CSS 211 - Introduction to Network Security
Chapter 3 - Application and Networking-Based Attacks
This lesson introduces the student to two major types of
attacks. Objectives important to this
- Server-side web application attacks
- Client-side attacks
- Overflow attacks
- Networking-based attacks
begins with the idea that
the Internet is probably the wonder of the 20th century, but in
addition to its benefits, it has provided the risk of being exploited
to thousands of networks that might otherwise have avoided such
exposure. The chapter discusses two major types of attacks: application
attacks and network attacks.
Before discussing particular attack types, the text diagrams a
simple system that includes clients
and servers on a network, each of which runs an operating system and applications, and each of which
contains data. The author's
point is that each of these system elements provides an attacker with a
vector for exploits.
The first application attack category presented is attacks on server-side web applications. The
author considers them to be particularly vulnerable to attack because
"many traditional network security devices ignore the content of HTTP
traffic" (page 95). In general, server-side applications run like the
diagram on page 94: a client
(a browser) makes a request or
sends data to a web server, which forwards the
request to an application server
(which could be on the same computer or not) which probably accesses a database or other network assets.
The text explains that since HTTP content (data) is commonly
not examined, it is a common vector for an attack. Four variations are
- Cross Site Scripting (XSS),
an attacker. If a web site asks users to fill out a form,
to enter text in a field, or to input information
that will be displayed to other users when requested,
the attacker can append a script to the text that is
entered, which is intended to run on the dynamic web page that is
displayed to that user or the next. A Facebook page, for example, would
ideal place to put such a script so that it runs on the computer of
each user who views the attacker's page.
A better name for this technique would
causing his script to be injected into the web page the victim sees.
The text offers an example of another kind of
vulnerable site: one that redisplays user input that generates an
error, such as redisplaying a user's login ID and password that did not
To defend against cross site scripting:
- web masters should determine that their web pages
validate input, do not echo bad input to the user, and do not allow input of
code where it does not belong
- web server administrators should make sure web services
and database programs are up to date on patches
- users should never click an embedded link in an email
message without being sure where that link leads
The text mentions another concept in this discussion that relates
to all attack types. When an attack is made using a previously
vulnerability, it is called a zero day attack. The author
the name may mean that we have had zero days to prepare for the attack.
Any attack on a vulnerability that security professionals did not know
about is a zero day attack.
- SQL Injection - SQL is Structured Query
Language, which is used to manipulate, manage, and report on database
files. The CIS 331 class at Baker is
about using this language as a database administrator. The link
provided here goes to my class notes for that course. Our text goes
over a few examples of the syntax for some SQL commands. The general
format for retrieving data is
SELECT column list FROM data
table WHERE conditional test ;
SELECT is followed
by a list of columns, which may be any
columns (fields) in the table being accessed, separated by commas. If
you want all columns, you can use a wildcard character. In most versions of SQL,
the wild card for "all" is the asterisk. FROM is followed by the name of the table to be read. WHERE is optional, and
can be used to specify which rows (cases, records) to retrieve. If the WHERE clause is
not used, all rows will be be retrieved.
A comprehensive discussion of SQL is beyond the scope of
Some of the dangers of allowing an attacker to run SQL
commands on the system are access to data, loss
of data, and loss of data integrity. SQL can also
make calls to the operating system
of the host computer.
Four defenses against SQL
- validate input, rejecting SQL commands and scripts
- provide drop down lists of choices for users (prepared
statements) instead of allowing free form entry
- do not assign more privileges than the users need
- do not ask users for SQL commands (yes, some systems have
allowed users to do this)
- don't give your data tables and fields obvious names: a
SELECT command must call a table and its columns by their correct
names, or the command will fail
The second category of attacks discussed is attacks on client-side applications.
These attack applications running on a client device.
- XML - Extensible
Markup Language is like HTML in some ways: it uses tags (words in angle
brackets) to describe data. It is often used in conjunction with
databases, and an XML injection can place a new entry in a database,
such as an entry for a user, to establish an ID on the system for a
hacker. See this article about XML
injection testing for some examples.
- The idea here is to find a way to switch from the current directory
on a web server to a directory where the attacker can issue (inject) a
command to copy, delete, or run a file that can cause the desired mayhem.
The text tells us that a web server is typically restricted to the root folder.
