CSS 211 - Introduction to Network Security

Chapter 3 - Application and Networking-Based Attacks

Objectives:

This lesson introduces the student to two major types of attacks. Objectives important to this lesson:

  1. Server-side web application attacks
  2. Client-side attacks
  3. Overflow attacks
  4. Networking-based attacks
Concepts:

Chapter 3 begins with the idea that the Internet is probably the wonder of the 20th century, but in addition to its benefits, it has provided the risk of being exploited to thousands of networks that might otherwise have avoided such exposure. The chapter discusses two major types of attacks: application attacks and network attacks.

Application Attacks

Before discussing particular attack types, the text diagrams a simple system that includes clients and servers on a network, each of which runs an operating system and applications, and each of which contains data. The author's point is that each of these system elements provides an attacker with a vector for exploits.

The first application attack category presented is attacks on server-side web applications. The author considers them to be particularly vulnerable to attack because "many traditional network security devices ignore the content of HTTP traffic" (page 95). In general, server-side applications run like the diagram on page 94: a client (a browser) makes a request or sends data to a web server, which forwards the request to an application server (which could be on the same computer or not) which probably accesses a database or other network assets.

The text explains that since HTTP content (data) is commonly not examined, it is a common vector for an attack. Four variations are discussed:

  • Cross Site Scripting (XSS), is a method of using Javascript or ActiveX to send information to an attacker. If a web site asks users to fill out a form, to enter text in a field, or to input information that will be displayed to other users when requested, the attacker can append a script to the text that is entered, which is intended to run on the dynamic web page that is displayed to that user or the next. A Facebook page, for example, would be an ideal place to put such a script so that it runs on the computer of each user who views the attacker's page.

    A better name for this technique would be Javascript injection, because the attacker is causing his script to be injected into the web page the victim sees. The text offers an example of another kind of vulnerable site: one that redisplays user input that generates an error, such as redisplaying a user's login ID and password that did not work.

    To defend against cross site scripting:
    • web masters should determine that their web pages validate input, do not echo bad input to the user, and do not allow input of code where it does not belong
    • web server administrators should make sure web services and database programs are up to date on patches
    • users should never click an embedded link in an email message without being sure where that link leads

    The text mentions another concept in this discussion that relates to all attack types. When an attack is made using a previously unknown vulnerability, it is called a zero day attack. The author explains that the name may mean that we have had zero days to prepare for the attack. Any attack on a vulnerability that security professionals did not know about is a zero day attack.
  • SQL Injection - SQL is Structured Query Language, which is used to manipulate, manage, and report on database files. The CIS 331 class at Baker is about using this language as a database administrator. The link provided here goes to my class notes for that course. Our text goes over a few examples of the syntax for some SQL commands. The general format for retrieving data is like this:

    SELECT column list FROM data table WHERE conditional test ;

    SELECT is followed by a list of columns, which may be any columns (fields) in the table being accessed, separated by commas. If you want all columns, you can use a wildcard character. In most versions of SQL, the wild card for "all" is the asterisk. FROM is followed by the name of the table to be read. WHERE is optional, and can be used to specify which rows (cases, records) to retrieve. If the WHERE clause is not used, all rows will be be retrieved.

    A comprehensive discussion of SQL is beyond the scope of this class.

    Some of the dangers of allowing an attacker to run SQL commands on the system are access to data, loss of data, and loss of data integrity. SQL can also make calls to the operating system of the host computer.

    Four defenses against SQL injection are listed:

    • validate input, rejecting SQL commands and scripts
    • provide drop down lists of choices for users (prepared statements) instead of allowing free form entry
    • do not assign more privileges than the users need
    • do not ask users for SQL commands (yes, some systems have allowed users to do this)
    • don't give your data tables and fields obvious names: a SELECT command must call a table and its columns by their correct names, or the command will fail
  • XML - Extensible Markup Language is like HTML in some ways: it uses tags (words in angle brackets) to describe data. It is often used in conjunction with databases, and an XML injection can place a new entry in a database, such as an entry for a user, to establish an ID on the system for a hacker. See this article about XML injection testing for some examples.
  • Directory Traversal/Command Injection - The idea here is to find a way to switch from the current directory on a web server to a directory where the attacker can issue (inject) a command to copy, delete, or run a file that can cause the desired mayhem.

