Types of application attacks I.

PACE-IT, Security+3.5: Types of Application Attacks (part 1)


Page 2

Instructor, PACE-IT Program – Edmonds Community College

Areas of expertise: PC Hardware, Network Administration, IT Project Management, Network Design, User Training, IT Troubleshooting

Industry Certifications

Qualifications Summary

Education: M.B.A., IT Management, Western Governor’s University; B.S., IT Security, Western Governor’s University

Entrepreneur, executive leader, and proven manager with 10+ years of experience turning complex issues into efficient and effective solutions. Strengths include developing and mentoring diverse workforces, improving processes, analyzing business needs and creating the solutions required, with a focus on technology.

Brian K. Ferrill, M.B.A.

Page 3

Types of application attacks I.

– Application attacks defined.

– Common application attacks.

Page 4

Application attacks defined.

Page 5

Due to improvements in modern network security methods, hackers may not be able to easily exploit network resources.

As these security improvements have developed, in many cases, attackers have shifted their focus to application attacks. The hacker will focus on exploiting weaknesses in the software and operating systems that people use every day. In many cases, the security used to protect software from exploitation is not as robust as the security that is used to protect networks. A poorly developed application can often give the hacker administrative control of a system if the exploit is executed properly.

Application attacks defined.

Page 6

Common application attacks.

Page 7

Common application attacks.

– Cross-site scripting (XSS) attack.

» The attacker inserts script code into a form on a Web page that gets submitted to the server.

• The server submits the script code to another client system, which then executes the script.

» XSS is often used to attack the database servers that are used to support Web pages.

– SQL (Structured Query Language) Injection attack.

» SQL is the common language used to manipulate databases. Most business and Web applications use SQL to retrieve data from databases.

» To perform the attack, the hacker inserts SQL commands into the application, usually from an input field, knowing that the application will pass the command to the database application.

• The injected SQL commands will then modify the database (e.g., inserting a new username and password for the hacker to use in further exploitation).
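The two attacks on this slide share one root cause: input from a form field is pasted into a command (an SQL query) or into a page (HTML) without being treated as data. The following added example is not part of the PACE-IT slides; it is illustrative code with a constructed in-memory SQLite table and a constructed comment string. It shows a login query built by string formatting beside the parameterized version, and a comment renderer with and without output encoding, so that the same input produces different results in the vulnerable and hardened paths.

```python
"""Added example (not the slides' code): SQL injection and stored XSS,
each shown as a vulnerable function beside its hardened form.
The users table and its single row are constructed sample data."""
import html
import sqlite3


def make_db():
    # Constructed sample data: one account in an in-memory database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    return conn


def login_vulnerable(conn, username, password):
    # The field contents are spliced into the SQL text, so a quote in the
    # input ends the string literal and the rest is parsed as SQL.
    query = ("SELECT username FROM users WHERE username = '%s' "
             "AND password = '%s'" % (username, password))
    return [row[0] for row in conn.execute(query)]


def login_safe(conn, username, password):
    # Placeholders keep the query structure fixed; the driver sends the
    # values separately, so quotes in the input stay inside the value.
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]


def render_comment_unsafe(comment):
    # Stored XSS: the submitted comment is echoed into the page verbatim,
    # so a script tag in it runs in every later visitor's browser.
    return "<p>%s</p>" % comment


def render_comment_safe(comment):
    # Output encoding turns markup characters into entities; the browser
    # displays the text and never parses it as a tag or script.
    return "<p>%s</p>" % html.escape(comment, quote=True)


if __name__ == "__main__":
    db = make_db()
    # A tautology in the password field makes the vulnerable WHERE clause
    # true for every row; the parameterized query matches nothing.
    print(login_vulnerable(db, "alice", "x' OR '1'='1"))
    print(login_safe(db, "alice", "x' OR '1'='1"))
    print(render_comment_safe("<script>alert(1)</script>"))
```

The point for defenders is that the fix is structural, not a blocklist of bad characters: parameterized queries and context-appropriate output encoding make the input's contents irrelevant to how the query or page is parsed.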

Page 8

Common application attacks.

– Buffer overflow attack.

» The hacker sends more information to the application than the application’s memory buffer can handle, overflowing the buffer.

• The additional information will often be placed in memory outside of the buffer.

• If the hacker can get the right information stored outside of the buffer, he or she can execute code with administrative privilege.

– Integer overflow attack.

» Similar to a buffer overflow attack, but involves exploiting the mathematical functions of an application.

• When a mathematical function returns an integer (number) larger than the memory space that has been allocated to receive it, applications often respond in unexpected ways; this represents a security issue.
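The integer overflow described above is most often a size calculation: a count multiplied by an element size wraps around the fixed width of the integer, the program allocates the small wrapped value, and the later write of the full data becomes the buffer overflow from the previous bullet. The following added example is not from the PACE-IT slides; it is illustrative code that models unsigned 32-bit arithmetic with a mask (the way a C `uint32_t` product behaves) and shows the bounds check that rejects such a request before any memory is allocated. The function names and the 32-bit width are assumptions for the example.

```python
"""Added example (not the slides' code): a 32-bit size computation that
wraps, and the check that refuses it. Width and names are assumed."""

UINT32_MAX = 0xFFFFFFFF


def alloc_size_unchecked(count, elem_size):
    # Models `count * elem_size` evaluated as an unsigned 32-bit integer:
    # the product is silently reduced modulo 2**32, so a huge request
    # can come out as a tiny number of bytes.
    return (count * elem_size) & UINT32_MAX


def alloc_size_checked(count, elem_size):
    # Check before multiplying: if count exceeds UINT32_MAX // elem_size the
    # product cannot fit in 32 bits, so fail instead of wrapping.
    if elem_size <= 0 or count < 0:
        raise ValueError("invalid size arguments")
    if count > UINT32_MAX // elem_size:
        raise OverflowError("count * elem_size does not fit in 32 bits")
    return count * elem_size


def buffer_too_small(count, elem_size):
    # True when the wrapped size would reserve fewer bytes than the
    # elements about to be written: the setup for a heap overflow.
    return alloc_size_unchecked(count, elem_size) < count * elem_size


if __name__ == "__main__":
    # 0x40000001 four-byte elements need 0x100000004 bytes; in 32 bits
    # that wraps to 4, so an unchecked allocator reserves 4 bytes.
    print(alloc_size_unchecked(0x40000001, 4))
    print(buffer_too_small(0x40000001, 4))
    try:
        alloc_size_checked(0x40000001, 4)
    except OverflowError as err:
        print("rejected:", err)
```

The same pattern applies to signed widths and to additions (for example `offset + length` in a parser); the check is always "would the mathematically exact result exceed the type's range", evaluated without first performing the overflowing operation.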

Page 9

Common application attacks.

– Directory traversal/command injection attack.

» A popular attack against Web servers in which the hacker attempts to traverse the Web server’s directories to the point where he or she can execute commands on the underlying operating system (OS).

• The attacker manipulates the URL (Uniform Resource Locator) requests in order to move through the directories and get to a command prompt on the underlying OS.

– LDAP (Lightweight Directory Access Protocol) injection attack.

» Uses the same principle as an SQL injection attack, but exploits LDAP calls instead of SQL commands.

– XML (Extensible Markup Language) injection attack.

» Uses the same principle as the SQL and LDAP injection attacks, but exploits XML to modify the targeted application.
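Directory traversal and LDAP injection on this slide are both defeated by validating or encoding the user-supplied value before it reaches the file system or the directory server. The following added example is not part of the PACE-IT slides; it is illustrative code with an assumed document root (`/srv/www`) and constructed request paths. It resolves a requested URL path against the web root and rejects any request whose normalized form escapes that root (including percent-encoded `..`), and it escapes a value for use inside an LDAP search filter using the RFC 4515 rules, the LDAP analogue of an SQL parameter. The function names are assumptions.

```python
"""Added example (not the slides' code): confining a requested path to a
web root, and escaping a value placed in an LDAP filter. WEB_ROOT and the
request strings are constructed for the example."""
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/srv/www"  # assumed document root


def safe_join(base, requested):
    """Return the resolved path if it stays under base, otherwise None."""
    # Decode percent-encoding first so "%2e%2e%2f" is seen as "../".
    # (Inputs that were encoded twice would need a second decode, or a
    # policy that rejects any '%' left after one decode.)
    decoded = unquote(requested)
    if decoded.startswith("/") or "\x00" in decoded:
        return None  # absolute paths and NUL bytes are never legitimate here
    base_norm = posixpath.normpath(base)
    candidate = posixpath.normpath(posixpath.join(base_norm, decoded))
    # normpath collapses "dir/../.." so a path that climbed out of the
    # root no longer carries the root as its prefix.
    if candidate != base_norm and not candidate.startswith(base_norm + "/"):
        return None
    return candidate


# RFC 4515 escapes for characters that have meaning inside a filter.
# The backslash entry must come first so later escapes are not re-escaped.
_LDAP_ESCAPES = (
    ("\\", r"\5c"),
    ("*", r"\2a"),
    ("(", r"\28"),
    (")", r"\29"),
    ("\x00", r"\00"),
)


def escape_ldap_value(value):
    # Same idea as SQL parameters: metacharacters from the user become
    # literal text, so they cannot add or close filter clauses.
    for raw, esc in _LDAP_ESCAPES:
        value = value.replace(raw, esc)
    return value


def build_uid_filter(uid):
    # The filter structure is fixed; only the escaped value varies.
    return "(uid=%s)" % escape_ldap_value(uid)


if __name__ == "__main__":
    for req in ("docs/readme.txt", "docs/../index.html",
                "../../etc/passwd", "%2e%2e/%2e%2e/etc/passwd"):
        print(req, "->", safe_join(WEB_ROOT, req))
    print(build_uid_filter("alice"))
    print(build_uid_filter("*)(uid=*"))
```

On a real server the resolved path should additionally be opened relative to the root with symbolic links taken into account, since normalization alone does not see links on disk; the string check here is the input-validation layer the slides describe.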

Page 10

One of the largest threats that network security personnel face is the unknown vulnerability.

Network and systems administrators expend a fair amount of effort protecting the assets under their control. They can do a good job of hardening their systems, but not a perfect job. The problem lies with zero day attacks. Zero day attacks take advantage of either new or very recently discovered vulnerabilities in applications, which means that networks and systems probably haven’t yet been hardened against them. The unfortunate reality is that attacks keep changing and security experts must also be willing to adapt in order to keep pace.

Common application attacks.

Page 11

The best defense against application attacks begins with the application’s developer.

Most attacks against applications involve exploiting outside input to the applications. By using proper data validation techniques, application developers can stop most application attacks from succeeding. All data validation techniques should be thoroughly tested by the developer to ensure that they are effective. It is even advisable to have an unaffiliated person or organization attempt to bypass the validation techniques in order to increase the effectiveness of the testing.

Common application attacks.

Page 12

What was covered.

Topic: Application attacks defined.

Summary: As network security has improved, many hackers have shifted their focus to attempting to exploit the applications that are running on networks. In many cases, the security used to protect applications is not as difficult to overcome as the security that is used to protect networks. Application attacks seek to exploit weaknesses that may be found in the software and operating systems that people use every day.

Topic: Common application attacks.

Summary: Cross-site scripting, SQL injection, buffer overflow, integer overflow, directory traversal/command injection, LDAP injection, and XML injection attacks are all common application attacks used by hackers. Zero day attacks exploit either unknown or recently discovered weaknesses in applications, making them difficult to defend against. The best defense against most application attacks is to ensure that the applications use effective data validation techniques.

Page 13

THANK YOU!

Page 14

This workforce solution was 100 percent funded by a $3 million grant awarded by the U.S. Department of Labor's Employment and Training Administration. The solution was created by the grantee and does not necessarily reflect the official position of the U.S. Department of Labor. The Department of Labor makes no guarantees, warranties, or assurances of any kind, express or implied, with respect to such information, including any information on linked sites and including, but not limited to, accuracy of the information or its completeness, timeliness, usefulness, adequacy, continued availability or ownership. Funded by the Department of Labor, Employment and Training Administration, Grant #TC-23745-12-60-A-53.

PACE-IT is an equal opportunity employer/program and auxiliary aids and services are available upon request to individuals with disabilities. For those that are hearing impaired, a video phone is available at the Services for Students with Disabilities (SSD) office in Mountlake Terrace Hall 159. Check www.edcc.edu/ssd for office hours. Call 425.354.3113 on a video phone for more information about the PACE-IT program. For any additional special accommodations needed, call the SSD office at 425.640.1814. Edmonds Community College does not discriminate on the basis of race; color; religion; national origin; sex; disability; sexual orientation; age; citizenship, marital, or veteran status; or genetic information in its programs and activities.