This blog post summarizes the
attacks described in OWASP and is a continuation of the security series of blog
posts.
OWASP Top 10
Application Security Risks - 2010
Attacks
Attacks are the
techniques that attackers use to exploit the vulnerabilities in
applications. Anatomy of an Attack
- Survey and assess
- Exploit and penetrate
- Escalate privileges
- Maintain access
- Deny service
Threats
Top network level threats include:
- Information gathering
- Sniffing
- Spoofing
- Session hijacking
- Denial of service
Top host level threats include:
- Viruses, Trojan horses, and worms
- Footprinting ( ping sweep,
NETBIOS enumeration).
- Profiling
- Password cracking
- Denial of service
- Arbitrary code execution
- Unauthorized access
For details on categorizing threats,
please refer Appendix A in the blog post on "<TODO>Information
security, threats, risks"
The below is a
summary of the known attacks in their respective categories:
Abuse of
Functionality
Account
lockout attack
Attacker attempts
to lock out all user accounts, typically by failing login more times than the
threshold defined by the authentication system
Cache
Poisoning
This attack is
rather difficult to carry out in a real environment. The list of conditions is long and hard to accomplish by the
attacker. However it's easier to use this technique than Cross-User Defacement.
To successfully carry out such an attack, an
attacker:
- Finds the vulnerable service
code, which allows them to fill the HTTP header field with many headers.
- Forces the cache server to
flush its actual cache content, which we want to be cached by the servers.
- Sends a specially crafted
request, which will be stored in cache.
- Sends the next request. The
previously injected content stored in cache will be the response to this
request.
A Cache Poisoning attack is possible
because of HTTP Response
Splitting and flaws in the web application. It is crucial from
the attacker's point of view that the application allows for filling the header
field with more than one header using CR (Carriage Return) and LF (Line Feed)
characters.
Cross-User Defacement
This attack is rather difficult to
carry out in the real environment. An attacker can make a single request
to a vulnerable server that will cause the sever to create two responses, the
second of which may be misinterpreted as a response to a different request,
possibly one made by another user sharing the same TCP connection with the
sever.
Mobile code:
invoking untrusted mobile code
By intercepting client traffic
using the man-in-the-middle technique,
a malicious user could modify the original mobile code with arbitrary
operations that will be executed on the client’s machine under his credentials.
To solve this issue, it’s necessary
to use some type of integrity mechanism to assure that the mobile code has not
been modified.
Mobile code:
non-final public field
This attack aims to manipulate non-final public variables
used in mobile code, by injecting malicious values on it, mostly in Java and
C++ applications.
When a public member variable or class used in mobile code
isn’t declared as final, its values can be maliciously manipulated by any
function that has access to it in order to extend the application code or
acquire critical information about the application.
Mobile code: object
hijack
This attack consists of a technique to create objects
without constructors’ methods by taking advantage of the clone() method of
Java-based applications.
If a certain class implements cloneable() method declared as
public, but doesn’t has a public constructor method nor is declared as final,
it is possible to extend it into a new class and create objects using the
clone() method.
Data Structure
Attacks
Buffer overflow
attack
Buffer overflow errors are characterized by the overwriting
of memory fragments of the process, which should have never been modified
intentionally or unintentionally. Overwriting values of the IP (Instruction
Pointer), BP (Base Pointer) and other registers causes exceptions, segmentation
faults, and other errors to occur. Usually these errors end execution of the
application in an unexpected way. Buffer overflow errors occur when we operate
on buffers of char type.
Buffer Overflow via
Environment Variables
Same as above except used with Env vars.
Overflow Binary
Resource File
The source of a buffer overflow may be input data. When it
comes from the Overflow Binary Resource File, the attacker has to
modify/prepare the binary file in such a way that the application, after
reading this file, has become prone to a classic Buffer overflow
attack. The only difference between this attack and the classic one
is the source of the input data. Common examples are specially crafted MP3,
JPEG or ANI files, which cause buffer overflows.