    The text tells us that a web server is typically restricted to the root folder. This is true, but it does not mean what you might think if you have never set up a web server. A web site is a set of pages that can be stored in a folder anywhere in the file system on a computer acting as a web server. Setting up the site includes telling the web server program what folder the site starts in, and what its URL will be, which effectively sets a false root for the site. To a customer browsing a site, the folder appears to be at the root of a hard drive, but it may in fact be several layers removed from that spot.
The second category of attacks discussed is attacks on client-side applications. These attack applications running on a client device.
  • The text describes a drive-by download as an attack that injects content on a web page, which is then used to infect the machine being used by someone who views that page.
  • HTTP header manipulation involves changing the typical header in a web page so that one or more attacks can take place. The text describes three techniques:
    • Referer - This field typically holds the address of the page that held the link that led to the current page. The manipulator changes this to throw off the browser's suspicion.
    • Accept-Language - Typically holds a list of languages used for content, but can hold an SQL injection command that a manipulator hopes will be handed to the local database.
    • Response splitting - The manipulator injects a CRLF (carriage return, line feed) command into a header, which allows the creation of new code in the header
  • cookies - The text defines a cookie as a file that a web site places on a user's computer, typically for the purpose of identifying the user on a return visit. A cookie could be called a first-party cookie if it is being used by the web site that wrote it on your machine. It is a third-party cookie if the same cookie is being accessed by any other web site (or entity).

    The text points out that a separate entity might examine your cookies to tell where you have been on the Internet, what you have looked at or told other web sites, and make guesses about what advertising to show you. The text does not describe any kind of attack associated with cookies. It does mention that you could configure a browser to disable cookies, or to delete them when the browser is closed. The latter is a better option if your company uses processes that require cookies.

    • A session cookie is described as a cookie held only in RAM, useful to the web site currently being visited. It can be deleted by closing the browser or by the expiration of a timeout.

    • A persistent cookie is also called a tracking cookie, which is saved on a hard drive until the user erases it, or causes the browser to do so.

    • In its discussion of Locally Shared Objects (LSOs), the text tells us that they are also called Flash cookies, which are larger, more complex files that are saved by the Adobe Flash player. It also tells us that LSOs can be up to 100 KB in size, and that typical cookies are only 4 KB or less.
  • Attachments - The text is talking about files attached to email. The classic email that invites or exhorts a recipient to open an attachment (to view a picture, watch a video, or read a file) is often attached to an executable that includes a virus. The text is worried that most people would open an attachment even it they don't know the sender. That is true, but it ignores the fact that some viruses (and some attackers) will send out email that looks like it is from someone you know. The return address is no guarantee of authenticity.
  • Session hijacking - An online session between two parties engaged in any transfer of data should include a session token, a "unique" series of characters that is meant to identify the session to each party in the exchange. Computer systems can conduct multiple sessions at the same time, so each participant needs to identify the session a transmission is meant to be part of. A session token is meant to be a differentiator, not a security measure, so an eavesdropper may be able to capture a token, and use it to impersonate one end of the session or the other. The text mentions that we might wonder whether to consider this kind of attack as happening on the client side or the server side. We should be aware that CompTIA considers it a client-side attack.
  • Malicious add-ons - The text differentiates between plug-ins, which are functions added to your browser for a specific web page, and add-ons, which are mini-programs that can be used by multiple web pages in multiple sites. Add-ons are also called extensions, and are added separately to each browser you may use. A common add-on type is an ActiveX control, which leads to the problem. How do you know whether the program (add-on, extension) you are being asked to load is safe? Do you trust the web site that you are viewing? Are you being protected from evil downloads by good security software?

The next category of attacks may be targeted at servers or at clients. Impartial overflow attacks send data that will overflow a specific memory space. Why? To leave a memory area that has restrictions. Let's consider the two of the types the text mentions.

  • When programs run on a well managed operating system, they run in memory address ranges (buffers) that are allocated for their use. Well behaved programs do not attempt to use memory outside their allocated buffers. When they do reach for addresses outside allocated ranges, this is a buffer overflow. This can be enough to stop a computer from running, depending on what is in the memory that is overwritten.

    As the text explains, an attacker may overflow a buffer to change the value of a pointer stored in it. (A pointer is a variable that remembers a memory address.) How does that hurt or help? Well, the pointer that the attacker is changing holds the address of the process that is legitimately using that memory. Change the pointer to the address of the attacker's malware, and you have given the malware control of the memory that was overflowed, and access to the data stored in it. More importantly, you have given the malware the ability to overwrite the data with more program code. You should see how this might allow malware to take over what a legitimate program was doing, or to gain space to load more of itself.
  • Integer overflow attacks use a trick that has to do with the memory space allocated to integers (whole numbers), and to other variable types, for that matter. Memory that is allocated for an integer variable has a limit on the largest number it can hold. For instance, if we are talking about a short, unsigned integer in the C or C++ languages, then it can only hold values from 0 to 65535, inclusive. For signed types, the lowest possible value is a negative number instead of 0.

