CISSP - Malicious Code and Application Attacks


Malicious Code and Application Attacks
Chapter 21 Review
Rashid Siddiqui
24/09/21

© Rashid Siddiqui
Malware - malicious software

Like a biological virus, a computer virus has two main functions:
- Propagation
- Payload execution

Virus propagation techniques

Master Boot Record (MBR) viruses - attack the MBR of the storage media. A small portion of the virus code is stored in the MBR and the rest elsewhere on the media. MBR viruses work by redirecting the system to an infected boot sector, which loads the virus into memory before loading the OS from the legitimate boot sector.

File infector viruses - infect different types of executable files and trigger when the OS attempts to execute them.
- Companion viruses: self-contained executable files that take filenames similar to those of legitimate files, so the companion is run in place of the legitimate program.

Macro viruses - exploit macros. Mitigation: restrict untrusted macros from running without explicit user permission.

Service injection viruses - malicious code injects itself into trusted runtime processes of the OS such as svchost.exe, winlogon.exe and explorer.exe.

Virus technologies

Multipartite viruses - use more than one propagation technique.
Stealth viruses - hide by actively tampering with the OS to fool antivirus software into believing everything is fine.
Polymorphic viruses - modify their own code as they travel from one system to another.
Encrypted viruses - use cryptographic techniques to hide from detection.

Logic bombs - malicious code objects that lie dormant until they are triggered by the occurrence of one or more conditions, e.g. a time/date, a program launch, a website logon, certain keystrokes, etc.

Trojan horses - a software program that appears benevolent but carries a malicious payload behind the scenes.
- Remote Access Trojans (RATs) open a backdoor into a system.
- Trojans and other malware that perform cryptocurrency mining are also known as crypto malware.

Worms - propagate themselves without any human intervention.

Spyware - monitors user actions and transmits important information to remote systems.

Adware - displays advertisements on infected computers.

Potentially Unwanted Programs (PUPs) - take advantage of third-party plugins (e.g. in the web browser). The user might consent to install them, but they carry out functions the user did not wish to authorise.

Ransomware - uses encryption as a weapon to hold data to ransom.

Malicious scripts - take advantage of existing automation and scripting tools.

Fileless malware - runs entirely in memory and does not create any file on disk, so file-based (signature) scanning does not see it.

Zero-day attacks - exploit a zero-day vulnerability. Two windows of exposure: the delay between discovery of new malicious code and the issuance of patches, and slowness in applying updates once they are issued.

Malware prevention

Anti-malware software - signature-based and heuristic-based detection mechanisms. Actions on detection:
- Eradication: disinfect the affected file and restore the machine.
- Quarantine: the user examines quarantined files manually.
- Deletion: if the file exceeds a predefined danger threshold.

Integrity monitoring - tools designed to monitor file modifications. They maintain a database of hash values for all files stored on the system and flag any file whose current hash differs from the stored one.
Endpoint Detection and Response (EDR)
- Analyses endpoint memory, filesystem and network activity.
- Automatically isolates potentially malicious activity.
- Integrates with threat intelligence sources to obtain real-time insight into malicious behaviour seen elsewhere on the internet.
- Integrates with other incident response mechanisms.
- Analytic focus is on the endpoint.

User and Entity Behavior Analytics (UEBA) - analytic focus is on the end user (and other entities) rather than on the endpoint.

Application Attacks

Buffer overflow - the vulnerability exists because of a lack of validation of user input. Remediation (dataflow control): the value should be within the parameter space, the variable type should match, and the value should not be longer than the buffer size.

Timing / state-transition attacks
- Time of Check to Time of Use (TOCTOU) - a race condition: the attacker replaces the original object in the time difference between the time of check and the time of use.
- Requires in-depth knowledge of the program and system under attack.
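The TOCTOU race described above, as an added example (my code, not from the notes): a service that may only serve files under an allowed directory checks the path, then opens it, and an attacker who swaps the file for a symlink in between reads a secret. The hardened version opens relative to the directory descriptor with O_NOFOLLOW and checks the descriptor it actually obtained, so there is no path it can be raced on. The files, the "attacker" callback and the directory layout are constructed; it needs a POSIX system (dir_fd and O_NOFOLLOW).

```python
import os
import stat
import tempfile

# Added example: check-then-use race on a file path, and the fix.

def is_inside(path, allowed_dir):
    """Time-of-check: resolve symlinks and test containment."""
    real = os.path.realpath(path)
    return os.path.commonpath([real, allowed_dir]) == allowed_dir

def vulnerable_read(path, allowed_dir, attacker_swap):
    """Check the path, then use the path. The window between the two is the bug;
    attacker_swap() stands in for the attacker winning the race."""
    if not is_inside(path, allowed_dir):
        raise PermissionError("outside allowed directory")
    attacker_swap()                       # the name now points somewhere else
    with open(path) as f:                 # time-of-use follows the new target
        return f.read()

def safe_read(name, allowed_dir):
    """Open first, then check the object you got. The name is opened relative to
    the directory fd, symlinks are refused at open time, and the only check is
    fstat() on the open descriptor, which nobody can swap underneath us."""
    if os.sep in name or name in ("", ".", ".."):
        raise PermissionError("bad file name")
    dfd = os.open(allowed_dir, os.O_RDONLY | os.O_DIRECTORY)
    try:
        fd = os.open(name, os.O_RDONLY | os.O_NOFOLLOW, dir_fd=dfd)
    finally:
        os.close(dfd)
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            raise PermissionError("not a regular file")
    except BaseException:
        os.close(fd)
        raise
    with os.fdopen(fd) as f:
        return f.read()

def _setup(base):
    """Constructed fixture: one public file inside the allowed dir, one secret outside."""
    allowed = os.path.join(base, "allowed")
    os.mkdir(allowed)
    public = os.path.join(allowed, "public.txt")
    with open(public, "w") as f:
        f.write("public data")
    secret = os.path.join(base, "secret.txt")
    with open(secret, "w") as f:
        f.write("SECRET")
    return allowed, public, secret

def demo():
    results = {}
    with tempfile.TemporaryDirectory() as base:
        allowed, public, secret = _setup(os.path.realpath(base))
        def swap():   # attacker replaces the checked file with a symlink to the secret
            os.remove(public)
            os.symlink(secret, public)
        results["vulnerable_leaked"] = vulnerable_read(public, allowed, swap)
        try:                              # swap is in place; hardened reader refuses it
            safe_read("public.txt", allowed)
            results["safe_blocked"] = False
        except OSError:                   # ELOOP from O_NOFOLLOW
            results["safe_blocked"] = True
    with tempfile.TemporaryDirectory() as base:
        allowed, _public, _secret = _setup(os.path.realpath(base))
        results["safe_normal"] = safe_read("public.txt", allowed)
    return results

if __name__ == "__main__":
    print(demo())
```

The general rule the example illustrates: never make a security decision on a name and then act on the name again; act once, on the object, and check the object.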

Backdoors - undocumented command sequences that allow individuals with knowledge of the backdoor to bypass normal access restrictions.

Privilege escalation and rootkits - rootkits are used to achieve privilege escalation.

Injection vulnerabilities

Code injection attacks - any environment that inserts user-supplied input into code written by a developer may be vulnerable to code injection. SQL injection is a specific example; others include LDAP injection, XML injection and DLL injection.

SQL injection - the perpetrator sends input to a web application that tests whether the application is interpreting the injected code, before attempting to carry out an actual attack.

Blind code injection attacks - used when the application's output does not show the query result directly:
- Blind content-based: the attacker infers information from differences in the application's responses.
- Blind timing-based: the amount of time required to process user-supplied input into a SQL query is used as a channel for retrieving information from the database.

Input validation, input escaping and defensive coding are essential to eliminate these threats.

Command injection attacks - application code reaches back to the OS to execute a command, causing OS-level changes.

Authorisation Vulnerabilities

Insecure Direct Object Reference (IDOR) - lack of a specific authorisation check for object access; the attacker simply supplies another object's identifier.

Directory traversal - a misconfiguration/vulnerability that allows users to navigate the directory structure and access files that should remain secure.

File inclusion - the next level of the directory traversal attack: a file inclusion attack actually executes the code contained within a file. File inclusion vulnerabilities are commonly exploited by means of a web shell.
- Local File Inclusion (LFI) attack
- Remote File Inclusion (RFI) attack
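The directory traversal check a server should apply before touching a user-named file, as an added example (my code, not from the notes). It resolves the supplied relative path against a document root and refuses anything that escapes it, including URL-encoded and double-encoded separators, backslashes, absolute paths and NUL bytes. The document root and the inputs are constructed; the files need not exist for the path check.

```python
import os
from urllib.parse import unquote

# Added example: canonicalise, then test containment; never test the raw string.

def safe_join(base, user_path):
    """Return the absolute path if it stays inside base, else None."""
    decoded = user_path
    for _ in range(3):                     # undo double/triple encoding: %252e -> %2e -> .
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    if "\x00" in decoded:                  # NUL truncation tricks ("x.txt%00.jpg")
        return None
    decoded = decoded.replace("\\", "/")   # treat backslash as a separator as well
    if decoded.startswith("/"):
        return None                        # absolute paths are never acceptable
    base = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base, decoded))  # collapses '..' and symlinks
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate

def demo():
    base = "/var/www/docs"                 # constructed document root
    tests = {
        "normal": "reports/q1.txt",
        "dotdot": "../../etc/passwd",
        "encoded": "..%2f..%2fetc%2fpasswd",
        "double_encoded": "%252e%252e%252f%252e%252e%252fetc%252fpasswd",
        "absolute": "/etc/passwd",
        "backslash": "..\\..\\windows\\win.ini",
        "nul": "reports/q1.txt%00.jpg",
    }
    return {k: safe_join(base, v) is not None for k, v in tests.items()}

if __name__ == "__main__":
    print(demo())
```

Because the check runs on the canonical path rather than on a block list of ".." strings, a symlink inside the document root that points outside it is also rejected.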

Exploiting Web Application Vulnerabilities

Cross-Site Scripting (XSS) attack - occurs when a web application allows an attacker to perform HTML injection.
- Reflected XSS: the application reflects attacker-supplied input back in its response.
- Stored / persistent XSS: the attacker stores the XSS code on the remote server (e.g. in a comment) and it is served to every visitor.
- DOM-based XSS: some XSS attacks work by modifying the Document Object Model (DOM) environment within the user's browser. These attacks don't appear in the HTML code sent by the server.
- Remediate using input validation, input pattern matching and output encoding. Output encoding transforms potentially dangerous content into a safe form.
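Output encoding in practice, as an added example (my code, not from the notes): the same untrusted comment rendered without encoding, encoded into element content, and encoded into an unquoted versus a quoted attribute. The point it adds to the note above is that encoding must match the output context: html.escape makes element content and quoted attributes safe, but cannot save an unquoted attribute, because a plain space ends the value and starts a new attribute. The rendered markup is audited with Python's own HTML parser so the result is checked the way a browser would tokenise it. Payloads are constructed.

```python
import html
from html.parser import HTMLParser

# Added example: context-dependent output encoding for XSS.

def render_body_unsafe(comment):
    return "<p>%s</p>" % comment

def render_body_safe(comment):
    """Element content: escaping < > & " ' is sufficient."""
    return "<p>%s</p>" % html.escape(comment, quote=True)

def render_attr_unquoted(comment):
    """Escaped but unquoted: whitespace terminates the value, so an attacker can
    still append an event-handler attribute without using any escaped character."""
    return "<input value=%s>" % html.escape(comment, quote=True)

def render_attr_quoted(comment):
    """Escaped and quoted: leaving the value needs a literal quote, which is
    encoded as &quot;."""
    return '<input value="%s">' % html.escape(comment, quote=True)

class _Audit(HTMLParser):
    """Tokenise the rendered markup and record what the attacker created:
    script elements and on* event-handler attributes."""
    def __init__(self):
        super().__init__()
        self.script_tags = 0
        self.event_handlers = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_tags += 1
        self.event_handlers += sum(1 for name, _ in attrs if name.startswith("on"))

def audit(markup):
    a = _Audit()
    a.feed(markup)
    a.close()
    return {"script_tags": a.script_tags, "event_handlers": a.event_handlers}

def demo():
    body_payload = "<script>alert(1)</script>"       # constructed stored-XSS comment
    attr_payload = "x onmouseover=alert(1)"          # constructed attribute-context payload
    return {
        "body_unsafe": audit(render_body_unsafe(body_payload))["script_tags"],
        "body_safe": audit(render_body_safe(body_payload))["script_tags"],
        "attr_unquoted": audit(render_attr_unquoted(attr_payload))["event_handlers"],
        "attr_quoted": audit(render_attr_quoted(attr_payload))["event_handlers"],
    }

if __name__ == "__main__":
    print(demo())
```

JavaScript, URL and CSS contexts each need their own encoder; a template engine that auto-escapes per context is the practical way to get this right everywhere.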

Request forgery - exploits trust relationships and attempts to have users unwittingly execute commands against a remote server.
- Cross-Site Request Forgery (CSRF/XSRF): tricking a user.
- Server-Side Request Forgery (SSRF): tricking a server.
XSS vs. XSRF
- An XSS attack exploits the trust that a user has in a website, to execute code on the user's computer.
- An XSRF attack exploits the trust that a remote site has in the user's system, to execute commands on the user's behalf.
- Reasonable assumption: users are often logged into many different websites at the same time. Attackers then embed code in one website that sends a command to another website.

XSRF protection
- Secure tokens: the site includes an unpredictable token in each form or request and verifies that it is present and correct.
- Verify the referring URL: confirm the request originated from the site's own pages and was received from the end user only.
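Both XSRF protections from the note, as an added example (my code, not from the notes): a per-session anti-CSRF token checked in constant time, plus an Origin/Referer check against the site's own origin. The site origin, the session store and the shape of the request objects are assumptions made for the example; the requests are constructed.

```python
import hmac
import secrets
from urllib.parse import urlparse

# Added example: anti-CSRF token bound to the session + referring-origin check.

SITE_ORIGIN = "https://bank.example"   # assumed: the application's own origin

def new_session():
    """Issue a session id and an unpredictable CSRF token bound to that session.
    The token is placed in forms/headers; the session id travels in the cookie."""
    return {"id": secrets.token_urlsafe(16), "csrf": secrets.token_urlsafe(32)}

def csrf_ok(session, request):
    """Accept a state-changing request only if it carries the token bound to this
    session (compared in constant time) and its Origin, or Referer when Origin is
    absent, is our own site. A missing source header is rejected outright."""
    supplied = request.get("form", {}).get("csrf_token")
    if not supplied or not hmac.compare_digest(supplied, session["csrf"]):
        return False
    headers = request.get("headers", {})
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    p = urlparse(source)
    return "%s://%s" % (p.scheme, p.netloc) == SITE_ORIGIN

def demo():
    s = new_session()
    legit = {"headers": {"Origin": SITE_ORIGIN},
             "form": {"csrf_token": s["csrf"], "to": "bob", "amount": "10"}}
    # Forged by a page on evil.example: the browser attaches the victim's cookie
    # automatically, but the attacker cannot read the token out of our pages.
    forged = {"headers": {"Origin": "https://evil.example", "Cookie": "sid=" + s["id"]},
              "form": {"to": "attacker", "amount": "1000"}}
    # Attacker guesses a token and spoofs nothing else.
    forged_guess = {"headers": {"Origin": SITE_ORIGIN},
                    "form": {"csrf_token": "A" * 43, "to": "attacker", "amount": "1000"}}
    return {"legit": csrf_ok(s, legit),
            "forged": csrf_ok(s, forged),
            "forged_guess": csrf_ok(s, forged_guess)}

if __name__ == "__main__":
    print(demo())
```

The token check is the primary defence; the origin check is a cheap second layer, and rejecting requests that carry neither header is a deliberate strict policy for state-changing endpoints.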

SSRF - these attacks are possible when a web application accepts a URL from a user as input and then retrieves information from that URL.
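The SSRF check that belongs in front of any server-side fetch of a user-supplied URL, as an added example (my code, not from the notes): require https, allow-list the hostname, and confirm that every address the name resolves to is public, so neither a cloud metadata address nor an internal host can be reached. The resolver is injected so the example runs offline; the allow-list, the hostnames and the resolver answers are constructed.

```python
import ipaddress
from urllib.parse import urlparse

# Added example: allow-list + resolved-address check for outbound URL fetches.

ALLOWED_HOSTS = {"api.partner.example"}   # assumed allow-list of fetch targets

def is_public_ip(ip):
    a = ipaddress.ip_address(ip)
    return not (a.is_private or a.is_loopback or a.is_link_local
                or a.is_multicast or a.is_reserved or a.is_unspecified)

def validate_fetch_url(url, resolve):
    """Return (ok, reason). resolve(host) -> list of IP address strings."""
    p = urlparse(url)
    if p.scheme != "https":
        return False, "scheme not allowed"
    host = p.hostname          # drops userinfo and port: 'https://a@b/' -> 'b'
    if host is None or host.lower() not in ALLOWED_HOSTS:
        return False, "host not allowed"
    try:
        addrs = resolve(host)
    except OSError:
        return False, "unresolvable"
    if not addrs or not all(is_public_ip(a) for a in addrs):
        return False, "resolves to a non-public address"
    return True, "ok"

def demo():
    # Constructed resolver answers; 8.8.8.8 is simply a public address for the example.
    table = {"api.partner.example": ["8.8.8.8"]}
    def resolve(host):
        if host not in table:
            raise OSError("NXDOMAIN")
        return table[host]
    def rebinding_resolve(host):          # allowed name now answers with an internal address
        return ["10.0.0.5"]
    cases = {
        "good": "https://api.partner.example/v1/report",
        "metadata": "http://169.254.169.254/latest/meta-data/",
        "userinfo_trick": "https://api.partner.example@evil.example/",
        "localhost": "https://localhost:8080/admin",
    }
    out = {k: validate_fetch_url(u, resolve)[0] for k, u in cases.items()}
    out["rebound"] = validate_fetch_url(cases["good"], rebinding_resolve)[0]
    return out

if __name__ == "__main__":
    print(demo())
```

Resolving during validation and again when connecting is itself a check/use gap (DNS rebinding); connect to the address you validated, and apply the same checks to every redirect the fetch follows.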

Session hijacking - interception of communication and session takeover, assuming the identity of the authorised user.
- Techniques: making the attacker act as the server (man in the middle), replaying captured authentication data such as cookies, capturing data in transit.
- Remediate using anti-replay techniques (e.g. unique per-session tokens) and cookie expiry within a reasonable time.
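The two remediations above combined, as an added example (my code, not from the notes): an HMAC-signed session cookie that carries its own expiry and a per-session id, and a validator that rejects tampered, expired and revoked cookies, so a captured cookie can be replayed only inside a short window and not at all after logout. The server key, the revocation set and the clock values are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Added example: signed, expiring, revocable session cookie.

KEY = secrets.token_bytes(32)     # assumed: server-side secret, never sent to the client
REVOKED = set()                   # assumed: server-side store of logged-out session ids

def _b64(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def _unb64(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_cookie(user, now, ttl=900):
    """body.signature, where body is base64(JSON) and the signature is HMAC-SHA256."""
    payload = {"sub": user, "sid": secrets.token_hex(8), "exp": int(now) + ttl}
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    sig = _b64(hmac.new(KEY, body.encode(), hashlib.sha256).digest())
    return body + "." + sig

def validate_cookie(cookie, now):
    """Return the payload if signature valid, not expired, not revoked; else None."""
    try:
        body, sig = cookie.split(".", 1)
    except ValueError:
        return None
    expected = _b64(hmac.new(KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None                       # tampered or forged
    payload = json.loads(_unb64(body))
    if now >= payload["exp"]:
        return None                       # expired: bounds the replay window
    if payload["sid"] in REVOKED:
        return None                       # logged out: replay of a captured cookie fails
    return payload

def logout(cookie, now):
    p = validate_cookie(cookie, now)
    if p:
        REVOKED.add(p["sid"])

def demo():
    t0 = 1_700_000_000                    # constructed clock
    c = issue_cookie("alice", t0)
    r = {"fresh": validate_cookie(c, t0 + 60) is not None,
         "expired": validate_cookie(c, t0 + 901) is not None}
    _body, sig = c.split(".")
    forged_body = _b64(json.dumps({"sub": "admin", "sid": "x", "exp": t0 + 10**6}).encode())
    r["tampered"] = validate_cookie(forged_body + "." + sig, t0) is not None
    logout(c, t0 + 100)                   # user logs out; attacker replays the captured cookie
    r["replay_after_logout"] = validate_cookie(c, t0 + 200) is not None
    return r

if __name__ == "__main__":
    print(demo())
```

Expiry and revocation limit what a stolen cookie is worth; sending it only over TLS with the Secure and HttpOnly flags limits how it gets stolen in the first place.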

Application Security Controls

Input validation
- Input whitelisting / allow list: accept only input that matches the expected pattern.
- Should occur at the server side. Client-side validation is useful only for providing users with feedback on their input.
- Input blacklisting: restrictions on HTML tags, SQL commands and metacharacters.

Parameter pollution - depends on defects in web platforms that don't handle multiple copies of the same parameter properly.
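The two controls above side by side, as an added example (my code, not from the notes): an allow-list validator versus a block list, showing the payloads a block list lets through, and strict query-string parsing that refuses duplicated parameters, showing how "first copy wins" and "last copy wins" parsers disagree about the same polluted request. The username policy and the inputs are constructed.

```python
import re
from urllib.parse import parse_qsl

# Added example: allow list vs block list, and duplicate-parameter handling.

USERNAME_RE = re.compile(r"\A[a-z][a-z0-9_]{2,31}\Z")   # assumed username policy

def allow_list_username(value):
    """Accept only what the policy describes; everything else is rejected."""
    return bool(USERNAME_RE.match(value))

BLOCKED = ("<script", "select ", "union ")              # a typical, incomplete block list

def block_list_check(value):
    """Reject only strings containing a known-bad fragment."""
    v = value.lower()
    return not any(b in v for b in BLOCKED)

def first_wins(qs):
    """How one component (say, a front-end filter) might read a query string."""
    out = {}
    for k, v in parse_qsl(qs, keep_blank_values=True):
        out.setdefault(k, v)
    return out

def last_wins(qs):
    """How another component (say, the application framework) might read it."""
    return dict(parse_qsl(qs, keep_blank_values=True))

def parse_query_strict(qs):
    """Refuse any parameter that appears more than once, so no two components
    can disagree about which copy counts."""
    seen = {}
    for k, v in parse_qsl(qs, keep_blank_values=True):
        if k in seen:
            raise ValueError("duplicate parameter: %s" % k)
        seen[k] = v
    return seen

def demo():
    polluted = "amount=10&amount=1000000&to=bob"        # constructed request
    r = {"first_wins_amount": first_wins(polluted)["amount"],   # what the filter approved
         "last_wins_amount": last_wins(polluted)["amount"]}     # what the app executes
    try:
        parse_query_strict(polluted)
        r["strict_rejects"] = False
    except ValueError:
        r["strict_rejects"] = True
    xss = "<img src=x onerror=alert(1)>"
    sqli = "' oR 1=1 --"
    r["allow_ok"] = allow_list_username("alice_01")
    r["allow_rejects_xss"] = allow_list_username(xss)
    r["block_passes_xss"] = block_list_check(xss)       # no "<script": slips through
    r["block_passes_sqli"] = block_list_check(sqli)     # no listed keyword: slips through
    return r

if __name__ == "__main__":
    print(demo())
```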
Web Application Firewalls (WAF) - work at the application layer of the OSI model and perform input validation: whitelisting / blacklisting of request content.
Database Security

Parameterised queries - the developer prepares a SQL statement and then allows user input to be passed into that statement as carefully defined variables that do not allow the insertion of code. Protects applications against injection attacks.

Stored procedures - here the SQL code is not contained within the application but is stored on the database server. The client does not send SQL code directly to the database server; it sends the arguments, which the server inserts into a pre-compiled query template. Protects against injection attacks and improves database performance as well.
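One block serving both the injection passage earlier (code injection, SQL injection, blind content-based injection) and the parameterised-query passage above, as an added example (my code, not from the notes): a login query built by string formatting, a boolean-based blind extraction of a password through it one character at a time, and the parameterised version of the same query that makes both the bypass and the extraction fail. The users table is constructed in an in-memory SQLite database.

```python
import sqlite3

# Added example: string-built SQL vs parameterised SQL, with a blind probe.

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "s3cret!"), ("bob", "hunter2")])   # constructed rows
    return db

def login_vulnerable(db, name, password):
    """Developer-written SQL with user input spliced into the statement text."""
    sql = ("SELECT COUNT(*) FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    return db.execute(sql).fetchone()[0] > 0

def login_safe(db, name, password):
    """Parameterised query: the statement is fixed first and the values are bound
    as data, so they can never change the statement's structure."""
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return db.execute(sql, (name, password)).fetchone()[0] > 0

def blind_extract_password(login, db, user, max_len=16):
    """Blind content-based injection: the only signal is login True/False, so each
    probe asks one yes/no question about one character of the stored password."""
    charset = "abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*"
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in charset:
            probe = "%s' AND substr(password,%d,1)='%s' -- " % (user, pos, ch)
            if login(db, probe, "ignored"):       # '--' comments out the password clause
                recovered += ch
                break
        else:
            break                                  # no character matched: end of string
    return recovered

def demo():
    db = make_db()
    bypass = "x' OR '1'='1"
    return {
        "bypass_vulnerable": login_vulnerable(db, "alice", bypass),
        "bypass_safe": login_safe(db, "alice", bypass),
        "blind_vulnerable": blind_extract_password(login_vulnerable, db, "alice"),
        "blind_safe": blind_extract_password(login_safe, db, "alice"),
        "legit_safe": login_safe(db, "alice", "s3cret!"),
    }

if __name__ == "__main__":
    print(demo())
```

A stored procedure gives the same protection only as long as its body does not itself build dynamic SQL from its arguments; the property that matters is that user data is bound, never concatenated.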

Obfuscation and camouflage
- Data minimisation: collect only the data needed.
- Tokenisation: replaces PII with a unique identifier.
- Hashing: replaces sensitive information with a salted hash.

Code Security

Code signing - digitally signing the code as proof of the code's authorship, legitimacy and integrity.
Code reuse - SDKs.
Software diversity - avoid a single point of failure by not depending on one implementation everywhere.
Code repositories - centralised location for storage and management of source code; provide version control, promote code reuse and help avoid the problem of dead code.
Integrity measurement - using a cryptographic hash to verify a code release.

Application Resilience

Scalability - capability of incremental addition of resources.
- Vertical scaling: scaling up.
- Horizontal scaling: scaling out.
Elasticity - automatic provisioning and deprovisioning of resources; a common feature of cloud platforms.

Secure Coding Practices

Source code comments - remove comments from production web apps, since their source is delivered to the browser. Compiled executables drop comments automatically. Keep the commented version of the software stored securely in the repository.
Error handling - error information shown to the user should be the minimum necessary for the user to understand the problem.
Hard-coded credentials - take care not to store credentials in the code; inclusion of service access credentials in the code can function as a backdoor.

Memory Management

Resource exhaustion - uncontrolled or unchecked use of computing resources by apps.
Memory leak - the app fails to return memory to the system, perhaps by losing track of objects it has written.
Pointer dereferencing - a null pointer exception can provide an attacker with access to debugging information that may be used for reconnaissance of the application's security, and may allow an attacker to bypass security controls.