Chapter 7: Identifying Advanced Attacks


ARP man-in-the-middle attacks

Imagine you have a wired subnet of users connected to a switch and then a router. Normally, traffic from the user to the Internet will go through the switch and then directly to the router. However, after poisoning the ARP cache/table of the victim, traffic will be redirected to the attacker. IP forwarding allows the attacker to send the traffic to the router so that the victim is unaware of the attack.

What is Spoofing?

Occurs when one person or entity impersonates or masquerades as someone or something else. There are many types of spoofing attacks, but many of them involve spoofing MAC addresses, source IP addresses, or the "from" address of an e-mail.

What is an SQL Injection attack?

The attacker enters additional data into a web page form to generate different SQL statements. SQL uses a semicolon (;) to indicate the end of a statement and two dashes (--) to begin a comment that is ignored. With this knowledge, the attacker can enter crafted input into the web form.

What is TCP Sequence prediction Attack?

An attempt to predict the sequence number used to identify the packets in a TCP connection, which can be used to counterfeit packets. The attacker hopes to correctly guess the sequence number to be used by the sending host. If they can do this, they will be able to send counterfeit packets to the receiving host that seem to originate from the sending host, even though the counterfeit packets may in fact originate from some third host controlled by the attacker.

What is domain kiting?

The practice of repeatedly registering and deleting a domain name so that the registrant can, in effect, own the domain name without paying for it. Domain kiting, like domain tasting, exploits the five-day add grace period (AGP) in the domain name registration system.

What is a ping of death?

Uses the 'ping' utility to create an IP packet that exceeds the maximum 65,535 bytes of data allowed by the IP specification. The oversized packet is then sent to an unsuspecting system. Systems may crash, hang, or reboot.

What are the two primary applications used for Web servers?

- Apache: the most popular. It is free and can run on Unix, Linux, and Windows.
- Internet Information Services (IIS): a Microsoft Web server, often included free with any Windows Server product.

What is a "stack-based buffer overflow" attack?

Another type of buffer overflow attack that exploits the special structure of the memory stack. The memory stack is the component of the memory address space of a process that contains data associated with function (or method) calls.

What is an ARP DoS Attack?

An attacker can send an ARP reply with a bogus MAC address for the default gateway. The default gateway is the IP address of a router connection that provides a path out of the network. If all of the computers cache the bogus MAC address for the default gateway, none of them can reach it, and it stops all traffic out of the network. So, basically, the attacker tells every host on the network that the IP address for the gateway is some unreachable address outside of the network. When the hosts want to communicate with the gateway, they communicate with the wrong device.

What is a Persistent XSS attack?

Also called a "Stored" XSS attack. This is one where the script itself is stored on the Web server. The bad guy does not have to send information in an email with the script inside of it. Instead, they can post a message in a social network or in a forum somewhere with a script inside of it. It's now a PERSISTENT threat because everyone who visits this Web site, or every viewer of the Web page with a browser susceptible to XSS, gets the payload. It can spread very, very quickly.

In the past, hackers would use vulnerable ports and services to launch their denial of service (DoS) attacks against a network, but those became simple to block. What do hackers use now to launch more successful attacks against networks?

Hackers now flood a network with legitimate traffic, so that any traffic that hits a network resource appears to be genuine and passes through all defenses.

Name some ways we can defend against buffer overflow attacks.