    An integer overflow would occur if a value stored in that unsigned integer variable was increased so that it would logically be greater than 65535, Since it is not allowed to be larger than that number, it would wrap around to the lowest possible value and begin filling the bucket again with the amount that was greater than 65535.

    The text describes three ways to use this feature: changing the value of a variable holding length of a buffer, so that the buffer is overwritten; changing the value of a variable holding a customer's bill, so that a negative value is reached, causing a refund to the customer; changing the amount of money in a bank transfer from positive to negative, so money is gained instead of lost.

On page 109, the author moves on to networking-based attacks.

  • Denial of Service (DoS) -

    In a Denial of Service (DoS) attack, multiple computers are typically used to tie up all available connections to a system, preventing real users from making a connection or receiving service. The text states that when a botnet is used, the attack can be called a Distributed Denial of Service (DDoS) attack.

    One method takes advantage of typical connection behavior. The attacking computer sends a request to connect, a SYN signal. The victim system replies with an ACK (acknowledgment) and a SYN request to complete the connection. The victim waits for a return ACK from the attacker which is never sent. By itself, this is not a problem, as the connection is eventually dropped. However, imagine it happening thousands of times a second. A real requester stands little chance of getting into the system. This is called a SYN flood attack.

    Another method described is to send ping signals to many devices, but to wrap them so they look like they are from the device that is about to become your victim server. Ping is a flexible command. Among other things, you can tell it how many times to repeat. Send to lots of devices with lots of repeats, and you may flood the victim with responses from other devices. This is called a smurf attack. (Smurf.c was the name of the source code file used to stage a famous attack of this sort.)

  • Interception attacks

    Man-in-the-Middle attack: Students should be able to find information about this kind of attack online with regard to voting machines. A passive attack intercepts messages, saves and transmits them to an attacker, and passes the messages on in the system right away. An active attack would intercept a message, change it, and then send the changed version along. You can see how this kind of attack on election data would have effective results.

    A variation of the Man-in-the-Middle is a replay attack. Consider the example in the book, in which a man-in-the-middle device intercepts login traffic so that it can replay that traffic later to pretend to be the same user logging in at that later time.

  • Poisoning Attacks

    ARP Poisoning - Address Resolution Protocol (ARP) is used on IP networks to make a broadcast request about a known IP address, asking for the associated MAC address. It is done because MAC addresses are used for internal network communications. In an ARP Poisoning attack, the attacker sends a false MAC address to the requester, letting every device on the network believe that the device the attacker has chosen has been assigned the IP address that was broadcast.

    DNS Poisoning -DNS Poisoning consists of lying to a workstation or a server. The domain name systems works by taking a domain name from a user (like www.cnn.com) and translating it into an IP address (like 157.166.226.26). The IP address is what the browser actually uses to read the page at the web site. (How did I get that address? I pinged the domain name.)

    An attacker would find a way to feed the browser a false IP address, taking it to a web page of the attacker's choice. One way to do that is to put a false entry in the host table that is probably saved on the user's computer. Probably? Well, yes. In my work environment, we store host tables on our network and configure the computers to read those tables on boot. In our case, that would be the target, not the file on the user's PC which is replaced on boot with the network version. The same principle is involved. The DNS resolver (the device making the request) is satisfied with an answer at the first hierarchical level where one is found. A request only goes up the hierarchy until it is answered, so if the answer is on the user's PC it would look no farther. An example of a hosts (yes, that is really its whole name) file is shown on page 115. Common locations for such files are in the tip that appears on page 116.

  • Attacks on Access Rights

    Privilege escalation - The text makes a distinction between a user (or a process) that obtains higher privileges than their own (vertical privilege escalation) and one who obtains privileges that are different from their own (horizontal privilege escalation). It goes without saying that an attacker will not do either for a good reason.

    Transitive Access - Transitive access might be thought of as a kind of inheritance. If a user has rights to one system, and that system has rights to another system, it follows that the user has rights to the second system.


Week 2, Assignment 1 (Individual):

Answer the 20 review questions for chapter 3 that begin on page 122. Turn in your answers by the beginning of the next class.

Week 2, Assignment 2 (Group):

Carry out Project 3-3 and Project 3-4 that start on page 127 in the textbook. Submit a summary of what you did, what results you saw, and what you expect the effect of a successful attacker using this approach might be.Turn in the record of your observations by the beginning of the next class.