Security+ Guide to Network Security Fundamentals, Fourth Edition Chapter 3 Application and Network Attacks

Jan 13, 2016

Page 1: Security+ Guide to Network Security Fundamentals, Fourth Edition Chapter 3 Application and Network Attacks.

Security+ Guide to Network Security Fundamentals, Fourth Edition

Chapter 3: Application and Network Attacks

Page 2

Objectives

• List and explain the different types of Web application attacks
• Define client-side attacks
• Explain how a buffer overflow attack works
• List different types of denial of service attacks
• Describe interception and poisoning attacks

Security+ Guide to Network Security Fundamentals, Fourth Edition 2

Page 3

Application Attacks

• Attacks that target applications
  – Category continues to grow
  – Web application attacks
  – Client-side attacks
  – Buffer overflow attacks
• Zero day attacks
  – Exploit previously unknown vulnerabilities
  – Victims have no time to prepare or defend

Page 4

Web Application Attacks

• Web applications are an essential element of organizations today
• Approach to securing Web applications
  – Hardening the Web server
  – Protecting the network

Page 5

Figure 3-1 Web application infrastructure (© Cengage Learning 2012)

Page 6

Web Application Attacks (cont’d.)

• Common Web application attacks
  – Cross-site scripting
  – SQL injection
  – XML injection
  – Command injection / directory traversal

Page 7

Figure 3-2 Web application security (© Cengage Learning 2012)

Page 8

Cross-Site Scripting (XSS)

• Injecting scripts into a Web application server
  – Directs attacks at clients

Figure 3-3 XSS attacks (© Cengage Learning 2012)

Page 9

Cross-Site Scripting (cont’d.)

• When victim visits injected Web site:
  – Malicious instructions sent to victim’s browser
• Browser cannot distinguish between valid code and malicious script
• Requirements of the targeted Web site
  – Accepts user input without validation
  – Uses input in a response without encoding it
• Some XSS attacks designed to steal information:
  – Retained by the browser

Page 10

Figure 3-4 Bookmark page that accepts user input without validating and provides unencoded response (© Cengage Learning 2012)

Page 11

Figure 3-5 Input used as response (© Cengage Learning 2012)
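The bookmark page in Figures 3-4 and 3-5 fails both requirements listed on slide 9: it accepts input without validation and echoes it back unencoded. The following is an added example, not code from the book, showing a minimal handler with that defect beside one that applies both missing controls; the function names, the page template and the sample input are mine.

```python
import html
import re

# Constructed sample input: a bookmark title carrying a script tag, the kind of
# value an XSS payload would place into the page (not taken from the book).
SAMPLE_INPUT = '<script>alert("xss")</script>'

# Hypothetical response template for the bookmark page of Figures 3-4 and 3-5.
PAGE_TEMPLATE = "<html><body><h1>Bookmarks</h1><p>You saved: {}</p></body></html>"


def is_acceptable_title(user_input: str) -> bool:
    """Input validation, the first control slide 9 says the target lacks:
    a bookmark title is short and drawn from a conservative character set."""
    return 0 < len(user_input) <= 80 and re.fullmatch(r"[\w .,!?'-]+", user_input) is not None


def render_bookmark_unsafe(user_input: str) -> str:
    """The vulnerable pattern: input is copied straight into the response, so
    markup inside it becomes part of the page and the browser cannot tell it
    apart from the site's own code."""
    return PAGE_TEMPLATE.format(user_input)


def render_bookmark_safe(user_input: str) -> str:
    """Output encoding, the second missing control: <, >, &, and quotes become
    entities, so the browser displays the text instead of interpreting it.
    html.escape() is the right encoder for HTML body text; an attribute or a
    script block would need the encoding rules of that context instead."""
    return PAGE_TEMPLATE.format(html.escape(user_input, quote=True))


def contains_live_script(page: str) -> bool:
    """Does the rendered page still contain an unencoded <script> tag?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    print("valid title?     ", is_acceptable_title(SAMPLE_INPUT))
    print("unsafe executes? ", contains_live_script(render_bookmark_unsafe(SAMPLE_INPUT)))
    print("encoded executes?", contains_live_script(render_bookmark_safe(SAMPLE_INPUT)))
    print(render_bookmark_safe(SAMPLE_INPUT))
```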

Page 12

SQL Injection

• Targets SQL servers by injecting commands
• SQL (Structured Query Language)
  – Used to manipulate data stored in relational database
• Forgotten password example
  – Attacker enters incorrectly formatted e-mail address
  – Response lets attacker know whether input is being validated

Page 13

SQL Injection (cont’d.)

• Forgotten password example (cont’d.)
  – Attacker enters email field in SQL statement
  – Statement processed by the database
  – Example statement:
    SELECT fieldlist FROM table WHERE field = 'whatever' or 'a'='a'
  – Result: All user email addresses will be displayed

Page 14

SQL Injection (cont’d.)

Table 3-1 SQL injection statements

Page 15

XML Injection

• Markup language
  – Method for adding annotations to text
• HTML
  – Uses tags surrounded by brackets
  – Instructs browser to display text in specific format
• XML
  – Carries data instead of indicating how to display it
  – No predefined set of tags
  – Users define their own tags

Page 16

XML Injection (cont’d.)

• XML attack
  – Similar to SQL injection attack
  – Attacker discovers Web site that does not filter user data
  – Injects XML tags and data into the database
• XPath injection
  – Specific type of XML injection attack
  – Attempts to exploit XML Path Language queries

Page 17

Command Injection / Directory Traversal

• Web server users typically restricted to root directory
• Users may be able to access subdirectories:
  – But not parallel or higher level directories
• Sensitive files to protect from unauthorized user access
  – Cmd.exe can be used to enter text-based commands
  – Passwd (Linux) contains user account information

Page 18

Command Injection / Directory Traversal (cont’d.)

• Directory traversal attack
  – Takes advantage of software vulnerability
  – Attacker moves from root directory to restricted directories
• Command injection attack
  – Attacker enters commands to execute on a server
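Slides 17 and 18 describe the control that directory traversal defeats: a requested path must stay inside the Web server's root directory. This added example (not from the book) is the containment check a server can apply before opening anything; it decodes the request, collapses the ".." segments and refuses any result that leaves the root. The document root, the function name and the sample requests are assumptions for the demonstration.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Assumed document root for the demonstration (not a path from the book).
WEB_ROOT = "/var/www/html"


def resolve_request_path(web_root: str, url_path: str) -> Optional[str]:
    """Map a requested URL path onto the document root, or return None when the
    request would leave it. Works on strings only, so it runs without the files."""
    # Decode twice: catches "%2e%2e/" as well as double-encoded "%252e%252e/".
    decoded = unquote(unquote(url_path))
    # A NUL byte can truncate the path in lower layers; never pass one on.
    if "\x00" in decoded:
        return None
    # Some servers accept either separator; normalise before checking.
    decoded = decoded.replace("\\", "/")
    # Join under the root and collapse every "." and ".." segment.
    joined = posixpath.normpath(posixpath.join(web_root, decoded.lstrip("/")))
    # Containment check: the result is the root itself or lies strictly beneath it.
    # (The trailing "/" stops "/var/www/html-old" from passing as a prefix match.)
    if joined != web_root and not joined.startswith(web_root + "/"):
        return None
    # On a live server, follow up with os.path.realpath() and repeat the check,
    # so symbolic links inside the root cannot point outside it.
    return joined


if __name__ == "__main__":
    # Constructed requests: two legitimate ones and three traversal attempts
    # aimed at the sensitive files slide 17 names.
    for req in ["/index.html", "/docs/../index.html", "/../../etc/passwd",
                "/%2e%2e/%2e%2e/%2e%2e/etc/passwd", "..\\..\\windows\\system32\\cmd.exe"]:
        print(f"{req!r:45} -> {resolve_request_path(WEB_ROOT, req)}")
```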

Page 19

Client-Side Attacks

• Web application attacks are server-side attacks
• Client-side attacks target vulnerabilities in client applications
  – Interacting with a compromised server
  – Client initiates connection with server, which could result in an attack

Page 20

Client-Side Attacks (cont’d.)

• Drive-by download
  – Client computer compromised simply by viewing a Web page
  – Attackers inject content into vulnerable Web server
    • Gain access to server’s operating system
  – Attackers craft a zero pixel frame to avoid visual detection
  – Embed an HTML document inside main document
  – Client’s browser downloads malicious script
  – Instructs computer to download malware
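The zero-pixel frame on slide 20 is invisible to the visitor but not to a content check. As an added example (not from the book), the following scanner, which a site owner could run over their own published pages, flags every iframe that is sized or styled so that it cannot be seen. The sample page and its placeholder hostnames are constructed for the demonstration.

```python
from html.parser import HTMLParser

# Constructed sample page: an ordinary article carrying an injected zero-pixel
# frame of the kind slide 20 describes. The hosts are placeholders, not real sites.
SAMPLE_PAGE = """
<html><body>
<h1>Company news</h1>
<p>Quarterly results are in.</p>
<iframe src="http://injected.example.invalid/loader" width="0" height="0"
        frameborder="0"></iframe>
<iframe src="https://video.example.invalid/player" width="640" height="360"></iframe>
<iframe src="https://ads.example.invalid/x" style="display: none;"></iframe>
</body></html>
"""


def looks_hidden(attrs: dict) -> bool:
    """A frame the user cannot see: zero width or height, or hidden through CSS."""
    width = attrs.get("width", "").strip().rstrip("px")
    height = attrs.get("height", "").strip().rstrip("px")
    style = attrs.get("style", "").replace(" ", "").lower()
    zero_sized = width == "0" or height == "0"
    css_hidden = "display:none" in style or "visibility:hidden" in style
    return zero_sized or css_hidden


class HiddenFrameFinder(HTMLParser):
    """Collects the src of every <iframe> that is sized or styled to be invisible."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        attr_map = {name.lower(): (value or "") for name, value in attrs}
        if looks_hidden(attr_map):
            self.findings.append(attr_map.get("src", "(no src)"))


def find_hidden_frames(page_html: str) -> list:
    """Run the finder over one page and return the suspicious frame sources."""
    parser = HiddenFrameFinder()
    parser.feed(page_html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for src in find_hidden_frames(SAMPLE_PAGE):
        print("hidden frame ->", src)
```

Run against a known-good copy of each page, any new finding is a change an attacker may have made to the server rather than the site owner.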

Page 21

Client-Side Attacks (cont’d.)

• Header manipulation
  – HTTP header contains fields that characterize data being transmitted
  – Headers can originate from a Web browser
    • Browsers do not normally allow this
    • Attacker’s short program can allow modification
• Examples of header manipulation
  – Referer
  – Accept-language

Page 22

Client-Side Attacks (cont’d.)

• Referer field indicates site that generated the Web page
  – Attacker can modify this field to hide fact it came from another site
  – Modified Web page hosted from attacker’s computer
• Accept-language
  – Some Web applications pass contents of this field directly to database
  – Attacker could inject SQL command by modifying this header
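The forgotten-password statement on slides 12 and 13 and the Accept-language case just above are the same defect with a different input source: a value is concatenated into SQL. This added example (not from the book) runs the slide 13 tautology against an in-memory SQLite table through the concatenating query and through a parameterised one, then does the same with a header value; the table, sample users, e-mail pattern and function names are constructed for the demonstration.

```python
import re
import sqlite3

# The attacker-supplied value behind the statement on slide 13: with it, the
# WHERE clause becomes  email = 'whatever' or 'a'='a'  and matches every row.
TAUTOLOGY = "whatever' or 'a'='a"

# Loose syntax check for the "incorrectly formatted e-mail address" step on
# slide 12 (a pattern chosen for this example, not from the book).
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def is_plausible_email(value: str) -> bool:
    return EMAIL_RE.match(value) is not None


def build_demo_db() -> sqlite3.Connection:
    """In-memory table with constructed sample users (email, preferred language)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, lang TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [
        ("alice@example.com", "en"), ("bob@example.com", "de"), ("carol@example.com", "fr")])
    return conn


def lookup_email_vulnerable(conn, field_value: str) -> list:
    """Concatenation, exactly the pattern slide 13 shows: a quote in the input
    ends the string literal and the rest of the value is executed as SQL."""
    sql = "SELECT email FROM users WHERE email = '" + field_value + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_email_safe(conn, field_value: str) -> list:
    """Parameterised query: the driver sends the value separately from the
    statement, so whatever it contains is compared as data, never parsed as SQL."""
    return [row[0] for row in conn.execute(
        "SELECT email FROM users WHERE email = ?", (field_value,))]


def users_for_language_vulnerable(conn, accept_language: str) -> list:
    """Slide 22: an Accept-language header copied into SQL is just as injectable."""
    sql = "SELECT email FROM users WHERE lang = '" + accept_language + "'"
    return [row[0] for row in conn.execute(sql)]


def users_for_language_safe(conn, accept_language: str) -> list:
    return [row[0] for row in conn.execute(
        "SELECT email FROM users WHERE lang = ?", (accept_language,))]


if __name__ == "__main__":
    db = build_demo_db()
    print("looks like an e-mail address?", is_plausible_email(TAUTOLOGY))
    print("vulnerable lookup returns:", lookup_email_vulnerable(db, TAUTOLOGY))
    print("parameterised lookup returns:", lookup_email_safe(db, TAUTOLOGY))
    print("vulnerable header query returns:", users_for_language_vulnerable(db, "en' or 'a'='a"))
    print("parameterised header query returns:", users_for_language_safe(db, "en' or 'a'='a"))
```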

Page 23

Client-Side Attacks (cont’d.)

• Cookies and Attachments
  – Cookies store user-specific information on user’s local computer
• Web sites use cookies to identify repeat visitors
• Examples of information stored in a cookie
  – Travel Web sites may store user’s travel itinerary
  – Personal information provided when visiting a site
• Only the Web site that created a cookie can read it

Page 24

Client-Side Attacks (cont’d.)

• First-party cookie
  – Cookie created by Web site user is currently visiting
• Third-party cookie
  – Site advertisers place a cookie to record user preferences
• Session cookie
  – Stored in RAM and expires when browser is closed

Page 25

Client-Side Attacks (cont’d.)

• Persistent cookie
  – Recorded on computer’s hard drive
  – Does not expire when browser closes
• Secure cookie
  – Used only when browser visits server over secure connection
  – Always encrypted

Page 26

Client-Side Attacks (cont’d.)

• Flash cookie
  – Uses more memory than traditional cookie
  – Cannot be deleted through browser configuration settings
  – See Project 3-6 to change Flash cookie settings
• Cookies pose security and privacy risks
  – May be stolen and used to impersonate user
  – Used to tailor advertising
  – Can be exploited by attackers

Page 27

Client-Side Attacks (cont’d.)

• Session hijacking
  – Attacker attempts to impersonate user by stealing or guessing session token
• Malicious add-ons
  – Browser extensions provide multimedia or interactive Web content
  – ActiveX add-ons have several security concerns

Page 28

Figure 3-7 Session hijacking (© Cengage Learning 2012)
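Slides 24 to 28 tie together: the session token that hijacking steals or guesses usually travels in a cookie, and the cookie's attributes decide whether it is a session or persistent cookie and whether it is sent over an insecure connection. As an added example (not from the book), the block below issues a session cookie with an unguessable token and the Secure attribute, then models the browser-side rules the slides state. The HttpOnly attribute is an addition beyond the slides, and the cookie name is an assumption.

```python
import secrets
from http.cookies import SimpleCookie
from typing import Optional, Tuple


def issue_session_cookie(name: str = "SESSIONID", max_age: Optional[int] = None) -> Tuple[str, str]:
    """Server side: mint a session token and the Set-Cookie header that carries it.
    Returns (token, header_value)."""
    # 32 bytes from the OS CSPRNG (256 bits): guessing the token, the second
    # route to session hijacking on slide 27, is not a realistic option.
    token = secrets.token_urlsafe(32)
    jar = SimpleCookie()
    jar[name] = token
    morsel = jar[name]
    morsel["path"] = "/"
    morsel["secure"] = True     # slide 25: sent only over a secure (HTTPS) connection
    morsel["httponly"] = True   # not in the book: page scripts cannot read it, which
                                # limits theft of the token through XSS
    if max_age is not None:
        morsel["max-age"] = max_age   # slide 25: a persistent cookie survives a restart
    # With no Max-Age/Expires this is a session cookie (slide 24): gone when the
    # browser closes.
    return token, morsel.OutputString()


def browser_will_send(set_cookie_value: str, scheme: str, browser_restarted: bool) -> bool:
    """Client side: model of the two rules the slides state. A Secure cookie
    travels only over https, and a session cookie does not outlive the browser."""
    jar = SimpleCookie()
    jar.load(set_cookie_value)
    morsel = next(iter(jar.values()))
    if morsel["secure"] and scheme != "https":
        return False
    persistent = bool(morsel["max-age"]) or bool(morsel["expires"])
    if browser_restarted and not persistent:
        return False
    return True


if __name__ == "__main__":
    token, header = issue_session_cookie()
    print("Set-Cookie:", header)
    print("sent over https:", browser_will_send(header, "https", False))
    print("sent over plain http:", browser_will_send(header, "http", False))
    print("sent after browser restart:", browser_will_send(header, "https", True))
    _, persistent_header = issue_session_cookie(max_age=86400)
    print("persistent cookie after restart:", browser_will_send(persistent_header, "https", True))
```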

Page 29

Client-Side Attacks (cont’d.)

• Buffer overflow attacks
  – Process attempts to store data in RAM beyond boundaries of fixed-length storage buffer
  – Data overflows into adjacent memory locations
  – May cause computer to stop functioning
  – Attacker can change “return address”
    • Redirects to memory address containing malware code

Page 30

Figure 3-8 Buffer overflow attack (© Cengage Learning 2012)

Page 31

Network Attacks

• Denial of service (DoS)
  – Attempts to prevent system from performing normal functions
  – Ping flood attack
    • Ping utility used to send large number of echo request messages
    • Overwhelms Web server
  – Smurf attack
    • Ping request with originating address changed
    • Appears as if target computer is asking for response from all computers on the network

Page 32

Network Attacks (cont’d.)

• Denial of service (DoS) (cont’d.)
  – SYN flood attack
    • Takes advantage of procedures for establishing a connection
• Distributed denial of service (DDoS)
  – Attacker uses many zombie computers in a botnet to flood a device with requests
  – Virtually impossible to identify and block source of attack

Page 33

Figure 3-9 SYN flood attack (© Cengage Learning 2012)
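The connection-establishment procedure slide 32 refers to is the TCP three-way handshake; a SYN flood opens handshakes that are never completed, leaving the server holding half-open connections. As an added example (not from the book), the detection logic below counts half-open handshakes per target over a constructed event sample and raises an alert when the count crosses a threshold; the event format, addresses and threshold are assumptions for the demonstration.

```python
from collections import defaultdict

# Constructed handshake events as a connection tracker might log them, not a real
# capture: (time, client, server:port, flag) with S = SYN from the client and
# A = the client's final ACK that completes the three-way handshake.
NORMAL_TRAFFIC = [
    ("10:00:00.001", "203.0.113.7", "198.51.100.10:443", "S"),
    ("10:00:00.002", "203.0.113.7", "198.51.100.10:443", "A"),
    ("10:00:00.010", "203.0.113.8", "198.51.100.10:443", "S"),
    ("10:00:00.011", "203.0.113.8", "198.51.100.10:443", "A"),
]
# The flood: SYNs from hundreds of different (spoofed) addresses, none of which
# ever sends the final ACK, so every one stays half-open on the server.
SYN_FLOOD = [("10:00:01.%03d" % i, "192.0.2.%d" % (i % 250 + 1), "198.51.100.10:443", "S")
             for i in range(400)]


def half_open_by_target(events) -> dict:
    """Count handshakes that were opened (SYN) but never completed (ACK), per target."""
    pending = set()               # (client, target) pairs awaiting the final ACK
    for _, client, target, flag in events:
        key = (client, target)
        if flag == "S":
            pending.add(key)
        elif flag == "A":
            pending.discard(key)
    counts = defaultdict(int)
    for _, target in pending:
        counts[target] += 1
    return dict(counts)


def syn_flood_alerts(events, threshold: int = 100) -> list:
    """Targets holding at least `threshold` half-open connections in the sample.
    The threshold is a tuning choice for this example, not a value from the book."""
    return [t for t, n in sorted(half_open_by_target(events).items()) if n >= threshold]


if __name__ == "__main__":
    print("half-open, normal traffic:", half_open_by_target(NORMAL_TRAFFIC))
    print("half-open, during flood:  ", half_open_by_target(NORMAL_TRAFFIC + SYN_FLOOD))
    print("alerts:", syn_flood_alerts(NORMAL_TRAFFIC + SYN_FLOOD))
```

Because the flood's source addresses are spoofed, counting per target rather than per source is what makes the pattern visible; on a live host the same figure is the number of sockets in the SYN_RECV state.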

Page 34

Interception

• Man-in-the-middle
  – Interception of legitimate communication
  – Forging a fictitious response to the sender
  – Passive attack records transmitted data
  – Active attack alters contents of transmission before sending to recipient
• Replay attacks
  – Similar to passive man-in-the-middle attack

Page 35

Interception (cont’d.)

• Replay attacks (cont’d.)
  – Attacker makes copy of transmission
    • Uses copy at a later time
  – Example: capturing logon credentials
• More sophisticated replay attacks
  – Attacker captures network device’s message to server
  – Later sends original, valid message to server
  – Establishes trust relationship between attacker and server
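A replayed message is, by definition, a valid one, so the server can only refuse it if validity includes freshness. This added example (not from the book) plays out the exchange on slides 34 and 35 with both sides: the client binds each message to a nonce and a timestamp under an HMAC, and the server accepts a message once, within a short window, rejecting the captured copy whether it arrives seconds or minutes later. The key, the window, the message layout and the names are assumptions for the demonstration.

```python
import hashlib
import hmac
import json
import secrets

# Constructed shared key for the demonstration; in practice provisioned out of band.
SHARED_KEY = b"demo-shared-key-not-for-production"


def _mac(key: bytes, body: dict) -> str:
    """MAC over a canonical (sorted-key) JSON encoding of everything but the MAC."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def client_build_message(key: bytes, payload: dict, now: float) -> dict:
    """Client side: bind the payload to a fresh nonce and a timestamp, then sign
    the whole thing so neither can be swapped without breaking the MAC."""
    body = {"payload": payload, "nonce": secrets.token_hex(16), "ts": int(now)}
    body["mac"] = _mac(key, body)
    return body


class ReplayGuardServer:
    """Server side: accepts each signed message once, and only while it is fresh."""

    def __init__(self, key: bytes, window_seconds: int = 30):
        self.key = key
        self.window = window_seconds
        self.seen = {}            # nonce -> ts, kept only for the freshness window

    def accept(self, msg: dict, now: float) -> str:
        unsigned = {k: v for k, v in msg.items() if k != "mac"}
        if not hmac.compare_digest(msg.get("mac", ""), _mac(self.key, unsigned)):
            return "rejected: bad mac"           # forged or tampered copy
        if abs(now - msg["ts"]) > self.window:
            return "rejected: stale"             # copy replayed long after capture
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}
        if msg["nonce"] in self.seen:
            return "rejected: replay"            # exact copy replayed inside the window
        self.seen[msg["nonce"]] = msg["ts"]
        return "accepted"


if __name__ == "__main__":
    server = ReplayGuardServer(SHARED_KEY)
    original = client_build_message(SHARED_KEY, {"user": "alice", "action": "logon"}, now=1000.0)
    print("first delivery:        ", server.accept(original, now=1000.4))
    captured_copy = dict(original)               # what a passive interceptor holds
    print("replay 5 s later:      ", server.accept(captured_copy, now=1005.0))
    print("replay 15 min later:   ", server.accept(captured_copy, now=1900.0))
```

The same two checks (a remembered nonce inside the window, a timestamp outside it) cover the logon-credential capture on slide 35, since the captured message no longer proves anything once its nonce has been used.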

Page 36

Poisoning

• ARP poisoning
  – Attacker modifies MAC address in ARP cache to point to different computer

Table 3-3 ARP poisoning attack

Page 37

Poisoning (cont’d.)

Table 3-4 Attacks from ARP poisoning
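Slide 36 says ARP poisoning changes the MAC address an IP maps to in the cache; on the wire that shows up as an IP suddenly answering with a different MAC, and as one MAC answering for several IPs. As an added example (not from the book), the monitor below raises both indicators over a constructed sample of ARP replies, optionally against a static baseline for addresses such as the gateway that must never move. The addresses and the alert format are assumptions for the demonstration.

```python
from collections import defaultdict

# Constructed ARP replies seen on one segment (time, sender IP, sender MAC); not
# a real capture. Events t4 and t5 are the poisoning: the MAC of host .20 starts
# answering for the gateway and for workstation .10.
ARP_REPLIES = [
    ("t1", "192.168.1.1",  "00:11:22:33:44:01"),
    ("t2", "192.168.1.10", "00:11:22:33:44:0a"),
    ("t3", "192.168.1.20", "00:11:22:33:44:14"),
    ("t4", "192.168.1.1",  "00:11:22:33:44:14"),
    ("t5", "192.168.1.10", "00:11:22:33:44:14"),
]

# Optional static baseline for addresses that must never move (here the gateway).
BASELINE = {"192.168.1.1": "00:11:22:33:44:01"}


def detect_arp_poisoning(replies, baseline=None) -> list:
    """Two indicators of a poisoned cache. 'mac-change': an IP answers with a MAC
    different from its baseline or first-seen MAC. 'multi-ip': one MAC claims to
    be more than one IP. Returns alert tuples in the order they are raised."""
    bindings = {ip: mac.lower() for ip, mac in (baseline or {}).items()}
    ips_per_mac = defaultdict(set)
    alerts = []
    for when, ip, mac in replies:
        mac = mac.lower()
        if ip in bindings and bindings[ip] != mac:
            alerts.append(("mac-change", when, ip, bindings[ip], mac))
        else:
            bindings.setdefault(ip, mac)    # trust the baseline or the first sighting
        ips_per_mac[mac].add(ip)
        if len(ips_per_mac[mac]) > 1:
            alerts.append(("multi-ip", when, mac, tuple(sorted(ips_per_mac[mac]))))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_poisoning(ARP_REPLIES, BASELINE):
        print(alert)
```

A static ARP entry for the gateway on critical hosts, or dynamic ARP inspection on the switch, prevents the cache change that this monitor only detects.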

Page 38

Poisoning (cont’d.)

• DNS poisoning
  – Domain Name System is current basis for name resolution to IP address
  – DNS poisoning substitutes DNS addresses to redirect computer to another device
• Two locations for DNS poisoning
  – Local host table
  – External DNS server

Page 39

Figure 3-12 DNS poisoning (© Cengage Learning 2012)

Page 40

Attacks on Access Rights

• Privilege escalation
  – Exploiting software vulnerability to gain access to restricted data
  – Lower privilege user accesses functions restricted to higher privilege users
  – User with restricted privilege accesses different restricted privilege of a similar user

Page 41

Attacks on Access Rights (cont’d.)

• Transitive access
  – Attack involving a third party to gain access rights
  – Has to do with whose credentials should be used when accessing services
    • Different users have different access rights

Page 42

Summary

• Web application flaws are exploited through normal communication channels
• XSS attack uses Web sites that accept user input without validating it
  – Uses server to launch attacks on computers that access it
• Client-side attack targets vulnerabilities in client applications
  – Client interacts with compromised server

Page 43

Summary (cont’d.)

• Session hijacking
  – Attacker steals session token and impersonates user
• Buffer overflow attack
  – Attempts to compromise computer by pushing data into inappropriate memory locations
• Denial of service attack attempts to overwhelm system so that it cannot perform normal functions
• In ARP and DNS poisoning, valid addresses are replaced with fraudulent addresses
• Access rights and privileges may also be exploited