Security+ Guide to Network

Security Fundamentals,
Fifth Edition
Chapter 3
Application and Networking-Based
Attacks

Objectives
List and explain the different types of server-side
web application attacks
Define client-side attacks
Explain how overflow attacks works
List different types of networking-based attacks

Security+ Guide to Network Security Fundamentals, Fifth Edition

Conceptual Networked System

Network used to connect different clients and
servers together
Clients and servers run an operating system
Operating system controls applications
Applications manipulate data
Each represents an attack vector to exploit
Attacks on the applications in a networked
computer system can be directed toward the
server, the client, or both
Security+ Guide to Network Security Fundamentals, Fifth Edition

Conceptual Networked Computer

System (Figure 3-1)

Security+ Guide to Network Security Fundamentals, Fifth Edition

Server-Side Web Application Attacks

Content provided for users who are surfing the
Web is generated by a software application
running on a server
In providing web services to clients, web servers
also expose those same services to attackers
Important characteristic of server-side web
applications to create dynamic content based on
inputs from user

Security+ Guide to Network Security Fundamentals, Fifth Edition

Server-Side Web Application Process

Clients web browser makes a request using the
Hypertext Transport Protocol (HTTP) to a web server
Server may be connected to one or more web
application servers
Application servers run the specific web apps,
which in turn are directly connected to databases on
internal network
Information from databases retrieved and returned to
web server so dynamic information can be sent back
to the users web browser
Security+ Guide to Network Security Fundamentals, Fifth Edition

Server-Side Web Application

Infrastructure (Figure 3-2)

Security+ Guide to Network Security Fundamentals, Fifth Edition

Securing Web Applications

Securing server-side web applications often
considered more difficult than protecting other
systems
Traditional network security devices cannot always
block web application attacks because many
traditional network security devices ignore the
content of HTTP traffic, which is the vehicle of web
application attacks

Security+ Guide to Network Security Fundamentals, Fifth Edition

Zero Day Attacks

Many web application attacks (as well as other
application attacks) exploit previously unknown
vulnerabilities
Zero day attacks - Exploit previously unknown
vulnerabilities so victims have no time to prepare or
defend

Security+ Guide to Network Security Fundamentals, Fifth Edition

Common Application Attacks

Many server-side web application attacks target the
input that the applications accept from users
Common web application attacks:

Cross-site scripting
SQL injection
XML injection
Command injection/directory traversal

Security+ Guide to Network Security Fundamentals, Fifth Edition

10

Cross-Site Scripting
Not all attacks on websites are designed to steal
content or deface it
Some attacks use web server as a platform to
launch attacks on other computers that access it
Cross-site scripting (XSS) - Injects scripts into
web application server to direct attacks at
unsuspecting clients
Many web applications are designed to customize
content for user by taking what user enters and
then displaying that input back to user
Security+ Guide to Network Security Fundamentals, Fifth Edition

11

Customized Responses (Table 3-1)

Security+ Guide to Network Security Fundamentals, Fifth Edition

12

Cross-Site Scripting Platform

Cross-site scripting attacks occur when attacker
takes advantage of web applications that accept
user input without validation and then present back
to user
For example:
Input that the user enters for Name is not verified
Instead is automatically added to a code segment
that becomes part of an automated response
An attacker can use this vulnerability in XSS attack
by tricking valid website into feeding malicious script
to another users web browser to execute
Security+ Guide to Network Security Fundamentals, Fifth Edition

13

Bookmark Page That Accepts User

Input (Figure 3-3)

Security+ Guide to Network Security Fundamentals, Fifth Edition

14

Input Used In Response (Figure 3-4)

Security+ Guide to Network Security Fundamentals, Fifth Edition

15

SQL Injection
SQL (Structured Query Language) - Used to
manipulate data stored in relational database
SQL Injection - Targets SQL servers by
introducing malicious commands

Security+ Guide to Network Security Fundamentals, Fifth Edition

16

Forgotten Password Example

Forgotten password example:
Attacker enters incorrectly formatted e-mail address
Response lets attacker know whether input is being
validated
Attacker enters email field in SQL statement
Statement processed by the database
Example statement:
SELECT fieldlist FROM table WHERE field
= whatever or a=a
Result is all user email addresses will be displayed
Security+ Guide to Network Security Fundamentals, Fifth Edition