- Input validation/sanitization (e.g., verifying proper characters, such as verifying SSNs by accepting only the format "XXX-XX-XXXX"). Input validation also includes proper boundary/range checking. We can also block HTML code, such as "<" or ">" used for JavaScript, and prevent the use of specific characters, such as (-), ('), or (=), used in SQL injections.
- Boundary/range checking
- Higher-level programming languages
- Secure compilers
- Static libraries: Using shared libraries can be bad. Not only can attackers modify .dll files that your application uses, but using shared libraries also leaves a lot of empty space in your application that attackers can inject arbitrary code into.
- Error/exception handling: Make sure that your application can handle an error gracefully without crashing or revealing detailed information in the error response that an attacker can use.
- Use capable systems
- Test your application: Try breaking your own application and see how vulnerable it is to a buffer overflow.
- Canaries or canary words: known values placed between a buffer and control data on the stack to monitor for buffer overflows. When the buffer overflows, the first data to be corrupted will usually be the canary, so a failed verification of the canary data is an alert of an overflow, which can then be handled, for example, by invalidating the corrupted data.

How do we defend against a SQL Injection attack?

- Input validation/sanitization
- Stored procedures: Database developers often use "stored procedures" with dynamic web pages. A stored procedure is a group of SQL statements that execute as a whole, similar to a mini-program. A parameterized stored procedure accepts data as an input called a parameter. Instead of copying the user's input directly into a SELECT statement, the input is passed to the stored procedure as a parameter. The stored procedure performs data validation, but it also handles the parameter (the inputted data) differently and prevents a SQL injection attack.
- Prepared statements: The use of prepared statements with variable binding (aka parameterized queries) is how all developers should first be taught to write database queries. Parameterized queries force the developer to first define all the SQL code, and then pass in each parameter to the query later. This coding style allows the database to distinguish between code and data, regardless of what user input is supplied. Prepared statements ensure that an attacker is not able to change the intent of a query, even if SQL commands are inserted by an attacker.

How do we defend against a persistent XSS Attack?

- Input validation/sanitization on the application server side: This will block all use of HTML and JavaScript tags, such as "<" or ">", that an attacker can put into the application.
- Keep Web server applications updated.

Name 5 web-browser concerns related to security.

- Malicious add-ons
- Cookies and attachments
- Session hijacking attacks
- Flash cookies or LSOs
- Arbitrary code execution or remote code execution (RCE)

How do we defend against a non-persistent XSS attack?

- Never click malicious email links
- Spam filters
- Whitelisting email addresses
- Disable JavaScript
- Keep the web browser updated

How do we defend against XSRF attacks?

- Require dual authentication: Once users are automatically logged in via their cookies, they will have to authenticate again if they want to make a purchase or take some other action, for example.
- Do not click unknown HTTP links.

What is a DoS attack?

A Denial of Service attack is an attack from one attacker against a target.

What is a DDoS attack?

A Distributed Denial of Service attack is an attack from two or more computers against one single target.

What is a "simple buffer overflow" attack?

A classic example of a buffer overflow attack against an application program, which allows for a privilege escalation, is known as a "buffer overflow" attack. In any situation where a program allocates a fixed-size buffer in memory in which to store information, care must be taken to ensure that copying user-supplied data is done securely and with boundary checks. If this is not the case, then it may be possible for an attacker to provide input that exceeds the length of the buffer, which the program will dutifully attempt to copy to the allocated buffer. However, because the provided input is larger than the buffer, this copying may overwrite data beyond the location of the buffer in memory, and potentially allow the attacker to gain control of the entire process and execute arbitrary code on the machine. As an example, an application may be expecting to receive a string of 15 characters for a username. If input validation is not used and it receives more than 15 characters, it can cause a buffer overflow and expose system memory on the web server.

What is a Session Hijacking attack?

Also called "TCP session hijacking." When a user logs on to a website, the website often returns a cookie with a session ID for the session. In many cases, the cookie is stored on the user's system and remains until the user logs off. If the user closes the session and returns to the website, the website reads the cookie and automatically logs the user on. This is convenient to the user, but can be exploited by an attacker. In a session hijacking attack, the attacker learns the user's session ID and uses it to impersonate the user. The web server does not know the difference between the original user and the attacker. Attackers can read cookies on your system through XSS and Flash cookies.

What is a Non-Persistent XSS Attack?