Embedded Malicious
Code
Cross-Site Request
Forgery (CSRF) or One-Click
Attack or XSRF
CSRF is an attack which forces an end user
to execute unwanted actions on a web application in which he/she is currently
authenticated. With a little help of social engineering (like sending a link
via email/chat), an attacker may force the users of a web application to
execute actions of the attacker's choosing. A successful CSRF exploit can
compromise end user data and operation in case of normal user. If the targeted
end user is the administrator account, this can compromise the entire web
application.
Sometimes, it is possible to store the CSRF
attack on the vulnerable site itself. Such vulnerabilities are called Stored
CSRF flaws. This can be accomplished by simply storing an IMG or IFRAME tag in
a field that accepts HTML, or by a more complex cross-site scripting attack. If
the attack can store a CSRF attack in the site, the severity of the attack is
amplified.
These are also known by a number of other
names, including XSRF, "Sea Surf", Session Riding, Cross-Site
Reference Forgery, Hostile Linking. Microsoft refers to this type of attack as
a One-Click attack
Logic/time bomb
This is a threat agent.
Replicating (virus)
Trojan Horse
A Trojan Horse is a program that
uses malicious code masqueraded as a trusted application. The malicious code
can be injected on benign applications, masqueraded in e-mail links, or
sometimes hidden in JavaScript pages to make furtive attacks against vulnerable
internet Browsers.
Other details can be found in Man-in-the-browser
attack.
The 7 Main Types of Trojan Horse
1.
Remote Access
Trojan (RAT)
2.
Data Sending
Trojan
3.
Destructive Trojan
4.
Proxy Trojan
5.
FTP Trojan
6.
Security
software disabler Trojan
7.
Denial-of-Service
attack Trojan
Exploitation of
Authentication
Session fixation
Session Fixation is an attack that
exploits a vulnerability in web applications that don't generate a new
sessionid after login and use an existent session id.
The attack consists of inducing a
user to authenticate himself with a known session ID, and then hijacking the
user-validated session by the knowledge of the used session ID. The attacker
has to provide a legitimate Web application session ID and try to make the
victim's browser use it.
The session fixation attack is a
class of Session Hijacking,
which steals the established session between the client and the Web Server
after the user logs in. Instead, the Session Fixation attack fixes an
established session on the victim's browser, so the attack starts
before the user logs in.
There are several techniques to
execute the attack; it depends on how the Web application deals with session
tokens. Below are some of the most common techniques:
• Session token in the URL argument: The Session ID is sent to the victim in a hyperlink.
• Session token in a hidden form
field: In this method, the victim
must be tricked to authenticate in the target Web Server, using a login form
developed for the attacker. The form could be hosted in the evil web server or
directly in html formatted e-mail.
• Session ID in a cookie:
o Client-side script
Most browsers support the execution
of client-side scripting. In this case, the aggressor could use attacks of code
injection as the XSS (Cross-site
scripting) attack to insert a malicious code in the hyperlink sent to the
victim and fix a Session ID in its cookie. Using the function document.cookie,
the browser which executes the command becomes capable of fixing values inside
of the cookie that it will use to keep a session between the client and the Web
Application.
o <META> tag
<META> tag also is considered
a code injection attack, however, different from the XSS attack where
undesirable scripts can be disabled, or the execution can be denied. The attack
using this method becomes much more efficient because it's impossible to
disable the processing of these tags in the browsers.
o HTTP header response
This method explores the server
response to fix the Session ID in the victim's browser. Including the parameter
Set-Cookie in the HTTP header response, the attacker is able to insert the
value of Session ID in the cookie and sends it to the victim's browser.
Session hijacking
attack
This attack compromises the session
token by stealing or predicting a valid session token to gain unauthorized
access to the Web Server.
The session token could be
compromised in different ways; the most common are:
§ Predictable session token;
§ Session Sniffing;
§ Client-side attacks (XSS, malicious JavaScript Codes,
Trojans, etc);
Session Prediction
The session prediction attack focuses on
predicting session ID values that permit an attacker to bypass the
authentication schema of an application. By analyzing and understanding the
session ID generation process, an attacker can predict a valid session ID value
and get access to the application.
Injection
Argument Injection
or Modification
type of Injection
attack. Modifying or injecting data as an argument may lead to very similar,
often the same, results as in other injection attacks. It makes no difference
if the attacker wants to inject the system command into arguments or into any
other part of the code.