17

SQL Injection Statements (Table 3-2)

Security+ Guide to Network Security Fundamentals, Fifth Edition

18

XML (Extensible Markup Language)

Markup language - Method for adding annotations
to text
Example is HTML:
Uses tags surrounded by brackets
Instructs browser to display text in specific format

XML (Extensible Markup Language):

Carries data instead of indicating how to display it
No predefined set of tags
Users define their own tags
Security+ Guide to Network Security Fundamentals, Fifth Edition

19

XML Attack
XML Attack - Similar to SQL injection attack
Attacker discovers Web site that does not filter user
data
Injects XML tags and data into the database
Xpath injection:
Specific type of XML injection attack
Attempts to exploit XML Path Language queries

Security+ Guide to Network Security Fundamentals, Fifth Edition

20

Directory Traversal/Command
Injection
Web server users typically restricted to root
directory
Users may be able to access subdirectories but not
parallel or higher level directories
Helps to protect sensitive files
Directory traversal - Uses malformed input or
takes advantage of vulnerability to move from root
directory to restricted directories
Command injection - Attacker enters commands
to execute on server or view confidential files
Security+ Guide to Network Security Fundamentals, Fifth Edition

21

Directory Traversal Attack (Figure 3-6)

Security+ Guide to Network Security Fundamentals, Fifth Edition

22

Client-Side Application Attacks

Web application attacks are server-side attacks
Client-side attacks target vulnerabilities in client
applications:
Interacting with a compromised server
Client initiates connection with server, which could
result in an attack

Security+ Guide to Network Security Fundamentals, Fifth Edition

23

Drive-By Download
Drive-by download:
Client computer compromised simply by viewing a
Web page
Attackers inject content into vulnerable Web server
to gain access to servers operating system
Attackers craft a zero pixel frame to avoid visual
detection
Embed an HTML document inside main document
Clients browser downloads malicious script
Instructs computer to download malware
Security+ Guide to Network Security Fundamentals, Fifth Edition

24

HTTP Header
HTTP header consists of fields that characterize
data being transmitted
Header fields are comprised of:
Field name
Colon
Field value

Example Content-length: 49.

HTTP header field names and values may be any
application-specific strings, but core set
standardized by Internet Engineering Task Force
Security+ Guide to Network Security Fundamentals, Fifth Edition

25

HTTP Header Fields (Table 3-3)

Security+ Guide to Network Security Fundamentals, Fifth Edition

26

Header Manipulation
HTTP header manipulation - Attack modifies
HTTP headers
HTTP header manipulation is not actual attack but
rather vehicle through which other attacks like
(XSS) can be launched.
HTTP header manipulation allows an attacker to
pass malicious instructions from own malicious
website or through an infected site to the web
browser via HTTP headers

Security+ Guide to Network Security Fundamentals, Fifth Edition

27

HTTP Header Attacks

Examples of HTTP header attacks:
Referer - Can bypass security by modifying Referer
field to hide fact came from another site
Accept-Language Because some web applications
pass contents of field directly to database attacker
can inject SQL command by modifying header
Response splitting - Inserting a CRLF in an HTTP
header can give attackers control of the remaining
HTTP headers and body of the response

Security+ Guide to Network Security Fundamentals, Fifth Edition

28

Cookies
Cookies - Store user-specific information on users
local computer
Web sites use cookies to identify repeat visitors
Examples of information:
Travel Web sites may store users travel itinerary
Personal information provided when visiting a site

Only Web site that created a cookie can read it

Security+ Guide to Network Security Fundamentals, Fifth Edition

29

Types of Cookies
First-party cookie - Cookie created by Web site
user currently visiting
Third-party cookie - Site advertisers (third parties)
place cookie to record user preferences
Session cookie - Stored in RAM and expires when
browser is closed
Persistent cookie - Recorded on computers hard
drive and does not expire when browser closes

Security+ Guide to Network Security Fundamentals, Fifth Edition

30

Locally Shared Object (LSO)

Locally shared object (LSO) or Flash cookie named after the Adobe Flash player
Different from regular cookies:
Store data more complex
Store up to 100 KB of data from a website (25 times
data as regular cookie)
Cannot be deleted through browser's normal
configuration settings
Saved in multiple locations on hard drive
Can be used to reinstate regular cookies that user
deleted or blocked
Security+ Guide to Network Security Fundamentals, Fifth Edition