Also called a "Reflected" XSS attack. These are attacks that are NOT a part of a web page. These attacks are ones that are emailed to you, OR you are enticed to click a link that is going to run the script that is part of that attack. This attack tries to take advantage of vulnerabilities in user input in things like a search box, for instance. You might get an email from the bad guy with a link that might say "please click this link," "here's a funny video," etc. That link will take you to a Web site that runs that cross-site script, which provides the bad guy with information they can use to gain access to your account. It takes advantage of a vulnerability. So, they might have you log into Facebook, a financial account, etc. Behind the scenes, it sends your credentials or session IDs back to the bad guy. Now they have access to your account. This attack EXECUTES IN THE VICTIM'S BROWSER. The victim goes to this website and it's the browser that becomes the problem for us. It runs exactly the script that the bad guy gave us, and the browser happily hands off our credentials. Our session IDs or cookies can be used to get into our account. The script tells the browser to grab the session ID, and it's sent to the bad guy.

What is a brute force attack?

An offline password attack that attempts to guess all possible character combinations. One of the best protections against offline brute force attacks is to use complex passwords using all 4 character types (uppercase, lowercase, numbers, and special characters). Additionally, longer passwords are more difficult to crack. Account lockout policies are effective too in online brute force attacks.

What is a dictionary attack?

An offline password attack that attempts to use every word in the dictionary of likely passwords to see if it works. Dictionaries used in these attacks evolved over time and included many of the common passwords that uneducated users configured for their accounts, like even 12345. These attacks are thwarted by using complex passwords.

What is a Rainbow Table attack?

A type of attack that attempts to discover the password from its hash. However, it uses rainbow tables, which are huge databases of precomputed hashes. It helps to look at the process of how some password crackers discover passwords without a rainbow table. Assume that an attacker has the hash of a password. Salting will prevent this attack.

What is an LDAP Injection attack?

Attackers can query or modify account information in Active Directory with LDAP commands. This type of attack gives a hacker access to system information from a Web page.

What is an "integer overflow" attack?

Attempts to create a numeric value that is too big for an application to handle. The result is that the application gives inaccurate results. As an example, if an application reserves 8 bits to store a number, it can store any value between 0 and 255. If the application attempts to multiply 2 values, such as 95 x 59, the result is 5,605. This number cannot be stored in the 8 bits, so it causes an integer overflow. In some situations, an integer overflow occurs if an application expects a positive number, but receives a negative number instead. If the application does not have adequate error- and exception-handling routines, this might cause a buffer overflow error. Or, say you assign a variable to cover the range between -32 and 32. If you were allocating space in memory or creating a buffer area to store some other information, and the size of that area was based on this integer, and we were expecting the integer to be 32, but when we are ready to allocate the space, instead of a 32 represented by that integer it's now a -32, obviously we cannot allocate a negative amount of space in memory and our application would fail. This is an integer overflow.

What is a Watering Hole Attack?

Attempts to discover which web site employees are likely to visit and then infects those web sites with malware that can infect the visitors.

What is an online password attack?

Attempts to discover a password from an online system. For example, an attacker trying to log on to an account by guessing a user's password is performing an online attack.

What is a fraggle?

Similar to a smurf attack, but instead of ICMP echoes, it uses UDP echoes. Admins can protect against this type of attack by configuring routers not to forward packets directed to broadcast addresses, which is usually the default.

What is an XML Injection Attack?

Many databases use Extensible Markup Language for inputting or exporting data. XML provides formatting rules to describe the data.

What is RCE?

Remote Code Execution. Also called "Arbitrary Code Execution." Arbitrary code execution refers to the ability of an attacker to execute commands or run programs on a targeted system. Remote code execution refers to the ability of an attacker to execute the code from a remote system. Neither of these is desirable because it allows an attacker to install and run malware on vulnerable systems. As an example, imagine an application, such as a Web browser, has a vulnerability that allows execution of code using one of these methods. An unsuspecting user can visit a malicious web site with specially crafted code to exploit this vulnerability. This code can use elevated privileges to cause the system to download a malicious file and then execute it to install. Once installed, the malware can allow the attacker to take control of the computer whenever desired. Software bugs are the most common reason for arbitrary code execution and remote code execution, so patches are important.