Blind SQL Injection
Blind
SQL injection is identical to normal SQL
Injection except that when an
attacker attempts to exploit an application, rather then getting a useful error
message, they get a generic page specified by the developer instead. This makes
exploiting a potential SQL Injection attack more difficult but not impossible.
Blind XPath
Injection
The attacker
may be successful using two methods: Boolenization and XML Crawling. By adding
to the XPath syntax, the attacker uses additional expressions (replacing what
the attacker entered in the place of login to the specially crafted
expression).
· Boolenization
Using the "Boolenization" method the attacker may find
out if the given XPath expression is True or False. Let's assume that the aim
of the attacker is to log in to the account.
·
XML
Crawling
To
get to know the XML document structure the attacker may use:
o
count(expression)
o
stringlength(string)
o
substring(string,
number, number)
Code Injection
Code
Injection is the general name for a lot of types of attacks which depend on
inserting code, which is interpreted by the application. Such an
attack may be be performed by adding strings of characters into a cookie or
argument values in the URI. This attack makes use of lack of accurate
input/output data validation, for example:
- If a site uses the include() function,
which operates on variables sent with the GET method, and there is no
validation performed on them, then the attacker may try to execute
different code other than the author of the code had in mind.
- When a programmer uses the eval()
function and operates on the data inside it, and these data may be altered
by the attacker, then it's only one step closer to Code Injection.
Command Injection
The
purpose of the command injection attack is to inject and execute commands
specified by the attacker in the vulnerable application. There is a
variant of the Code Injection attack.
An OS command injection attack occurs when an attacker attempts to
execute system level commands through a vulnerable application. Applications
are considered vulnerable to the OS command injection attack if they utilize
user input in a system level command.
Comment Injection
Attack
Comments
injected into an application through input can be used to compromise a system.
As data is parsed, an injected/malformed comment may cause the process to take
unexpected actions that result in an attack.
- sql comments which serve like sql
injection attacks
- html comments which could comment the
rest of html output.
Cross-site
Scripting (XSS)
Cross-Site
Scripting attacks are a type of injection problem, in which malicious scripts
are injected into the otherwise benign and trusted web sites.
Cross-Site Scripting
(XSS) attacks occur when:
1.
Data enters a Web
application through an untrusted source, most frequently a web request.
1.
The data is included in
dynamic content that is sent to a web user without being validated for
malicious code.
The malicious content
sent to the web browser often takes the form of a segment of JavaScript, but
may also include HTML, Flash or any other type of code that the browser may
execute. The variety of attacks based on XSS is almost limitless, but they
commonly include transmitting private data like cookies or other session
information to the attacker, redirecting the victim to web content controlled
by the attacker, or performing other malicious operations on the user's machine
under the guise of the vulnerable site.
Stored attacks are those where the injected code is permanently stored on
the target servers, such as in a database, in a message forum, visitor log,
comment field, etc. The victim then retrieves the malicious script from the
server when it requests the stored information.
Reflected attacks are those where the injected code is reflected
off the web server, such as in an error message, search result, or any other
response that includes some or all of the input sent to the server as part of
the request. Reflected attacks are delivered to victims via another route, such
as in an e-mail message, or on some other web server. When a user is tricked
into clicking on a malicious link or submitting a specially crafted form, the
injected code travels to the vulnerable web server, which reflects the attack
back to the user’s browser. The browser then executes the code because it came
from a "trusted" server.
DOM
based XSS attacks involve using
the client side JavaScript to process the untrusted user input.
The most severe XSS attacks involve disclosure
of the user’s session cookie, allowing an attacker to hijack the user’s session
and take over the account. Other damaging attacks include the disclosure of end
user files, installation of Trojan horse programs, redirect the user to some
other page or site, or modify presentation of content. An XSS vulnerability
allowing an attacker to modify a press release or news item could affect a
company’s stock price or lessen consumer confidence.
A good practice to follow is to review the code
and search for all places where input from an HTTP request could possibly make
its way into the HTML output.
Nessus, Nikto, and some other available tools can help scan a
website for these flaws
Custom Special
Character Injection
The
software does not properly filter or quote special characters or reserved words
that are used in a custom or proprietary language or representation that is
used by the product. That allows attackers to modify the syntax, content, or
commands before they are processed by the end system.
