Analyzing Application & Network Attacks Flashcards
(Cross-site scripting)
Non-persistent (reflected) XSS attack
Web site allows scripts to run in user input
– Search box is a common source
• Attacker emails a link that takes advantage of this
vulnerability
– Runs a script that sends credentials/session IDs/cookies
to the attacker
• Script embedded in URL executes in the victim’s browser
– As if it came from the server
• Attacker uses credentials/session IDs/cookies to steal
victim’s information without their knowledge
– Very sneaky
(Cross-site scripting)
Persistent (stored) XSS attack
Is a script the persists on a website
Attacker posts a message to a social network
Includes the malicious payload
- It’s now “persistent” - Everyone gets the payload
- No specific target - All viewers to the page
• For social networking, this can spread quickly
Everyone who views the message can have it
posted to their page
– Where someone else can view it and propagate it further…
(Cross-site scripting)
Protecting against XSS
• Be careful when clicking untrusted links
– Never blindly click in your email inbox. Never.
• Consider disabling JavaScript
– Or control with an extension
– This offers limited protection
• Keep your browser and applications updated
– Avoid the nasty browser vulnerabilities
• Validate input
– Don’t allow users to add their own scripts to an
input field
Privilege escalation
Gain higher-level access to a system
– Exploit a vulnerability - Might be a bug or design flaw
• Higher-level access means more capabilities
– This commonly is the highest-level access
• These are high-priority vulnerability patches
– You want to get these holes closed very quickly
– Any user can be an administrator
• Horizontal privilege escalation
– User A can access user B resources
Mitigating privilege escalation
Patch quickly
– Fix the vulnerability
• Updated anti-virus/anti-malware software
• Data Execution Prevention – Only data in executable areas can run • Address space layout randomization – Prevent a buffer overrun at a known memory address
Injection Attacks
Code injection
SQL injection
XML injection and LDAP injection
DLL injection
DLL injection
• Dynamic-Link Library
– A Windows library containing code and data
– Many applications can use this library
• Inject a DLL and have an application run a program
– Runs as part of the target process
XML injection and LDAP injection
XML - Extensible Markup Language
–AKA Soap injection
Are attacks that target XML data stores by injecting
malicious XML and XPath code into a user
Controllable input-
Occurs when user Input is inserted unsafely
XML metacharacters can be used to modify
-Performs unauthorized task
• LDAP Injection - Lightweight Directory Access Protocol
Is often used in web applications over the internet or a corporate intranet
-The web application takes the input from the client in order to process it further, so the attacker exploits data not being properly sanitized or going directly to a back end database
• LDAP injection
– Modify LDAP requests to manipulate application results
Code injection
Code injection – Adding your own information into a data stream • Enabled because of bad programming – The application should properly handle input and output • So many different data types – HTML, SQL, XML, LDAP, etc.
(Coding Attacks)
NULL Pointer dereference
Programming technique that references a
portion of memory
-A null-pointer dereference occurs when a pointer with a value of NULL is used as if it actually points to a valid memory area
– What happens if that reference points to nothing?
– Application crash, debug information displayed, DoS
(Coding Attacks)
Directory traversal
Directory traversal / path traversal – Read files from a web server that are outside of the website’s file directory – Users shouldn’t be able to browse the Windows folder • Web server software vulnerability – Won’t stop users from browsing past the web server root • Web application code vulnerability – Take advantage of badly written code
(Coding Attacks)
Buffer overflows
Overwriting a buffer of memory
– Spills over into other memory areas
• Developers need to perform bounds checking
– The attackers spend a lot of time looking for openings
• Not a simple exploit
– Takes time to avoid crashing things
– Takes time to make it do what you want
• A really useful buffer overflow is repeatable
– Which means that a system can be compromised
(Coding Attacks)
Integer overflow
Large number into a smaller sized space
– Where does the extra number go?
– You shouldn’t be able to manipulate
memory this way
(Coding Attacks)
Race Conditions
A programming conundrum
– Sometimes, things happen at the same time
– This can be bad if you’ve not planned for it
• Time-of-check to time-of-use attack (TOCTOU)
– Check the system
– When do you use the results of your last check?
– Something might happen between the check
and the use
(Coding Attacks)
Improper error handling
Errors happen – And you should probably know about it Messages should be just informational enough – Avoid too much detail – Network information, memory dump, stack traces, database dumps • This is an easy one to find and fix – A development best-practice
Improper input handling
Many applications accept user input
– We put data in, we get data back
• All input should be considered malicious
– Check everything. Trust nobody.
• Allowing invalid input can be devastating
– SQL injections, buffer overflows,
denial of service, etc.