What is a header manipulation attack?

TCP/IP packages data into packets before sending them over a network. These packets have headers, which include different types of information depending on the header type. For example, TCP headers include port numbers to identify the protocol, and IP headers include source and destination IP addresses. Headers also include various flags. A "flag" is simply a bit that is set to 1 or 0, often indicating true or false. Attackers can manipulate the flags within the headers to modify behavior. In some cases of header manipulation, the attacker modifies data within the packet, such as the session ID. Many programs are available to attackers, making it relatively easy to modify these headers. In a session hijacking attack, the attacker inserts the session ID of the original user into the header. Many web sites use dual authentication to prevent an attacker from taking malicious action with the session ID. For example, Amazon will use the session ID to identify the user and enhance the browsing experience; however, if the user makes a purchase, Amazon requires the user to authenticate again. An attacker cannot authenticate again while in the victim's session without the right credentials.

What is the SDLC? Name the 4 steps of the SDLC.

The Software Development Life Cycle contains 4 steps:
1. Planning & Analysis
2. System Design
3. Implementation
4. Testing

What is a smurf attack?

This attack spoofs a ping. Usually, pings are unicast or sent from computer-to-computer. It's just an ICMP echo request that responds with an ICMP echo reply. However, in this attack, the attacker sends the ping out as a broadcast that is sent to all the computers in the subnet. The ping's source address is spoofed with the address of the target/victim computer. That way, when all the computers reply with their ICMP echo reply, they send the datagrams to the victim computer, which could disable that computer. Routers usually do not forward broadcast traffic by default, so this attack is rarely seen these days.

What is a SYN flood attack?

These attacks are easy to launch against servers. The attack interrupts the TCP three-way handshake by sending thousands of SYNs. The server responds with SYN+ACK, but the attacker does not respond with an ACK. Instead, he just sends more and more SYNs, which leaves thousands of connections "half-open." This eventually fills the server's connection buffer, and the server will no longer accept any more connection attempts.

What is a XSRF attack?

This is a Cross-Site Request Forgery attack: an attack where an attacker tricks a user into performing an action on a web site. The attacker creates a specially crafted HTML link and the user performs the action without realizing it. As an innocent example of how HTML links create actions, consider this HTML link: http://www.google.com/search?q=Success. If a user clicks on the link, it works just as if the user browsed to Google and entered "Success" in the search box. The ?q=Success part of the query causes the action. Many web sites use the same type of HTML queries to perform actions. For example, imagine a web site that supports user profiles. If a user wanted to change profile information, they could log on to the site, make the change, and click a button. The web site may use a link like this to perform the action: http://getcertifiedgetahead.com/edit?action=set&key=email&[email protected] Attackers use this knowledge to create a malicious link. For example, the following link could change the email address in the user profile, redirecting the user's email to the attacker: http://getcertifiedgetahead.com/edit?action=set&key=email&[email protected]. Thus, if a website supports any action via HTML link, an attack is possible. This includes making purchases, changing passwords, transferring money, and much more. Web sites typically will not allow these actions without users first logging on. However, if users have logged on before, authentication information is stored on their system either in a cookie or in the web browser's cache. Some web sites automatically use this information to log users on as soon as they visit. In some cases, the XSRF attack allows the attacker to access the user's password.

What is a Permanent DoS attack?

This is a type of DoS attack that is successful if the attacker is able to remotely flash the firmware of the target machine with his own image. It is normally used on routers or other networking devices. The attack is also called "flashing."

What is a birthday attack?