Direct Dynamic Code
Evaluation ('Eval Injection')
This attack consists of
a script that does not properly validate user inputs in the page parameter. A
remote user can supply a specially crafted URL to pass arbitrary code to an
eval() statement, which results in code execution.
Note 1: This attack will
execute the code with the same permission like the target web service,
including operation system commands.
Note 2: Eval injection
is prevalent in handler/dispatch procedures that might want to invoke a large
number of functions, or set a large number of variables.
Similar to the above XSS
and other injections.
Direct Static Code
Injection
This attack consists of
a script that does not properly validate user inputs in the page parameter. A
remote user can supply a specially crafted URL to pass arbitrary code to an
eval() statement, which results in code execution.
Note 1: This attack will
execute the code with the same permission like the target web service,
including operation system commands.
Note 2: Eval injection
is prevalent in handler/dispatch procedures that might want to invoke a large
number of functions, or set a large number of variables.
Format string
attack
probably c/C++ specific.
The
attack could be executed when the application doesn’t properly validate the
submitted input. In this case, if a Format String parameter, like %x, is
inserted into the posted data, the string is parsed by the Format Function, and
the conversion specified in the parameters is executed. However, the Format
Function is expecting more arguments as input, and if these arguments are not
supplied, the function could read or write the stack.
Full Path
Disclosure
Full
Path Disclosure (FPD) vulnerabilities enable the attacker to see the path to
the webroot/file. e.g.: /home/omg/htdocs/file/. Certain vulnerabilities, such
as using the load_file() (within a SQL
Injection) query to view the page
source, require the attacker to have the full path to the file they wish to
view.
For
instance, sending invalid argument to a page loading web site might display the
full path of the non-existent page.
LDAP injection
LDAP
Injection is an attack used to exploit web based applications that construct
LDAP statements based on user input. When an application fails to properly
sanitize user input, it’s possible to modify LDAP statements using a local
proxy. This could result in the execution of arbitrary commands such as
granting permissions to unauthorized queries, and content modification inside
the LDAP tree. The same advanced exploitation techniques available in SQL Injection can be similarly applied in LDAP Injection.
Example:
The LDAP query is
narrowed down for performance and the underlying code for this function might
be the following:
String ldapSearchQuery = "(cn=" + $userName +
")";
System.out.println(ldapSearchQuery);
If the variable
$userName is not validated, it could be possible accomplish LDAP injection, as
follows:
§ If a user puts “*” on box search, the system may
return all the usernames on the LDAP base
§ If a user puts “jonys) (| (password = * ) )”, it
will generate the code bellow revealing jonys’ password ( cn = jonys ) ( |
(password = * )
Parameter Delimiter
This
attack is based on the manipulation of parameter delimiters used by web
application input vectors in order to cause unexpected behaviors like access
control and authorization bypass and information disclosure, among others.
Example:
Attacker can simply provide
a value with the delimiter in it and extra commands or information. The web app
would process it as if it were part of regular data.
Regular expression
Denial of Service - ReDoS
The Regular
expression Denial of Service (ReDoS) is a Denial
of Service attack, that exploits
the fact that most Regular Expression implementations may reach extreme
situations that cause them to work very slowly (exponentially related to input
size). An attacker can then cause a program using a Regular Expression to enter
these extreme situations and then hang for a very long time.
The
attacker might use the above knowledge to look for applications that use
Regular Expressions, containing an Evil Regex, and send a
well-crafted input, that will hang the system. Alternatively, if a Regex itself
is affected by a user input, the attacker can inject an Evil Regex,
and make the system vulnerable.
Resource Injection
This
attack consists of changing resource identifiers used by an application in
order to perform a malicious task. When an application permits a user input to
define a resource, like a file name or port number, this data can be
manipulated to execute or access different resources.
In
order to be properly executed, the attacker must have the possibility to
specify a resource identifier through the application form and the application
must permit its execution
The
resource injection attack focuses on accessing other resources than the local
filesystem, which is different attack technique known as a Path
Manipulation attack.
