Chapter 2 - 04 - Understand Application-level and OS-level Attacks - 05_ocred.pdf
EC-Council
Exam 212-82 Certified Cybersecurity Technician
Information Security Attacks

Server-Side Request Forgery (SSRF) Attack

- Attackers exploit SSRF vulnerabilities in a public web server to send crafted requests to internal or back-end servers.
- Once the attack succeeds, the attacker can perform activities such as port scanning, network scanning, IP address discovery, reading web server files, and bypassing host-based authentication.

Attackers exploit server-side request forgery (SSRF) vulnerabilities, which arise from the unsafe use of URL-fetching functions in an application, in public web servers to send crafted requests to internal or back-end servers. Internal servers are usually placed behind firewalls that block unwanted inbound traffic. Attackers therefore leverage SSRF vulnerabilities in Internet-facing web servers to reach the back-end servers that the firewall protects. The back-end server trusts the request because it arrives from the web server on the same network, and responds with the data it holds.

Generally, server-side requests are made to obtain information from an external resource and feed it into the application. For instance, a developer might use a URL such as https://xyz.com/feed.php?url=externalsite.com/feed/ to obtain a remote feed. If attackers can change the url parameter to point at localhost (or any other internal address), the server fetches local resources and returns them on the attacker's behalf. This is how SSRF vulnerabilities arise.

Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
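The feed.php?url= pattern above is the classic SSRF sink. The following Python validator is an added example (not code from the course page or from EC-Council) of the check such a handler should apply before fetching anything: it allows only http and https, rejects userinfo in the URL, resolves the host, and refuses any target that lands on a loopback, private, link-local or otherwise non-global address, including IPv4-mapped IPv6 literals. The FAKE_DNS table and every host name and address in it are constructed assumptions so that the example runs offline.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed name-to-address table that stands in for DNS so the example runs
# offline. The names and addresses are assumptions for this demo, not real hosts.
FAKE_DNS = {
    "externalsite.com": "93.184.216.34",   # a public address: the intended feed source
    "localhost": "127.0.0.1",
    "intranet-db": "10.0.0.5",              # internal database server behind the firewall
    "metadata": "169.254.169.254",          # cloud instance-metadata style address
}

ALLOWED_SCHEMES = {"http", "https"}


def is_internal(ip_text):
    """True for any address a server-side fetch must never be pointed at:
    loopback, RFC 1918, link-local, unspecified, reserved or multicast."""
    addr = ipaddress.ip_address(ip_text)
    # Unwrap IPv4-mapped IPv6 (e.g. ::ffff:10.0.0.5) so it is judged as IPv4.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return (not addr.is_global) or addr.is_multicast


def resolve(host, resolver=FAKE_DNS):
    """Return the address string for a hostname or IP literal, or None if unknown."""
    try:
        return str(ipaddress.ip_address(host))   # already an IP literal
    except ValueError:
        return resolver.get(host.lower())


def check_feed_url(url, resolver=FAKE_DNS):
    """Validate an attacker-controllable 'url' parameter before the server fetches it.

    Returns (allowed, reason_or_ip). A scheme-less value such as the bare
    'externalsite.com/feed/' is rejected: callers must supply http:// or https://.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if not parts.hostname:
        return False, "missing host"
    if parts.username is not None or parts.password is not None:
        # http://trusted.example@127.0.0.1/ style confusion: reject userinfo outright
        return False, "userinfo not allowed"
    ip = resolve(parts.hostname, resolver)
    if ip is None:
        return False, f"cannot resolve {parts.hostname!r}"
    if is_internal(ip):
        return False, f"{parts.hostname!r} resolves to internal address {ip}"
    return True, ip


def fetch_feed(url, resolver=FAKE_DNS):
    """What feed.php?url=... should do: validate, then connect to the *validated* IP
    (stand-in: return it) instead of re-resolving the hostname at connect time."""
    allowed, info = check_feed_url(url, resolver)
    if not allowed:
        raise ValueError(f"SSRF blocked: {info}")
    return info   # in real code: open the socket to this IP and set the Host header


if __name__ == "__main__":
    for candidate in ("https://externalsite.com/feed/", "http://localhost/admin",
                      "http://169.254.169.254/latest/meta-data/", "http://[::ffff:10.0.0.5]/",
                      "file:///etc/passwd", "http://user@externalsite.com/"):
        print(candidate, "->", check_feed_url(candidate))
```

Two caveats a practitioner should keep in mind. First, the check is only as good as the address actually connected to: if the HTTP client re-resolves the hostname or follows redirects, DNS rebinding or a 302 to http://127.0.0.1/ walks straight past it, so connect to the validated IP and re-validate every redirect hop. Second, decimal and hexadecimal IP encodings (such as 2130706433 for 127.0.0.1) are rejected here only because the stand-in resolver does not know them; a real resolver may normalise them, which is why the check runs on the resolved address rather than on the URL text.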
Once the attack is successfully performed, attackers can perform various activities such as port scanning, network scanning, IP address discovery, reading web server files, bypassing host-based authentication, interacting with critical protocols, and remote code execution.

Module 02 Page 241

Figure 2.38: Demonstration of SSRF attack
[Figure: the attacker sends a crafted request to the public web server; the firewall blocks direct communication with the internal server; the web server sends the request on behalf of the user to the internal (database) server, which responds with its data.]

Application-level DoS Attack

- Attackers exhaust available server resources by sending hundreds of resource-intensive requests, such as retrieving large image files or requesting dynamic pages that require expensive search operations on the back-end database servers.
- Targets: CPU, memory, sockets, disk bandwidth, database bandwidth, and worker processes.

Why are applications vulnerable to DoS?
Application-level DoS attacks use the same request syntax and network-level traffic characteristics as legitimate clients, which makes them hard to distinguish with existing network-level DoS protection measures.
- Reasonable use expectations
- Application environment bottlenecks
- Implementation flaws
- Poor data validation
Application-level DoS Attack

Attackers exhaust available server resources by sending hundreds of resource-intensive requests, such as retrieving large image files or requesting dynamic pages that require expensive search operations on the back-end database servers. Application-level DoS attacks use the same request syntax and network-level traffic characteristics as legitimate clients, which makes them hard to distinguish with existing network-level DoS protection measures. This type of attack targets CPU, memory, sockets, disk bandwidth, database bandwidth, worker processes, etc. Web applications can be vulnerable to DoS attacks due to various factors, such as application environment bottlenecks, implementation flaws, and poor data validation. The following are some examples of application-level DoS.

User Registration DoS
The attacker creates a program that submits registration forms repeatedly, adding a large number of spurious users to the application.

User Enumeration
When a user enters an incorrect username-password pair, if the application responds with a message specifying which of the two is incorrect, an attacker can automate attempts with common usernames from a dictionary file to identify valid users of the application.

Login Attacks
The attacker may overload the login process by continually sending login requests that force the presentation tier to access the authentication mechanism, rendering it unavailable or unreasonably slow to respond.
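The registration-flood and login-attack patterns described here, together with the account-lockout attack covered next, leave a recognisable trace in application logs even though each individual request looks legitimate. The following Python script is an added example (not from the course page): it runs simple detection logic over a constructed access-log excerpt, flagging clients that POST to /login or /register far more often than a person would inside a sliding window, and accounts whose failed-login count has reached the lockout threshold. The log format, IP addresses, usernames and thresholds are assumptions made for the demo.

```python
import re
from collections import defaultdict


# Constructed access-log excerpt for the demo (not from the course page). Fields:
# epoch seconds, client IP, method, path, HTTP status and, for login attempts,
# the submitted username.
def _line(ts, ip, method, path, status, user=None):
    return f"{ts} {ip} {method} {path} {status}" + (f" user={user}" if user else "")


SAMPLE_LOG = []
# A legitimate user: three login attempts spread over two minutes.
SAMPLE_LOG += [_line(1000 + 40 * i, "10.0.0.7", "POST", "/login", 200, "bob") for i in range(3)]
# Login attack: 40 requests from one client in 20 seconds, every one hitting the auth back end.
SAMPLE_LOG += [_line(1000 + i // 2, "198.51.100.23", "POST", "/login", 401, "bob") for i in range(40)]
# User registration DoS: 30 spurious sign-ups in 30 seconds from the same client.
SAMPLE_LOG += [_line(2000 + i, "198.51.100.23", "POST", "/register", 201) for i in range(30)]
# Account lockout attack: five wrong passwords against each enumerated username.
for n, user in enumerate(["alice", "carol", "dave"]):
    SAMPLE_LOG += [_line(3000 + 10 * i, f"203.0.113.{n + 1}", "POST", "/login", 401, user)
                   for i in range(5)]

LOG_RE = re.compile(
    r"^(?P<ts>\d+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})"
    r"(?: user=(?P<user>\S+))?$"
)


def parse_log(lines):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"], e["status"] = int(e["ts"]), int(e["status"])
            events.append(e)
    return events


def max_in_window(timestamps, window):
    """Largest number of events that fall inside any sliding window of `window` seconds."""
    ts = sorted(timestamps)
    best = lo = 0
    for hi, t in enumerate(ts):
        while t - ts[lo] >= window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def flag_floods(events, path, window=60, threshold=20):
    """Clients that POST to `path` at least `threshold` times within `window` seconds.
    Catches registration floods and login floods whether or not the requests succeed."""
    per_ip = defaultdict(list)
    for e in events:
        if e["method"] == "POST" and e["path"] == path:
            per_ip[e["ip"]].append(e["ts"])
    flagged = {}
    for ip, stamps in per_ip.items():
        peak = max_in_window(stamps, window)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def flag_lockout_pattern(events, lock_threshold=5):
    """Usernames whose failed-login count has reached the lockout threshold.
    Many distinct accounts reaching it at once is the signature of a lockout attack."""
    failures = defaultdict(int)
    for e in events:
        if e["path"] == "/login" and e["status"] == 401 and e["user"]:
            failures[e["user"]] += 1
    return {u: n for u, n in failures.items() if n >= lock_threshold}


def analyse(lines=SAMPLE_LOG):
    events = parse_log(lines)
    return {
        "login_floods": flag_floods(events, "/login"),
        "registration_floods": flag_floods(events, "/register"),
        "accounts_at_lockout": flag_lockout_pattern(events),
    }


if __name__ == "__main__":
    for name, hits in analyse().items():
        print(f"{name}: {hits}")
```

The per-client counters are what a rate limiter or WAF rule would key on; the per-account failure counter is the complementary signal, because a lockout attack can stay under any per-IP limit by spreading its requests across many sources. Note that the lockout detector also fires for bob, whose account was driven to the threshold by the login flood, which is exactly the side effect the course text warns about.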
Account Lockout Attacks
The attacker may enumerate usernames through another vulnerability in the application and then attempt to authenticate to the site with valid usernames and incorrect passwords, which locks the accounts after a specified number of failed attempts. At that point, legitimate users cannot use the site.

XML External Entity (XXE) Injection

- XML External Entity (XXE) injection is an attack against a misconfigured XML parser that accepts XML input from an untrusted source; it is commonly leveraged to perform server-side request forgery (SSRF) from the parsing server.
- Attackers can make the victim's web application reference an external entity by including the reference in malicious XML input.
- When this input is processed by the weakly configured XML parser of the target web application, the attacker can access protected files and services on the server or on connected networks.
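As an added example (not the course's code), the Python script below shows the misconfiguration the slide describes and its fix, using the standard library's xml.sax parser: with external general entities enabled, a <!ENTITY ... SYSTEM "..."> declaration pointing at a local file makes the parser splice that file into the document, so a handler that only meant to read a comment hands the attacker the file's contents; with the feature off and DOCTYPE refused outright, the same payload is rejected. The secret file, its contents and the <comment> element are constructed for the demo.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges

SECRET = "db_password=constructed-example-value"   # constructed sample secret, not real


class _TextCollector(ContentHandler):
    """Collects all character data the parser delivers, expanded entities included."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)


def build_payload():
    """Write a constructed secret to a temp file and return (xxe_payload, secret).

    The payload has the classic XXE shape: an external general entity whose SYSTEM
    identifier names a local file. A file:///... or http://... identifier is handled
    the same way, which is where the SSRF behaviour comes from.
    """
    workdir = tempfile.mkdtemp(prefix="xxe-demo-")
    secret_path = os.path.join(workdir, "secret.txt")
    with open(secret_path, "w", encoding="utf-8") as fh:
        fh.write(SECRET)
    payload = (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE comment [\n'
        f'  <!ENTITY xxe SYSTEM "{secret_path}">\n'
        ']>\n'
        '<comment>&xxe;</comment>\n'
    ).encode("utf-8")
    return payload, SECRET


def _parse(xml_bytes, external_entities):
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, external_entities)
    collector = _TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.chunks).strip()


def parse_comment_vulnerable(xml_bytes):
    """Misconfigured parser: external general entities are resolved, so &xxe;
    expands to the contents of whatever file the attacker named."""
    return _parse(xml_bytes, external_entities=True)


def parse_comment_hardened(xml_bytes):
    """Hardened parser: refuse any DTD up front (no DTD, no entity declarations)
    and keep external entity resolution off."""
    if b"<!DOCTYPE" in xml_bytes:
        raise ValueError("DTD/DOCTYPE not allowed in untrusted XML")
    return _parse(xml_bytes, external_entities=False)


def hardened_rejects(xml_bytes):
    """True if the hardened parser refuses the document."""
    try:
        parse_comment_hardened(xml_bytes)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    payload, _ = build_payload()
    print("vulnerable parser returned:", parse_comment_vulnerable(payload))
    print("hardened parser rejects payload:", hardened_rejects(payload))
    print("hardened parser on benign input:", parse_comment_hardened(b"<comment>hello</comment>"))
```

Three practical notes. Python's xml.sax has kept external general entities off by default since 3.7.1, so the vulnerable path here is opt-in; other parsers (and older library versions on other platforms) still resolve them unless told not to. The byte search for <!DOCTYPE is an illustration of the "no DTD at all" policy, not a complete guard (it does nothing for a UTF-16 document, for instance); in production use a library built for untrusted XML, such as defusedxml, which also refuses entity-expansion (billion laughs) payloads. And the SSRF angle is the same as in the preceding section: an entity with an http:// SYSTEM identifier makes the parsing server issue the request, so the same internal-address checks apply to any entity resolver you do allow.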