• It takes a lot of work to find input that
can be used maliciously
– But they will find it
Replay Attacks
– Replay the data to appear as someone else
This is not an on-path attack
– The actual replay doesn’t require
the original workstation
• Avoid this type of replay attack with a salt
– Use a session ID with the password hash to
create a unique authentication hash each time
– A crafty hacker will take advantage of this
• Need access to the raw network data
– Network tap, ARP poisoning, malware on the victim computer
• The gathered information may help the attacker
Useful information is transmitted over the network
API attacks
API - Application Programming Interface
• Attackers look for vulnerabilities in this new
communication path
– Exposing sensitive data, DoS, intercepted
communication, privileged access
Used to enable communication between applications and end-users ranging from your car telling you where the nearest fuel station is to your phone fetching weather and sports updates
API’s
are used and no matter what devices are connected
SSL stripping / HTTP downgrade
(Secure Socket Layer) (Transport Layer Security)
Combines an on-path attack with a downgrade attack
• Attacker must sit in the middle of the conversation
– Must modify data between the victim and web server
– Proxy server, ARP spoofing, rogue Wi-Fi hotspot, etc.
• Victim does not see any significant problem
– Except the browser page isn’t encrypted
– Strips the “S” away from HTTPS, which stands for secure
• This is a client and server problem
– Works on SSL and TLS
SSL and TLS
• SSL (Secure Sockets Layer) 2.0 - Deprecated in 2011
• SSL 3.0
– Vulnerable to the POODLE attack
– Deprecated in June 2015
• Transport Layer Security (TLS) 1.0
– Upgrade to SSL 3.0, and a name change
from SSL to TLS
– Can downgrade to SSL 3.0
• TLS 1.1
– Deprecated in January 2020 by modern browsers
• TLS 1.2 and TLS 1.3 - The latest standards
Driver Manipulation exampled
Shimming
Refactoring
Shimming
Filling in the space between two objects – A middleman • Windows includes it’s own shim – Backwards compatibility with previous Windows versions – Application Compatibility Shim Cache • Malware authors write their own shims – Get around security (like UAC) • January 2015 Microsoft vulnerability – Elevates privilege
Refactoring
Metamorphic malware
– A different program each time it’s downloaded
• Make it appear different each time
– Add NOP instructions
– Loops, pointless code strings
• Can intelligently redesign itself
– Reorder functions
– Modify the application flow
– Reorder code and insert unused data types
• Difficult to match with signature-based detection
– Use a layered approach
Driver
The interaction between the hardware and your
operating system
– They are often trusted
– Great opportunity for security issues
• May 2016 - HP Audio Drivers
– Conexant audio chips
– Driver installation includes audio control software
– Debugging feature enables a keylogger
• Hardware interactions contain sensitive information
– Video, keyboard, mouse
Evil twin
An unauthorized wireless access point
- May be added by an employee or an attacker
- Potential backdoor
Very easy to plug in a wireless AP
-or enable wireless sharing in your OS
Schedule a periodic survey
- Walk around your building/ campus
- Use third-paty tool/ Wifi Pineapple
Rogue access point
• A less-secure entry point to the network
Wireless disassociation
– A significant wireless
denial of service (DoS) attack
Wireless disassociation or wireless de-authentication attack is a denial of service attack that is specifically
causing devices that are on the wireless network to suddenly not be able to communicate at all to the access point.
Wireless jamming
• Many different types
– Constant, random bits / Constant, legitimate frames
• Data sent at random times
– Random data and legitimate frames
• Reactive jamming
– Only when someone else tries to communicate
• Needs to be somewhere close
– Difficult to be effective from a distance
• Time to go fox hunting
– You’ll need the right equipment to hunt down the jam – Directional antenna, attenuator
Weak keys
Larger keys are generally more difficult to brute force – The weak IV in RC4 resulted in the WEP security issues
WPA3
• Wi-Fi Protected Access 3 (WPA3) - Introduced in 2018
Bluejacking
Sending of unsolicited messages to another device via Bluetooth
– No mobile carrier required!
• Typical functional distance is about 10 meters
– More or less, depending on antenna and interference
• Bluejack with an address book object
– Instead of contact name, write a message – “You are Bluejacked!”
– “You are Bluejacked! Add to contacts?”
• Third-party software may also be used – Blooover, Bluesniff
Bluesnarfing
Access a Bluetooth-enabled device and transfer data – Contact list, calendar, email, pictures, video, etc.
