Chapter 2 - 04 - Understand Application-level and OS-level Attacks - 07_ocred.pdf

Certified Cybersecurity Technician Information Security Attacks Exam 212-82

Application Programming Interface (API) Attacks

o Fuzzing
o Invalid Input Attacks
o Injection Attacks
o Insecure SSL Configuration
o Insecure Direct Object References (IDOR)
o Insecure Session/Authentication Handling
o Login/Credential Stuffing Attacks
o API DDoS Attacks

Copyright © by EC-Council. All Rights Reserved. Reproduction Is Strictly Prohibited.

Application Programming Interface (API) Attacks

Fuzzing

Attackers use the fuzzing technique to repeatedly send random input to the target API to generate error messages that reveal critical information. To perform fuzzing, attackers use automated scripts that send numerous requests with varying combinations of input parameters. Attackers use tools such as Fuzzapi to perform fuzzing on the target API.

Invalid Input Attacks

In some scenarios, fuzzing is difficult to perform because of the API's structure. In such cases, attackers give invalid inputs to the API, such as text in place of numbers, numbers in place of text, more characters than expected, and null characters, to extract sensitive information from unexpected system behavior and error messages. At the same time, attackers also manipulate HTTP headers and values, targeting both the API logic and the HTTP protocol.

Injection Attacks

Similar to traditional web applications, APIs are also vulnerable to various injection attacks. For example, consider the following normal URL:

http://billpay.com/api/v1/cust/459

For this URL, the API retrieves the customer details for customer ID 459 from the database using the following SQL query:

"SELECT * FROM Customers where custID='" + custID + "'"

Here, custID is replaced with 459:

"SELECT * FROM Customers where custID='459'"

Module 02 Page 252 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
In the abovementioned URL, assume that an attacker injects the following malicious input:

http://billpay.com/api/v1/cust/'%20or%20'1'='1

The resultant malicious SQL query is:

"SELECT * FROM Customers where custID='' or '1'='1'"

This query returns the details of all the customers in the database. Using this information, an attacker may further delete or modify the data in the database or use the customers' information to perform other malicious activities on the database server. These API injection attacks are performed not only using SQL but also using JSON, JavaScript, XPath, XSLT, etc., which require parsers/processors for execution.

Note: Similar to injection attacks, web APIs are also vulnerable to XSS and CSRF attacks.

Insecure SSL Configuration

Vulnerabilities in SSL configuration may allow attackers to perform MITM attacks. For example, using self-signed SSL certificates for secure API access may allow attackers to perform an MITM attack. An attacker may sniff the traffic between an API and a client, manipulate the client-side certificate, and start monitoring or manipulating the encrypted traffic between the client and the API.

Insecure Direct Object References (IDOR)

In general, direct object references are used as arguments for API calls, and access rights are not enforced on objects to which a user does not have access. These vulnerabilities can be identified through API metadata and exploited by attackers, who identify the parameters and try all possible values for them to access data to which the user does not have access.

Insecure Session/Authentication Handling

Vulnerabilities such as the reuse of session tokens, sequential session tokens, long session token timeouts, unencrypted session tokens, and session tokens embedded in a URL allow attackers to hijack and take over the client session and steal or manipulate the messages between the client and the API.
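The following Python program is an added example and is not part of the EC-Council courseware. It rebuilds the customer lookup from the injection section in three forms over an in-memory SQLite table with constructed rows: the string-concatenated query exactly as the text shows it, a version that binds custID as a query parameter, and a version that additionally validates the path segment as a decimal ID before the database is consulted. The table contents and the path_segment and compare helpers are assumptions made for the example.

```python
import re
import sqlite3
from urllib.parse import unquote

# Constructed sample rows standing in for the billpay.com Customers table.
SAMPLE_CUSTOMERS = [
    (459, "Alice Example", "alice@example.invalid"),
    (460, "Bob Example", "bob@example.invalid"),
    (461, "Carol Example", "carol@example.invalid"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory Customers table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Customers (custID INTEGER, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO Customers VALUES (?, ?, ?)", SAMPLE_CUSTOMERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, cust_id: str) -> list:
    """The concatenation pattern from the text: the URL path segment is pasted
    straight into the query, so a quote character in it changes the query's
    structure instead of being treated as data."""
    query = "SELECT * FROM Customers where custID='" + cust_id + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, cust_id: str) -> list:
    """Bind the value instead of concatenating it: whatever the string contains
    is compared as a value and never parsed as SQL."""
    return conn.execute(
        "SELECT * FROM Customers WHERE custID = ?", (cust_id,)
    ).fetchall()


CUST_ID_RE = re.compile(r"[0-9]{1,10}")


def lookup_hardened(conn: sqlite3.Connection, cust_id: str) -> list:
    """Defense in depth: reject anything that is not a decimal customer ID
    before the database is consulted, and bind the parameter as well."""
    if not CUST_ID_RE.fullmatch(cust_id):
        raise ValueError("custID must be a decimal integer")
    return conn.execute(
        "SELECT * FROM Customers WHERE custID = ?", (int(cust_id),)
    ).fetchall()


def path_segment(url: str) -> str:
    """Hypothetical helper: extract and percent-decode the last path segment,
    as a web framework would before handing it to the handler."""
    return unquote(url.rsplit("/", 1)[-1])


def compare(url: str) -> dict:
    """Run the same request through all three lookups and report row counts."""
    conn = make_db()
    cust_id = path_segment(url)
    result = {
        "custID": cust_id,
        "vulnerable_rows": len(lookup_vulnerable(conn, cust_id)),
        "parameterized_rows": len(lookup_parameterized(conn, cust_id)),
    }
    try:
        result["hardened_rows"] = len(lookup_hardened(conn, cust_id))
    except ValueError:
        result["hardened_rows"] = "rejected"
    return result


if __name__ == "__main__":
    print(compare("http://billpay.com/api/v1/cust/459"))
    print(compare("http://billpay.com/api/v1/cust/'%20or%20'1'='1"))
```

Run with the two URLs from the text, the concatenated lookup returns one row for 459 and every row for the injected segment, the parameterized lookup returns no rows for the injected segment because the whole string is compared as a value, and the validated lookup rejects the request before a query is issued. The validation step is what turns a malformed request into a clean 400-style error instead of a database error message of the kind the fuzzing section describes.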
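The following Python handler is an added example, not part of the EC-Council courseware, for the IDOR and session-handling paragraphs above. It issues random, expiring session tokens carried in the Authorization header rather than in the URL, and before returning a customer record it checks that the record belongs to the authenticated user, answering "not found" for both missing and foreign IDs so that iterating over identifiers reveals nothing. The CUSTOMER_OWNER table, the 15-minute timeout, the injectable clock and the exception names are assumptions made for the example.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

SESSION_TTL_SECONDS = 15 * 60  # assumed idle timeout; tune to the application's risk


class Unauthorized(Exception):
    """Missing, unknown or expired session token (HTTP 401)."""


class NotFound(Exception):
    """Object does not exist or is not owned by the caller (HTTP 404)."""


@dataclass
class Session:
    user_id: int
    expires_at: float


class SessionStore:
    """Random, non-sequential tokens that expire. The clock is injectable so
    expiry can be exercised without sleeping."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now
        self._sessions: Dict[str, Session] = {}

    def create(self, user_id: int) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[token] = Session(user_id, self._now() + SESSION_TTL_SECONDS)
        return token

    def resolve(self, token: str) -> Optional[int]:
        session = self._sessions.get(token)
        if session is None:
            return None
        if session.expires_at <= self._now():
            del self._sessions[token]  # expired tokens are forgotten, never reused
            return None
        return session.user_id

    def revoke(self, token: str) -> None:
        self._sessions.pop(token, None)


# Constructed ownership table: which user account each customer record belongs to.
CUSTOMER_OWNER = {459: 1001, 460: 1002, 461: 1002}


def get_customer(store: SessionStore, headers: Dict[str, str], cust_id: int) -> dict:
    """Handler for GET /api/v1/cust/{cust_id}: authenticate from the
    Authorization header (never from the URL), then enforce ownership."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        raise Unauthorized("no bearer token")
    user_id = store.resolve(auth[len("Bearer "):])
    if user_id is None:
        raise Unauthorized("invalid or expired token")
    owner = CUSTOMER_OWNER.get(cust_id)
    # Same response for "does not exist" and "belongs to someone else", so a
    # client walking through IDs cannot tell which ones are valid.
    if owner is None or owner != user_id:
        raise NotFound(f"customer {cust_id}")
    return {"custID": cust_id, "owner": owner}


def demo() -> list:
    """Walk through the checks with a fake clock; returns the outcomes in order."""
    clock = [1_000_000.0]
    store = SessionStore(now=lambda: clock[0])
    token = store.create(1001)
    headers = {"Authorization": "Bearer " + token}
    outcomes = [get_customer(store, headers, 459)["owner"]]  # own record: allowed
    for cust_id in (460, 999):  # someone else's record, and a nonexistent one
        try:
            get_customer(store, headers, cust_id)
            outcomes.append("allowed")
        except NotFound:
            outcomes.append("404")
    clock[0] += SESSION_TTL_SECONDS + 1  # let the session time out
    try:
        get_customer(store, headers, 459)
        outcomes.append("allowed")
    except Unauthorized:
        outcomes.append("401")
    return outcomes


if __name__ == "__main__":
    print(demo())
```

The ownership lookup is the control the IDOR paragraph says is missing: the identifier in the URL is only a hint, and the server decides from the session which objects that identifier may resolve to.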
Login/Credential Stuffing Attacks

Attackers often target login and validation systems because attacks on these systems are difficult to detect and stop using typical API security solutions. Attackers perform login attacks or credential stuffing attacks to exploit password reuse across multiple platforms. Most users use the same passwords to access different web services. Attackers can take advantage of credentials stolen from one account and use them to log in to other services. Credential stuffing attacks do not involve password guessing or brute-forcing passwords; instead, attackers automatically try all the previously identified pairs of credentials using tools such as Sentry MBA, SNIPR, and PhantomJS to break into an account. These attacks can also be performed to disrupt API-based services by preventing valid users from signing in, thereby degrading the user experience and functionality of the front-facing APIs.

API DDoS Attacks

A DDoS attack involves saturating an API with a massive volume of traffic from multiple infected computers (a botnet) to delay the API services to legitimate users. Although many rate-limit constraints are implemented to protect the server against crashing, they may not prevent the service delay (slow API responses), thereby degrading the API's user experience. Attackers often carry out these attacks using botnets that are created to discover and stay within the API rate-limit controls, which increases the chance that the attack succeeds. Mixed in with the regular traffic from legitimate users, attackers' requests can also bypass API security management systems, load balancers, and other security implementations.
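The following Python detector is an added example, not part of the EC-Council courseware. It runs over constructed gateway log lines for a login endpoint and separates the credential-stuffing pattern the text describes (many distinct accounts tried from one source, roughly once each, some of them succeeding) from ordinary password brute force (one account, many tries), which is the distinction a detection rule needs because stuffing never trips a per-account lockout. The log format, thresholds and TEST-NET addresses are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed API gateway log lines (TEST-NET addresses; not from a real system).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z ip=203.0.113.7 path=/api/v1/login user=alice result=fail
2024-05-01T10:00:02Z ip=203.0.113.7 path=/api/v1/login user=bob result=fail
2024-05-01T10:00:02Z ip=203.0.113.7 path=/api/v1/login user=carol result=fail
2024-05-01T10:00:03Z ip=203.0.113.7 path=/api/v1/login user=dave result=success
2024-05-01T10:00:04Z ip=203.0.113.7 path=/api/v1/login user=erin result=fail
2024-05-01T10:00:04Z ip=203.0.113.7 path=/api/v1/login user=frank result=fail
2024-05-01T10:00:10Z ip=198.51.100.9 path=/api/v1/login user=grace result=fail
2024-05-01T10:00:11Z ip=198.51.100.9 path=/api/v1/login user=grace result=fail
2024-05-01T10:00:12Z ip=198.51.100.9 path=/api/v1/login user=grace result=fail
2024-05-01T10:00:13Z ip=198.51.100.9 path=/api/v1/login user=grace result=fail
2024-05-01T10:00:14Z ip=198.51.100.9 path=/api/v1/login user=grace result=fail
2024-05-01T10:00:20Z ip=192.0.2.5 path=/api/v1/login user=heidi result=fail
2024-05-01T10:00:25Z ip=192.0.2.5 path=/api/v1/login user=heidi result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) path=(?P<path>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse(lines: str) -> List[dict]:
    """Turn log text into event dicts; unrelated or malformed lines are skipped."""
    events = []
    for line in lines.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def classify(lines: str, window: timedelta = timedelta(minutes=5),
             min_users: int = 5, min_attempts: int = 5) -> Dict[str, dict]:
    """Per source IP, over a sliding window of login attempts, flag credential
    stuffing (many distinct accounts, at most about two tries each) or brute
    force (one account, many tries). Successful logins inside a stuffing burst
    are reported as the accounts to reset first."""
    by_ip: Dict[str, List[dict]] = defaultdict(list)
    for ev in parse(lines):
        if ev["path"] == "/api/v1/login":
            by_ip[ev["ip"]].append(ev)
    findings: Dict[str, dict] = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        for i, latest in enumerate(events):
            recent = [e for e in events[: i + 1] if latest["ts"] - e["ts"] <= window]
            users = {e["user"] for e in recent}
            attempts = len(recent)
            verdict = None
            if len(users) >= min_users and attempts <= 2 * len(users):
                verdict = "credential_stuffing"
            elif len(users) == 1 and attempts >= min_attempts:
                verdict = "brute_force"
            if verdict:
                findings[ip] = {
                    "verdict": verdict,
                    "distinct_users": len(users),
                    "attempts": attempts,
                    "successes": sorted(e["user"] for e in recent if e["result"] == "success"),
                }
                break  # first window that crosses a threshold is enough to alert
    return findings


if __name__ == "__main__":
    for ip, finding in classify(SAMPLE_LOG).items():
        print(ip, finding)
```

In the sample, 203.0.113.7 is flagged as stuffing with one compromised account (dave), 198.51.100.9 as brute force against grace, and 192.0.2.5 (a user who mistyped once) produces no finding. The same per-source aggregation is the starting point for the rate-limiting and bot-detection controls the DDoS paragraph refers to.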
Secure Sockets Layer (SSL) Stripping

o SSL stripping, also known as SSL downgrading, is a technique of demoting the website security from HTTPS to the less secure HTTP
o An SSL stripping attack circumvents the security enforced by SSL certificates over HTTPS sites and exposes websites to data manipulation and eavesdropping, forcing them to redirect to a malicious HTTP server

[Slide diagram: the SSL stripping exchange between user, attacker and server, as shown in Figure 2.42]

Secure Sockets Layer (SSL) Stripping

SSL stripping, also known as SSL downgrading, is a technique of demoting the website security from Hypertext Transfer Protocol Secure (HTTPS) to the less secure Hypertext Transfer Protocol (HTTP). Client-server communications use application protocols such as HTTPS and HTTP. In HTTPS, data are transmitted through a secure tunnel called SSL or Transport Layer Security (TLS); HTTPS is more secure than HTTP, which transmits data in plaintext. An SSL stripping attack circumvents the security enforced by SSL certificates over HTTPS sites and exposes websites to data manipulation and eavesdropping, forcing them to redirect to a less secure, malicious HTTP server.
For example, when a user sends a URL request through a web browser, the browser first uses "HTTP" before the user is redirected to a secure HTTPS site. This allows attackers to act as a man in the middle between the user and the actual server to perform an SSL stripping attack, thereby misguiding users into connecting to an insecure website (HTTP) that resembles the legitimate site (HTTPS). As HTTP does not generate alerts or warn users that they have been routed to an illegitimate site, attackers can intercept and collect the users' credentials without their knowledge.

How SSL Stripping Works

Suppose a user sends a request to access their account on the website "www.certifiedhacker.com" over HTTPS. An attacker, with the intention of stealing the user's credentials, establishes a hidden connection with the user by discarding the secure connection between the server and user. Thus, when the user attempts to access the website, they are directed to an insecure site created by the attacker using HTTP. This, in turn, allows the attacker to interfere and act as a gateway between the user and server. Once the attacker receives the request from the client, they forward the packet to the server on behalf of the user, establishing an SSL-encrypted connection with the server. Instead of sending responses to the user directly, the web server responds to the attacker's request with the secure URL "https://www.certifiedhacker.com." Now, the attacker downgrades the web-server response from "https://www.certifiedhacker.com" to "http://www.certifiedhacker.com" and sends it to the user. The user assumes the response to be legitimate, accesses the site, and provides their login credentials.
This allows the attacker to gain confidential details of the user, such as credentials and personal information, to perform further attacks on the target server.

Figure 2.42: SSL stripping attack. The user requests www.certifiedhacker.com from the server; the attacker disrupts the secure connection between the server and user; the attacker establishes a hidden connection with the user to send an insecure site using HTTP; the attacker establishes a secure connection with the server using HTTPS (https://www.certifiedhacker.com); the attacker sends "http://www.certifiedhacker.com" to the user, who logs in and exposes their credentials.
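The following Python code is an added example, not part of the EC-Council courseware, showing the client-side control that defeats the downgrade described above: HTTP Strict Transport Security (HSTS). Once the client has seen a Strict-Transport-Security header from the site over HTTPS, every http:// URL or redirect for that host is rewritten to https:// before any request is sent, so the attacker's downgraded "http://www.certifiedhacker.com" response is never followed. A policy carried by a plain-HTTP response is ignored, because that is exactly the response an on-path attacker can forge. The policy store, the injectable clock, and the assumption that the apex domain certifiedhacker.com sends includeSubDomains are constructed for the example.

```python
import time
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(value: str) -> Optional[Tuple[int, bool]]:
    """Parse a Strict-Transport-Security header value into
    (max_age_seconds, include_subdomains); None if it is malformed."""
    max_age: Optional[int] = None
    include_sub = False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(val.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None or max_age < 0:
        return None
    return max_age, include_sub


class HstsPolicy:
    """A client-side HSTS store: hosts seen over HTTPS with the header are
    pinned to https until their max-age expires."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now
        self._hosts: Dict[str, Tuple[float, bool]] = {}

    def learn(self, response_url: str, headers: Dict[str, str]) -> bool:
        """Record the policy carried by a response. Only a response received
        over https counts; an http response could come from the attacker."""
        parts = urlsplit(response_url)
        if parts.scheme != "https" or not parts.hostname:
            return False
        value = next((v for k, v in headers.items()
                      if k.lower() == "strict-transport-security"), None)
        if value is None:
            return False
        parsed = parse_hsts(value)
        if parsed is None:
            return False
        max_age, include_sub = parsed
        host = parts.hostname.lower()
        if max_age == 0:
            self._hosts.pop(host, None)  # max-age=0 means "forget this host"
        else:
            self._hosts[host] = (self._now() + max_age, include_sub)
        return True

    def is_known(self, host: str) -> bool:
        host = host.lower()
        now = self._now()
        for known, (expires_at, include_sub) in list(self._hosts.items()):
            if expires_at <= now:
                del self._hosts[known]  # expired policies no longer apply
                continue
            if host == known or (include_sub and host.endswith("." + known)):
                return True
        return False

    def enforce(self, url: str) -> str:
        """Return the URL the client should actually fetch: http:// becomes
        https:// for any host covered by a stored policy, including an
        http:// Location the attacker substituted in a redirect."""
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname and self.is_known(parts.hostname):
            netloc = parts.hostname if parts.port in (None, 80) else f"{parts.hostname}:{parts.port}"
            return urlunsplit(parts._replace(scheme="https", netloc=netloc))
        return url


def demo() -> dict:
    """Constructed walkthrough: learn the policy legitimately, reject a forged
    one, then watch downgraded URLs get rewritten until the policy expires."""
    clock = [1_000.0]
    policy = HstsPolicy(now=lambda: clock[0])
    policy.learn("https://certifiedhacker.com/",  # constructed HTTPS response
                 {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"})
    forged_ignored = not policy.learn("http://certifiedhacker.com/",  # constructed http response
                                      {"Strict-Transport-Security": "max-age=1"})
    out = {
        "ignored_http_hsts": forged_ignored,
        "www_link": policy.enforce("http://www.certifiedhacker.com/login"),
        "apex": policy.enforce("http://certifiedhacker.com/"),
        "other_host": policy.enforce("http://example.invalid/"),
    }
    clock[0] += 31536000 + 1
    out["after_expiry"] = policy.enforce("http://www.certifiedhacker.com/login")
    return out


if __name__ == "__main__":
    print(demo())
```

The remaining gap is the very first visit, before any policy has been learned, which is why browsers additionally ship a preload list of hosts that are treated as HSTS-pinned from the start; server-side, sending the header on every HTTPS response with a long max-age is the corresponding control.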