Application Attacks

• Social engineering, Malware, and password attacks do not always

lead to the ultimate objective.
• Often attackers combine these types of attacks with subsequent
application and service attacks.
• As more applications are migrated into a browser, attackers have an
increasingly large attack surface area.
• Attackers can intercept and interact with user input and for directed
attacks against web-based resources.
RACE CONDITIONS
• A race condition involves the way a program executes sequences of
code.
• A race condition typically occurs when code sequences are competing
over the same resource or acting concurrently.
• Time-of-check to time-of-use (TOCTOU) is an example of a race
condition;
• It is an asynchronous attack that exploits timing.
• TOCTOU takes advantage of the time delay between the checking of
something and the usage of something.
• These out-of-sequence actions can result in system crashes, loss of
data, unauthorized access, and privilege escalation.
IMPROPER SOFTWARE HANDLING
• Software should be designed to ensure proper handling of input into
the system, as well as proper error handling.
• Both of the following software errors can have operational impacts on
an organization and its users, as well as security impacts:
▪ Improper input handling: Solutions that don’t properly validate
input into the system can affect data flow and expectations; this is called
improper error handling. An attacker might be able to gain control of a
system or inject code for remote execution.
▪ Improper error handling: When software is not designed to properly handle
errors, the result might be release of message and diagnostic information that is
sensitive to the inner workings of the systems. This data can disclose details to
an end user and allow an attacker to gain sufficient information to advance an
attack.
RESOURCE EXHAUSTION

• Computing systems often have finite hardware resources available.

• If software does not properly manage resources such as memory,
CPU, and storage, a system might completely consume or exhaust
its resources.
• The most obvious impact of such a situation is denial of service.
• Resource exhaustion can also result from other unexpected events
and attacks.
• For example, a memory leak.
OVERFLOWS

• Buffer overflows cause disruption of service and lost data.

• An overflow occurs when the data presented to an application or
service exceeds the storage space that has been reserved in memory
for that application or service.
• Poor application design might allow the input of 100 characters into a
field linked to a variable that is capable of holding only 50 characters.
• The overflow portion of the input data must be discarded or somehow
handled by the application;
• Otherwise, the extra data overwrites some portions of memory that
other applications use and then causes failures and crashes.
• A buffer overflow can result in the following:
▪ Data or memory storage may be overwritten.
▪ An attack may overload the input buffer’s capability to cope with the additional
data, resulting in denial of service.
▪ The originator might execute arbitrary code, often at a privileged level.
• An integer overflow is another type of overflow that is specific to whole
numbers, known as integers.
• Overflows present an opportunity for compromise using privilege
escalation.
• Good quality assurance and secure programming practices can thwart
buffer overflows.
• Currently, the most effective ways to prevent an attacker from exploiting
software are to keep the software patched and updated and to monitor
the web for newly discovered vulnerabilities.
CODE INJECTIONS

• Arbitrary code execution can occur when an attacker is able to

execute programs and commands on an attacked machine.
• Preventing these attacks begins with using secure coding practices.
• Unfortunately, end users are sometimes at the mercy of their
software vendors.
• Therefore, it is important for end users to keep their systems patched
and for organizations to pay attention to the types of software
vulnerabilities.
• Injection attacks can result in modification or theft of data.
• Examples of common code injection techniques include the following:

▪ Cross-site scripting (XSS): By placing a malicious client-side script

on a website, an attacker can cause an unknowing browser user to
conduct unauthorized access activities, expose confidential data, and log
successful attacks back to the attacker without users being aware of their
participation.
▪ SQL injection: In this type of attack, malicious code is inserted into
strings that are later passed to a database server. The SQL server then
parses and executes this code.
▪ LDAP injection: With this type of attack, which is similar to SQL
injection, malicious input is applied to a directory server, which may
result in unauthorized queries, granting of permissions, and even
password changes.
▪ XML injection: An attacker can manipulate the logic of an application
in order to perform unauthorized activity or gain unauthorized access by
inserting Extensible Mark-up Language (XML) into a message.
▪ DLL injection: DLL injection involves inserting malicious code into a
running process. This code injection technique takes advantage of
dynamic link libraries (DLLs), which applications load at runtime. A
successful attack occurs when the legitimate process hooks into the
malicious DLLs and then runs them.
• These attacks take advantage of coding flaws, which are
preventable.
• In fact, many application and web development frameworks
provide built-in resources and tools to prevent such errors.
DRIVER MANIPULATION