• First major security weakness in Bluetooth – Marcel Holtmann in September 2003 and – Adam Laurie in November 2003
– This weakness was patched
• Serious security issue
– If you know the file, you can download it without
authentication
RFID (Radio-frequency identification)
It’s everywhere – Access badges – Inventory/Assembly line tracking – Pet/Animal identification – Anything that needs to be tracked • Radar technology – Radio energy transmitted to the tag – RF powers the tag, ID is transmitted back – Bidirectional communication – Some tag formats can be active/powered
RFID Attacks
• Data capture
– View communication – Replay attack
• Spoof the reader - Write your own data to the tag
• Denial of service - Signal jamming
• Decrypt communication
Wireless jamming
• Many different types
– Constant, random bits / Constant, legitimate frames
• Data sent at random times
– Random data and legitimate frames
• Reactive jamming
– Only when someone else tries to communicate
• Needs to be somewhere close
– Difficult to be effective from a distance
• Time to go fox hunting
– You’ll need the right equipment to hunt down the jam – Directional antenna, attenuator
Near field communication (NFC)
• Two-way wireless communication
– Builds on RFID, which is mostly one-way
• Payment systems
– Many options available
• Bootstrap for other wireless
– NFC helps with Bluetooth pairing
• Access token, identity “card”
– Short range with encryption support
NFC Security Concern
• Remote capture
– It’s a wireless network
– 10 meters for active devices
• Frequency jamming – Denial of service
• Relay / Replay attack – On-path attack
• Loss of RFC device control – Stolen/lost phone
Initialization Vectors (IV)
• A type of nonce
– Used for randomizing an encryption scheme – The more random the better
• Used in encryption ciphers, WEP, and some SSL implementations
Salt
• A nonce most commonly associated with password randomization
– Make the password hash unpredictable
• Password storage should always be salted – Each user gets a different salt
• If the password database is breached, you can’t correlate any passwords
– Even users with the same password have different
hashes stored
– Many default keys are on Google
Near field communication (NFC)
Two-way wireless communication – Builds on RFID, which is mostly one-way • Payment systems – Many options available • Bootstrap for other wireless – NFC helps with Bluetooth pairing • Access token, identity “card” – Short range with encryption support
NFC Security Concern
• Remote capture – It’s a wireless network – 10 meters for active devices • Frequency jamming – Denial of service • Relay / Replay attack – On-path attack • Loss of RFC device control – Stolen/lost phone
Man in The Middle Attack
A system with the ability to view the communication between two (or more) hosts (frames, packets) injects itself in the path between the host systems
Can be good (Proxy, ALG, Translators) or it can be dangerous (Proxy ARP, DHCP Spoofing)
Types of Layer 2 Attacks
ARP Poisoning
MAC Flooding
MMAC Cloning
ARP Poisoning
Address Resolution Protocol
- A form of man in the middle attack that exploits ARP
- ARP Maps the IP address to the MAC address
- When a hacker redirects your traffic to his device and then passes it on to a router, server, switch or other intended devices.
- Malicious host injects false frames in order to corrupt (poison) the ARP cache buffers on endpoints, switches, servers, firewalls, and routers
- Exploit kits have several scripts, modules, and tools to compromise the ARP protocol
- Only works in IPv4 networks - not IPv6
MAC flooding
The MAC table is only so big
• Attacker starts sending traffic with different source
MAC addresses
– Force out the legitimate MAC addresses
• The table fills up
– Switch begins flooding traffic to all interfaces
• This effectively turns the switch into a hub
– All traffic is transmitted to all interfaces
– No interruption in traffic flows
• Attacker can easily capture all network traffic!
• Flooding can be restricted in the switch’s port
security settings
MAC cloning / MAC spoofing
An attacker changes their MAC address to match
the MAC address of an existing device
– A clone / a spoof
• Circumvent filters
– Wireless or wired MAC filters
– Identify a valid MAC address and copy it
• Create a DoS
– Disrupt communication to the legitimate MAC
• Easily manipulated through software
– Usually a device driver option
Distributed Denial of Service (DDoS)
• Launch an army of computers to bring down a service
– Use all the bandwidth or resources - traffic spike
• This is why the attackers have botnets
– Thousands or millions of computers at your command
– At its peak, Zeus botnet infected over 3.6 million PCs
– Coordinated attack
• Asymmetric threat
– The attacker may have fewer resources than the victim
DDoS amplification
Turn your small attack into a big attackthe attacker performs two malicious tasks.
First, the attacker spoofs the IP address of the DNS resolver and replaces it with the victim’s IP address.
This will cause all DNS replies from the DNS servers
to be sent to the victim’s servers.
Second, the attacker finds an Internet domain that
is registered with many DNS records.
During the attack, the attacker sends DNS queries that request the entire list of DNS records for that domain.
This results in large replies from the DNS servers.
Using very few computers, the attacker send a high rate of short DNS queries
Malicious Code
This is the generic term from which malware is derived
-A virus is an unwanted and unsolicited malicious program or piece of code that can damage an electronic system
Malicious Script
Script viruses are written using script languages
This type of virus either infects other scripts or forms a part of multicomponent viruses
It affects only those applications for which it has been written