This is a type of password hash attack. It is named after the birthday paradox in mathematical probability theory. The birthday paradox states that for any random group of 23 people, there is a 50 percent chance that 2 of them have the same birthday. This is not the same year, but instead one of the 365 days in the year. In a birthday attack, an attacker is able to create a password that produces the same hash as the user's actual password. This is also known as a "hash collision." It occurs when the hashing algorithm creates the same hash from different passwords, which is not desirable. As an example, imagine a simple hashing algorithm creates 3-digit hashes. The password "success" might create a hash of 123 and the password "passed" might create the same hash of 123. In this scenario, an attacker could use either "success" or "passed" as the password and both would work! Birthday attacks on hashes are thwarted by increasing the number of bits used in the hash to increase the number of possible hashes. For example, the MD5 algorithm uses 128 bits and is susceptible to birthday attacks. Secure Hash Algorithm version 2 (SHA-2) can use as many as 512 bits and is not susceptible to birthday attacks. Any hash that creates 128-bit hashes and below is susceptible to this attack.

What is a tear drop attack?

This type of attack sends mangled IP fragments that overlap and create an oversized payload on the target machine. It causes the system to reboot or crash. This attack exploits a weakness in the reassembly of IP packet fragments. As data is transmitted through a network, IP packets are often broken up into smaller chunks. Each fragment looks like the original packet except that it contains an offset field. The Teardrop program creates a series of IP fragments with overlapping offset fields. When these fragments are reassembled at the destination, some systems will crash, hang, or reboot.

What is DNS poisoning?

Attempts to modify or corrupt DNS results. For example, a successful DNS poisoning attack can modify the IP address associated with the domain name google.com and replace it with the IP address of a malicious site. Each time a user queries DNS for the IP address of google.com, the DNS server responds with the IP address of the malicious Web site. Many current DNS servers use Domain Name System Security Extensions (DNSSEC) to protect the DNS records and prevent DNS poisoning attacks.

What is a "Race condition?"

When two or more modules of an application, or two or more applications, attempt to access a resource at the same time, it can cause a conflict known as a "race condition." Most developers are aware of this and develop code to prevent it. Developers who are not aware of race conditions, or ignore them, are in for trouble. As a simple example of a potential problem, imagine you are buying a plane ticket online and use the web application to pick your seat. You find a window seat and select it. However, at the same time you are selecting this window seat, someone else is, too. You both make the purchase at the same time and you both have tickets with the same seat number. You arrive after the other person and he's in your seat, unwilling to move, showing his ticket with the seat number. A flight attendant ultimately helps you find a seat. Unfortunately, it's between two burly gentlemen who have been on an all-cabbage diet for the last week. You probably won't be too happy.

What is a LAND Attack?

A type of DoS attack. In a LAND attack, hackers flood the network with SYN packets that have a spoofed source IP address of the targeted system. This makes it appear as if the host computer sent the packets to itself, making the system unavailable while the target system tries to respond to itself. This was an issue for older OSs.

What are flood guards?

Can help prevent SYN and other flooding attacks. Many firewalls and IDSs include flood guards, which are simply techniques to limit the success of a SYN flood attack. One method of detecting and blocking these attacks is by identifying the source IP address where all the SYNs are coming from. If you know where it's coming from, then a flood guard can block that IP address. The problem is obvious, though: any smart attacker is going to spoof their IP address in each SYN packet. Additionally, attackers often launch attacks from multiple systems at the same time, making it difficult to distinguish legitimate traffic from attacking traffic. Another method is to adjust the time a system waits for the third packet. For example, the system may normally wait 75 seconds for an ACK after sending the SYN/ACK packet. After sensing a barrage of SYN packets, it can reduce the time it waits for the ACK packet.

What is a directory traversal?

