Chap 03.ppt

Security+ Guide to Network
Security Fundamentals,
Fourth Edition
Chapter 3
Application and Network Attacks

Objectives
• List and explain the different types of Web
application attacks
• Define client-side attacks
• Explain how a buffer overflow attack works
• List different types of denial of service attacks
• Describe interception and poisoning attacks
Security+ Guide to Network Security Fundamentals, Fourth Edition 2

Application Attacks
• Attacks that target applications
– Category continues to grow
– Web application attacks
– Client-side attacks
– Buffer overflow attacks
• Zero day attacks
– Exploit previously unknown vulnerabilities
– Victims have no time to prepare or defend

Web Application Attacks
• Web applications an essential element of
organizations today
• Approach to securing Web applications
– Hardening the Web server
– Protecting the network

Figure 3-1 Web application infrastructure
© Cengage Learning 2012

Web Application Attacks (cont’d.)
• Common Web application attacks
– Cross-site scripting
– SQL injection
– XML injection
– Command injection / directory traversal

Figure 3-2 Web application security

Cross-Site Scripting (XSS)
• Injecting scripts into a Web application server
– Directs attacks at clients
Figure 3-3 XSS attacks

Cross-Site Scripting (cont’d.)
• When victim visits injected Web site:
– Malicious instructions sent to victim’s browser
• Browser cannot distinguish between valid code and
malicious script
• Requirements of the targeted Web site
– Accepts user input without validation
– Uses input in a response without encoding it
• Some XSS attacks designed to steal information:
– Retained by the browser

Figure 3-4 Bookmark page that accepts user input
without validating and provides unencoded response

Figure 3-5 Input used as response

SQL Injection
• Targets SQL servers by injecting commands
• SQL (Structured Query Language)
– Used to manipulate data stored in relational
database
• Forgotten password example
– Attacker enters incorrectly formatted e-mail address
– Response lets attacker know whether input is being
validated

SQL Injection (cont’d.)
• Forgotten password example (cont’d.)
– Attacker enters email field in SQL statement
– Statement processed by the database
– Example statement:
SELECT fieldlist FROM table WHERE field
= ‘whatever’ or ‘a’=‘a’
– Result: All user email addresses will be displayed

SQL Injection (cont’d.)
• See link Ch 3f
Table 3-1 SQL injection statements

XML Injection
• Markup language
– Method for adding annotations to text
• HTML
– Uses tags surrounded by brackets
– Instructs browser to display text in specific format
• XML
– Carries data instead of indicating how to display it
– No predefined set of tags
• Users define their own tags

XML Injection (cont’d.)
• XML attack
– Similar to SQL injection attack
– Attacker discovers Web site that does not filter user
data
– Injects XML tags and data into the database
• Xpath injection
– Specific type of XML injection attack
– Attempts to exploit XML Path Language queries

Command Injection /
Directory Traversal
• Web server users typically restricted to root
directory
• Users may be able to access subdirectories:
– But not parallel or higher level directories
• Sensitive files to protect from unauthorized user
access
– Cmd.exe can be used to enter text-based
commands
– Passwd (Linux) contains user account information

Command Injection /
Directory Traversal (cont’d.)
• Directory traversal attack
– Takes advantage of software vulnerability
– Attacker moves from root directory to restricted
directories
• Command injection attack
– Attacker enters commands to execute on a server

Client-Side Attacks
• Web application attacks are server-side attacks
• Client-side attacks target vulnerabilities in client
applications
– Interacting with a compromised server
– Client initiates connection with server, which could
result in an attack

Client-Side Attacks (cont’d.)
• Drive-by download
– Client computer compromised simply by viewing a
Web page
– Attackers inject content into vulnerable Web server
• Gain access to server’s operating system
– Attackers craft a zero pixel frame to avoid visual
detection
– Embed an HTML document inside main document
– Client’s browser downloads malicious script
– Instructs computer to download malware

• Header manipulation
– HTTP header contains fields that characterize data
being transmitted
– Headers can originate from a Web browser
• Browsers do not normally allow this
• Attacker’s short program can allow modification
• Examples of header manipulation
– Referer
– Accept-language