Server-Side
Includes (SSI) Injection
The
Server-Side Includes attack allows the exploitation of a web application by
injecting scripts in HTML pages or executing arbitrary codes remotely. It can
be exploited through manipulation of SSI in use in the application or force its
use through user input fields.
In any
case, the attack will be successful only if the web server permits SSI
execution without proper validation. This can lead to access and manipulation
of file system and process under the permission of the web server process
owner.
Example
( showing the SSI code on the server side) : Windows:
List files of directory:
< !--#exec cmd="dir" -->
Special Element
Injection
Special Element
Injection is a type of injection attack that exploits a weakness related to
reserved words and special characters.
Every programming
language and operating system has special characters considered as reserved
words for it. However, when an application receives such data as user input, it
is possible to observe unexpected behavior in the application when parsing this
information. This can lead to information disclosure, access control and
authorization bypass, code injection, and many other variants.
According to the
characters used, the Special Element Injection attack can be performed using
macro symbols, parameter delimiter and null characters/null bytes, among
others.
Parameter Delimiter is
another variant of Special Element Injection.
SQL Injection
A SQL injection attack consists of insertion or
"injection" of a SQL query via the input data from the client to the
application. A successful SQL injection exploit can read sensitive data from
the database, modify database data (Insert/Update/Delete), execute
administration operations on the database (such as shutdown the DBMS), recover
the content of a given file present on the DBMS file system and in some cases
issue commands to the operating system. SQL injection attacks are a type
of injection
attack, in which SQL commands are
injected into data-plane input in order to effect the execution of predefined
SQL commands.
Threat Modeling
- SQL injection attacks allow
attackers to spoof identity, tamper with existing data, cause repudiation
issues such as voiding transactions or changing balances, allow the
complete disclosure of all data on the system, destroy the data or make it
otherwise unavailable, and become administrators of the database server.
- SQL Injection is very common
with PHP and ASP applications due to the prevalence of older functional
interfaces. Due to the nature of programmatic interfaces available, J2EE
and ASP.NET applications are less likely to have easily exploited SQL
injections.
- The severity of SQL Injection
attacks is limited by the attacker’s skill and imagination, and to a
lesser extent, defense in depth countermeasures, such as low privilege
connections to the database server and so on. In general, consider SQL
Injection a high impact severity.
Web Parameter
Tampering
The Web Parameter
Tampering attack is based on the manipulation of parameters exchanged between
client and server in order to modify application data, such as user credentials
and permissions, price and quantity of products, etc. Usually, this information
is stored in cookies, hidden form fields, or URL Query Strings, and is used to
increase application functionality and control.
This attack can be
performed by a malicious user who wants to exploit the application for their
own benefit, or an attacker who wishes to attack a third-person using a Man-in-the-middle
attack. In both cases, tools likes Webscarab and Paros proxy are
mostly used.
The attack success
depends on integrity and logic validation mechanism errors, and its
exploitation can result in other consequences including XSS, SQL Injection, file inclusion, and path
disclosure attacks.
XPATH Injection
Similar
to SQL Injection, XPath Injection attacks occur when a web site uses
user-supplied information to construct an XPath query for XML data. By sending
intentionally malformed information into the web site, an attacker can find out
how the XML data is structured, or access data that he may not normally have
access to. He may even be able to elevate his privileges on the web site if the
XML data is being used for authentication (such as an XML based user file).
Because
there is no level access control it's possible to get the entire document. We
won't encounter any limitations as we may know from SQL injection attacks.
Path
Traversal Attack
This
category of attacks exploit various path
vulnerabilities to access files
or directories that are not intended to be accessed. This attack works on
applications that take user input and use it in a "path" that is used
to access a filesystem. If the attacker includes special characters that modify
the meaning of the path, the application will misbehave and may allow the
attacker to access unauthorized resources. This type of attack has been
successful on web servers, application servers, and custom code.
Path
Traversal
A Path
Traversal attack aims to access files and directories that are stored outside
the web root folder. By browsing the application, the attacker looks for
absolute links to files stored on the web server. By manipulating variables
that reference files with “dot-dot-slash (../)” sequences and its variations,
it may be possible to access arbitrary files and directories stored on file
system, including application source code, configuration and critical system
files, limited by system operational access control. The attacker uses “../”
sequences to move up to root directory, thus permitting navigation through the
file system.
