S3 application and network attacks in.ppt

Security+ Guide to Network
Security Fundamentals,
Fourth Edition
Chapter 3
Application and Network Attacks

Objectives
• List and explain the different types of Web
application attacks
• Define client-side attacks
• Explain how a buffer overflow attack works
• List different types of denial of service attacks
• Describe interception and poisoning attacks
Security+ Guide to Network Security Fundamentals, Fourth Edition 2

Application Attacks
• Attacks that target applications
– Category continues to grow
– Web application attacks
– Client-side attacks
– Buffer overflow attacks
• Zero day attacks
– Exploit previously unknown vulnerabilities
– Victims have no time to prepare or defend

Web Application Attacks
• Web applications an essential element of
organizations today
• Approach to securing Web applications
– Hardening the Web server
– Protecting the network

Figure 3-1 Web application infrastructure
© Cengage Learning 2012

Web Application Attacks (cont’d.)
• Common Web application attacks
– Cross-site scripting
– SQL injection
– XML injection
– Command injection / directory traversal

Figure 3-2 Web application security

Cross-Site Scripting (XSS)
• Injecting scripts into a Web application server
– Directs attacks at clients
Figure 3-3 XSS attacks

Cross-Site Scripting (cont’d.)
• When victim visits injected Web site:
– Malicious instructions sent to victim’s browser
• Browser cannot distinguish between valid code and
malicious script
• Requirements of the targeted Web site
– Accepts user input without validation
– Uses input in a response without encoding it
• Some XSS attacks designed to steal information:
– Retained by the browser

Figure 3-4 Bookmark page that accepts user input
without validating and provides unencoded response

Figure 3-5 Input used as response

SQL Injection
• Targets SQL servers by injecting commands
• SQL (Structured Query Language)
– Used to manipulate data stored in relational
database
• Forgotten password example
– Attacker enters incorrectly formatted e-mail address
– Response lets attacker know whether input is being
validated

SQL Injection (cont’d.)
• Forgotten password example (cont’d.)
– Attacker enters email field in SQL statement
– Statement processed by the database
– Example statement:
SELECT fieldlist FROM table WHERE field
= ‘whatever’ or ‘a’=‘a’
– Result: All user email addresses will be displayed

SQL Injection (cont’d.)
• See link Ch 3f
Table 3-1 SQL injection statements

XML Injection
• Markup language
– Method for adding annotations to text
• HTML
– Uses tags surrounded by brackets
– Instructs browser to display text in specific format
• XML
– Carries data instead of indicating how to display it
– No predefined set of tags
• Users define their own tags

XML Injection (cont’d.)
• XML attack
– Similar to SQL injection attack
– Attacker discovers Web site that does not filter user
data
– Injects XML tags and data into the database
• Xpath injection
– Specific type of XML injection attack
– Attempts to exploit XML Path Language queries

Command Injection /
Directory Traversal
• Web server users typically restricted to root
directory
• Users may be able to access subdirectories:
– But not parallel or higher level directories
• Sensitive files to protect from unauthorized user
access
– Cmd.exe can be used to enter text-based
commands
– Passwd (Linux) contains user account information

Command Injection /
Directory Traversal (cont’d.)
• Directory traversal attack
– Takes advantage of software vulnerability
– Attacker moves from root directory to restricted
directories
• Command injection attack
– Attacker enters commands to execute on a server

Client-Side Attacks
• Web application attacks are server-side attacks
• Client-side attacks target vulnerabilities in client
applications
– Interacting with a compromised server
– Client initiates connection with server, which could
result in an attack

Client-Side Attacks (cont’d.)
• Drive-by download
– Client computer compromised simply by viewing a
Web page
– Attackers inject content into vulnerable Web server
• Gain access to server’s operating system
– Attackers craft a zero pixel frame to avoid visual
detection
– Embed an HTML document inside main document
– Client’s browser downloads malicious script
– Instructs computer to download malware

• Header manipulation
– HTTP header contains fields that characterize data
being transmitted
– Headers can originate from a Web browser
• Browsers do not normally allow this
• Attacker’s short program can allow modification
• Examples of header manipulation
– Referer
– Accept-language

