Chapter 3
Types of overflow attacks:
- Buffer overflow attacks
- Integer overflow attacks
- Arbitrary/remote code execution attacks
Cookies
- Cookies store user-specific information on the user's local computer
Common web application attacks include:
- Cross-site scripting
- SQL injection
- XML injection
- Command injection/directory traversal
Header manipulation
- HTTP header contains fields that characterize the data being transmitted
- Headers can originate from a Web browser
  • Browsers do not normally allow this
  • An attacker's short program can allow modification
Buffer overflow attacks
- Occur when a process attempts to store data in RAM beyond the boundaries of a fixed-length storage buffer
- Extra data overflows into adjacent memory locations
  • An attacker can overflow the buffer with a new address pointing to the attacker's malware code
Locally shared object (LSO)
- Can store up to 100 KB of data from a website
- More complex than the simple text found in a regular cookie
- Also called a Flash cookie
First-party cookie
- Cookie created by the Web site the user is currently viewing
Session cookie
- Stored in RAM and expires when the browser is closed
Arbitrary/Remote Code Execution
A heap spray is often used in an arbitrary/remote code execution attack
• Inserts data only in parts of memory
• Malicious add-ons can be written by using Microsoft's ActiveX
ActiveX is a set of rules for how applications under the Microsoft Windows OS should share information
• Attackers can take advantage of vulnerabilities in ActiveX to perform malicious attacks on a computer
In an integer overflow attack:
An attacker changes the value of a variable to something outside the range that the programmer had intended by using an integer overflow
• Integer Overflow Attack
An integer overflow is the condition that occurs when the result of an arithmetic operation exceeds the maximum size of the integer type used to store it
Attachments
- Files that are coupled with email messages
- Malicious attachments are commonly used to spread viruses, Trojans, and other malware
Session Hijacking
Attacker attempts to impersonate a user by stealing or guessing the session token
- Session token is a random string assigned to an interaction between a user and a web application
• An attacker can attempt to obtain the session token:
  - By using XSS or other attacks to steal the session token cookie from the victim's computer
  - By eavesdropping on the transmission
  - By guessing the session token
• Security risks exist when using add-ons
Attackers can create malicious add-ons to launch attacks against the user's computer
• Impartial overflow attacks
Attacks designed to "overflow" areas of memory with instructions from the attacker
Application Attacks
Attacks on the applications in a networked computer system can be directed toward the server, the client, or both
Drive-by download
Client computer is compromised simply by viewing a Web page
- Attackers inject content into a vulnerable Web server
  • Gain access to the server's operating system
- Attackers craft a zero-pixel iframe (short for inline frame) to avoid visual detection
  • Embeds an HTML document inside the main document
- Client's browser downloads the malicious script
  • Instructs the computer to download malware
Add-ons can do the following:
- Create additional web browser toolbars
- Change browser menus
- Be aware of other tabs open in the same browser
- Process the content of every webpage that is loaded
Cross-Site Scripting (XSS)
Injecting scripts into a Web application server to direct attacks at unsuspecting clients
• Malicious Add-ons
Plug-in - a third-party library that attaches to a web browser and can be embedded inside a webpage
Add-ons or extensions - add functionality to the web browser
• Examples of HTTP header manipulation
- Referer
- Accept-language
- Response splitting
Server-Side Web Application Attacks
Securing server-side web applications is often considered more difficult than protecting other systems
SQL Injection
Targets SQL servers by injecting malicious commands into them
• SQL (Structured Query Language)
  - Used to manipulate data stored in a relational database
• Forgotten password example:
  - Attacker enters an incorrectly formatted e-mail address
  - Response lets the attacker know whether input is being validated
Client-Side Application Attacks
Web application attacks are server-side attacks
• Client-side attacks target vulnerabilities in client applications that interact with a compromised server or process malicious data
• The client initiates the connection with the server, which could result in an attack
Directory Traversal/ Command Injection
Web server users are typically restricted to the root directory
• Users may be able to access subdirectories:
  - But not parallel or higher-level directories
• Directory traversal attack
  - Uses malformed input or takes advantage of software vulnerabilities
  - Attacker moves from the root directory to restricted directories
• Command injection attack
  - Attacker enters commands to execute on a server
• A directory traversal attack can be launched through:
  - A vulnerability in the web application program that accepts user input
  - A vulnerability in the web server OS software
  - A security misconfiguration on the server
Zero-day attack
An attack that exploits previously unknown vulnerabilities; victims have no time to prepare for or defend against the attack
An arbitrary/remote code execution attack allows
an attacker to run programs and execute commands on a different computer
- Gains control of the victim's computer to execute commands
• Traditional network security devices
can block traditional network attacks, but cannot always block web application attacks
- Many network security devices ignore the content of HTTP traffic
Accept-language
field contents may be passed directly to an SQL database
- Attacker could inject an SQL command by modifying this header
Referer field
indicates the site that generated the Web page
- Attacker can modify this field to hide the fact that it came from another site
Response splitting
is one of the most common HTTP header manipulation attacks
Persistent cookie
Recorded on the computer's hard drive and does not expire when the browser closes
• Also called a tracking cookie
Third-party cookie
Site advertisers place a cookie to record user preferences
Many server-side web application attacks
target the input that the applications accept from users
What do cookies do?
• Cookies pose security and privacy risks
  - First-party cookies may be stolen and used to impersonate the user
  - Used to tailor advertising
  - Can be exploited by attackers
XML Injection
• Markup language
  - Method for adding annotations to text
• HTML
  - Uses tags surrounded by brackets
  - Instructs the browser to display text in a specific format
• XML
  - Carries data instead of indicating how to display it
  - No predefined set of tags
    • Users define their own tags
Source: CompTIA Security+ Guide to Network Security Fundamentals, Fifth Edition, © Cengage Learning 2015
• XML injection attack
  - Similar to a SQL injection attack
  - Attacker discovers a Web site that does not filter user data
  - Injects XML tags and data into the database
• XPath injection
  - Specific type of XML injection attack
  - Attempts to exploit XML Path Language queries that are built from user input