31

Risks of Cookies
Cookies have security and privacy risks
First-party cookies can be stolen and used to
impersonate the user
Third-party cookies can be used to track the
browsing or buying habits of a user
When multiple websites are serviced by a single
marketing organization, cookies can be used to
track browsing habits on all clients site

Security+ Guide to Network Security Fundamentals, Fifth Edition

32

Attachments
Attachments - Files that are coupled to email
messages
Malicious attachments commonly used to spread
viruses, Trojans, and other malware when opened
Most users routinely open any email attachment
received even if from an unknown sender
Attackers often include information in the subject
line that entices even reluctant users to open the
attachment, such as a current event

Security+ Guide to Network Security Fundamentals, Fifth Edition

33

Session Token
User accessing secure web application needs be
verified to prevent an imposter from jumping in to
interaction
Session token - Verification through which random
string assigned to interaction between user and web
application currently being accessed (session)
Web application server assigns a unique session
token
Each subsequent request from users web browser to
web application contains session token verifying user
identity
Security+ Guide to Network Security Fundamentals, Fifth Edition

34

Session Hijacking
Session hijacking - Attacker attempts to
impersonate the user by using er session token
Attacker can attempt to obtain session token:
Use XSS or other attacks to steal the session token
cookie from the victims computer
Eavesdropping on the transmission
Guessing the session token (successful if generation
of session tokens not truly random)

Security+ Guide to Network Security Fundamentals, Fifth Edition

35

Session Hijacking Attack (Figure 3-7)

Security+ Guide to Network Security Fundamentals, Fifth Edition

36

Plug-Ins and Add-Ons

Tools be added to enhance users interaction with
website through web browser
Plug-in - Third-party library (Java, Adobe Flash
player, Apple QuickTime, Adobe Acrobat Reader)
that attaches to web browser and can be embedded
inside a webpage (but affects only specific page)
Add-ons or extensions - Tools that add functionality
to the web browser itself

Security+ Guide to Network Security Fundamentals, Fifth Edition

37

Malicious Add-Ons
Attackers can create malicious add-ons to launch
attacks against users computer
ActiveX - Set of rules for how applications under the
Microsoft Windows operating system should share
information
ActiveX controls (add-ons) - Specific way of
implementing ActiveX and are sometimes called
ActiveX applications
ActiveX controls can be invoked from webpages
through the use of a scripting language or directly by
HTML command
Security+ Guide to Network Security Fundamentals, Fifth Edition

38

Impartial Overflow Attacks

Impartial attacks can target either server or client
Many these attacks designed to overflow areas of
memory with instructions from the attacker
Types of attacks:
Buffer overflow attacks
Integer overflow attacks
Arbitrary/remote code execution attacks.

Security+ Guide to Network Security Fundamentals, Fifth Edition

39

Buffer Overflow Attack

Buffer overflow attack - Process attempts to store
data in RAM beyond boundaries of fixed-length
storage buffer
Data overflows into adjacent memory locations
Attacker can change return address of memory
location of code and redirect to memory address
containing malware code

Security+ Guide to Network Security Fundamentals, Fifth Edition

40

Buffer Overflow Attack (Figure 3-8)

Security+ Guide to Network Security Fundamentals, Fifth Edition

41

Integer Overflow
Integer overflow - Condition occurs when result of
arithmetic operation (addition or multiplication)
exceeds the maximum size of the integer type used
to store it
When overflow occurs, the interpreted value then
wraps around from maximum value to minimum
value

Security+ Guide to Network Security Fundamentals, Fifth Edition

42

Integer Overflow Attack

Example:
8-bit signed integer has a maximum value of 127 and
a minimum value of 128
If the value 127 is stored in a variable and 1 is added
to it, the sum exceeds the maximum value for this
integer type
Wraps around to become 128.