• Referer field indicates site that generated the Web
page
– Attacker can modify this field to hide fact it came
from another site
– Modified Web page hosted from attacker’s
computer
• Accept-language
– Some Web applications pass contents of this field
directly to database
– Attacker could inject SQL command by modifying
this header

• Cookies and Attachments
– Cookies store user-specific information on user’s
local computer
• Web sites use cookies to identify repeat visitors
• Examples of information stored in a cookie
– Travel Web sites may store user’s travel itinerary
– Personal information provided when visiting a site
• Only the Web site that created a cookie can read it

• First-party cookie
– Cookie created by Web site user is currently visiting
• Third-party cookie
– Site advertisers place a cookie to record user
preferences
• Session cookie
– Stored in RAM and expires when browser is closed

• Persistent cookie
– Recorded on computer’s hard drive
– Does not expire when browser closes
• Secure cookie
– Used only when browser visits server over secure
connection
– Always encrypted

• Flash cookie
– Uses more memory than traditional cookie
– Cannot be deleted through browser configuration
settings
– See Project 3-6 to change Flash cookie settings
• Cookies pose security and privacy risks
– May be stolen and used to impersonate user
– Used to tailor advertising
– Can be exploited by attackers

• Session hijacking
– Attacker attempts to impersonate user by stealing or
guessing session token
• Malicious add-ons
– Browser extensions provide multimedia or interactive
Web content
– Active X add-ons have several security concerns

Figure 3-7 Session hijacking

• Buffer overflow attacks
– Process attempts to store data in RAM beyond
boundaries of fixed-length storage buffer
– Data overflows into adjacent memory locations
– May cause computer to stop functioning
– Attacker can change “return address”
• Redirects to memory address containing malware
code

Figure 3-8 Buffer overflow attack

Network Attacks
• Denial of service (DoS)
– Attempts to prevent system from performing normal
functions
– Ping flood attack
• Ping utility used to send large number of echo request
messages
• Overwhelms Web server
– Smurf attack
• Ping request with originating address changed
• Appears as if target computer is asking for response
from all computers on the network

Network Attacks
• Denial of service (DoS) (cont’d.)
– SYN flood attack
• Takes advantage of procedures for establishing a
connection
• Distributed denial of service (DDoS)
– Attacker uses many zombie computers in a botnet to
flood a device with requests
– Virtually impossible to identify and block source of
attack

Figure 3-9 SYN flood attack

Interception
• Man-in-the-middle
– Interception of legitimate communication
– Forging a fictitious response to the sender
– Passive attack records transmitted data
– Active attack alters contents of transmission before
sending to recipient
• Replay attacks
– Similar to passive man-in-the-middle attack

Interception (cont’d.)
• Replay attacks (cont’d.)
– Attacker makes copy of transmission
• Uses copy at a later time
– Example: capturing logon credentials
• More sophisticated replay attacks
– Attacker captures network device’s message to
server
– Later sends original, valid message to server
– Establishes trust relationship between attacker and
server

Poisoning
• ARP poisoning
– Attacker modifies MAC address in ARP cache to
point to different computer
Table 3-3 ARP poisoning attack

Poisoning (cont’d.)
Table 3-4 Attacks from ARP poisoning

Poisoning (cont’d.)
• DNS poisoning
– Domain Name System is current basis for name
resolution to IP address
– DNS poisoning substitutes DNS addresses to
redirect computer to another device
• Two locations for DNS poisoning
– Local host table
– External DNS server

Figure 3-12 DNS poisoning

Attacks on Access Rights
• Privilege escalation
– Exploiting software vulnerability to gain access to
restricted data
– Lower privilege user accesses functions restricted to
higher privilege users
– User with restricted privilege accesses different
restricted privilege of a similar user

Attacks on Access Rights (cont’d.)
• Transitive access
– Attack involving a third party to gain access rights
– Has to do with whose credentials should be used
when accessing services
• Different users have different access rights

Chap 03.ppt

More Related Content

Similar to Chap 03.ppt

More from Razith2

Recently uploaded

Chap 03.ppt