client interacts with compromised server
Summary (cont’d.)
Security+ Guide to Network Security Fundamentals, Fourth Edition
46
Session hijacking Attacker steals session token and impersonates user
Buffer overflow attack Attempts to compromise computer by pushing data
into inappropriate memory locations Denial of service attack attempts to overwhelm
system so that it cannot perform normal functions In ARP and DNS poisoning, valid addresses are
replaced with fraudulent addresses Access rights and privileges may also be exploited