Application Layer Attacks
Week 2 – Part 2
Attacks Against Programs
Application Layer
Attacks come in many forms and can target each of the 5 network protocol layers
It is straightforward to protect the lower 4:
• transport
• network
• data link
• physical
5/31/2018 Sacramento State - Cook - CSc 115 - Summer 2017 3
Application Layer
The application layer, the top, is the scene of most attacks
This is because…
• by design, the Internet does not care what is inside each packet
• only the application understands the content
Application Layer
Attackers attempt to create fake or corrupted application-layer data
An application can…
• malfunction
• crash
• or be changed into another program while it is running!
Internet Protocols
[Figure: the five Internet (TCP/IP) layers, top to bottom: Application Layer, Transport Layer, Network Layer, Data Link Layer, Physical Layer. The application layer carries any data.]
Application Attacks
The number of attacks that target applications continues to grow
Examples:
• Web application attacks
• Client-side attacks
• Buffer overflow attacks
Zero-Day Attacks
Hackers attempt to discover new vulnerabilities that can be exploited
If found, it is shared with other attackers
It takes time for the good guys to find out
Zero-day attacks
• exploit previously unknown vulnerabilities
• victims have no time to prepare or defend (hence, zero days)
Buffer Overflow
Application Layer Attack
Operating systems protect programs from having their memory / code damaged by another program
However… operating systems don't protect programs from damaging themselves
Buffer Overflow
One technique – used to attack a computer – is to take advantage of this fact
Get the program to damage/destroy itself
There is no defense
Buffers
In memory, a running program's data is often stored next to its instructions
Programs keep blocks of memory called buffers which store data (which can vary in size)
Examples:
• people's names
• list of pet names
• bytes in an image
Buffer Overflow – How it Works
[Figure: computer memory holding a program buffer next to the program; part of the buffer holds data and the rest is not used.]
Buffer Overflow
It is possible to store too much information – resulting in a buffer overflow
The extra bytes will overwrite part of the running program – changing it!
Buffer Overflow – How it Works
[Figure: computer memory after the overflow of data; the extra bytes have run past the buffer and left an overwritten program.]
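Added example (not from the original slides): a simplified model of the memory diagram above, with a flat byte array standing in for real memory. The sizes, byte values and function names are assumptions made for the demonstration; it compares a copy that trusts the input length with one that checks it.

```javascript
// Simplified model of the slide's memory diagram (not real native memory):
// one flat array holds an 8-byte buffer followed directly by "program" bytes.
const BUFFER_START = 0;
const BUFFER_SIZE = 8;                      // constructed size for the demo
const PROGRAM_START = BUFFER_START + BUFFER_SIZE;

function newMemory() {
  const memory = new Uint8Array(16);
  // Constructed stand-in for the program's instructions.
  memory.set([0xA1, 0xA2, 0xA3, 0xA4, 0xA5, 0xA6, 0xA7, 0xA8], PROGRAM_START);
  return memory;
}

function programBytes(memory) {
  return Array.from(memory.slice(PROGRAM_START));
}

// Unchecked copy: trusts the input length, so extra bytes land in the program.
function copyUnchecked(memory, input) {
  for (let i = 0; i < input.length; i++) {
    memory[BUFFER_START + i] = input[i];    // may run past the buffer
  }
}

// Checked copy: the program protects itself by refusing input that does not fit.
function copyChecked(memory, input) {
  if (input.length > BUFFER_SIZE) {
    return false;                           // reject instead of overflowing
  }
  memory.set(input, BUFFER_START);
  return true;
}

function overflowDemo() {
  // Constructed input: a 12-byte "name", 4 bytes more than the buffer holds.
  const name = new TextEncoder().encode("AAAAAAAAAAAA");
  const before = programBytes(newMemory());

  const unsafeMemory = newMemory();
  copyUnchecked(unsafeMemory, name);

  const safeMemory = newMemory();
  const accepted = copyChecked(safeMemory, name);

  return {
    before,
    afterUnchecked: programBytes(unsafeMemory),
    afterChecked: programBytes(safeMemory),
    accepted,
  };
}
```

With the unchecked copy the first four program bytes are replaced by input bytes; with the checked copy the input is rejected and the program bytes are unchanged.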
The Aftermath
Hackers can use this to make a program rewrite itself – with malicious instructions
They can overflow a buffer and use an innocent program to commit malicious acts
Anti-spyware, anti-virus, etc… software
• cannot stop this
• it all depends on whether the target software protects itself from overflows
A Scary Video…
I'm going to show a short video of a real-time application attack on a computer
The user…
• opens a Windows Meta File (.wmf) on the Internet
• it downloads and opens using the default Windows image viewer
It buffer overflows the application…
• converts it into a downloader
• it then downloads and installs rogueware
Example: Code Red Worm
Worm first attacked on July 13, 2001
First version just defaced web pages
Code Red II showed no visible evidence of its presence
Example: Code Red Worm
Exploited a security flaw in Microsoft IIS web servers
• used a buffer overflow to run malicious code
• exploit was a simple HTTP request
• server had no reason to worry – buffer was large enough for any normal HTTP request
Though infected, server ran normally
Example: Code Red Worm
Worm used the server clock to determine its actions for each day of the month
What it did:
• Day 1 - 19: Attack random IP addresses in an attempt to propagate the worm
• Day 20 - 27: Denial of Service Attack will be launched against a pre-selected IP address
• Day 28 - 31: Sleep and wait
Wake-up call that a new type of war now exists
Scripting
Programs aren't always bits and bytes
Scripting
Most applications are compiled
• they are written in a high-level language such as Java and C#
• but are converted into the raw 1's and 0's that run on a computer
However, some aren't
• they remain in their text form
• parsed and executed "on the fly"
Scripting
Scripting files are text files that are executed
They require an interpreter to parse and run the program
Common on servers, web applications, and more
Scripting Examples
Sequential Query Language (SQL)
JavaScript
XML
UNIX shell scripts
DOS batch files
JavaScript Tricks
Your browser is running a program
Applications and Scripting
Applications – such as web applications – use scripts to communicate with each other
e.g. SQL is used to talk to databases
Attackers can…
• insert malicious code into a script and change how one computer talks to another
• this is a common application layer attack
Web Application Attacks
Web applications are an essential element of organizations today
Scripting attacks are increasingly common
Approach to securing Web applications
• hardening the web server
• protecting the network
Common Web Application Attacks
Cross-site scripting
SQL injection
XML injection
Command injection / directory traversal
JavaScript
JavaScript
• scripting language designed to add functionality to webpages
• executed by the web browser on the client
• examples: mouseovers, menus, etc ...
Don't confuse it with….
• Java Programming Language
• Java Virtual Machine
<script> … </script>
The <SCRIPT> Tag
Inserts a script directly into the program
Can define functions, to be called from events like clicking on a button
Or executed immediately
Can be in the header or body of a webpage
JavaScript Example
<script>
function hello()
{
    alert("Sac State rocks!");
}
</script>
Common Gateway Interface
Users often submit data to a website
• logging into your e-mail website
• entering a bid on eBay
• etc…
This information is passed using the Common Gateway Interface protocol
Application layer protocol that is used by all web browsers
Common Gateway Interface
Information is sent in one of two different ways
POST
• information is passed directly from the browser to the server
• users do not see it
GET
• data is sent as part of a webpage address
• used in links
CGI Get
The Get format is pretty straightforward, and can be read with little effort
A Get link consists of the following:
• original webpage address
• question mark – separates the URL from data
• one or more names and values
Example CGI Get link
http://url.com?name=Gunchy&major=CSC
• http://url.com: Website. Just a dummy one in this example
• ?: Question mark separates link and data
• name=Gunchy: "name" field equals "Gunchy"
• &: Different fields are separated by ampersands
Cross Site Scripting Attacks
Application Layer Attack
Cross Site Scripting Attacks
Cross Site Scripting (XSS) allows an attacker to execute their code on a webpage
Doesn't attack the vulnerable server, but uses it to attack someone else
Hence, the "cross" in the name
Cross Site Scripting Attacks
Most commonly makes use of JavaScript
Some experts want to call this JavaScript Injection rather than XSS
Use the terms synonymously
The Attack
When a victim visits an injected web site, the malicious script is downloaded
It is executed on the user's machine
The browser…
• doesn't distinguish between valid code and malicious script
• it's all just script – that it needs to run
The Vulnerability
XSS attack requires a targeted website/server that doesn't validate input
Without validation…
• accepts user input without checking
• uses input in a response without encoding it
• malicious input becomes malicious output
What JavaScript can do…
Display pop-up alerts and prompts
Change the displayed page using Document Object Model (DOM)
• read cookies/session tokens
• “Circumvent” same-origin policy
• virtually deface web page
Redirect to a different website
What JavaScript can do…
Detect installed programs
Detect browser history
Capture keystrokes
Port scan the local network
Induce user actions
What JavaScript can do…
Determine if they are logged on to a website
Capture clipboard content
Rewrite the status bar
Exploit browser vulnerabilities
Launch executable files (in some cases)
Types of XSS
Reflected XSS
Stored XSS (a.k.a. “Persistent XSS”)
DOM Based XSS
Reflective XSS
Reflective XSS uses script inserted into a CGI get link that "reflects" on the victim
Attacker only needs to find a server and send a poisoned link
Victim clicks the link…
• opens the website with the script
• script then runs on the user's computer
Example Normal Link
http://url.com?srch=Hornet&pg=1
Search field contains "Hornet"
Example Website Output
<h2>Search Results For:
Hornet
</h2>
Text of the search placed directly in generated webpage
Example Poisoned Link
http://url.com?srch=<script>alert('Attack')</script>&pg=1
Search field contains a script
Example Website Output
<h2>Search Results For:
<script>alert('Attack')</script>
</h2>
Script will execute!
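Added example (not from the original slides): the search page above rendered two ways, once placing the "srch" value straight into the page and once encoding it first, plus an input check. It also shows the Get link being split into names and values. The function names, the allowed-character rule and the 64-character limit are assumptions for illustration.

```javascript
// The two links from the slides.
const normalLink = "http://url.com?srch=Hornet&pg=1";
const poisonedLink = "http://url.com?srch=<script>alert('Attack')</script>&pg=1";

// Read the "srch" field: everything after "?" is name=value pairs split by "&".
function getSearchTerm(link) {
  return new URL(link).searchParams.get("srch") || "";
}

// Vulnerable version: user input is copied into the response unchanged.
function renderUnsafe(link) {
  return "<h2>Search Results For:\n" + getSearchTerm(link) + "\n</h2>";
}

// Encoding: characters that have meaning in HTML become harmless entities.
function escapeHtml(text) {
  const entities = {
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  };
  return text.replace(/[&<>"']/g, (ch) => entities[ch]);
}

// Hardened version: the browser displays the input as text, it never runs it.
function renderSafe(link) {
  return "<h2>Search Results For:\n" + escapeHtml(getSearchTerm(link)) + "\n</h2>";
}

// Validation (assumed rule): letters, digits, space, "_" and "-", 1 to 64 chars.
function isPlainSearchTerm(term) {
  return /^[A-Za-z0-9 _-]{1,64}$/.test(term);
}

function xssDemo() {
  return {
    unsafe: renderUnsafe(poisonedLink),
    safe: renderSafe(poisonedLink),
    normalAccepted: isPlainSearchTerm(getSearchTerm(normalLink)),
    poisonedAccepted: isPlainSearchTerm(getSearchTerm(poisonedLink)),
  };
}
```

Validation rejects the poisoned search before it is used; encoding makes sure that anything which does reach the page is shown as text rather than run as script.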
Stored XSS
JavaScript is supplied by the attacker and stored by the website (e.g. in a database)
Doesn’t require the victim to do anything. They just have to visit the exploited page
• more dangerous than Reflected XSS
• caused many XSS worms on popular sites
Example: Samy Worm
Affected MySpace
Attacked every visitor to Samy’s page
Used XSS JavaScript embedded in the page
MySpace did not validate input (which users at the time had fun with)
Example: Samy Worm
For each visitor:
• it added them to Samy’s friends
• it infected their page with the same JavaScript
• it posted “but most of all, Samy is my hero” to their page
Example: Samy Worm
Worm spread exponentially
Over 1 million friend requests in less than 20 hours
Samy was popular!!
DOM Based XSS
Injected JavaScript changes the page as the client (your browser) is creating it
Uses Document Object Model (DOM)
What they can do:
• change the content of the page
• add fake links
• fill out forms with their data
Client Side Attacks
Application Layer Attack (Against You)
Client-Side Attacks
Web application attacks are server-side attacks
Client-side attacks target vulnerabilities in client applications
Client-Side Attacks
Just interacting with a compromised server can result in an attack
What happens?
• client initiates an Internet connection with server
• server then attacks the client
Port Scanner
Used to scan a network to find what services are running on a computer
Scans each of the 65,536 ports
If a listening service is found the hacker can check if there is a vulnerability
Drive-by Downloads
Application Layer Attack (Client)
Drive-By Download
Client computer is attacked by simply viewing a compromised Web page
Attackers inject content into a vulnerable Web server
They must gain access to server’s operating system
How it Works
HTML allows pages to be inserted into other pages using the <iframe> tag
Commonly used for embedding video clips (e.g. YouTube) into a site
Used by attackers to hide a malicious embedded page
How it Works
Attackers craft a zero pixel frame to avoid visual detection
Embed a malicious HTML page inside main page
Client’s browser downloads malicious script
Instructs computer to download malware
Internet Cookies
Delicious Little Annoyances
The Problem with HTTP
Hypertext Transfer Protocol is used to transfer webpages
However, HTTP is a stateless protocol
• one request and one response per session
• it cannot store state data
The Problem with HTTP
But, this data is very useful
• keep you logged onto a website
• keep track of a step in e-commerce (checkout)
• preview an e-mail before you send it
• etc...
Cookies fix this problem
What are Cookies?
A small text file saved on your computer
• created by a web server
• only visible to the site that created them
• managed by your web browser
You do not have to accept cookies
Types of Cookies
Secure cookie
• used only when browser visits server over secure connection
• always encrypted
Flash cookie
• uses more memory than traditional cookie
• cannot be deleted through browser configuration settings
Session Cookies
Persistent cookie
• saved on the hard drive
• does not expire
Session cookie
• stored in RAM
• expires when browser is closed
Session Cookies
The session cookie is also known as a "token"
It is passed between the server and client each time they send data
Cookie Sources
First-party cookie
• cookie created by the website the user is currently visiting
• e.g. keep user logged in
Third-party cookie
• created by site advertisers
• records user preferences
Threat of Cookies
Any web server that you request data from can create (bake) a cookie
Pages can get data from multiple servers
• this can include servers related to the site
• but are often servers that embed advertisements – e.g. banners, pictures, etc...
• cookies can come from any of these sources
Threat of Cookies
Some information may be saved that you don't know about:
• Travel Web sites may store user’s travel itinerary
• Personal information provided when visiting a site
All this can build a "profile" of the user
Cookies and Ads
Ad-servers are often shared by webpages
By saving data in cookies ...
• ad-server sites can track your page habits
• this cannot damage your computer
Not dangerous like Spyware
• although this is a form of spying
• you do not suffer the effects of spyware
• only your browsing habits can be watched
[Figure, repeated for each step below: Your Computer, the website being visited, and the Ad Server, with the cookies saved so far.]
1. Visit site about "energy drinks"
Website contains an ad from UglyAds. The browser downloads it, and the UglyAds server takes note.
2. Server saves cookie to browser
Cookies saved: Energy drinks
3. Do a report on "Dr. Oz"
A second website uses UglyAds. It also saves a cookie about your activity.
4. Server saves "Dr. Oz" cookie
Cookies saved: Energy drinks, Dr. Oz
5. User visits eCommerce site
UglyAds wants you to buy a client's product. It looks at cookies and thinks you will buy a common "quack" product.
6. Sends targeted ad (quack medicine)
The sales site shows an "Adrenal Fatigue" ad.
Session Hijacking
Session hijacking is when an attacker attempts to impersonate a user by stealing or guessing the session token
They intercept this data as it is passed over the network or have malware on your computer steal it
Dangers of Cookies
Cookies pose security and privacy risks
Examples:
• may be stolen and used to impersonate the user
• used to tailor advertising
• can be exploited by attackers
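Added example (not from the original slides): a small check a site owner could run over the Set-Cookie headers their server sends, flagging session tokens that are exposed to the theft routes described under Session Hijacking. The sample headers and function names are constructed for the demonstration; Secure, HttpOnly, Expires and Max-Age are standard cookie attributes.

```javascript
// Constructed Set-Cookie headers (cookie names and values are made up).
const sampleHeaders = [
  "session=3f9a1c; Path=/; Secure; HttpOnly",
  "session=3f9a1c; Path=/",
  "session=3f9a1c; Path=/; Secure; HttpOnly; Max-Age=31536000",
];

// Split one Set-Cookie header into its name, value and attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((part) => part.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    secure: false,      // only sent over a secure connection
    httpOnly: false,    // hidden from JavaScript running in the page
    persistent: false,  // saved on the hard drive instead of kept in RAM
  };
  for (const attr of attrs) {
    const key = attr.split("=")[0].toLowerCase();
    if (key === "secure") cookie.secure = true;
    if (key === "httponly") cookie.httpOnly = true;
    if (key === "expires" || key === "max-age") cookie.persistent = true;
  }
  return cookie;
}

// Report how a session token set by this header could be stolen.
function auditSessionCookie(header) {
  const cookie = parseSetCookie(header);
  const findings = [];
  if (!cookie.secure) {
    findings.push("no Secure: token can be intercepted as it crosses the network");
  }
  if (!cookie.httpOnly) {
    findings.push("no HttpOnly: injected script (XSS) can read the token");
  }
  if (cookie.persistent) {
    findings.push("persistent: token is saved on disk where malware can find it");
  }
  return findings;
}

function auditAll(headers) {
  return headers.map((header) => auditSessionCookie(header));
}
```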