Also called a "dot dot slash" attack. It can leverage poorly secured web servers. They are usually used on PHP sites, but can also be used on MS web servers. The attack traverses the directory structure in hopes that the web server allows important files to be displayed. These files contain passwords and other important info that can be leveraged for further attacks. Cross-Site Request Forgery (XSRF) attacks are a type of directory traversal attack using HTML. In other words, it is an HTTP exploit that allows attackers to access restricted directories and execute commands outside of the web server's root directory. Any web page that accepts input from users is a potential threat. Directory traversal is a specific type of command injection attack that attempts to access a file by including the full directory path, or traversing the directory structure. For example, in Unix systems, the passwd file includes user login information, and it's stored in the /etc directory at the path /etc/passwd. Attackers can use commands such as ../../etc/passwd or .etc.passwd to read the file. Similarly, they could use a remove directory command (such as rm -rf) to delete a directory, including all files and subdirectories. Gaining access to certain directories can be done by modifying GET and POST requests.

What is typo squatting?

Also known as URL hijacking, it is a form of cybersquatting (sitting on sites under someone else's brand or copyright) that targets Internet users who incorrectly type a website address into their web browser (e.g., "Gooogle.com" instead of "Google.com").

What is ARP poisoning?

An attack that misleads computers or switches about the actual MAC address of a system. ARP resolves the IP addresses of systems to their hardware addresses and stores the result in an area of memory known as the ARP cache. TCP/IP uses the IP address to get a packet to a destination network. Once the packet arrives on the destination network, it uses the MAC address to get it to the correct host. ARP uses 3 primary messages: ARP request, ARP reply, and gratuitous ARP.

What is an offline password attack?

Attempts to discover passwords from captured databases or captured packet scans. For example, when attackers hack into a Web site causing a data breach, they can download entire databases. They can then perform offline attacks to discover the passwords contained within the databases. Similarly, Wi-Fi Protected Access (WPA) cracking attacks first capture the 4-way handshake when WPA wireless clients authenticate with wireless access points (WAPs).

What is a Zero-Day attack?

An attack that exploits an undocumented vulnerability. Many times, the vendor is not aware of the issue. At some point, the vendor learns of the vulnerability and begins to write and test a patch to eliminate it. However, until the vendor releases the patch or a workaround, the vulnerability is still a zero-day vulnerability.

What is a fork bomb?

Happens when an attacker is able to "fork" processes to create other processes. The forking continues until the system runs out of memory. These attacks are also called "wabbits" or "bacteria," since they self-replicate.

What is a Null session?

A connection to the Windows inter-process communication share (IPC$). If successful, the attacker can gain access to user IDs, share names, and other computer settings. This information can then be used to gain even higher levels of access or personal data. In other words, it is an attack that makes unauthenticated NetBIOS connections to the target computer.

What is a Man-in-the-middle attack?

A form of active interception or active eavesdropping. It uses a separate computer that accepts traffic from each party in a conversation and forwards the traffic between the two. The two computers are unaware of this, but the attacker can interrupt the traffic and insert malicious code. This is usually done by ARP poisoning. Kerberos helps prevent MITM attacks with mutual authentication. It does not allow a malicious system to insert itself in the middle of a conversation without the knowledge of the other two systems.

What is a replay attack?

An attack where an attacker replays data that was already part of a communication session. In a replay attack, a third party attempts to impersonate a client that was involved in the original session. Replay attacks can occur on both wired and wireless networks. As an example, Maggie and Bart may initiate a session with each other. During the communication, each client authenticates with the other by passing authentication credentials to the other system. Hacker Harry intercepts all the data, including the credentials, and later initiates a session with Maggie pretending to be Bart. When Maggie challenges Hacker Harry, he sends Bart's credentials. Many protocols use timestamps and sequence numbers to thwart replay attacks. For example, Kerberos helps prevent replay attacks with timestamped tickets.

What is an Xmas attack?

