Security+ Guide to Network Security Fundamentals, Fourth Edition

Chapter 3: Application and Network Attacks

Objectives
• List and explain the different types of Web application attacks
• Define client-side attacks
• Explain how a buffer overflow attack works
• List different types of denial of service attacks
• Describe interception and poisoning attacks

Application Attacks
• Attacks that target applications
  – Category continues to grow
  – Web application attacks
  – Client-side attacks
  – Buffer overflow attacks
• Zero day attacks
  – Exploit previously unknown vulnerabilities
  – Victims have no time to prepare or defend

Web Application Attacks
• Web applications are an essential element of organizations today
• Approach to securing Web applications
  – Hardening the Web server
  – Protecting the network

Figure 3-1 Web application infrastructure (© Cengage Learning 2012)

• Common Web application attacks
  – Cross-site scripting
  – SQL injection
  – XML injection
  – Command injection / directory traversal

Figure 3-2 Web application security

Cross-Site Scripting (XSS)
• Injecting scripts into a Web application server
  – Directs attacks at clients

Figure 3-3 XSS attacks
• When victim visits injected Web site:
  – Malicious instructions sent to victim's browser
• Browser cannot distinguish between valid code and malicious script
• Requirements of the targeted Web site
  – Accepts user input without validation
  – Uses input in a response without encoding it
• Some XSS attacks designed to steal information retained by the browser

Figure 3-4 Bookmark page that accepts user input without validating and provides unencoded response

Figure 3-5 Input used as response

SQL Injection
• Targets SQL servers by injecting commands
• SQL (Structured Query Language)
  – Used to manipulate data stored in relational database
• Forgotten password example
  – Attacker enters incorrectly formatted e-mail address
  – Response lets attacker know whether input is being validated
  – Attacker enters SQL code in the e-mail field
  – Statement processed by the database
  – Example statement: SELECT fieldlist FROM table WHERE field = 'whatever' or 'a'='a'
  – Result: All user e-mail addresses will be displayed

Table 3-1 SQL injection statements
• See link Ch 3f

XML Injection
• Markup language
  – Method for adding annotations to text
• HTML
  – Uses tags surrounded by brackets
  – Instructs browser to display text in specific format
• XML
  – Carries data instead of indicating how to display it
  – No predefined set of tags
    • Users define their own tags
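A worked example of the defenses the XSS and SQL injection slides above point at (validate input, encode output, bind query parameters), run against the slides' own 'whatever' or 'a'='a' statement. This is added example code, not from the textbook; the in-memory users table and the bookmark markup are constructed.

```python
import html
import re
import sqlite3

# Constructed in-memory users table standing in for the "forgotten password" lookup.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice@example.com", "Alice"), ("bob@example.com", "Bob")])
    return conn

def lookup_vulnerable(conn, email):
    # Input pasted straight into the statement: the pattern the slides describe.
    # 'whatever' or 'a'='a' makes the WHERE clause true for every row.
    sql = f"SELECT email FROM users WHERE email = '{email}'"
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterized(conn, email):
    # Parameter binding: the driver hands the whole input to the database as one
    # literal value, so quotes and OR clauses inside it cannot change the logic.
    rows = conn.execute("SELECT email FROM users WHERE email = ?", (email,))
    return [row[0] for row in rows]

EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

def is_valid_email(value):
    # Input validation (the first precondition on the slides): reject anything
    # not shaped like an address before it reaches the database or the page.
    return bool(EMAIL_RE.match(value))

def render_bookmark_vulnerable(title):
    # Unencoded response (the second precondition): the browser parses the
    # submitted text as markup, as in Figure 3-5.
    return f"<li>{title}</li>"

def render_bookmark_encoded(title):
    # Output encoding turns <, >, &, " and ' into entities, so the browser
    # displays the text instead of executing it.
    return f"<li>{html.escape(title, quote=True)}</li>"
```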
• XML attack
  – Similar to SQL injection attack
  – Attacker discovers Web site that does not filter user data
  – Injects XML tags and data into the database
• XPath injection
  – Specific type of XML injection attack
  – Attempts to exploit XML Path Language queries

Command Injection / Directory Traversal
• Web server users typically restricted to root directory
• Users may be able to access subdirectories:
  – But not parallel or higher level directories
• Sensitive files to protect from unauthorized user access
  – cmd.exe (Windows) can be used to enter text-based commands
  – passwd (Linux) contains user account information
• Directory traversal attack
  – Takes advantage of software vulnerability
  – Attacker moves from root directory to restricted directories
• Command injection attack
  – Attacker enters commands to execute on a server

Client-Side Attacks
• Web application attacks are server-side attacks
• Client-side attacks target vulnerabilities in client applications
  – Interacting with a compromised server
  – Client initiates connection with server, which could result in an attack
• Drive-by download
  – Client computer compromised simply by viewing a Web page
  – Attackers inject content into vulnerable Web server
    • Gain access to server's operating system
  – Attackers craft a zero pixel frame to avoid visual detection
  – Embed an HTML document inside main document
  – Client's browser downloads malicious script
  – Instructs computer to download malware
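The check a Web server needs for the directory traversal slides above: map a requested path onto the document root and refuse anything that normalizes to a parallel or higher-level directory. Added example code, not from the textbook; the document root /var/www/html is a constructed placeholder.

```python
import os
from urllib.parse import unquote

# Constructed document root; on a real server this is the Web server's root directory.
WEB_ROOT = "/var/www/html"

def resolve_request(requested_path, web_root=WEB_ROOT):
    """Map a requested URL path to a file under web_root.

    Returns the absolute file path, or None when the request would leave the
    root (a directory traversal attempt).
    """
    root = os.path.abspath(web_root)
    # Decode percent-encoding first: "%2e%2e%2f" is just "../" in disguise.
    decoded = unquote(requested_path)
    # Treat backslashes as separators too, so "..\" is not a way around the check.
    decoded = decoded.replace("\\", "/")
    # Join relative to the root and collapse "." and ".." components.
    candidate = os.path.normpath(os.path.join(root, decoded.lstrip("/")))
    # The normalized path must be the root itself or something inside it.
    if candidate != root and not candidate.startswith(root + os.sep):
        return None
    return candidate

def is_traversal_attempt(requested_path, web_root=WEB_ROOT):
    # Detection helper for request logs: True when the request escapes the root.
    return resolve_request(requested_path, web_root) is None
```

The same containment test applies whether the protected file is passwd on Linux or cmd.exe on Windows; only the root and separator differ.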
• Header manipulation
  – HTTP header contains fields that characterize data being transmitted
  – Headers can originate from a Web browser
    • Browsers do not normally allow users to modify them
    • Attacker's short program can allow modification
• Examples of header manipulation
  – Referer
  – Accept-Language
• Referer field indicates site that generated the Web page
  – Attacker can modify this field to hide fact it came from another site
  – Modified Web page hosted from attacker's computer
• Accept-Language
  – Some Web applications pass contents of this field directly to database
  – Attacker could inject SQL command by modifying this header
• Cookies and attachments
  – Cookies store user-specific information on user's local computer
    • Web sites use cookies to identify repeat visitors
  – Examples of information stored in a cookie
    • Travel Web sites may store user's travel itinerary
    • Personal information provided when visiting a site
• Only the Web site that created a cookie can read it
• First-party cookie
  – Cookie created by Web site user is currently visiting
• Third-party cookie
  – Site advertisers place a cookie to record user preferences
• Session cookie
  – Stored in RAM and expires when browser is closed
• Persistent cookie
  – Recorded on computer's hard drive
  – Does not expire when browser closes
• Secure cookie
  – Used only when browser visits server over secure connection
  – Always encrypted
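A small audit of Set-Cookie headers against the cookie types on the slides above: each cookie is classified as session or persistent from its Expires/Max-Age attribute, and cookies sent without the Secure attribute are reported. Added example code, not from the textbook; the four headers are constructed, and the HttpOnly attribute it also checks is not named on the slides.

```python
# Constructed Set-Cookie headers, as a server might return them.
SAMPLE_HEADERS = [
    "sessionid=3f9a1c; Path=/; Secure; HttpOnly",
    "itinerary=NYC-LHR; Path=/; Expires=Fri, 31 Dec 2027 23:59:59 GMT",
    "prefs=lang%3Den; Max-Age=31536000; Path=/",
    "csrf=7b2d; Path=/; Secure",
]

def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, attributes).

    Attribute names are lower-cased; flag attributes such as Secure map to "".
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs

def audit_cookie(header):
    """Classify one cookie per the slides' types and list weak attributes."""
    name, _, attrs = parse_set_cookie(header)
    # Persistent cookies carry an expiry; session cookies die with the browser.
    kind = "persistent" if ("expires" in attrs or "max-age" in attrs) else "session"
    findings = []
    if "secure" not in attrs:
        # Without Secure the browser also sends the cookie over plain HTTP,
        # where it can be intercepted and replayed to impersonate the user.
        findings.append("missing Secure")
    if "httponly" not in attrs:
        # HttpOnly keeps script injected via XSS from reading the cookie
        # through document.cookie.
        findings.append("missing HttpOnly")
    return {"name": name, "kind": kind, "findings": findings}

def audit_all(headers=SAMPLE_HEADERS):
    return [audit_cookie(h) for h in headers]
```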
• Flash cookie
  – Uses more memory than traditional cookie
  – Cannot be deleted through browser configuration settings
  – See Project 3-6 to change Flash cookie settings
• Cookies pose security and privacy risks
  – May be stolen and used to impersonate user
  – Used to tailor advertising
  – Can be exploited by attackers
• Session hijacking
  – Attacker attempts to impersonate user by stealing or guessing session token
• Malicious add-ons
  – Browser extensions provide multimedia or interactive Web content
  – ActiveX add-ons have several security concerns

Figure 3-7 Session hijacking

• Buffer overflow attacks
  – Process attempts to store data in RAM beyond boundaries of fixed-length storage buffer
  – Data overflows into adjacent memory locations
  – May cause computer to stop functioning
  – Attacker can change "return address"
    • Redirects to memory address containing malware code

Figure 3-8 Buffer overflow attack

Network Attacks
• Denial of service (DoS)
  – Attempts to prevent system from performing normal functions
  – Ping flood attack
    • Ping utility used to send large number of echo request messages
    • Overwhelms Web server
  – Smurf attack
    • Ping request with originating address changed
    • Appears as if target computer is asking for response from all computers on the network
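Detection logic for the two ICMP attacks on the slides above, run over a constructed list of echo-request records: a per-source sliding-window count catches a ping flood, and echo requests addressed to the segment's broadcast address are the smurf signature (their apparent source is the spoofed victim, not the attacker). Added example code, not from the textbook; addresses, the 192.168.1.0/24 segment and the thresholds are constructed.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed ICMP echo-request records: (timestamp_seconds, source, destination).
# In practice these come from a packet capture or a flow log.
LOCAL_NET = ip_network("192.168.1.0/24")
PACKETS = [(i * 0.01, "10.0.0.7", "192.168.1.10") for i in range(120)] + [
    (2.0, "203.0.113.5", "192.168.1.10"),
    (2.1, "192.168.1.10", "192.168.1.255"),   # "victim" asking the whole LAN to reply
    (2.2, "192.168.1.10", "192.168.1.255"),
    (3.0, "192.168.1.20", "192.168.1.1"),     # ordinary single ping
]

def ping_flood_sources(packets, window=1.0, threshold=50):
    """Return sources that sent more than `threshold` echo requests within any
    `window` seconds (ping flood signature)."""
    by_source = {}
    for ts, src, _ in packets:
        by_source.setdefault(src, []).append(ts)
    flagged = set()
    for src, times in by_source.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it spans at most `window` seconds.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > threshold:
                flagged.add(src)
                break
    return flagged

def smurf_requests(packets, net=LOCAL_NET):
    """Count echo requests aimed at the directed broadcast address, per apparent
    source. Every host on the segment answers that source, so the address shown
    here is the spoofed victim that the flood of replies will hit."""
    bcast = net.broadcast_address
    return Counter(src for _, src, dst in packets if ip_address(dst) == bcast)
```

Blocking ICMP echo requests to directed broadcast addresses at the router removes the amplification that the smurf attack depends on.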
  – SYN flood attack
    • Takes advantage of procedures for establishing a connection
• Distributed denial of service (DDoS)
  – Attacker uses many zombie computers in a botnet to flood a device with requests
  – Virtually impossible to identify and block source of attack

Figure 3-9 SYN flood attack

Interception
• Man-in-the-middle
  – Interception of legitimate communication
  – Forging a fictitious response to the sender
  – Passive attack records transmitted data
  – Active attack alters contents of transmission before sending to recipient
• Replay attacks
  – Similar to passive man-in-the-middle attack
  – Attacker makes copy of transmission
    • Uses copy at a later time
  – Example: capturing logon credentials
• More sophisticated replay attacks
  – Attacker captures network device's message to server
  – Later sends original, valid message to server
  – Establishes trust relationship between attacker and server

Poisoning
• ARP poisoning
  – Attacker modifies MAC address in ARP cache to point to different computer

Table 3-3 ARP poisoning attack

Table 3-4 Attacks from ARP poisoning
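A monitor for the ARP poisoning described on the slides and in Tables 3-3 and 3-4 above: it keeps the IP-to-MAC bindings an ARP cache would hold and raises an alert when an address's MAC changes or when one MAC answers for several addresses (the poisoned cache that lets the attacker sit between two hosts). Added example code, not from the textbook; the ARP replies, addresses and MACs are constructed.

```python
# Constructed ARP replies seen on one segment: (timestamp, sender_ip, sender_mac).
ARP_REPLIES = [
    (0, "192.168.1.1", "00:11:22:33:44:01"),    # gateway
    (1, "192.168.1.50", "00:11:22:33:44:50"),   # workstation
    (5, "192.168.1.1", "AA:BB:CC:DD:EE:FF"),    # gateway's IP now claimed by another MAC
    (6, "192.168.1.50", "aa:bb:cc:dd:ee:ff"),   # same MAC also claims the workstation
]

def detect_arp_poisoning(replies, known=None):
    """Track IP-to-MAC bindings and report the two signs of ARP poisoning:
    an IP whose MAC changes, and one MAC answering for several IPs.

    `known` seeds the table with trusted bindings (e.g. the gateway), so the
    very first forged reply for a seeded address is also caught.
    """
    bindings = {ip: mac.lower() for ip, mac in (known or {}).items()}
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        prev = bindings.get(ip)
        if prev is not None and prev != mac:
            alerts.append(f"t={ts}: {ip} moved from {prev} to {mac}")
        bindings[ip] = mac
    # A legitimate host can own several IPs (e.g. a router with multiple
    # addresses), so this second rule is a lead to verify, not proof by itself.
    owners = {}
    for ip, mac in bindings.items():
        owners.setdefault(mac, []).append(ip)
    for mac, ips in owners.items():
        if len(ips) > 1:
            alerts.append(f"{mac} claims {len(ips)} addresses: {', '.join(sorted(ips))}")
    return bindings, alerts
```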
• DNS poisoning
  – Domain Name System is current basis for name resolution to IP address
  – DNS poisoning substitutes DNS addresses to redirect computer to another device
• Two locations for DNS poisoning
  – Local host table
  – External DNS server

Figure 3-12 DNS poisoning

Attacks on Access Rights
• Privilege escalation
  – Exploiting software vulnerability to gain access to restricted data
  – Lower privilege user accesses functions restricted to higher privilege users
  – User with restricted privilege accesses different restricted privilege of a similar user
• Transitive access
  – Attack involving a third party to gain access rights
  – Has to do with whose credentials should be used when accessing services
    • Different users have different access rights