Analyzing Application & Network Attacks Flashcards
(Cross-site scripting)
Non-persistent (reflected) XSS attack
Web site allows scripts to run in user input
– Search box is a common source
• Attacker emails a link that takes advantage of this vulnerability
– Runs a script that sends credentials/session IDs/cookies to the attacker
• Script embedded in URL executes in the victim’s browser
– As if it came from the server
• Attacker uses credentials/session IDs/cookies to steal victim’s information without their knowledge
– Very sneaky
(Cross-site scripting)
Persistent (stored) XSS attack
Is a script that persists on a website
• Attacker posts a message to a social network
– Includes the malicious payload
– It’s now “persistent”
– Everyone gets the payload
– No specific target – All viewers of the page
• For social networking, this can spread quickly
– Everyone who views the message can have it posted to their page
– Where someone else can view it and propagate it further…
(Cross-site scripting)
Protecting against XSS
• Be careful when clicking untrusted links
– Never blindly click in your email inbox. Never.
• Consider disabling JavaScript
– Or control with an extension
– This offers limited protection
• Keep your browser and applications updated
– Avoid the nasty browser vulnerabilities
• Validate input
– Don’t allow users to add their own scripts to an input field
Privilege escalation
Gain higher-level access to a system
– Exploit a vulnerability
– Might be a bug or design flaw
• Higher-level access means more capabilities
– This is commonly the highest-level access
• These are high-priority vulnerability patches
– You want to get these holes closed very quickly
– Any user can be an administrator
• Horizontal privilege escalation
– User A can access user B resources
Mitigating privilege escalation
Patch quickly
– Fix the vulnerability
• Updated anti-virus/anti-malware software
• Data Execution Prevention
– Only data in executable areas can run
• Address space layout randomization
– Prevent a buffer overrun at a known memory address
Injection Attacks
Code injection
SQL injection
XML injection and LDAP injection
DLL injection
DLL injection
• Dynamic-Link Library
– A Windows library containing code and data
– Many applications can use this library
• Inject a DLL and have an application run a program
– Runs as part of the target process
XML injection and LDAP injection
XML – Extensible Markup Language
– AKA SOAP injection
– Attacks that target XML data stores by injecting malicious XML and XPath code into user-controllable input
– Occurs when user input is inserted unsafely
– XML metacharacters can be used to modify the XML structure
– Performs unauthorized tasks
• LDAP injection – Lightweight Directory Access Protocol
– LDAP is often used in web applications over the internet or a corporate intranet
– The web application takes the input from the client in order to process it further, so the attacker exploits data not being properly sanitized or going directly to a back-end database
• LDAP injection
– Modify LDAP requests to manipulate application results
Code injection
Code injection
– Adding your own information into a data stream
• Enabled because of bad programming
– The application should properly handle input and output
• So many different data types
– HTML, SQL, XML, LDAP, etc.
(Coding Attacks)
NULL Pointer dereference
Programming technique that references a portion of memory
– A null-pointer dereference occurs when a pointer with a value of NULL is used as if it actually points to a valid memory area
– What happens if that reference points to nothing?
– Application crash, debug information displayed, DoS
(Coding Attacks)
Directory traversal
Directory traversal / path traversal
– Read files from a web server that are outside of the website’s file directory
– Users shouldn’t be able to browse the Windows folder
• Web server software vulnerability
– Won’t stop users from browsing past the web server root
• Web application code vulnerability
– Take advantage of badly written code
(Coding Attacks)
Buffer overflows
Overwriting a buffer of memory
– Spills over into other memory areas
• Developers need to perform bounds checking
– The attackers spend a lot of time looking for openings
• Not a simple exploit
– Takes time to avoid crashing things
– Takes time to make it do what you want
• A really useful buffer overflow is repeatable
– Which means that a system can be compromised
(Coding Attacks)
Integer overflow
Large number into a smaller sized space
– Where does the extra number go?
– You shouldn’t be able to manipulate memory this way
(Coding Attacks)
Race Conditions
A programming conundrum
– Sometimes, things happen at the same time
– This can be bad if you’ve not planned for it
• Time-of-check to time-of-use attack (TOCTOU)
– Check the system
– When do you use the results of your last check?
– Something might happen between the check and the use
(Coding Attacks)
Improper error handling
Errors happen
– And you should probably know about it
• Messages should be just informational enough
– Avoid too much detail
– Network information, memory dump, stack traces, database dumps
• This is an easy one to find and fix
– A development best-practice
Improper input handling
Many applications accept user input
– We put data in, we get data back
• All input should be considered malicious
– Check everything. Trust nobody.
• Allowing invalid input can be devastating
– SQL injections, buffer overflows,
denial of service, etc.
• It takes a lot of work to find input that can be used maliciously
– But they will find it
Replay Attacks
Useful information is transmitted over the network
– A crafty hacker will take advantage of this
• Need access to the raw network data
– Network tap, ARP poisoning, malware on the victim computer
• The gathered information may help the attacker
– Replay the data to appear as someone else
• This is not an on-path attack
– The actual replay doesn’t require the original workstation
• Avoid this type of replay attack with a salt
– Use a session ID with the password hash to create a unique authentication hash each time
API attacks
API – Application Programming Interface
• Attackers look for vulnerabilities in this new communication path
– Exposing sensitive data, DoS, intercepted communication, privileged access
• APIs are used to enable communication between applications and end-users, ranging from your car telling you where the nearest fuel station is to your phone fetching weather and sports updates
– APIs are used no matter what devices are connected