Probabilistic
Techniques
Brute force attack
the attacker is
trying to bypass security mechanisms while having minimal knowledge about them.
Brute-force attacks are
mainly used for guessing passwords and bypassing access control. Very often the
target of an attack are data in forms (GET/POST) and users' Session-IDs.
Cash Overflow
A Cash Overflow attack
is a Denial of Service attack
specifically aimed at exceeding the hosting costs for a cloud application,
either essentially bankrupting the service owner or exceeding the application
cost limits leading the Cloud Service Provider disabling the application.
Cryptanalysis
Cryptanalysis is a
process of finding weaknesses in cryptographic algorithms and using these
weaknesses to decipher the ciphertext without knowing the secret key (instance
deduction). Sometimes the weakness is not in the cryptographic algorithm
itself, but rather in how it is applied that makes cryptanalysis successful
An attacker may have other goals as well, such
as:
§ Total Break - Finding the secret key.
§ Gobal Deduction - Finding a functionally
equivalent algorithm for encryption and decryption that does not require
knowledge of the secret key.
§ Information Deduction - Gaining some information
about plaintexts or ciphertexts that was not previously known.
§ Distinguishing Algorithm - The attacker has the
ability to distinguish the output of the encryption (ciphertext) from a random
permutation of bits.
Denial of Service
The
Denial of Service (DoS) attack is focused on making unavailable a resource
(site, application, server) for the purpose it was designed. There are many
ways to make a service unavailable for legitimate users by manipulating network
packets, programming, logical, or resources handling vulnerabilities, among
others.
DoS User Specified
Object Allocation
result: Out of memory.
DoS User Input as a Loop
Counter
result:unnecessary
execution
DoS Storing too Much
Data in Session
DoS Locking Customer
Accounts
DoS Failure to Release
Resources
DoS Buffer Overflows
Protocol
Manipulation
HTTP Request Smuggling
To exploit the HTTP
Request Smuggling, some specific conditions must exist, such as the presence of
specific proxy system and version such as SunOne Proxy 3.6 (SP4) or
FW-1/FP4-R55W beta or an XSS vulnerability in the web server.
Basically the attack
consists of submitting an HTTP request that encapsulates a second HTTP request
in the same header, as shown below.
GET /some_page.jsp?param1=value1¶m2=
Content-Type: application/x-www-form-
Content-Length: 0
Foobar: GET /mypage.jsp HTTP/1.0
Cookie: my_id=1234567
Authorization: Basic ugwerwguwygruwy
In this case, the first
HTTP header is parsed by the proxy system and the second by the final system,
permitting the attacker to bypass the proxy’s access control.
Also...
HTTP
Request Smuggling is an attack technique that abuses the discrepancy in parsing
of non RFC compliant HTTP requests between two HTTP devices (typically a
front-end proxy or HTTP-enabled firewall and a back-end web server) to smuggle
a request to the second device "through" the first device. This
technique enables the attacker to send one set of requests to the second device
while the first device sees a different set of requests. In turn, this
facilitates several possible exploitations, such as partial cache poisoning,
bypassing firewall protection and XSS.
HTTP Response
Splitting
HTTP response splitting
occurs when:
- Data enters a web application
through an untrusted source, most frequently an HTTP request.
- The data is included in an HTTP
response header sent to a web user without being validated for malicious
characters.
HTTP response splitting
is a means to an end, not an end in itself. At its root, the attack is
straightforward: an attacker passes malicious data to a vulnerable application,
and the application includes the data in an HTTP response header.
To mount a successful
exploit, the application must allow input that contains CR (carriage return,
also given by %0d or \r) and LF (line feed, also given by %0a or
\n)characters into the header. These characters not only give attackers control
of the remaining headers and body of the response the application intends to
send, but also allow them to create additional responses entirely under their
control.
Traffic flood
Traffic Flood is a type
of DoS attack targeting web servers. The attack explores the way that the TCP
connection is managed. The attack consists of the generation of a lot of
well-crafted TCP requisitions, with the objective to stop the Web Server or
cause a performance decrease.
