Network Security Group 1: Jake Desmond, Kaidi Chen, Andrew Grant

ARP Poisoning

What is ARP?
ARP (Address Resolution Protocol) is a protocol used by the Internet Protocol to map IP network addresses to the hardware addresses used by a data link protocol.
How does ARP work?

ARP Poisoning
❖ LAN-specific cyber attack
❖ This attack is a MAC layer attack that can only be carried out when an attacker is connected to the same local network as the target machines

ARP Poisoning (Continued)
❖ Routers serve as borders for both collision and broadcast domains
❖ Tips to prevent ARP poisoning:
   ❖ Use Static ARP
   ❖ Use ARP-Spoofing Proof Switches
   ❖ Use Virtual Private Networks
Also known as ARP Spoofing

DNS Spoofing

What is DNS?
DNS (Domain Name Server) is a protocol within the set of standards for how computers exchange data on the Internet and on many private networks, known as the TCP/IP protocol suite.
"www.kennesaw.edu" into an Internet Protocol (IP) address like 70.42.251.42

DNS Spoofing
• A type of attack that exploits vulnerabilities in the domain name system (DNS) to divert Internet traffic away from legitimate servers and towards fake ones.
• One of the reasons DNS poisoning is so dangerous is that it can spread from DNS server to DNS server.

Types of DNS Spoofing
• Spoofing the DNS responses: Every DNS request has an associated 16-bit query ID. If the attacker can guess how DNS generates its query ID, the attacker can send fake responses that lie about the IP address of the queried host.
• DNS cache poisoning: Sending a DNS server incorrect mapping information with a high TTL value, so that the faulty record stays in the DNS cache for a longer period of time and the server replies with the incorrect information the next time it is queried.
• Breaking into the platform: The attacker could break into the platform running DNS, using attacks like buffer overflows or any other attacks, to gain root access; the attacker will then have full control over the network.
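Added example (not from the original slides): a resolver-side check for the first two cases above, with an unpredictable 16-bit query ID, the response matched against the outstanding query, and the cached TTL capped. The helper names and the MAX_TTL policy are assumptions, and the constructed responses carry a single A record whose name is a compression pointer to the question.

```python
import secrets
import struct

MAX_TTL = 3600  # assumed cache policy: never keep a record longer than one hour

def qname(host):
    # Encode "www.kennesaw.edu" as length-prefixed labels ending in a zero byte
    return b"".join(bytes([len(p)]) + p.encode() for p in host.split(".")) + b"\x00"

def build_query(host):
    txid = secrets.randbelow(1 << 16)  # query ID from a CSPRNG, not a counter
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + qname(host) + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def query_id(query):
    return struct.unpack(">H", query[:2])[0]

def build_response(query, txid, ttl, addr):
    # Constructed sample response: echoes the question, then one A record
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, ttl, 4) + bytes(addr)
    return header + query[12:] + answer

def check_response(query, response):
    """Return the TTL to cache, or None if the response must be dropped."""
    if len(response) < len(query) or response[:2] != query[:2]:
        return None  # query ID does not match the outstanding request
    flags, qdcount, ancount = struct.unpack(">HHH", response[2:8])
    if not flags & 0x8000 or qdcount != 1 or ancount < 1:
        return None  # not a response, or no answer to cache
    if response[12:len(query)] != query[12:]:
        return None  # question section is not the one we asked
    rr = response[len(query):]
    if len(rr) < 12 or rr[:2] != b"\xc0\x0c":
        return None  # this sketch only accepts a pointer to the question name
    _rtype, _rclass, ttl, _rdlen = struct.unpack(">HHIH", rr[2:12])
    return min(ttl, MAX_TTL)  # a very high TTL cannot pin the record in cache
```

A 16-bit ID alone leaves only 65,536 possibilities, which is why production resolvers also randomize the UDP source port and validate with DNSSEC where available.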

SQL Injection

What is SQL Injection?
• SQL injection is a code injection technique. It supplies SQL statements in place of normal user input to trigger malicious execution in a web application.
• The common approach is through web requests and form submissions.

A simple example...

ID   User     Password   Info.
1    Jake     123        Abc
2    Kaidi    123        Def
3    Andrew   123        Ghi
…    …        …          …

    // Values are taken directly from the request, with no validation
    uName = getRequestString("user");
    uPass = getRequestString("pas");
    // The query is built by string concatenation, so the input becomes part of the SQL
    sql = "SELECT * FROM Users WHERE User = \"" + uName + "\" AND Password = " + uPass;
    database.execute(sql);

Normal input:
    SELECT * FROM Users WHERE User = "Jake" AND Password = 123
Injected input:
    SELECT * FROM Users WHERE User = "Kaidi" AND Password = 123; DROP TABLE Users

Types of SQL injection
● In-band SQL injection
  The most common and easy-to-exploit attacks. Here an attacker is able to use the same communication channel to both launch the attack and gather results.
  1. Error-based SQLi
     It relies on error messages thrown by the database server to obtain information about the structure of the database.
  2. Union-based SQLi
     It uses the UNION SQL operator to combine the results of two or more SELECT statements into a single result, which is then returned as part of the HTTP response.

Types of SQL injection
● Inferential SQL injection (Blind SQL injection)
  No data will be transferred via the web application. An attacker needs to reconstruct the database structure by sending payloads and observing the response and the resulting behavior.
  1. Boolean-based (content-based) Blind SQLi
     It relies on sending an SQL query to the database which forces the application to return a different result depending on whether the query returns TRUE or FALSE.
  2. Time-based Blind SQLi
     It relies on sending an SQL query to the database which forces the database to wait for a specified amount of time (in seconds) before responding.

Types of SQL injection
● Out-of-band SQLi
  This is not very common, mostly because it depends on certain capabilities of the database server used by the web application. One example is the Microsoft SQL Server "xp_dirtree" command, which an attacker can use to make DNS requests to a server.

How to prevent SQL injection? Avoid it in code
Hide
• Encode values in form submissions and web requests.
Validate
• Check the type and format of inputs on the server side.
• Filter special symbols.
PreparedStatement
• Bind variables as parameters in functions instead of operating on SQL strings.
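Added example (not from the original slides): the simple example's login query run against an in-memory SQLite copy of the Users table, first built by string concatenation and then with bound parameters. The function names are hypothetical, executescript() stands in for a database driver that accepts stacked statements, and the string literal uses standard single quotes.

```python
import sqlite3

# Constructed sample data matching the table on the "simple example" slide
ROWS = [(1, "Jake", 123, "Abc"), (2, "Kaidi", 123, "Def"), (3, "Andrew", 123, "Ghi")]

def new_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Users (ID INTEGER, User TEXT, Password INTEGER, Info TEXT)")
    db.executemany("INSERT INTO Users VALUES (?, ?, ?, ?)", ROWS)
    db.commit()
    return db

def table_exists(db):
    q = "SELECT count(*) FROM sqlite_master WHERE type = 'table' AND name = 'Users'"
    return db.execute(q).fetchone()[0] == 1

def login_concat(db, u_name, u_pass):
    # Vulnerable 'before': request values are pasted into the SQL text, so
    # anything after the expected number is parsed as more SQL.
    sql = "SELECT * FROM Users WHERE User = '" + u_name + "' AND Password = " + u_pass
    db.executescript(sql)  # assumption: models a driver that runs stacked statements
    return sql

def login_prepared(db, u_name, u_pass):
    # Hardened 'after': the statement text is fixed and the values are bound
    # as parameters, so they are only ever compared as data.
    sql = "SELECT * FROM Users WHERE User = ? AND Password = ?"
    return db.execute(sql, (u_name, u_pass)).fetchall()

if __name__ == "__main__":
    hostile = "123; DROP TABLE Users"  # the input shown on the slide
    before, after = new_db(), new_db()
    login_concat(before, "Kaidi", hostile)
    print("concatenated query, table still present:", table_exists(before))
    print("prepared query, rows returned:", login_prepared(after, "Kaidi", hostile))
    print("prepared query, table still present:", table_exists(after))
```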

How to prevent SQL injection? Avoid it by design
Privileges
• Limit the functions a user can access.
Encrypt
• Encrypt sensitive data.
Store
• Do not store sensitive data if you don't need it.

Cross-Site Request Forgery

What I will cover about Cross-Site Request Forgery
● What is CSRF?
● Requirements for a successful CSRF Attack
● How to Program Your Own CSRF Attack
● Limitations of CSRF Attacks
● Security Protocols for Defence against CSRF

What is Cross-Site Request Forgery?
● A type of network attack that targets end user accounts of web applications
○ Must be authenticated at some level
○ Example: Online bank account
● Relies on a vulnerability in the targeted web application
● Attacker can perform security-sensitive actions as if they were the user
○ Security-Sensitive Actions: Edit Document, Logout

Requirements for a Successful CSRF Attack
Part 1: Creation of malicious website
● Must be publicly accessible
● Code capable of submitting requests is added
● User of targeted web application visits malicious site
● User must be logged in to the web application
● The code contained on the malicious website will automatically

Requirements for a Successful CSRF Attack
Part 2: Social Engineering
● In general, this refers to the psychological manipulation of a victim by an assailant.
○ A good example is the bail money phone scam
● In the case of Cross-Site Request Forgery:
○ The assailant must deceive a user who is logged in to the target website into accessing their malicious web application
○ Done through hyperlinks shared in email or internet forums

Visual Representation of CSRF

Programming Your Very Own CSRF Attack
Code for a website that contains a link to a CSRF attack:

*This is a fully functional CSRF attack
*But there are a few problems with it:
● Not very deceitful
● Placement of the link
○ Obscure website

Limitations of CSRF (Excluding Security Protocols)
● Incapable of data theft
○ Can only carry out state-changing requests like transferring funds
○ Cannot retrieve a user's username and password
● Functionality of attack is limited by targeted user's security clearance
○ Cannot generate requests that the target website's security has not granted the target user
○ Ramifications of attack can vary greatly depending on who the user is (Example of admin vs restricted bank users)

Security Protocols for Defence against CSRF
● CSRF attacks are easy to defend against if web designers are conscious of them
● "Origin" and "Referer" headers within the HTTP protocol packet can be used to neutralize CSRF attacks
○ These two headers are Forbidden Headers
○ Can compare dst of server's message to origin
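Added example (not from the original slides): a server-side check that compares the Origin header, or the Referer when Origin is absent, with the site's own origin before a state-changing request is processed. The function names and the trusted_origins parameter are assumptions, and https://bank.example is a constructed value.

```python
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # must never change state
DEFAULT_PORTS = {"http": 80, "https": 443}

def origin_of(url):
    """Reduce a URL to (scheme, host, port), or None if it is not a web origin."""
    try:
        parts = urlsplit(url)
        port = parts.port or DEFAULT_PORTS.get(parts.scheme)
    except ValueError:
        return None  # malformed port or host
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None  # covers "Origin: null" and non-HTTP schemes
    return (parts.scheme, parts.hostname, port)

def allow_request(method, headers, trusted_origins):
    """Decide whether a request may be processed, based on Origin/Referer."""
    if method.upper() in SAFE_METHODS:
        return True
    h = {k.lower(): v for k, v in headers.items()}
    # Browsers set both headers themselves; page script cannot override them
    # (they are forbidden headers), so a cross-site form reveals its origin.
    source = h.get("origin") or h.get("referer")
    if not source:
        return False  # strict policy: no source information, no state change
    trusted = {origin_of(o) for o in trusted_origins}
    src = origin_of(source)
    # Exact origin match: a prefix or substring test would accept hosts such
    # as bank.example.evil.example.
    return src is not None and src in trusted

if __name__ == "__main__":
    site = ["https://bank.example"]  # constructed example origin
    print(allow_request("POST", {"Origin": "https://bank.example"}, site))
    print(allow_request("POST", {"Origin": "https://evil.example"}, site))
```

Rejecting requests that carry neither header is the strict choice; sites that must accept such requests usually pair this check with a per-session anti-CSRF token.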

If CSRF is so easy to defend against, why is it relevant?
● CSRF is one of the lesser-known internet attacks
○ Many web programmers are not aware of them
○ Even fewer end users are aware of them
● If a web programmer is not aware, they will not defend
Why is his face covered?
