Security+ Guide to Network Security Fundamentals, Fourth Edition
Chapter 3: Application and Network Attacks

Objectives
- List and explain the different types of Web application attacks
- Define client-side attacks
- Explain how a buffer overflow attack works
- List different types of denial of service attacks
- Describe interception and poisoning attacks

Application Attacks
- Attacks that target applications; this category continues to grow
  - Web application attacks
  - Client-side attacks
  - Buffer overflow attacks
- Zero day attacks
  - Exploit previously unknown vulnerabilities
  - Victims have no time to prepare or defend

Web Application Attacks
- Web applications are an essential element of organizations today
- Approaches to securing Web applications:
  - Hardening the Web server
  - Protecting the network

Figure 3-1 Web application infrastructure (© Cengage Learning 2012)

Web Application Attacks (cont'd.)
- Common Web application attacks:
  - Cross-site scripting
  - SQL injection
  - XML injection
  - Command injection / directory traversal

Figure 3-2 Web application security

Cross-Site Scripting (XSS)
- Injecting scripts into a Web application server
- Directs attacks at clients

Figure 3-3 XSS attacks

Cross-Site Scripting (cont'd.)
- When the victim visits the injected Web site:
  - Malicious instructions are sent to the victim's browser
  - The browser cannot distinguish between valid code and malicious script
- Requirements of the targeted Web site:
  - Accepts user input without validation
  - Uses the input in a response without encoding it
- Some XSS attacks are designed to steal information retained by the browser

Figure 3-4 Bookmark page that accepts user input without validating it and provides an unencoded response

Figure 3-5 Input used as response
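The two conditions on the previous slide (input accepted without validation, then echoed without encoding) are what make the bookmark page in Figures 3-4 and 3-5 exploitable. The following is an added example, not code from the textbook: a hypothetical bookmark page rendered two ways, once with the user's title spliced in verbatim and once with HTML encoding applied, run over a few constructed submissions. The `contains_live_markup` check is a deliberately crude illustration of what an audit looks for; a real review would parse the HTML.

```python
import html
from typing import Dict

# Constructed sample submissions to a hypothetical "bookmark" page. The last one
# carries a script tag, the shape of input an XSS attempt relies on.
SAMPLE_BOOKMARKS = {
    "benign": "My favourite page",
    "with_markup": "Read <b>this</b> & that",
    "script": "<script>alert('xss')</script>",
}

PREFIX = "<p>You bookmarked: "
SUFFIX = "</p>"


def render_unencoded(title: str) -> str:
    """Vulnerable: user input is placed into the HTML response verbatim, so a
    browser will interpret any tags it contains as markup or script."""
    return f"{PREFIX}{title}{SUFFIX}"


def render_encoded(title: str) -> str:
    """Hardened: HTML-significant characters (<, >, &, quotes) are encoded
    before output, so the browser renders the input as text, never as markup."""
    return f"{PREFIX}{html.escape(title, quote=True)}{SUFFIX}"


def contains_live_markup(response: str) -> bool:
    """Illustrative check: does the user-controlled part of the response still
    contain an unencoded angle bracket? (Assumes the PREFIX/SUFFIX layout.)"""
    body = response[len(PREFIX):len(response) - len(SUFFIX)]
    return "<" in body or ">" in body


def compare_renderings() -> Dict[str, bool]:
    """Render every sample both ways and record whether live markup survived."""
    results = {}
    for name, value in SAMPLE_BOOKMARKS.items():
        results[f"{name}/unencoded"] = contains_live_markup(render_unencoded(value))
        results[f"{name}/encoded"] = contains_live_markup(render_encoded(value))
    return results


if __name__ == "__main__":
    for key, leaked in compare_renderings().items():
        print(f"{key:22s} live markup in response: {leaked}")
```

Encoding on output is the defence the slide points at: validation limits what comes in, but it is the encoding step that guarantees the response cannot carry script no matter what the validation missed.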
SQL Injection
- Targets SQL servers by injecting commands
- SQL (Structured Query Language): used to manipulate data stored in a relational database
- Forgotten password example:
  - Attacker enters an incorrectly formatted e-mail address
  - The response lets the attacker know whether input is being validated

SQL Injection (cont'd.)
- Forgotten password example (cont'd.):
  - Attacker enters the email field as part of an SQL statement
  - The statement is processed by the database
  - Example statement:
    SELECT fieldlist FROM table WHERE field = 'whatever' or 'a'='a'
  - Result: all user email addresses will be displayed

SQL Injection (cont'd.)
Table 3-1 SQL injection statements
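The forgotten-password example above works because the e-mail value is pasted into the SQL text, so the closing quote and `or 'a'='a'` become part of the statement. As an added example (not from the textbook), the following runs that exact injected value against a constructed in-memory SQLite table three ways: string-spliced (vulnerable), bound as a parameter (the database never parses the value as SQL), and format-validated before the query (so the "is input validated?" probe gets the same uniform answer as any other malformed address). Table, column and sample rows are assumptions made for the demonstration.

```python
import re
import sqlite3
from typing import List

# Constructed account rows; not real data.
SAMPLE_USERS = [
    ("alice@example.com", "Alice"),
    ("bob@example.com", "Bob"),
    ("carol@example.com", "Carol"),
]

# The injected value from the slide: it closes the string literal and appends
# a condition that is always true.
INJECTED_EMAIL = "whatever' or 'a'='a"

# Simple shape check for an e-mail address (assumption: good enough for the demo).
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def make_db() -> sqlite3.Connection:
    """Build the constructed users table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> List[str]:
    """Vulnerable: the value is spliced into the SQL text, so quote characters
    in the input change the structure of the statement."""
    sql = f"SELECT email FROM users WHERE email = '{email}'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_parameterized(conn: sqlite3.Connection, email: str) -> List[str]:
    """Hardened: the value travels as a bound parameter and is compared as a
    string, whatever characters it contains."""
    sql = "SELECT email FROM users WHERE email = ?"
    return sorted(row[0] for row in conn.execute(sql, (email,)))


def lookup_validated(conn: sqlite3.Connection, email: str) -> List[str]:
    """Hardened further: reject anything not shaped like an address before it
    reaches the database, then use the parameterized query."""
    if not EMAIL_RE.match(email):
        return []
    return lookup_parameterized(conn, email)


if __name__ == "__main__":
    db = make_db()
    print("spliced      :", lookup_vulnerable(db, INJECTED_EMAIL))
    print("parameterized:", lookup_parameterized(db, INJECTED_EMAIL))
    print("validated    :", lookup_validated(db, INJECTED_EMAIL))
    print("validated ok :", lookup_validated(db, "bob@example.com"))
```

Parameter binding is the primary fix; input validation is a second layer that also removes the information leak the slide describes, because a malformed address and an injection attempt produce the same empty result.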
XML Injection
- Markup language: a method for adding annotations to text
  - HTML: uses tags surrounded by brackets; instructs the browser to display text in a specific format
  - XML: carries data instead of indicating how to display it; has no predefined set of tags, so users define their own

XML Injection (cont'd.)
- XML injection attack: similar to an SQL injection attack
  - Attacker discovers a Web site that does not filter user data
  - Injects XML tags and data into the database
- XPath injection: a specific type of XML injection attack that attempts to exploit XML Path Language queries

Command Injection / Directory Traversal
- Web server users are typically restricted to the root directory
  - Users may be able to access subdirectories, but not parallel or higher-level directories
- Sensitive files to protect from unauthorized user access:
  - Cmd.exe (Windows) can be used to enter text-based commands
  - passwd (Linux) contains user account information

Command Injection / Directory Traversal (cont'd.)
- Directory traversal attack: takes advantage of a software vulnerability so the attacker can move from the root directory to restricted directories
- Command injection attack: attacker enters commands to execute on the server
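The directory traversal slides describe the containment rule a Web server must enforce: a requested file may live in the root or its subdirectories, never in a parallel or higher-level directory. As an added example (not the textbook's code), the following resolves constructed request paths against a hypothetical Web root and rejects any that escape it, including percent-encoded `../` sequences. The root path and request strings are assumptions made for the demonstration; nothing is read from disk.

```python
import os
import urllib.parse
from typing import Dict, List, Optional

# Hypothetical Web root (assumption; only path arithmetic is demonstrated).
WEB_ROOT = "/var/www/html"

# Constructed requests: legitimate subdirectory access plus traversal attempts
# in plain, percent-encoded and absolute form.
SAMPLE_REQUESTS: List[str] = [
    "index.html",
    "docs/guide.html",
    "../etc/passwd",
    "docs/../../etc/passwd",
    "docs%2F..%2F..%2Fetc%2Fpasswd",
    "/etc/passwd",
]


def resolve_under_root(requested: str, root: str = WEB_ROOT) -> Optional[str]:
    """Return the absolute path for `requested` if it stays inside `root`,
    otherwise None.

    Order matters: decode first so an encoded '../' cannot slip past the
    check; normalize to collapse '..' segments; then test containment with
    commonpath rather than a string prefix comparison (which would wrongly
    accept '/var/www/htmlx/...' for a root of '/var/www/html')."""
    decoded = urllib.parse.unquote(requested)
    # Treat every request as relative to the root, even one that starts with '/'.
    candidate = os.path.normpath(os.path.join(root, decoded.lstrip("/")))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def classify(requests: List[str] = SAMPLE_REQUESTS) -> Dict[str, Optional[str]]:
    """Map each request to its resolved path, or None if it was rejected."""
    return {r: resolve_under_root(r) for r in requests}


if __name__ == "__main__":
    for req, resolved in classify().items():
        print(f"{req:32s} -> {resolved or 'REJECTED'}")
```

Two caveats a practitioner would add: on a real filesystem the candidate should also go through `os.path.realpath` so a symbolic link inside the root cannot point outside it, and the same decode-then-normalize-then-check order applies to any other encoding the server accepts (double encoding, Unicode variants), which is why servers normalize once, centrally, rather than per handler.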
Client-Side Attacks
- Web application attacks are server-side attacks
- Client-side attacks target vulnerabilities in client applications interacting with a compromised server
  - The client initiates the connection with the server, which could result in an attack

Client-Side Attacks (cont'd.)
- Drive-by download
  - Client computer is compromised simply by viewing a Web page
  - Attackers inject content into a vulnerable Web server, gaining access to the server's operating system
  - Attackers craft a zero-pixel frame to avoid visual detection, embedding an HTML document inside the main document
  - The client's browser downloads the malicious script, which instructs the computer to download malware

Client-Side Attacks (cont'd.)
- Header manipulation
  - The HTTP header contains fields that characterize the data being transmitted
  - Headers can originate from a Web browser; browsers do not normally allow them to be modified, but an attacker's short program can
  - Examples of header manipulation: Referer, Accept-Language

Client-Side Attacks (cont'd.)
- Referer field indicates the site that generated the Web page
  - Attacker can modify this field to hide the fact that the request came from another site (a modified Web page hosted from the attacker's computer)
- Accept-Language
  - Some Web applications pass the contents of this field directly to a database
  - Attacker could inject an SQL command by modifying this header

Client-Side Attacks (cont'd.)
- Cookies and attachments
  - Cookies store user-specific information on the user's local computer
  - Web sites use cookies to identify repeat visitors
  - Examples of information stored in a cookie:
    - Travel Web sites may store the user's travel itinerary
    - Personal information provided when visiting a site
  - Only the Web site that created a cookie can read it

Client-Side Attacks (cont'd.)
- First-party cookie: created by the Web site the user is currently visiting
- Third-party cookie: placed by site advertisers to record user preferences
- Session cookie: stored in RAM and expires when the browser is closed

Client-Side Attacks (cont'd.)
- Persistent cookie: recorded on the computer's hard drive; does not expire when the browser closes
- Secure cookie: used only when the browser visits the server over a secure connection; always encrypted

Client-Side Attacks (cont'd.)
- Flash cookie
  - Uses more memory than a traditional cookie
  - Cannot be deleted through browser configuration settings
  - See Project 3-6 to change Flash cookie settings
- Cookies pose security and privacy risks
  - May be stolen and used to impersonate the user
  - Used to tailor advertising
  - Can be exploited by attackers

Client-Side Attacks (cont'd.)
- Session hijacking: attacker attempts to impersonate the user by stealing or guessing the session token
- Malicious add-ons
  - Browser extensions provide multimedia or interactive Web content
  - ActiveX add-ons have several security concerns

Figure 3-7 Session hijacking

Client-Side Attacks (cont'd.)
- Buffer overflow attacks
  - A process attempts to store data in RAM beyond the boundaries of a fixed-length storage buffer
  - Data overflows into adjacent memory locations
  - May cause the computer to stop functioning
  - Attacker can change the "return address", redirecting execution to a memory address containing malware code

Figure 3-8 Buffer overflow attack

Network Attacks
- Denial of service (DoS): attempts to prevent a system from performing its normal functions
  - Ping flood attack: the ping utility is used to send a large number of echo request messages, overwhelming the Web server
  - Smurf attack: ping request with the originating address changed, so it appears as if the target computer is asking for a response from all computers on the network

Network Attacks (cont'd.)
- Denial of service (DoS) (cont'd.)
  - SYN flood attack: takes advantage of the procedures for establishing a connection
  - Distributed denial of service (DDoS): attacker uses many zombie computers in a botnet to flood a device with requests; virtually impossible to identify and block the source of the attack

Figure 3-9 SYN flood attack
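A SYN flood abuses the three-way handshake shown in Figure 3-9: the attacker sends SYNs and never completes the handshake, so the server accumulates half-open connections. From the defender's side the signature is the count of half-open connections per destination. As an added example (not from the textbook), the following tracks handshakes over constructed packet summaries, with one legitimate client that completes its handshake, twenty flood sources that do not, and a second server that sees only normal traffic. The sensor view, addresses and threshold are assumptions made for the demonstration.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Packet = Tuple[float, str, str, str]  # (time_s, src_ip, dst_ip, tcp_flag)


def build_sample_packets() -> List[Packet]:
    """Constructed traffic as a sensor in front of two servers might summarize it.
    A normal client sends SYN and then the ACK that completes the handshake;
    flood sources send only SYN (from many source addresses, as in a DDoS)."""
    packets: List[Packet] = [
        (0.0, "10.0.0.5", "192.0.2.10", "SYN"),
        (0.1, "10.0.0.5", "192.0.2.10", "ACK"),
        (0.2, "10.0.0.6", "192.0.2.20", "SYN"),
        (0.3, "10.0.0.6", "192.0.2.20", "ACK"),
    ]
    for i in range(20):
        packets.append((1.0 + i * 0.01, f"203.0.113.{i + 1}", "192.0.2.10", "SYN"))
    packets.append((2.0, "10.0.0.7", "192.0.2.10", "SYN"))
    packets.append((2.1, "10.0.0.7", "192.0.2.10", "ACK"))
    return packets


def half_open_by_destination(packets: List[Packet]) -> Dict[str, int]:
    """Count handshakes that were opened with a SYN but never completed with
    the client's ACK, grouped by destination server."""
    pending: Dict[Tuple[str, str], float] = {}
    for ts, src, dst, flag in sorted(packets):
        key = (src, dst)
        if flag == "SYN":
            pending[key] = ts
        elif flag == "ACK":
            pending.pop(key, None)  # handshake completed
    counts: Dict[str, int] = defaultdict(int)
    for _src, dst in pending:
        counts[dst] += 1
    return dict(counts)


def detect_syn_flood(packets: List[Packet], threshold: int = 10) -> Set[str]:
    """Destinations whose outstanding half-open connections reach the threshold."""
    return {dst for dst, n in half_open_by_destination(packets).items() if n >= threshold}


if __name__ == "__main__":
    pkts = build_sample_packets()
    print("half-open per destination:", half_open_by_destination(pkts))
    print("flood suspected on:", detect_syn_flood(pkts))
```

Because each half-open entry here is keyed by source address, the count is also the number of distinct sources, which is what makes the slide's DDoS point concrete: blocking any one of the twenty addresses changes nothing. Production mitigations act on the server instead (SYN cookies, shorter half-open timeouts), precisely because filtering by source does not scale.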
Interception
- Man-in-the-middle
  - Interception of legitimate communication, forging a fictitious response to the sender
  - Passive attack records the transmitted data
  - Active attack alters the contents of the transmission before sending it to the recipient
- Replay attacks: similar to a passive man-in-the-middle attack

Interception (cont'd.)
- Replay attacks (cont'd.)
  - Attacker makes a copy of the transmission and uses the copy at a later time
  - Example: capturing logon credentials
- More sophisticated replay attacks
  - Attacker captures a network device's message to the server
  - Later sends the original, valid message to the server
  - Establishes a trust relationship between the attacker and the server

Poisoning
- ARP poisoning: attacker modifies the MAC address in the ARP cache to point to a different computer

Table 3-3 ARP poisoning attack

Poisoning (cont'd.)
Table 3-4 Attacks from ARP poisoning
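ARP poisoning leaves two traces in a host's ARP cache: an IP address whose MAC changes from what it was before, and one MAC address answering for several IP addresses (typically the gateway's and another host's). As an added example (not from the textbook), the following parses constructed `ip neigh show`-style output for a baseline snapshot and a later one, and reports both signals. The addresses, interface name and cache states are assumptions made for the demonstration.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Matches lines of the form: <ip> dev <iface> lladdr <mac> <state>
NEIGH_RE = re.compile(r"^(\S+)\s+dev\s+\S+\s+lladdr\s+([0-9a-f:]{17})\s+(\S+)$", re.I)

# Constructed snapshots. In the later one the gateway (192.168.1.1) is
# suddenly reachable at the MAC that 192.168.1.30 already uses.
BASELINE = """\
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
192.168.1.20 dev eth0 lladdr 00:11:22:33:44:20 STALE
192.168.1.30 dev eth0 lladdr 00:11:22:33:44:30 REACHABLE
"""
LATER = """\
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:30 REACHABLE
192.168.1.20 dev eth0 lladdr 00:11:22:33:44:20 STALE
192.168.1.30 dev eth0 lladdr 00:11:22:33:44:30 REACHABLE
"""


def parse_neigh(text: str) -> Dict[str, str]:
    """Return {ip: mac} from neighbour-table output; lines without a link-layer
    address (FAILED/INCOMPLETE entries) are skipped."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table


def find_changed_macs(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """IPs whose MAC differs from the baseline: {ip: (old_mac, new_mac)}."""
    return {
        ip: (baseline[ip], current[ip])
        for ip in baseline
        if ip in current and baseline[ip] != current[ip]
    }


def find_shared_macs(table: Dict[str, str]) -> Dict[str, List[str]]:
    """MACs that answer for more than one IP: {mac: [ip, ...]}."""
    by_mac: Dict[str, List[str]] = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def audit(baseline_text: str = BASELINE, current_text: str = LATER) -> dict:
    """Run both checks and return the findings."""
    base = parse_neigh(baseline_text)
    cur = parse_neigh(current_text)
    return {"changed": find_changed_macs(base, cur), "shared": find_shared_macs(cur)}


if __name__ == "__main__":
    for kind, findings in audit().items():
        print(f"{kind}: {findings}")
```

Treat either signal as a prompt to investigate rather than proof: a replaced NIC legitimately changes a MAC, and virtual interfaces or failover pairs can legitimately share one. The durable mitigations are the ones the cache check only approximates, such as static ARP entries for the gateway on critical hosts and dynamic ARP inspection on managed switches.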
Poisoning (cont'd.)
- DNS poisoning
  - Domain Name System is the current basis for resolving names to IP addresses
  - DNS poisoning substitutes DNS addresses to redirect a computer to another device
  - Two locations for DNS poisoning:
    - Local host table
    - External DNS server

Figure 3-12 DNS poisoning

Attacks on Access Rights
- Privilege escalation: exploiting a software vulnerability to gain access to restricted data
  - A lower-privilege user accesses functions restricted to higher-privilege users
  - A user with restricted privilege accesses the different restricted privilege of a similar user

Attacks on Access Rights (cont'd.)
- Transitive access: an attack involving a third party to gain access rights
  - Has to do with whose credentials should be used when accessing services
  - Different users have different access rights

Summary
- Web application flaws are exploited through normal communication channels
- An XSS attack uses Web sites that accept user input without validating it, using the server to launch attacks on computers that access it
- A client-side attack targets vulnerabilities in client applications as the client interacts with a compromised server

Summary (cont'd.)
- Session hijacking: the attacker steals the session token and impersonates the user
- Buffer overflow attack: attempts to compromise a computer by pushing data into inappropriate memory locations
- A denial of service attack attempts to overwhelm a system so that it cannot perform its normal functions
- In ARP and DNS poisoning, valid addresses are replaced with fraudulent addresses
- Access rights and privileges may also be exploited