Security+ Guide to Network Security Fundamentals, Fourth Edition Chapter 3 Application and Network Attacks
Jan 13, 2016
Objectives
• List and explain the different types of Web application attacks
• Define client-side attacks
• Explain how a buffer overflow attack works
• List different types of denial of service attacks
• Describe interception and poisoning attacks
Security+ Guide to Network Security Fundamentals, Fourth Edition 2
Application Attacks
• Attacks that target applications
  – Category continues to grow
  – Web application attacks
  – Client-side attacks
  – Buffer overflow attacks
• Zero day attacks
  – Exploit previously unknown vulnerabilities
  – Victims have no time to prepare or defend
Web Application Attacks
• Web applications are an essential element of organizations today
• Approach to securing Web applications
  – Hardening the Web server
  – Protecting the network
Figure 3-1 Web application infrastructure (© Cengage Learning 2012)
Web Application Attacks (cont’d.)
• Common Web application attacks
  – Cross-site scripting
  – SQL injection
  – XML injection
  – Command injection / directory traversal
Figure 3-2 Web application security (© Cengage Learning 2012)
Cross-Site Scripting (XSS)
• Injecting scripts into a Web application server
  – Directs attacks at clients
Figure 3-3 XSS attacks (© Cengage Learning 2012)
Cross-Site Scripting (cont’d.)
• When victim visits injected Web site:
  – Malicious instructions sent to victim’s browser
    • Browser cannot distinguish between valid code and malicious script
• Requirements of the targeted Web site
  – Accepts user input without validation
  – Uses input in a response without encoding it
• Some XSS attacks designed to steal information retained by the browser
Figure 3-4 Bookmark page that accepts user input without validating and provides unencoded response (© Cengage Learning 2012)
Figure 3-5 Input used as response (© Cengage Learning 2012)
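The two requirements above (input accepted without validation, then echoed without encoding) in working form, using the bookmark page of Figures 3-4 and 3-5 as the scenario. This is an added example, not code from the book: the query strings, field name and page markup are constructed for illustration, and the hardened version simply HTML-encodes the field before it is placed in the response.

```python
import html
from urllib.parse import parse_qs

# Constructed sample query strings for the bookmark form: one ordinary name and one
# that carries a script element instead of a bookmark name.
BENIGN_QUERY = "bookmark=My+news+feed"
MALICIOUS_QUERY = "bookmark=%3Cscript%3Ealert(1)%3C%2Fscript%3E"


def bookmark_from(query_string: str) -> str:
    """Pull the 'bookmark' field out of the submitted query string (percent-decoded)."""
    return parse_qs(query_string).get("bookmark", [""])[0]


def render_unvalidated(query_string: str) -> str:
    """Vulnerable page: the field is echoed into the HTML exactly as submitted."""
    return f"<p>Bookmark added: {bookmark_from(query_string)}</p>"


def render_encoded(query_string: str) -> str:
    """Hardened page: the field is HTML-encoded before it is placed in the response."""
    safe_name = html.escape(bookmark_from(query_string), quote=True)
    return f"<p>Bookmark added: {safe_name}</p>"


def ships_live_script(page: str) -> bool:
    """True when the response would hand the browser a real <script> element."""
    return "<script" in page.lower()


if __name__ == "__main__":
    for query in (BENIGN_QUERY, MALICIOUS_QUERY):
        print("unvalidated:", render_unvalidated(query))
        print("encoded:    ", render_encoded(query))
```

The browser cannot tell the echoed `<script>` from the page's own markup, which is why encoding on output (not just rejecting known-bad input) is the fix.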
SQL Injection
• Targets SQL servers by injecting commands
• SQL (Structured Query Language)
  – Used to manipulate data stored in a relational database
• Forgotten password example
  – Attacker enters incorrectly formatted e-mail address
  – Response lets attacker know whether input is being validated
SQL Injection (cont’d.)
• Forgotten password example (cont’d.)
  – Attacker enters a SQL fragment in the email field
  – Statement processed by the database
  – Example statement:
    SELECT fieldlist FROM table WHERE field = 'whatever' or 'a'='a'
  – Result: All user email addresses will be displayed
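The forgotten-password example run against a small database, as an added example rather than code from the book. The table, its rows and the `email` column are constructed for the demonstration; the injected value is the slide's own `'whatever' or 'a'='a'`, and the parameterized version shows why binding the field as a value stops it from being parsed as SQL.

```python
import sqlite3

# Constructed sample: the e-mail field exactly as the attacker submits it. The
# application supplies the surrounding quotes, which turns it into the slide's statement.
INJECTED_EMAIL = "whatever' or 'a'='a"


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the site's user table (constructed sample rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, hint TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice@example.com", "first pet"),
         ("bob@example.com", "home town"),
         ("carol@example.com", "first school")],
    )
    return conn


def lookup_concatenated(conn: sqlite3.Connection, email: str) -> list:
    """Vulnerable: the field is pasted into the statement text, so quotes in it become SQL."""
    statement = f"SELECT email FROM users WHERE email = '{email}'"
    return [row[0] for row in conn.execute(statement)]


def lookup_parameterized(conn: sqlite3.Connection, email: str) -> list:
    """Hardened: the field is bound as a parameter and only ever compared as a value."""
    statement = "SELECT email FROM users WHERE email = ?"
    return [row[0] for row in conn.execute(statement, (email,))]


if __name__ == "__main__":
    db = make_db()
    print("concatenated :", lookup_concatenated(db, INJECTED_EMAIL))   # every address
    print("parameterized:", lookup_parameterized(db, INJECTED_EMAIL))  # nothing matches
```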
SQL Injection (cont’d.)
Table 3-1 SQL injection statements
XML Injection
• Markup language
  – Method for adding annotations to text
• HTML
  – Uses tags surrounded by brackets
  – Instructs browser to display text in specific format
• XML
  – Carries data instead of indicating how to display it
  – No predefined set of tags
    • Users define their own tags
XML Injection (cont’d.)
• XML attack
  – Similar to SQL injection attack
  – Attacker discovers Web site that does not filter user data
  – Injects XML tags and data into the database
• XPath injection
  – Specific type of XML injection attack
  – Attempts to exploit XML Path Language queries
Command Injection / Directory Traversal
• Web server users typically restricted to root directory
• Users may be able to access subdirectories
  – But not parallel or higher level directories
• Sensitive files to protect from unauthorized user access
  – Cmd.exe can be used to enter text-based commands
  – Passwd (Linux) contains user account information
Command Injection / Directory Traversal (cont’d.)
• Directory traversal attack
  – Takes advantage of software vulnerability
  – Attacker moves from root directory to restricted directories
• Command injection attack
  – Attacker enters commands to execute on a server
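How a server keeps requests inside the document root, as an added example (not code from the book): the document root `/var/www/html` is an assumed value, and the request paths are constructed. The check decodes, joins under the root and normalises before comparing, so `..` sequences, whether literal or percent-encoded, are judged on the path that would actually be opened.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Assumed document root for the example; a real server takes this from its configuration.
WEB_ROOT = "/var/www/html"


def resolve_request(url_path: str, root: str = WEB_ROOT) -> Optional[str]:
    """Map a requested URL path onto a file under the document root.

    Returns the normalised filesystem path, or None when the request would land
    outside the root (the traversal case) so the caller can refuse it.
    """
    base = root.rstrip("/")
    # Percent-decode first: "%2e%2e" is ".." once the server decodes it.
    decoded = unquote(url_path)
    # Join under the root and collapse ".", ".." and repeated slashes the way the
    # filesystem would, so the check below sees the path that would really be opened.
    candidate = posixpath.normpath(posixpath.join(base, decoded.lstrip("/")))
    # Accept the root itself or something strictly inside it; comparing against the
    # root plus a slash stops "/var/www/html_private" from passing as "/var/www/html".
    if candidate == base or candidate.startswith(base + "/"):
        return candidate
    return None


if __name__ == "__main__":
    for request in ("/images/logo.png", "/docs/../index.html",
                    "/../../etc/passwd", "/%2e%2e/%2e%2e/%2e%2e/etc/passwd"):
        print(f"{request:40} -> {resolve_request(request)}")
```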
Client-Side Attacks
• Web application attacks are server-side attacks
• Client-side attacks target vulnerabilities in client applications
  – Interacting with a compromised server
  – Client initiates connection with server, which could result in an attack
Client-Side Attacks (cont’d.)
• Drive-by download
  – Client computer compromised simply by viewing a Web page
  – Attackers inject content into vulnerable Web server
    • Gain access to server’s operating system
  – Attackers craft a zero-pixel frame to avoid visual detection
  – Embed an HTML document inside main document
  – Client’s browser downloads malicious script
  – Instructs computer to download malware
Client-Side Attacks (cont’d.)
• Header manipulation
  – HTTP header contains fields that characterize data being transmitted
  – Headers can originate from a Web browser
    • Browsers do not normally allow this
    • Attacker’s short program can allow modification
• Examples of header manipulation
  – Referer
  – Accept-language
Client-Side Attacks (cont’d.)
• Referer field indicates site that generated the Web page
  – Attacker can modify this field to hide fact it came from another site
  – Modified Web page hosted from attacker’s computer
• Accept-language
  – Some Web applications pass contents of this field directly to database
  – Attacker could inject SQL command by modifying this header
Client-Side Attacks (cont’d.)
• Cookies and attachments
  – Cookies store user-specific information on user’s local computer
• Web sites use cookies to identify repeat visitors
• Examples of information stored in a cookie
  – Travel Web sites may store user’s travel itinerary
  – Personal information provided when visiting a site
• Only the Web site that created a cookie can read it
Client-Side Attacks (cont’d.)
• First-party cookie
  – Cookie created by Web site user is currently visiting
• Third-party cookie
  – Site advertisers place a cookie to record user preferences
• Session cookie
  – Stored in RAM and expires when browser is closed
Client-Side Attacks (cont’d.)
• Persistent cookie
  – Recorded on computer’s hard drive
  – Does not expire when browser closes
• Secure cookie
  – Used only when browser visits server over secure connection
  – Always encrypted
Client-Side Attacks (cont’d.)
• Flash cookie
  – Uses more memory than traditional cookie
  – Cannot be deleted through browser configuration settings
  – See Project 3-6 to change Flash cookie settings
• Cookies pose security and privacy risks
  – May be stolen and used to impersonate user
  – Used to tailor advertising
  – Can be exploited by attackers
Client-Side Attacks (cont’d.)
• Session hijacking
  – Attacker attempts to impersonate user by stealing or guessing session token
• Malicious add-ons
  – Browser extensions provide multimedia or interactive Web content
  – ActiveX add-ons have several security concerns
Figure 3-7 Session hijacking (© Cengage Learning 2012)
Client-Side Attacks (cont’d.)
• Buffer overflow attacks
  – Process attempts to store data in RAM beyond boundaries of fixed-length storage buffer
  – Data overflows into adjacent memory locations
  – May cause computer to stop functioning
  – Attacker can change “return address”
    • Redirects to memory address containing malware code
Figure 3-8 Buffer overflow attack (© Cengage Learning 2012)
Network Attacks
• Denial of service (DoS)
  – Attempts to prevent system from performing normal functions
  – Ping flood attack
    • Ping utility used to send large number of echo request messages
    • Overwhelms Web server
  – Smurf attack
    • Ping request with originating address changed
    • Appears as if target computer is asking for response from all computers on the network
Network Attacks
• Denial of service (DoS) (cont’d.)
  – SYN flood attack
    • Takes advantage of procedures for establishing a connection
• Distributed denial of service (DDoS)
  – Attacker uses many zombie computers in a botnet to flood a device with requests
  – Virtually impossible to identify and block source of attack
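The SYN flood bullet says the attack abuses the connection-establishment procedure; the server-side symptom is a pile of handshakes that never reach their third step. This added example (not code from the book) replays a constructed packet summary and counts half-open connections per source, the same signal a monitoring script would read from a capture. The addresses, ports and threshold are constructed for illustration.

```python
from collections import defaultdict

# Constructed packet summary as a capture tool might list it: (seconds, source IP,
# source port, TCP flags). 10.0.0.5 finishes each handshake (SYN, then its ACK);
# 198.51.100.7 (an RFC 5737 documentation address) sends SYNs and never follows up.
def build_sample_packets():
    packets = []
    for i in range(3):
        packets.append((0.10 * i, "10.0.0.5", 40000 + i, "S"))
        packets.append((0.10 * i + 0.02, "10.0.0.5", 40000 + i, "A"))
    for i in range(8):
        packets.append((0.50 + 0.01 * i, "198.51.100.7", 50000 + i, "S"))
    return packets


SAMPLE_PACKETS = build_sample_packets()


def half_open_connections(packets):
    """Replay the capture; return the (src, sport) pairs still waiting for the client's ACK."""
    pending = set()
    for _ts, src, sport, flags in packets:
        key = (src, sport)
        if flags == "S":            # step 1 of the handshake: server now holds state
            pending.add(key)
        elif flags in ("A", "R"):   # step 3 completes it; a reset abandons it
            pending.discard(key)
    return pending


def syn_flood_sources(packets, threshold=5):
    """Sources holding at least `threshold` half-open connections, with the count for each."""
    per_source = defaultdict(int)
    for src, _sport in half_open_connections(packets):
        per_source[src] += 1
    return {src: n for src, n in per_source.items() if n >= threshold}


if __name__ == "__main__":
    print(syn_flood_sources(SAMPLE_PACKETS))   # {'198.51.100.7': 8}
```

For a DDoS, the same count is spread across many sources, which is why per-source thresholds alone stop being enough and the slide calls the origin virtually impossible to block.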
Figure 3-9 SYN flood attack (© Cengage Learning 2012)
Interception
• Man-in-the-middle
  – Interception of legitimate communication
  – Forging a fictitious response to the sender
  – Passive attack records transmitted data
  – Active attack alters contents of transmission before sending to recipient
• Replay attacks
  – Similar to passive man-in-the-middle attack
Interception (cont’d.)
• Replay attacks (cont’d.)
  – Attacker makes copy of transmission
    • Uses copy at a later time
  – Example: capturing logon credentials
• More sophisticated replay attacks
  – Attacker captures network device’s message to server
  – Later sends original, valid message to server
  – Establishes trust relationship between attacker and server
Poisoning
• ARP poisoning
  – Attacker modifies MAC address in ARP cache to point to different computer
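What the modified cache looks like from the defender's side, as an added example that is not code from the book. Two constructed snapshots of a host's ARP cache are compared: a poisoned cache shows an IP (here the gateway's) whose MAC has changed from the known-good value, and a single MAC now answering for more than one IP. Addresses and MACs are constructed for illustration.

```python
from collections import defaultdict

# Constructed ARP cache snapshots, one "IP MAC" entry per line, as a periodic dump
# of the cache might record them. Between the two, the gateway entry (192.168.1.1)
# changes and ends up sharing a MAC with host 192.168.1.20.
BASELINE = """\
192.168.1.1  00:11:22:33:44:01
192.168.1.10 00:11:22:33:44:0a
192.168.1.20 00:11:22:33:44:14
"""
CURRENT = """\
192.168.1.1  00:11:22:33:44:14
192.168.1.10 00:11:22:33:44:0a
192.168.1.20 00:11:22:33:44:14
"""


def parse_arp_table(text: str) -> dict:
    """Turn 'IP MAC' lines into an {ip: mac} mapping; MACs lower-cased for comparison."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            table[parts[0]] = parts[1].lower()
    return table


def arp_anomalies(baseline: dict, current: dict) -> dict:
    """Compare two cache snapshots and report the two signs of poisoning."""
    # 1. An IP whose MAC differs from the known-good mapping.
    changed = {ip: (baseline[ip], mac) for ip, mac in current.items()
               if ip in baseline and baseline[ip] != mac}
    # 2. One MAC now answering for more than one IP (the attacker plus its victim).
    ips_by_mac = defaultdict(list)
    for ip, mac in current.items():
        ips_by_mac[mac].append(ip)
    duplicates = {mac: sorted(ips) for mac, ips in ips_by_mac.items() if len(ips) > 1}
    return {"changed": changed, "duplicate_mac": duplicates}


if __name__ == "__main__":
    print(arp_anomalies(parse_arp_table(BASELINE), parse_arp_table(CURRENT)))
```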
Table 3-3 ARP poisoning attack
Poisoning (cont’d.)
Table 3-4 Attacks from ARP poisoning
Poisoning (cont’d.)
• DNS poisoning
  – Domain Name System is current basis for name resolution to IP address
  – DNS poisoning substitutes DNS addresses to redirect computer to another device
• Two locations for DNS poisoning
  – Local host table
  – External DNS server
Figure 3-12 DNS poisoning (© Cengage Learning 2012)
Attacks on Access Rights
• Privilege escalation
  – Exploiting software vulnerability to gain access to restricted data
  – Lower privilege user accesses functions restricted to higher privilege users
  – User with restricted privilege accesses different restricted privilege of a similar user
Attacks on Access Rights (cont’d.)
• Transitive access
  – Attack involving a third party to gain access rights
  – Has to do with whose credentials should be used when accessing services
    • Different users have different access rights
Summary
• Web application flaws are exploited through normal communication channels
• XSS attack uses Web sites that accept user input without validating it
  – Uses server to launch attacks on computers that access it
• Client-side attack targets vulnerabilities in client applications
  – Client interacts with compromised server
Summary (cont’d.)
• Session hijacking
  – Attacker steals session token and impersonates user
• Buffer overflow attack
  – Attempts to compromise computer by pushing data into inappropriate memory locations
• Denial of service attack attempts to overwhelm system so that it cannot perform normal functions
• In ARP and DNS poisoning, valid addresses are replaced with fraudulent addresses
• Access rights and privileges may also be exploited