Buffer Overflow (BOF): Bounds Are Not Checked While Populating It, The Array May Overflow Into
lOMoARcPSD|32189809
• A buffer (or array or string) is a space in which data can be held. A buffer resides in
memory. Because memory is finite, a buffer's capacity is finite. For this reason, in
many programming languages the programmer must declare the buffer's maximum
size so that the compiler can set aside that amount of space.
• In information security and programming, a buffer overflow, or buffer overrun, is
an anomaly where a program, while writing data to a buffer, overruns the buffer's
boundary and overwrites adjacent memory locations. ... Exploiting the behavior of a
buffer overflow is a well-known security exploit.
• Let us look at an example to see how buffer overflows can happen.
• Suppose a C language program contains the declaration:
char sample[10];
• The compiler sets aside 10 bytes to store this buffer, one byte for each of the 10
elements of the array, sample[0] through sample[9]. Now we execute the statement:
sample[10] = 'B';
• The subscript is out of bounds (that is, it does not fall between 0 and 9), so we have a
problem. The nicest outcome (from a security perspective) is for the compiler to detect
the problem and mark the error during compilation. However, if the statement were
sample[i] = 'B';
• Let us examine this problem more closely. It is important to recognize that the
potential overflow causes a serious problem only in some instances.
• The problem's occurrence depends on what is adjacent to the array sample. For
example, suppose each of the ten elements of the array sample is filled with the
letter A and the erroneous reference uses the letter B, as follows:
for (i = 0; i <= 9; i++)
    sample[i] = 'A';
sample[10] = 'B';
[Figure: memory after the overflow. Ten cells hold 'A' and the 'B' lands in the cell just past sample[9]: (a) the extra byte falls in the user's data space; (b) the extra byte falls in the user's code space.]
• If the extra character overflows into the user's data space, it simply overwrites an
existing variable value (or it may be written into an as-yet unused location),
perhaps affecting the program's result, but affecting no other program or data.
• In the second case, the 'B' goes into the user's program area. If it overlays an
already executed instruction, the user should perceive no effect. If it overlays
an instruction that is not yet executed, the machine will try to execute an
instruction with operation code 0x42, the internal code for the character 'B'.
• If there is no instruction with operation code 0x42, the system will halt on an
illegal instruction exception. Otherwise, the machine will use subsequent bytes
as if they were the rest of the instruction, with success or failure depending on the
meaning of the contents. Again, only the user is likely to experience an effect.
Why is buffer overflow a vulnerability?
• Key Concepts of Buffer Overflow. This error occurs when there is more data in a
buffer than it can handle, causing data to overflow into adjacent storage. This
vulnerability can cause a system crash or, worse, create an entry point for a
cyberattack. C and C++ are more susceptible to buffer overflow.
• A stack consists of logical stack frames that are pushed when calling a function and
popped when returning. Frame pointer (FP) – points to a fixed location within a
frame.
• When a function is called, the return address, stack frame pointer and the variables
are pushed on the stack (in that order).
• So the return address has a higher address than the buffer.
• When we overflow the buffer, the return address will be overwritten.
void function()
{
    ...
    return;
}
void main()
{
    ...
    function();
    ...
}
Example Code
void function(int a, int b, int c)
{
    char buffer1[5];    /* local buffers live below the saved frame pointer and return address */
    char buffer2[10];
}
int main(void)
{
    function(1, 2, 3);
    return 0;
}
[Figure: stack frame with the return address above the buffer; panel (iii) executing the attack code]
#include <string.h>
extern char large_string[];   /* attacker-controlled data, defined elsewhere */
void main()
{
    char buffer[96];
    strcpy(buffer, large_string);   /* no length check: large_string overruns buffer */
    return;
}
<select>
<script>
document.write("<OPTION value=1>" + document.location.href.substring(
    document.location.href.indexOf("default=") + 8) + "</OPTION>");
</script>
</select>
Normal request: http://www.some.site/page.html?default=ASP.NET
Attack request: http://www.some.site/page.html?default=<script>alert(document.cookie)</script>
Validate Output
▫ Encode HTML Output
RULE #1 - HTML Escape Before Inserting Untrusted Data into HTML Element Content
<body>...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...</body>
<div>...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...</div>
any other normal HTML elements
• Escape these characters:
▫ & --> &amp;
▫ < --> &lt;
▫ > --> &gt;
▫ " --> &quot;
▫ ' --> &#x27; (&apos; is not recommended)
▫ / --> &#x2F;
forward slash is included as it helps end an HTML entity
RULE #2 - Attribute Escape Before Inserting Untrusted Data into HTML Common
Attributes
<div attr=...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...>content</div>
inside UNquoted attribute
<div attr='...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...'>content</div>
inside single quoted attribute
<div attr="...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...">content</div>
inside double quoted attribute
Except for alphanumeric characters, escape all characters with ASCII values less than
256 with the &#xHH; format or a named entity if available. Examples: &#x22; (&quot;) and &#x27;
RULE #3 - JavaScript Escape Before Inserting Untrusted Data into HTML JavaScript
Data Values
The only safe place to put untrusted data into these event handlers is as a quoted "data
value".
<script>alert('...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...')</script> inside a
quoted string
<script>x='...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...'</script> one side of a
quoted expression
<div onmouseover="x='...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...'">content</div>
inside quoted event handler
Except for alphanumeric characters, escape all characters less than 256 with the \xHH
format. Example: \x22 not \"
<script> window.setInterval('...EVEN IF YOU ESCAPE UNTRUSTED DATA YOU ARE XSSED
HERE...'); </script>
RULE #4 - CSS Escape Before Inserting Untrusted Data into HTML Style Property
Values
<style>selector { property : ...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...; }
</style> property value
<span style="property : ...ESCAPE UNTRUSTED DATA BEFORE PUTTING
HERE...;">text</span> property value
Except for alphanumeric characters, escape all characters with ASCII values less than
256 with the \HH escaping format. Example: \22 not \"
RULE #5 - URL Escape Before Inserting Untrusted Data into HTML URL Parameter
Values
<a href="http://www.somesite.com?test=...URL ESCAPE UNTRUSTED DATA BEFORE
PUTTING HERE...">link</a>
Except for alphanumeric characters, escape all characters with ASCII values less than
256 with the %HH escaping format. Example: %22
Remember HttpUtility.UrlEncode()
Reduce Impact of XSS Vulnerabilities
• If Cookies Are Used:
▫ Scope as strictly as possible
▫ Set the 'secure' flag
▫ Set the 'HttpOnly' flag
▫ On the client, consider disabling JavaScript (if possible) or use something
like the NoScript Firefox extension.
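The five escaping rules above, written out as an added example (this is not code from the page; the function names and the render_option() rebuild of the page's document.write() line are my own), then applied to the page's default=<script>alert(document.cookie)</script> value:

```python
# Added example (not the page's code): the escaping rules above implemented
# in Python and applied to the page's DOM XSS payload. The function names
# and the render_option() rebuild of the document.write() line are my own.

_HTML_MAP = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;",
             "'": "&#x27;", "/": "&#x2F;"}   # RULE #1 (&apos; deliberately avoided)

def escape_html(s):
    """RULE #1: escape the six significant characters in element content."""
    return "".join(_HTML_MAP.get(c, c) for c in s)

def _escape_below_256(s, fmt):
    # RULES #2-#4 share one shape: ASCII alphanumerics pass through, every
    # other character with a code point below 256 is rewritten by fmt().
    return "".join(c if (c.isascii() and c.isalnum()) or ord(c) >= 256
                   else fmt(ord(c)) for c in s)

def escape_html_attr(s):
    """RULE #2: &#xHH; form, safe in quoted and unquoted attributes."""
    return _escape_below_256(s, lambda n: f"&#x{n:02X};")

def escape_js(s):
    """RULE #3: \\xHH form for a quoted JavaScript data value."""
    return _escape_below_256(s, lambda n: f"\\x{n:02X}")

def escape_css(s):
    """RULE #4: \\HH form for a CSS property value."""
    return _escape_below_256(s, lambda n: f"\\{n:02X}")

def escape_url(s):
    """RULE #5: %HH form for a URL parameter value (UTF-8 bytes for non-ASCII)."""
    out = []
    for c in s:
        if c.isascii() and c.isalnum():
            out.append(c)
        else:
            out.extend(f"%{b:02X}" for b in c.encode("utf-8"))
    return "".join(out)

def render_option(default_param):
    """The page's document.write("<OPTION value=1>" + ... + "</OPTION>") rebuilt
    with RULE #1 applied, since the value lands in element content."""
    return "<OPTION value=1>" + escape_html(default_param) + "</OPTION>"

# Constructed sample: the attack value the page puts after 'default=' in the URL.
PAYLOAD = "<script>alert(document.cookie)</script>"

if __name__ == "__main__":
    print(render_option(PAYLOAD))
```

Each function matches the context named in its rule; using escape_html() for a value that lands inside a script block or an attribute is exactly the mismatch the rules warn about.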
SQL Injection
• SQL injection is a code injection technique that might destroy your database.
• SQL injection is one of the most common web hacking techniques.
• SQL injection is the placement of malicious code in SQL statements, via web page input.
1. App sends form to user.
2. Attacker submits form with SQL exploit data.
3. Application builds string with exploit data.
4. Application sends SQL query to DB.
5. DB executes query, including exploit, sends data back to application.
6. Application returns data to user.
[Figure: the request flow of the six steps above, passing through the firewall to the application and the database.]
Create DB
CREATE TABLE `users` (
    `id` INT NOT NULL AUTO_INCREMENT,
    `email` VARCHAR(45) NULL,
    `password` VARCHAR(45) NULL,
    PRIMARY KEY (`id`)
);
INSERT INTO users (email, password) VALUES ('[email protected]', '1234');
ID  EMAIL              PASSWORD
1   [email protected]  1234
• Let's suppose the statement at the backend (PHP & MySQL) for checking the user ID is as
follows:
SELECT * FROM users WHERE email = $_POST['email'] AND password = md5($_POST['password']);
• The above statement uses the values of the $_POST[] array directly without
sanitizing them. The password is hashed with the MD5 algorithm.
• These values have to be checked in the DB.
• The original code is:
SELECT * FROM users WHERE email = '[email protected]' AND password = md5('1234');
• The output is:
Example 2:
Let's suppose an attacker provides the following input.
• Step 1: Enter [email protected]' OR 1 = 1 LIMIT 1 -- ' ] as the email. Step 2: Enter
1234 as the password.
• The injected SQL code:
SELECT * FROM users WHERE email = '[email protected]' OR 1 = 1 LIMIT 1 -- ' ] AND
password = md5('1234');
• [email protected]' ends with a single quote which completes the string quote
• OR 1 = 1 LIMIT 1 is a condition that will always be true and limits the returned
results to only one record.
• -- ' ] AND ... is a SQL comment that eliminates the password part.
Example 3
SQL Injection Based on ""="" is Always True
• Here is an example of a user login on a web site:
22
lOMoARcPSD|32189809
uName = getRequestString("username");
uPass = getRequestString("password");
sql = 'SELECT * FROM Users WHERE Name ="' + uName + '" AND Pass ="' + uPass + '"';
Phishing
• Phishing is the fraudulent attempt to obtain sensitive information such as
usernames, passwords and credit card details by disguising as a trustworthy
entity in an electronic communication.
• Phishing is a type of social engineering attack often used to steal user data,
including login credentials and credit card numbers. It occurs when an attacker,
masquerading as a trusted entity, dupes a victim into opening an email, instant
message, or text message.
Detect a Phishing Scam
• Spelling errors (e.g., "pessward"), lack of punctuation or poor grammar
• Hyperlinked URL differs from the one displayed, or it is hidden
• Threatening language that calls for immediate action
• Requests for personal information
• Announcement indicating you won a prize or lottery
• Requests for donations
• Phishing – Cybercriminal attempts to steal personal and financial information or
infect computers and other devices with malware and viruses
• Designed to trick you into clicking a link or providing personal or financial
information
• Often in the form of emails and websites
• May appear to come from legitimate companies, organizations or known
individuals
• Take advantage of natural disasters, epidemics, health scares, political
elections or timely events
• eBay and PayPal are two of the most targeted companies, and online banks are
also common targets.
• Phishing is typically carried out by email or instant messaging, and often
directs users to give details at a website, although phone contact has been
used as well.
• E-mails supposedly from the Internal Revenue Service have also been used.
• Social Networking sites are also a target of phishing, since the personal details in
such sites can be used in identity theft.
• Experiments show a success rate of over 70% for phishing attacks on social
networks
Types of Phishing
• Mass Phishing (Deceptive Phishing) – Mass, large-volume attack intended to
reach as many people as possible
• Spear Phishing – Targeted attack directed at specific individuals or companies
using gathered information to personalize the message and make the scam more
difficult to detect
• Whaling (CEO Fraud) – Type of spear phishing attack that targets "big fish," including
high-profile individuals or those with a great deal of authority or access
• Clone Phishing (pharming) – Spoofed copy of a legitimate and previously
delivered email, with original attachments or hyperlinks replaced with malicious
versions, sent from a forged email address so that it appears to come from
the original sender or another legitimate source
• Advance-Fee Scam – Requests the target to send money or bank account
information to the cybercriminal
Phishing – Link Manipulation
• Most methods of phishing use some form of technical deception designed to
make a link in an email (and the spoofed website it leads to) appear to belong to
the spoofed organization.
• Misspelled URLs (Uniform Resource Locator) or the use of subdomains
are common tricks used by phishers, such as this example URL,
http://www.Suntrust.com.bank.com/.
• Another common trick is to make the anchor text for a link appear to be a valid
URL when the link actually goes to the phishers' site.
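A small checker for the two link-manipulation tricks just described, added here as an example (not code from the page); it assumes a brand list of its own and treats the last two labels of a hostname as the registered domain, which is enough for the page's www.Suntrust.com.bank.com example but is not a public-suffix list.

```python
from urllib.parse import urlparse

# Added example (not the page's code): flags anchor text that shows one site
# while the href goes to another, and brand names used as a subdomain or
# lookalike of an unrelated domain. Brand list and function names are my own.

def registered_domain(host):
    """Last two labels, e.g. 'www.suntrust.com.bank.com' -> 'bank.com'.
    Deliberately naive (no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def _host_of(text):
    """Hostname of a URL-looking string, adding a scheme if the text has none."""
    return (urlparse(text if "://" in text else "http://" + text).hostname or "").lower()

def link_warnings(anchor_text, href, brands=("suntrust.com", "paypal.com", "ebay.com")):
    """Return human-readable warnings for one link (empty list = nothing suspicious)."""
    warnings = []
    host = _host_of(href)
    domain = registered_domain(host)
    shown = anchor_text.strip()
    # Trick 2 on the page: anchor text looks like a URL but the href goes elsewhere.
    if "://" in shown or shown.lower().startswith("www."):
        shown_host = _host_of(shown)
        if registered_domain(shown_host) != domain:
            warnings.append(f"displays {shown_host} but the link goes to {host}")
    # Trick 1: brand name inside a hostname whose registered domain is not the brand.
    for brand in brands:
        name = brand.split(".")[0]
        legitimate = host == brand or host.endswith("." + brand)
        if name in host and not legitimate:
            warnings.append(f"'{name}' appears in {host} but the site is {domain}")
    return warnings

# Constructed samples, including the page's www.Suntrust.com.bank.com URL.
SAMPLES = [
    ("https://www.suntrust.com", "http://www.Suntrust.com.bank.com/"),
    ("Click here", "https://www.paypal.com/signin"),
]

if __name__ == "__main__":
    for text, href in SAMPLES:
        print(href, link_warnings(text, href))
```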
Phishing Lure
Claims to come from the NDSU IT Help Desk and system administrators
• References NDSU and North Dakota State University
• Calls for immediate action using threatening language
• Includes hyperlink that points to fraudulent site
Model Questions
1. What is vulnerability? Give the different types of vulnerabilities.
2. What is software vulnerability? What are the common types of software flaws that
lead to vulnerability?
3. Why is buffer overflow a vulnerability?
4. How do buffer overflow attacks work?
5. With an example explain the concept of buffer overflow. Discuss how the
buffer overflow has security implications.
6. What do you understand by a stack and a buffer overflow? How are these
two different? What are the practices of writing a safe program code?
7. Describe how a stack buffer overflow attack is implemented.
8. What are the impacts of a buffer overflow vulnerability?
9. Explain in detail about exploiting stack overflows with example.
10. How do you protect against a stack overflow attack?
11. What is XSS or Cross Site Scripting?
12. What information can an attacker steal using XSS?
13. What are the types of XSS?
14. What is stored XSS?
15. What is reflected XSS?
16. What is DOM- based XSS?
17. What is cross site scripting? How can it be prevented?
18. Why is cross site scripting dangerous?
19. How often do you find DOM-based XSS vulnerabilities?
20. What is "SQL injection"?
21. How can you detect SQL injection? What is the most common SQL injection tool?
22. What is injection attack?
23. What is code injection attack?
24. How can SQL injection be prevented?
25. How do we prevent SQL injection in our applications?
26. Explain what is phishing? How can it be prevented?
27. What is the difference between spam and phishing?
28. How do I avoid becoming a victim of a phishing scam?
29. What are the different types of phishing?
30. What are some examples of phishing?
31. What is a phishing attempt?
32. What are three characteristics of a phishing email?