Integer overflow attack - Attacker changes value

of variable to something outside the range
programmer had intended by using an integer
overflow
Security+ Guide to Network Security Fundamentals, Fifth Edition

43

Arbitrary/Remote Code Execution

Heap spray - Targeted to insert data only in certain
parts of memory
Arbitrary/remote code execution - Allows
attacker to run programs and execute commands
on different computer
Once under the attackers control, computer can
perform virtually any command from the attacker
Arbitrary/remote code execution attacks often take
advantage of malicious attachments like Microsoft
Visio file or PDF file
Security+ Guide to Network Security Fundamentals, Fifth Edition

44

Network Attacks
Attackers place high priority on targeting networks
Exploiting single vulnerability may expose
hundreds or thousands of devices to an attacker
Types of attacks that target a network or network
process:

Denial of service
Interception
Poisoning
Attacks on access rights

Security+ Guide to Network Security Fundamentals, Fifth Edition

45

Denial of Service (DoS)

Denial of service (DoS) - Attempts to prevent
system from performing normal functions
Distributed denial of service (DDoS) - Uses
thousands zombie computers in botnet
Ping flood attack - Ping utility used to send large
number of echo request messages and overwhelms
server
Smurf attack - Ping request with originating address
changed (spoofing) and appears as if target
computer is asking for response from all computers
on the network
Security+ Guide to Network Security Fundamentals, Fifth Edition

46

SYN Flood Attack

SYN flood attack - Takes advantage of procedures
for establishing connection
Attacker sends SYN segments in IP packets to server
but modifies source address of each packet to
computer addresses that do not exist or cannot be
reached
Server continues to wait for a response (which is not
coming) while receiving more false requests and
keeping more lines open for responses
Server ultimately runs out of resources and can no
longer respond to legitimate requests
Security+ Guide to Network Security Fundamentals, Fifth Edition

47

SYN Flood Attack (Figure 3-9)

Security+ Guide to Network Security Fundamentals, Fifth Edition

48

Interception
Man-in-the-middle - Interception of legitimate
communication
Forging a fictitious response to the sender
Passive attack records transmitted data, active
attack alters contents of transmission before sending
to recipient
Replay - Similar to passive man-in-the-middle attack
Replay makes a copy of the transmission before
sending it to the recipient for use at a later time (the
man-in-the-middle replays it)
Security+ Guide to Network Security Fundamentals, Fifth Edition

49

ARP Poisoning
ARP poisoning
Attacker modifies MAC address in ARP cache to
point to different computer

Table 3-4 ARP poisoning attack

Security+ Guide to Network Security Fundamentals, Fifth Edition

50

Attacks From ARP Poisoning (Table 35)

Table 3-5 Attacks from ARP poisoning

Security+ Guide to Network Security Fundamentals, Fifth Edition

51

DNS Poisoning
Domain Name System - Current basis for name
resolution to IP address
DNS poisoning - Substitutes DNS addresses to
redirect computer to another device
DNS poisoning
Two locations for DNS poisoning:
Local host table
External DNS server

Security+ Guide to Network Security Fundamentals, Fifth Edition

52

Sample HOSTS file (Figure 3-11)

Security+ Guide to Network Security Fundamentals, Fifth Edition

53

DNS Poisoning (Figure 3-12)

Security+ Guide to Network Security Fundamentals, Fifth Edition

54

Attacks on Access Rights

Privilege escalation - Exploiting software
vulnerability to gain access to restricted data
Two types of privilege escalation:
Vertical privilege escalation exist - User with lower
privilege uses privilege escalation to grant self
access functions reserved for higher-privilege users
Horizontal privilege escalation - User with restricted
privileges accesses the different restricted functions
of a similar user

Security+ Guide to Network Security Fundamentals, Fifth Edition

55

Transitive Trust
Transitive - Relation with a property so that if a
relation exists been A and B, and there is also a
relation between B and C, then there is a relation
between A and C
Transitive trust - If Alice trusts Bob, and Bob trusts
Carol, then Alice trusts Carol

Security+ Guide to Network Security Fundamentals, Fifth Edition

56

Transitive Access
Transitive trust can result in transitive access:
System 1 can access System 2, and because
System 2 can access System 3, then System 1 can
access System 3
Intention may not be for System 1 to access
System 3, but instead for System 1 to be restricted
to accessing only System 2
Inadvertent and unauthorized access can result in
serious security risks

Security+ Guide to Network Security Fundamentals, Fifth Edition

57

Security+ Guide to Network

Security Fundamentals,
Fifth Edition
Chapter 3
Application and Networking-Based
Attacks