This is true, but it does not mean what you might think if you have
never set up a web server. A web site is a set of pages that can be
stored in a folder anywhere in
the file system on a computer acting as a web server. Setting up the
site includes telling the web server program
what folder the site starts
in, and what its URL
will be, which effectively sets a false root for the site. To a
customer browsing a site, the folder appears to be at the root of a
hard drive, but it may in fact be several layers removed from that spot.
- The text describes a drive-by
as an attack that injects content on a web page, which is then used to
infect the machine being used by someone who views that page.
- HTTP header manipulation
involves changing the typical header in
a web page so that one or more attacks can take place. The text
describes three techniques:
- Referer - This
field typically holds the address of the
page that held the link that led to the current page. The manipulator
changes this to throw off the browser's suspicion.
- Accept-Language -
Typically holds a list of languages
used for content, but can hold an SQL injection command that a
manipulator hopes will be handed to the local database.
- Response splitting
- The manipulator injects a CRLF
(carriage return, line feed) command into a header, which allows the
creation of new code in the header
- cookies - The text
defines a cookie as a file
that a web site places on a user's computer, typically for the purpose
of identifying the user on a return visit. A cookie could be called a first-party
cookie if it is being used by the web site that wrote it on
your machine. It is a third-party cookie if the same
cookie is being accessed by any other web site (or entity).
The text points out that a separate entity might examine
cookies to tell where you have been on the Internet, what you have
looked at or told other web sites, and make guesses about what advertising
to show you. The text does not describe any kind of
attack associated with cookies. It does mention that you could
configure a browser to disable cookies, or to delete
them when the browser is closed. The latter is a better option if your
company uses processes that require cookies.
A session cookie
is described as a cookie held only in RAM, useful to the web site
currently being visited. It can be deleted by closing the browser or by
the expiration of a timeout.
A persistent cookie
is also called a tracking cookie,
which is saved on a hard drive until the user erases it, or causes the
browser to do so.
- In its discussion of Locally
Shared Objects (LSOs),
the text tells us that they are also called Flash cookies,
which are larger, more complex
files that are saved by the Adobe Flash
player. It also tells us that LSOs
can be up to 100 KB in size,
and that typical cookies are
only 4 KB or less.
- Attachments - The
text is talking about files
attached to email. The classic email that invites or exhorts a
recipient to open an attachment (to view a picture, watch a video, or
read a file) is often attached to an executable that includes a virus.
The text is worried that most people would open an attachment even it
they don't know the sender. That is true, but it ignores the fact that
some viruses (and some attackers) will send out email that looks like
it is from someone you know. The return address is no guarantee of
- Session hijacking -
An online session between two parties engaged in any transfer of data
should include a session token,
a "unique" series of characters that is meant to identify the session
to each party in the exchange. Computer systems can conduct multiple
sessions at the same time, so each participant needs to identify the
session a transmission is meant to be part of. A session token is meant
to be a differentiator, not a security measure, so an eavesdropper may
be able to capture a token, and use it to impersonate
one end of the session or the other. The text mentions that we might
wonder whether to consider this kind of attack as happening on the client side or the server side. We should be aware that
CompTIA considers it
a client-side attack.
- Malicious add-ons -
The text differentiates between plug-ins, which are functions added to
your browser for a specific web page, and add-ons, which are
mini-programs that can be used by multiple web pages in multiple sites.
Add-ons are also called extensions, and are added separately to each
browser you may use. A common add-on type is an ActiveX control, which
leads to the problem. How do you know whether the program (add-on,
extension) you are being asked to load is safe? Do you trust the web
site that you are viewing? Are you being protected from evil downloads
by good security software?
The next category of attacks may be targeted at servers or at
clients. Impartial overflow attacks
send data that will overflow a specific memory space. Why? To leave a
memory area that has restrictions. Let's consider the two of the types
the text mentions.
- When programs run on a well managed operating system, they
in memory address ranges (buffers) that are allocated
for their use. Well behaved programs do not attempt to use memory outside
their allocated buffers. When they do reach for addresses outside
allocated ranges, this is a buffer overflow. This can
be enough to stop a computer from running, depending on what is in the
memory that is overwritten.
As the text explains, an attacker may overflow a buffer to
change the value of a pointer stored in it. (A
pointer is a variable that remembers a memory address.)
How does that hurt or help? Well, the pointer that the attacker is
changing holds the address of the process that is legitimately using
that memory. Change the pointer to the address of the attacker's malware,
and you have given the malware control of the memory that was
overflowed, and access to the data stored in it. More
importantly, you have given the malware the ability to overwrite the
data with more program code. You should see how this might allow
malware to take over what a legitimate program was doing, or to gain
space to load more of itself.