• Referer field indicates site that generated the Web
page
– Attacker can modify this field to hide fact it came
from another site
– Modified Web page hosted from attacker’s computer
• Accept-language
– Some Web applications pass contents of this field
directly to database
– Attacker could inject SQL command by modifying
this header

• Cookies and Attachments
– Cookies store user-specific information on user’s
local computer
• Web sites use cookies to identify repeat visitors
• Examples of information stored in a cookie
– Travel Web sites may store user’s travel itinerary
– Personal information provided when visiting a site
• Only the Web site that created a cookie can read it

• First-party cookie
– Cookie created by Web site user is currently visiting
• Third-party cookie
– Site advertisers place a cookie to record user
preferences
• Session cookie
– Stored in RAM and expires when browser is closed

• Persistent cookie
– Recorded on computer’s hard drive
– Does not expire when browser closes
• Secure cookie
– Used only when browser visits server over secure
connection
– Always encrypted

• Flash cookie
– Uses more memory than traditional cookie
– Cannot be deleted through browser configuration
settings
– See Project 3-6 to change Flash cookie settings
• Cookies pose security and privacy risks
– May be stolen and used to impersonate user
– Used to tailor advertising
– Can be exploited by attackers

• Session hijacking
– Attacker attempts to impersonate user by stealing or
guessing session token
• Malicious add-ons
– Browser extensions provide multimedia or interactive
Web content
– Active X add-ons have several security concerns

Figure 3-7 Session hijacking

• Buffer overflow attacks
– Process attempts to store data in RAM beyond
boundaries of fixed-length storage buffer
– Data overflows into adjacent memory locations
– May cause computer to stop functioning
– Attacker can change “return address”
• Redirects to memory address containing malware
code

Figure 3-8 Buffer overflow attack

Network Attacks
• Denial of service (DoS)
– Attempts to prevent system from performing normal
functions
– Ping flood attack
• Ping utility used to send large number of echo request
messages
• Overwhelms Web server
– Smurf attack
• Ping request with originating address changed
• Appears as if target computer is asking for response
from all computers on the network

Network Attacks
• Denial of service (DoS) (cont’d.)
– SYN flood attack
• Takes advantage of procedures for establishing a
connection
• Distributed denial of service (DDoS)
– Attacker uses many zombie computers in a botnet to
flood a device with requests
– Virtually impossible to identify and block source of
attack

Figure 3-9 SYN flood attack

Interception
• Man-in-the-middle
– Interception of legitimate communication
– Forging a fictitious response to the sender
– Passive attack records transmitted data
– Active attack alters contents of transmission before
sending to recipient
• Replay attacks
– Similar to passive man-in-the-middle attack

Interception (cont’d.)
• Replay attacks (cont’d.)
– Attacker makes copy of transmission
• Uses copy at a later time
– Example: capturing logon credentials
• More sophisticated replay attacks
– Attacker captures network device’s message to
server
– Later sends original, valid message to server
– Establishes trust relationship between attacker and
server

Poisoning
• ARP poisoning
– Attacker modifies MAC address in ARP cache to
point to different computer
Table 3-3 ARP poisoning attack

Poisoning (cont’d.)
Table 3-4 Attacks from ARP poisoning

Poisoning (cont’d.)
• DNS poisoning
– Domain Name System is current basis for name
resolution to IP address
– DNS poisoning substitutes DNS addresses to
redirect computer to another device
• Two locations for DNS poisoning
– Local host table
– External DNS server

Figure 3-12 DNS poisoning

Attacks on Access Rights
• Privilege escalation
– Exploiting software vulnerability to gain access to
restricted data
– Lower privilege user accesses functions restricted to
higher privilege users
– User with restricted privilege accesses different
restricted privilege of a similar user

Attacks on Access Rights (cont’d.)
• Transitive access
– Attack involving a third party to gain access rights
– Has to do with whose credentials should be used
when accessing services
• Different users have different access rights

S3 application and network attacks in.ppt

More Related Content

Similar to S3 application and network attacks in.ppt

More from ubaidullah75790

Recently uploaded

S3 application and network attacks in.ppt