Chapter 2: Application and Network Attacks Flashcards
Web Application Attacks
Issues: Web application attacks target the content of HTTP traffic, which is typically ignored by traditional network security devices.
Most web traffic is based on HTTP, so blocking HTTP is not an option since it would prevent access to and from the Internet.
Types of Web Attacks
Cross-Site Scripting (XSS)
Injects scripts into a Web application server that will then direct attacks at the clients.
It does not attempt to maliciously attack a Web application server to steal content or deface it.
Uses the server as a platform to launch attacks on other computers that access it.
Cross-Site Scripting (XSS)
How does it work?
Web browsers will execute any code sent from a Web site in the form of JavaScript, Hypertext Markup Language (HTML) and proprietary content (Adobe Flash).
The Web site must accept user input without validating it.
It must then use that input in a response without encoding it.
Cross-Site Scripting (XSS)
Persistent attack:
Mallory posts a message with malicious payload to a social network.
When Bob reads the message, Mallory’s XSS steals Bob’s cookie.
Mallory can now hijack Bob’s session and impersonate Bob.
SQL Injection
Targets SQL servers by injecting commands.
Structured Query Language (SQL)
Used to view and manipulate data that is stored in a relational database.
Happens when input is not filtered.
Example: an option to recover or reset a forgotten password.
XML Injection
Extensible Markup Language (XML)
Designed to carry data rather than to indicate how to display it (which is what HTML does).
XML does not have a predefined set of tags.
Similar to a SQL injection since it attacks a Web site that does not filter user data.
Allows an attacker to manipulate XML tags and data.
Command Injection/Directory Traversal
Users that access a server are typically held at the root directory.
Users can sometimes access directories and files beneath the root directory (in this case root means default) but cannot access other parallel or higher-level directories.
Example: IIS: C:\Inetpub\wwwroot
Linux: /var/www
Command Injection/Directory Traversal II
Directory Traversal: Takes advantage of a vulnerability in the Web application program or the Web server software so that the user can move from the root directory to other restricted directories.
Once they get into a different directory, they may be able to inject commands to execute on the server.
Example:
https://www.server.net/dynamic.asp?view=display.html
This example requests a specific file; by modifying the URL, an attacker can delve deeper and possibly gain access to other documents.
Client-Side Attacks
Considered client-side, as opposed to Web-based attacks, which are server-side.
What does this mean though?
Attacks that exploit services on the client rather than on the server.
Targets vulnerabilities in client applications that interact with a compromised server or process malicious data.
Attackers identify a vulnerable Web server, then inject content by exploiting the server through vulnerable scripting applications (usually written in JavaScript).
Header Manipulation
HTTP Header: Part of an HTTP packet that is composed of fields that contain the different characteristics of the data being transmitted.
Header fields consist of the field name, a colon, and the field value.
Cookies and Attachments
First-party cookie: Created from the Web site that a user is currently viewing. Whenever the user returns to the site, that cookie would be used by the site to view the user’s preferences and better customize the browsing experience.
Third-party cookie: An attempt to place additional cookies on the local hard drive. These often come from third parties that advertise on the site and want to record the user’s preferences (tailored advertising).
Session cookie: Stored in RAM, instead of on the hard drive, and only lasts for the duration of visiting the Web site.
Cookies and Attachments II
Persistent cookie: Opposite of a session cookie, also known as a tracking cookie.
Secure cookie: Only used when a browser is visiting a server using a secure connection. Cookie is always encrypted when transmitting from the client browser to the Web server.
Flash cookie: (Adobe Flash) Also known as local shared objects (LSOs). Significantly different from regular cookies. Can’t be deleted through the browser’s normal settings. Larger than normal cookies; can reinstate regular cookies that a user has deleted or blocked.
Session Hijacking
A user accessing a secure Web application can be verified to prevent an attacker from “jumping in” to the interaction and ordering items that are charged to the victim but sent to another address.
This verification is done with a session token. It is comprised of a random string assigned to the user’s specific session.
Session Hijacking II
What is it?
When an attacker attempts to impersonate the user by using the victim’s session token.
How is it done?
The attacker can eavesdrop on the transmission and steal the session token.
The attacker can steal the session token cookie from the victim’s computer and use it to impersonate the victim.
The attacker can attempt to guess the session token. Session tokens aren’t always random, so an attacker could accumulate session tokens to aid guessing.
Malicious Add-ons
ActiveX: Widely used add-ons for Windows computers.
A method to make programs interactive using a set of rules and controls.
Security concerns:
No internal controls to prevent them from reading from or writing to the local hard drive.
A control is registered only once per computer. If multiple users share one computer, it affects all of them.
Does not rely on IE; it can be installed and executed independently. A third-party application may not provide security.