Also called the Christmas Tree Attack, it is a type of port scan used to identify underlying details of an OS. For example, it can determine if the scanned system is running an MS or Linux-based OS. A typical port scan attempts to learn what ports are open on a system. Based on what ports are open, the port scanner can detect what services and protocols are running. For example, if port 80 is open, it's very likely that the HTTP protocol is running on the system. However, the Xmas attack goes further. It has several bits set in the packet header and is reminiscent of lights lit on a Christmas tree. Or at least someone thought it was. Most importantly, the Xmas attack sets certain flags within the TCP packet header. Different OSs respond to these flags in specific ways. Attackers can analyze the response and determine the OS of the remote system in addition to what ports are open. In many cases, the attacker can even determine the version of the responding system. Fortunately, most IDSs and IPSs can detect these attacks.

What is a pharming attack?

Manipulates the DNS name resolution process as well. It either tries to corrupt the DNS server OR the DNS client. Just as DNS poisoning attacks can redirect users to a different web site, a successful DNS pharming attack redirects a user to a different web site. Pharming attacks on the client computer modify the hosts file used on Windows systems. This file is located in the C:\Windows\System32\drivers\etc\ folder. A default entry in the hosts file resolves the host name localhost to the IP address 127.0.0.1. If an attacker is able to modify other entries, he can cause systems to use that IP address instead of querying DNS. Many viruses have done this in the past. Here is an example of a corrupted hosts file that modifies the entry for google.com. You can use ipconfig /displaydns to show all the contents of the DNS resolver cache, which includes hosts file entries. You can also use ipconfig /flushdns to remove all the cached entries from DNS responses, but this won't do anything to the hosts file.

What are Transitive Access and Client-Side Attacks?

Transitive access relationships refer to trusts, and if not addressed, these relationships can allow unauthorized personnel to access restricted data. SQL Injection attacks are a type of transitive access attack performed from the client side using a web browser. Is this because the Web server automatically trusts any client? As an example, Homer is able to access the web server, and the web server is able to access the database server. However, even though Homer is not able to access the database server directly, he might be able to access the database server using transitive access attacks (SQL Injection) via his web browser. EXAMPLE ON PAGE 311. Even with two firewalls creating a DMZ where the web server resides and the database behind the 2nd firewall, Homer can still access the database through a SQL injection attack.

What does it mean to "salt" a password?

A salt is a set of random data, such as 2 additional characters. Password salting adds these additional characters to the password before hashing it. These additional characters add complexity to the password, and also result in a different hash than the system would create using the original password. This causes password attacks that compare hashes, such as the rainbow table attack, to fail.

What is a DLL Injection attack?

Although DLLs are great for memory conservation and debugging (programmers can easily change functions in their applications without recompiling their code), this technique poses a potential security risk because it may allow malicious parties to inject their own arbitrary code into legitimate programs via shared libraries. This is called a "DLL Injection Attack." Think of a DLL injection as a technique used for running code within the address space of another process by forcing it to load a dynamic-link library. Imagine the consequences if a guest user redefined a function called by a system administrator program; hence, the need for administrative privileges. This arbitrary and malicious code may grant access to the process's or application's memory space and permissions. Even worse, the attacker can mask his actions by disguising this as a legitimate process. So, basically, I think an attacker creates a .dll file with arbitrary code and fools the currently running process into loading that malicious .dll into memory. Defenses: HIDS, AV software, file integrity checking.

What is "fuzzing" or "fuzz testing?"

Uses a computer program to send random data to an application. In some cases, the random data can actually crash the program or provide unexpected results, indicating a vulnerability. Security professionals use fuzz testing to test systems and applications for vulnerabilities they can correct. In contrast, attackers use fuzz testing to identify vulnerabilities they can exploit. Sometimes, attackers will write a fuzz testing script to run on the attacked system instead of sending data over the network. For example, an attacker can use JavaScript to send random data to another service on the same system. In some cases, this discovers a string of data that can cause a buffer overflow. If an attacker discovers a string of data that can create a buffer overflow, he can use it in an attack.