The attack explores a
characteristic of the HTTP protocol, opening many connections at the same time
to attend a single requisition. This special feature of the http protocol,
which consists of opening a TCP connection for every html object and closing
it, could be used to make two different kinds of exploitations. The Connect
attack is done during the establishment of the connection, and the Closing
attack is done during the connection closing.
Examples:
Connect attack
This type of attack
consists of establishing a big number of fake TCP connections with an
incomplete HTTP request until the web server is overwhelmed with connections
and stops responding.
The aim of the
incomplete HTTP request is to keep the web server, with the TCP connection in
Established state, waiting for the completion of the request, as shown in
figure 1. Depending on the implementation of the web server, the connection
stays in this state until there is a timeout of the TCP connection or of the
web server. In this way it’s possible to establish a great number of new connections
before the first ones begin to timeout. Moreover, the generation rate of new
connections grows faster than the expiring ones.
The attack could also
affect a firewall that implements a proxy like access control as Checkpoint
FW1.
Closing Attack
The Closing Attack is
done during the ending steps of a TCP connection, exploring how some web
servers deal with the finalization of the TCP connection especially with the
FIN_WAIT_1 state. The attack, as explained by Stanislav Shalunov, "comes
in two flavors: mbufs exhaustion and process saturation.
When doing mbufs
exhaustion, one wants the user-level process on the other end to write the data
without blocking and closing the descriptor. The kernel will have to deal with
all the data, and the user-level process will be free, so that more requests
can be sent this way and eventually consume all the mbufs or all physical
memory, if mbufs are allocated dynamically.
When doing process
saturation, one wants user-level process to block while trying to write data.
The architecture of many HTTP servers will allow serving only a certain number
of connections at a time. When this number of connections is reached, the
server will stop responding to legitimate users. If the server doesn't put a
bound on the number of connections, resources will still be tied up and
eventually the machine comes to a crawling halt.
Asymmetric resource
consumption
An
attacker can force a victim to consume more resources than should be allowed
for the attacker's level of access. The program can potentially fail to release
or incorrectly release a system resource.
Spoofing
Man-in-the-middle
attack
The
man-in-the middle attack intercepts a communication between two systems.The
MITM attack is very effective because of the nature of the http protocol and
data transfer which are all ASCII based.
MITM
Attack tools
There are several tools to
realize a MITM attack. These tools are particularly efficient in LAN network
environments, because they implement extra functionalities, like the arp spoof
capabilities that permit the interception of communication between hosts.
- PacketCreator
- Ettercap
- Dsniff
- Cain e Abel
MITM
Proxy only tools
Proxy tools only permit
interactiion with the parts of the HTTP protocol, like the header and the body
of a transaction, but do not have the capability to intercept the TCP
connection between client and server. To intercept the communication, it’s
necessary to use other network attack tools or configure the browser.
- OWASP WebScarab
- Paros Proxy
- Burp Proxy
- ProxyFuzz
- Odysseus Proxy
- Fiddler (by Microsoft)
Sniffing
Attacks
Network
Eavesdropping
Network Eavesdropping or
network sniffing is a network layer attack consisting of capturing packets from
the network transmitted by others' computers and reading the data content in
search of sensitive information like passwords, session tokens, or any kind of
confidential information.
The attack could be done using
tools called network sniffers. These tools collect packets on the network and,
depending on the quality of the tool, analyze the collected data like protocol
decoders or stream reassembling.
Depending on the network
context, for the sniffing to be the effective, some conditions must be met:
•
LAN environment with HUBs
This is the ideal case because
the hub is a network repeater that duplicates every network frame received to
all ports, so the attack is very simple to implement because no other condition
must be met.
•
LAN environment with switches
To be effective for
eavesdropping, a preliminary condition must be met. Because a switch by default
only transmits a frame to the port, a mechanism that will duplicate or will
redirect the network packets to an evil system is necessary. For example, to
duplicate traffic from one port to another port, a special configuration on the
switch is necessary. To redirect the traffic from one port to another, there
must be a preliminary exploitation like the arp spoof attack. In this attack,
the evil system acts like a router between the victim’s communication, making
it possible to sniff the exchanged packets.
