Week 03
Web Application Attacks
• Web applications are an essential element of organizations today
• Approach to securing Web applications
– Hardening the Web server
– Protecting the network
– http://techcrunch.com/2011/03/08/report-number-of-malware-infected-web-sites-has-doubled-in-past-year/
Figure 3-1 Web application infrastructure
Web Application Attacks (cont’d.)
• Common Web application attacks
– Cross-site scripting
– SQL injection
– XML injection
– Command injection / directory traversal
Cross-Site Scripting (XSS)
• Cross-Site Scripting (XSS) is a type of security vulnerability that occurs when a web application allows users to inject malicious scripts into web pages
• Injecting scripts into a Web application server
– Directs attacks at clients
Cross-Site Scripting (cont’d.)
• When victim visits injected Web site:
– Malicious instructions sent to victim’s browser
• Browser cannot distinguish between valid code and malicious script
• Requirements of the targeted Web site
– Accepts user input without validation
– Uses input in a response without encoding it
• Some XSS attacks designed to steal information:
Figure 3-4 Bookmark page that accepts user input without validating and provides unencoded response
Figure 3-5 Input used as response
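The two missing controls named above (input validation and output encoding) for a bookmark page, as an added example that is not part of the original slides. The title field, its allow-list rule and the sample input are constructed for illustration.

```python
import html
import re

# Constructed sample input for a bookmark-title field: the server must
# treat it as data, never as markup to be parsed by the browser.
UNTRUSTED_TITLE = 'Weekend reading <script>alert("xss")</script>'

# Allow-list for a title (assumed policy): letters, digits, space and a
# few punctuation marks, at most 64 characters.
TITLE_ALLOWED = re.compile(r"^[A-Za-z0-9 ._'-]{1,64}$")


def validate_title(title: str) -> bool:
    """First control: reject input that does not match the allow-list,
    before it is stored or reflected anywhere."""
    return bool(TITLE_ALLOWED.fullmatch(title))


def render_vulnerable(title: str) -> str:
    """The flaw in Figure 3-4: the input is reflected into the HTML body
    unencoded, so any tags it contains become part of the page."""
    return f"<h1>Bookmarks: {title}</h1>"


def render_body(title: str) -> str:
    """Second control, HTML body context: <, >, &, ' and " are turned
    into entities, so the browser displays them as literal text."""
    return f"<h1>Bookmarks: {html.escape(title, quote=True)}</h1>"


def render_attribute(title: str) -> str:
    """Attribute context: the value is quoted AND encoded, so a quote in
    the input cannot close the attribute and start a new one."""
    safe = html.escape(title, quote=True)
    return f'<input type="text" name="title" value="{safe}">'


def has_live_script_tag(page: str) -> bool:
    """Check used here to compare the two renderers: does the response
    still contain an unencoded script tag?"""
    return "<script" in page.lower()
```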
SQL Injection
• Targets SQL servers by injecting commands
• SQL (Structured Query Language)
– Used to manipulate data stored in relational database
• Forgotten password example
– Attacker enters incorrectly formatted e-mail address
– Response lets attacker know whether input is being validated
• http://www.youtube.com/watch?v=jMQ2wdOmMIA
• http://www.youtube.com/watch?v=yZ8aDFs0Z38&feature=related
SQL Injection (cont’d.)
• Forgotten password example (cont’d.)
– Attacker enters a SQL fragment in the e-mail field
– Statement processed by the database
– Example statement:
SELECT fieldlist FROM table WHERE field = 'whatever' or 'a'='a'
– Result: All user email addresses will be displayed
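The forgotten-password lookup above, built the flawed way (string concatenation) beside the parameterized form, as an added example that is not part of the original slides. The in-memory SQLite table and its three accounts are constructed sample data.

```python
import sqlite3

# Constructed sample data: a small users table with three accounts.
SAMPLE_USERS = [("alice@example.com",), ("bob@example.com",), ("carol@example.com",)]

# The slide's example input: closes the quoted value and appends a
# comparison that is always true.
SLIDE_INPUT = "whatever' or 'a'='a"


def make_db() -> sqlite3.Connection:
    """Create the sample database used by both lookups."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """The slide's flawed pattern: the e-mail field is spliced into the
    SQL text, so a quote in the input changes the statement itself and
    WHERE email = 'whatever' or 'a'='a' matches every row."""
    sql = "SELECT email FROM users WHERE email = '" + email + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, email: str) -> list:
    """Hardened form: the driver binds the value separately from the
    statement, so the input is only ever compared as a string."""
    sql = "SELECT email FROM users WHERE email = ?"
    return [row[0] for row in conn.execute(sql, (email,))]
```

With the slide's input the concatenated query returns all three addresses, while the parameterized query returns none, because no account's e-mail is literally the string whatever' or 'a'='a.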
XML Injection
• Markup language
– Method for adding annotations to text
• HTML
– Uses tags surrounded by brackets
– Instructs browser to display text in specific format
• XML
– Carries data instead of indicating how to display it
– No predefined set of tags
• Users define their own tags
XML Injection (cont’d.)
• XML attack
– Similar to SQL injection attack
– Attacker discovers Web site that does not filter user data
– Injects XML tags and data into the database
Command Injection / Directory Traversal
• Web server users typically restricted to root directory
• Users may be able to access subdirectories:
– But not parallel or higher level directories
• Sensitive files to protect from unauthorized user access
– Cmd.exe can be used to enter text-based commands
– Passwd (Linux) contains user account information
Command Injection / Directory Traversal (cont’d.)
• Directory traversal attack
– Takes advantage of software vulnerability
– Attacker moves from root directory to restricted directories
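The check a web server needs so that a request can reach subdirectories of the root but not parallel or higher-level directories, as an added example that is not part of the original slides. The web root /var/www/html and the request paths are assumed values for illustration.

```python
import posixpath
from urllib.parse import unquote


def resolve_under_root(web_root: str, requested: str):
    """Map a URL path onto the web root and refuse any request that,
    after decoding and normalisation, would land outside it.

    Returns the filesystem path to serve, or None when the request
    escapes the root. Assumes web_root is an absolute POSIX path and
    compares paths lexically; a real server should also resolve
    symlinks (os.path.realpath) before opening the file.
    """
    root = posixpath.normpath(web_root)
    # Decode percent-encoding before checking: %2e%2e%2f is "../" once
    # the filesystem sees it. Decoding twice also catches %252e.
    decoded = unquote(unquote(requested))
    # A NUL byte would truncate the path in C-level APIs; never serve it.
    if "\x00" in decoded:
        return None
    # A leading slash would make join() discard the root, so strip it.
    relative = decoded.lstrip("/")
    # normpath collapses every ".." so the result shows where the
    # request really points.
    candidate = posixpath.normpath(posixpath.join(root, relative))
    # Allowed: the root itself or anything strictly beneath it. The
    # trailing "/" stops /var/www/htmlx from passing as a prefix match.
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None
```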
Client-Side Attacks
• Web application attacks are server-side attacks
• Client-side attacks target vulnerabilities in client applications
– These attacks aim to exploit vulnerabilities in the software and behavior of users themselves
Client-Side Attacks (cont’d.)
• Drive-by download
– Client computer compromised simply by viewing a Web page
– This attack occurs when a user visits a compromised or malicious website, and the malware is delivered to their system through vulnerabilities in the web browser, browser plugins, or other software components.
Client-Side Attacks (cont’d.)
• Header manipulation
– HTTP header contains fields that characterize data being transmitted
– Headers can originate from a Web browser
• Browsers do not normally allow this
• Attacker’s short program can allow modification
Client-Side Attacks (cont’d.)
• Referer field indicates site that generated the Web page
– Attacker can modify this field to hide fact it came from another site
– Modified Web page hosted from attacker’s computer
• Accept-language
– Some Web applications pass contents of this field directly to database
– Attacker could inject SQL command by modifying this header
Client-Side Attacks (cont’d.)
• Cookies and Attachments
– Cookies store user-specific information on user’s local computer
• Web sites use cookies to identify repeat visitors
• Examples of information stored in a cookie
– Travel Web sites may store user’s travel plans
– Personal information provided when visiting a site
• Only the Web site that created a cookie can read it
Client-Side Attacks (cont’d.)
• First-party cookie
– Cookie created by Web site user is currently visiting
• Third-party cookie
– Site advertisers place a cookie to record user preferences
• Session cookie
– Stored in RAM and expires when browser is closed
Client-Side Attacks (cont’d.)
• Persistent cookie
– Recorded on computer’s hard drive
– Does not expire when browser closes
• Secure cookie
– Used only when browser visits server over secure connection
– Always encrypted
Client-Side Attacks (cont’d.)
• Flash cookie
– Uses more memory than traditional cookie
– Cannot be deleted through browser configuration settings
• Cookies pose security and privacy risks
– May be stolen and used to impersonate user
– Used to tailor advertising
– Can be exploited by attackers
Client-Side Attacks (cont’d.)
• Session hijacking
– In a session hijacking attack, the attacker gains control of the user's session ID, allowing them to impersonate the legitimate user and perform actions on their behalf.
• Malicious add-ons
– Browser extensions provide multimedia or interactive Web content
– ActiveX add-ons have several security concerns
Client-Side Attacks (cont’d.)
• Buffer overflow attacks
– Process attempts to store data in RAM beyond boundaries of fixed-length storage buffer
– Data overflows into adjacent memory locations
– May cause computer to stop functioning
– Attacker can change “return address”
• Redirects to memory address containing malware code
Network Attacks
• Denial of service (DoS)
– Attempts to prevent system from performing normal functions
– Ping flood attack
• Ping utility used to send large number of echo request messages
• Overwhelms Web server
– Smurf attack
• Ping request with originating address changed
• Appears as if target computer is asking for response from all computers on the network
Network Attacks
• Denial of service (DoS) (cont’d.)
– SYN flood attack
• Takes advantage of procedures for establishing a TCP connection
• http://www.youtube.com/watch?v=cfoqQ8mHafM&feature=related
• Distributed denial of service (DDoS)
– Attacker uses many zombie computers in a botnet to flood a device with requests
– Virtually impossible to identify and block source of attack
Interception
• Man-in-the-middle
– Interception of legitimate communication
– Forging a fictitious response to the sender
– Passive attack records transmitted data
– Active attack alters contents of transmission before sending to recipient
• Replay attacks
– Similar to passive man-in-the-middle attack
Interception (cont’d.)
• Replay attacks (cont’d.)
– Attacker makes copy of transmission
• Uses copy at a later time
– Example: capturing logon credentials
• More sophisticated replay attacks
– Attacker captures network device’s message to server
– Later sends original, valid message to server
– Establishes trust relationship between attacker and server