- Integer overflow attacks
use a trick that has to do with the memory space allocated to integers
(whole numbers), and to other variable types, for that matter. Memory
that is allocated for an integer variable has a limit on the largest number it can
hold. For instance, if we are talking about a short, unsigned integer
in the C or C++ languages, then it can only hold values from 0 to
65535, inclusive. For signed types, the lowest possible value is a
negative number instead of 0.
An integer overflow would occur if a value stored in that unsigned
integer variable was increased so that it would logically be greater
than 65535, Since it is not allowed to be larger than that number, it
would wrap around to the lowest possible value and begin filling the
bucket again with the amount that was greater than 65535.
The text describes three ways to use this feature: changing the value
of a variable holding length of a buffer, so that the buffer is
overwritten; changing the value of a variable holding a customer's
bill, so that a negative value is reached, causing a refund to the
customer; changing the amount of money in a bank transfer from positive
to negative, so money is gained instead of lost.
On page 109, the author moves on to networking-based attacks.
- Denial of Service (DoS) -
In a Denial of Service (DoS)
computers are typically used to tie up all available connections to a
system, preventing real users from making a connection or receiving
service. The text states that when a botnet is used,
the attack can be called a Distributed Denial of Service
One method takes advantage of typical
connection behavior. The attacking computer sends a request to connect,
a SYN signal. The victim
system replies with an ACK
and a SYN request to complete
the connection. The victim waits for a return
ACK from the attacker which is never
sent. By itself, this is
not a problem, as the connection is eventually dropped. However,
imagine it happening thousands
of times a second. A real requester
stands little chance of getting into the system. This is called a SYN flood attack.
Another method described is to send ping signals to many
but to wrap them so they look like they are from the device that is
about to become your victim server.
Ping is a flexible command. Among other things, you can tell it how
many times to repeat. Send to lots of devices with lots of repeats, and
you may flood the victim with responses from other devices. This is
called a smurf attack.
(Smurf.c was the name of the source code file used to stage a famous
attack of this sort.)
- Interception attacks
Man-in-the-Middle attack: Students should be
able to find information about this kind of attack online with regard
to voting machines. A passive attack intercepts
messages, saves and transmits them to an attacker, and passes the
messages on in the system right away. An active
attack would intercept a message, change it, and then send the changed
version along. You can see how this kind of attack on election data
would have effective results.
A variation of the Man-in-the-Middle is a replay
attack. Consider the example in the book, in which a man-in-the-middle
device intercepts login traffic so that it can replay that traffic later
to pretend to be the same user logging in at that later time.
- Poisoning Attacks
ARP Poisoning - Address Resolution Protocol (ARP) is used on IP networks to make
a broadcast request about a known IP
address, asking for the associated
It is done because MAC addresses are used for internal network
communications. In an ARP Poisoning attack, the attacker sends a false
MAC address to the requester, letting every device on the network
believe that the device the attacker has chosen has been assigned the
IP address that was broadcast.
DNS Poisoning -DNS
Poisoning consists of lying to a workstation or a server. The
domain name systems works by taking a domain name from a user (like www.cnn.com) and translating it into an
IP address (like 18.104.22.168).
The IP address is what the browser actually uses to read the page at
the web site. (How did I get that address? I pinged the domain name.)
An attacker would find a way to feed the browser a false
taking it to a web page of the attacker's choice. One way to do that is
to put a false entry in the host table that is probably saved
on the user's computer. Probably? Well, yes. In my work environment, we
store host tables on our network
and configure the computers to read those tables on
boot. In our case, that
would be the target, not the file on the user's PC which is replaced on
boot with the network version. The same principle is involved. The DNS
resolver (the device making the request) is satisfied with an answer at
the first hierarchical level where one is found. A request only goes up
the hierarchy until it is answered, so if the answer is on the user's
PC it would look no farther. An example of a hosts
(yes, that is really its whole name) file is shown on page 115. Common
locations for such files are in the tip that appears on page 116.
- Attacks on Access Rights
- The text makes a distinction between a user (or a process) that
obtains higher privileges than
their own (vertical privilege
escalation) and one who obtains privileges that are different from their own (horizontal privilege escalation). It
goes without saying that an attacker will not do either for a good
Transitive Access -
Transitive access might be thought of as a kind of inheritance.
If a user has rights to one system, and that system has rights to
another system, it follows that the user has rights to the second