•
WAN environment
In this case, to make a network
sniff it's necessary that the evil system becomes a router between the client
server communications. One way to implement this exploit is with a DNS spoof
attack to the client system.
Network Eavesdropping is a
passive attack which is very difficult to discover. It could be identified by
the effect of the preliminary condition or, in some cases, by inducing the evil
system to respond a fake request directed to the evil system IP but with the
MAC address of a different system.
Resource
Manipulation
Double
Encoding
This attack technique consists
of encoding user request parameters twice in hexadecimal format in order to
bypass security controls or cause unexpected behavior from the application.
It's possible because the webserver accepts and processes client requests in
many encoded forms.
By using double encoding it’s
possible to bypass security filters that only decode user input once. The
second decoding process is executed by the backend platform or modules that
properly handle encoded data, but don't have the corresponding security checks
in place.
Attackers can inject double
encoding in pathnames or query strings to bypass the authentication schema and
security filters in use by the web application.
There are some common
characters sets that are used in Web applications attacks. For example, Path Traversal attacks use “../”
(dot-dot-slash) , while XSS attacks
use “<” and “>” characters. These characters give a hexadecimal
representation that differs from normal data.
For example, “../”
(dot-dot-slash) characters represent %2E%2E%2f in hexadecimal
representation. When the % symbol is encoded again, its representation in
hexadecimal code is %25. The result from the double encoding process
”../”(dot-dot-slash) would be %252E%252E%252F:
Forced
browsing
Forced browsing is an attack
where the aim is to enumerate and access resources that are not referenced by
the application, but are still accessible.
An attacker can use Brute Force techniques
to search for unlinked contents in the domain directory, such as temporary
directories and files, and old backup and configuration files. These resources
may store sensitive information about web applications and operational systems,
such as source code, credentials, internal network addressing, and so on, thus
being considered a valuable resource for intruders.
This attack is performed
manually when the application index directories and pages are based on number
generation or predictable values, or using automated tools for common files and
directory names.
This attack is also known as
Predictable Resource Location, File Enumeration, Directory Enumeration, and
Resource Enumeration.
Repudiation
Attack
A
repudiation attack happens when an application or system does not adopt
controls to properly track and log users' actions, thus permitting malicious
manipulation or forging the identification of new actions. This attack can be
used to change the authoring information of actions executed by a malicious
user in order to log wrong data to log files. Its usage can be extended to
general data manipulation in the name of others, in a similar manner as spoofing
mail messages. If this attack takes place, the data stored on log files can be
considered invalid or misleading.
Consider
a web application that makes access control and authorization based on
SESSIONID, but registers user actions based on a user parameter defined on the
Cookie header
Setting
Manipulation
This attack aims to modify
application settings in order to cause misleading data or advantages on the
attacker's behalf. He may manipulate values in the system and manage specific
user resources of the application or affect its functionalities.
An attacker can exploit several
functionalities of the application using this attack technique, but it would
not possible to describe all the ways of exploration, due to innumerable
options that attacker may use to control the system values.
Using this attack technique, it
is possible to manipulate settings by changing the application functions, such
as calls to the database, blocking access to external libraries, and/or
modification log files.
Spyware
Spyware is a program that
captures statistical information from a user's computer and sends it over
internet without user acceptance. This information is usually obtained from
cookies and the web browser’s history. Spyware can also install other software,
display advertisements, or redirect the web browser activity. Spyware differs
from a virus, worm, and adware in various ways. Spyware does not self-replicate
and distribute itself like viruses and worms, and does not necessarily display
advertisements like adware. The common characteristics between spyware and
viruses, worms, and adware are:
1.
exploitation
of the infected computer for commercial purposes
2.
the
display, in some cases, of advertisements
Unicode
Encoding
The
attack aims to explore flaws in the decoding mechanism implemented on
applications when decoding Unicode data format. An attacker can use this
technique to encode certain characters in the URL to bypass application
filters, thus accessing restricted resources on the Web server or to force browsing
to protected pages.
Path Traversal attack
URL with Unicode Encoding(original
url: http://vulneapplication/../../appusers.txt) :
http://vulneapplication/%C0AE%C0AE%C0AF%C0AE%C0AE%C0AFappusers.txt