• Driver manipulation is a process that can legitimately be done to

help improve performance, ensure compatibility, and improve
security.
• However, the manipulation of device drivers also has the potential
to do the opposite and even completely subvert a system.
• A driver manipulation attack is often a result of malicious code
written specifically for system device drivers in order to modify their
behaviour.
• Two concepts related to driver manipulation are important:
▪ Shimming: In the case of incompatible device drivers, a developer can
either write a shim (a piece of code between two components that is
then capable of intercepting calls) to provide compatibility or rework the
existing driver through refactoring. Shimming can also be used as a
sophisticated hack that involves installing a shim. Once calls are
intercepted, the shim can handle the operation, make changes, and even
redirect the call.

▪ Refactoring: Refactoring helps improve the manageability of code,

which also helps reduce complexity and improve code extensibility
without changing its outward behaviour. Malware can potentially exploit
poorly written code that is not refactored and look for vulnerabilities. In
addition, a skilled attacker could refactor code and trick the underlying
system into using the manipulated driver with malicious intent.
REQUEST FORGERIES

• There are two kinds of request forgeries;

▪ Cross-site request forgery (CSRF or XSRF)
▪ Server-side request forgery (SSRF)
• Both of these attacks are made possible by a web server being
improperly configured in the way it handles URLs.
• A cross-site request forgery (CSRF) causes end users to execute
unwanted actions on a site they are already logged in to.
• The attacker prepares a specially crafted URL that is initiated on the
client side, from the web browser.
• This could result in the user changing her own password to something
the attacker knows or taking some other desired action.
An attacker uses CSRF to trick a victim into
unknowingly posting a social media status
update
• A server-side request forgery (SSRF), unlike a CSRF, is initiated from a
web server through a vulnerable web application.
• An SSRF attack is done for the purpose of compromising information
from the web server or enabling other attacks.
• An SSRF attack exploits trust relationships.
• For example, the vulnerable web application trusts requests coming
from the local server on which it’s hosted.
• An SSRF then forces the web server to make a web request, either
back to itself or to another server.
Attacker exploits a vulnerable web server to make a request,
unknowingly, on the victim’s behalf, as the victim web app server trusts
the vulnerable web app server
• Proper input validation is vital to preventing SSRF vulnerabilities in
web applications.
• In addition, a list of allowed domains and protocols should be
required.
• This list, known as a whitelist, allows only the domains and protocols
specified to be fetched locally or from remote resources.
DIRECTORY TRAVERSAL
• Web and application servers vulnerable to directory traversal can
potentially expose system directories and files.
• Directory traversal could allow an attacker to simply view the source
code for a website’s public directories and files.
• Or an attacker might be able to look at the path for an image on the
site and see, for example, the path
https://example.com/images/image.png.
• An attacker who tries to go to http://example.com/images/ should be
denied access.
REPLAY ATTACK
• In a replay attack, packets are captured by using sniffers.
• After the pertinent information is extracted, the packets are placed
back on the network.
• This type of attack can be used to replay bank transactions or other
similar types of data transfer, in the hopes of replicating or changing
activities such as deposits or transfers.
• Protecting yourself against replay attacks involves some type of time
stamp associated with the packets or time valued, nonrepeating
serial numbers.
• Secure protocols such as IPsec prevent replays of data traffic in
addition to
providing authentication and data encryption.
SECURE SOCKETS LAYER (SSL) STRIPPING

• Essentially, secure web transactions between a client and a server occur

over the Hypertext Transfer Protocol over SSL/TLS (HTTPS) protocol.
• They incorporate encryption through either SSL or TLS.
• Most websites today use HTTPS.
• With Secure Sockets Layer (SSL) stripping, an attacker strips—or
removes—the encryption between the client and the website.
• By acting as a proxy or middleman, the attacker can establish a secure
connection between himself and the server.
• Countermeasures: First, most websites have incorporated HTTPS by
default.
• Morden browsers have introduced features that make it clear to users
when HTTPS has been removed.
Summary of an SSL stripping attack