Lecture 5-2.txt

Full Transcript

concept and prevention

Web vulnerability

Web vulnerabilities are weaknesses in websites or web applications that
hackers can exploit to gain unauthorized access, steal data, or perform
other malicious activities.

-always validate and sanitize user inputs to prevent SQL injections and
XSS attacks. - use https instead of http so that data is encrypted in
transit and protected against man-in-the-middle attacks. -Implement
strong authentication (like 2FA) and ensure users have access only to
what they need. -Regularly patch and update your software to fix known
vulnerabilities.

SQL attack

An SQL attack, like SQL Injection, happens when a hacker manipulates a
web application's SQL queries to access or manipulate the database
improperly. This can lead to unauthorized data access, data deletion, or
even complete control over the database. It happens when a hacker inputs
sql commands into user inputs.

-Validate and sanitize all user inputs to ensure they are safe and
expected. -Avoid displaying detailed error messages to users, as they
can reveal vulnerabilities. -Conduct regular security checks and code
reviews to identify and fix potential vulnerabilities.

File upload

File upload vulnerabilities occur when an application allows users to
upload files without properly validating them. Hackers can exploit this
to upload malicious files, such as scripts or executables.

-Only allow specific file types (e.g., images, PDFs) -Use antivirus or
security tools to scan uploaded files for malware. -Restrict the maximum
file size to prevent denial-of-service attacks. -Rename uploaded files
to prevent path traversal and overwriting issues. -Store uploaded files
in a directory outside the web root to prevent direct access. -Ensure
proper permissions and access controls on uploaded files.

Command execution

Command execution vulnerabilities occur when an application allows user
input to execute system-level commands(commands interact directly with
the operating system to carry out tasks) on the server. If not properly
handled, hackers can exploit this to run arbitrary commands, potentially
taking control of the server, accessing sensitive data, or disrupting
services.

-Strictly validate and sanitize all user inputs to ensure they don't
contain malicious code. -Wherever possible, avoid executing system
commands based on user input. -Use a whitelist of allowed commands, and
restrict input to predefined, safe options. -Ensure that the application
runs with the least privileges required. -properly escape and quote
inputs to prevent injection. -Keep logs of executed commands and monitor
for unusual activity

Local File Inclusion (LFI)

Reading local files which are on the same server. It works by exploiting
a web application that allows user input to control file paths. Here's a
simple breakdown: User Input: The application takes user input for a
file path. For example, index.php?page=home.php. Manipulation: The
attacker manipulates this input to include a sensitive file. For
example, index.php?page=/etc/passwd. Inclusion: The web server processes
the manipulated input and includes the specified file. In this case, it
might expose the contents of /etc/passwd.

-Strictly validate and sanitize all user inputs to ensure they don't
contain harmful file paths or characters like../. -Only allow specific,
trusted files to be included, and reject any others. Use a whitelist of
acceptable file paths or names. -Disabling functions that allow file
inclusion (like include, require in PHP) can help. -Restrict the
application's access to only the directories it needs. -Use absolute
file paths instead of relative paths to prevent path traversal attacks.
-Ensure that detailed error messages (which might reveal server paths)
are not exposed to users. Log them securely instead.

Remote File Inclusion

Remote File Inclusion (RFI) vulnerabilities occur when an application
allows users to include and execute files from external, remote sources
through user input. The remote file can be a malicious one placed in the
attacker's server. The remote file is usually obtained in the form of an
HTTP/HTTPS URL.

-Ensure that all user inputs are thoroughly validated and sanitized
-Only allow the inclusion of trusted, predefined files. Use a whitelist
approach to ensure that only safe files can be included. -Limit the
directories and files that can be included by the application, using
proper file permissions and configurations. -Avoid displaying detailed
error messages that might reveal information about the server or how to
exploit the vulnerability. -Use absolute paths to trusted local files
instead of allowing dynamic or user-controlled paths, which might be
manipulated. -Disable allow\_url\_fopen & allow\_url\_include in the PHP
setting.

Cross-Site Scripting (XSS)

It allows an attacker to inject a script code (such as JavaScript code)
into a webpage so that the code is executed on the client machine,
whenever the page is loaded. (The code is not executed on the server.)

Two main types of XSS

Reflected (non-persistent) XSS: An attacker tricks a user into clicking
a malicious link or submitting a form with malicious JavaScript code.
The example URL: http://victim.com/page.php?somevar=

Stored (persistent) XSS: More dangerous. The attacker injects the
website with a malicious script that can steal website users' session
cookies. The injected code is executed every time the page is loaded on
any user's machine.

Comparison with the reflected XSS: The reflected XSS can finish one time
for one user. However, the stored XSS will last for multiple times for
multiple users of the infected website.

-Minimise the manipulation of user input on html. -Escape any untrusted
input before inserting it into the html page so that each of the
exploitable characters is converted into a corresponding HTML encoding
-Set the HttpOnly and Secure flags on cookies to prevent them from being
accessed via JavaScript and only sent over HTTPS. -Avoid using inline
JavaScript or directly embedding user inputs in your scripts, as this
can open up vulnerabilities. -Conduct regular security testing,
including automated and manual tests, to identify and fix potential XSS
vulnerabilities.

Basics of WiFi

Ad-Hoc Mode:

Peer-to-Peer: Devices connect directly to each other without needing a
router or access point. Temporary Networks: Useful for quick, temporary
networks like sharing files between two laptops. No Central Management:
Each device communicates with every other device within range.
Infrastructure Mode:

Centralized: Devices connect to a central access point (like a router),
which manages the network. Common in Homes/Offices: Most home WiFi
networks use this mode. Better Range and Management: The access point
handles traffic, which can help with range and network management.
Monitor Mode:

Sniffing/Monitoring: Allows a device to listen to all traffic on a
channel without connecting to a network. No Transmissions: The device
doesn't send any data, just listens. Used for Network Analysis: Useful
for debugging, security audits, or analyzing network traffic.

WEP (Wired Equivalent Privacy) is an older security protocol for WiFi
networks, designed to provide a level of security similar to a wired
network. It was one of the first standards for securing wireless
networks, but it's known for being very vulnerable.

Vulnerability -IV is only 24-bits long so it is short and reused. (salt)
- weak algorithm problems: The encryption algorithm RC4 is known to be
weak. (lock) The integrity check algorithm CRC-32 is also known to be
weak. (tape)

WPA (WiFi Protected Access) has the same goal as WEP (Wired Equivalent
Privacy) but it provides much stronger security. The client and access
point share the common secret (passphrase) called "PMK (Pairwise Master
Key)" from which two entities will develop keys for encryption and
authentication. The structures of WPA and WPA2 are essentially the same
except that WPA2 is based on stronger crypto functions like AES, CBC-MAC
and etc.

Functionalities

1. Stronger encryption: WPA uses the Temporal Key Integrity Protocol
for encryption, which is a big step up from WEP.
2. WPA includes a more secure Message Integrity Check (MIC) to prevent
an attacker from altering and re-sending data packets.
3. WPA was designed to be implemented on existing hardware with a
firmware update, meaning many older devices could use it without
needing to upgrade the hardware.

Vulnerabilities

1. TKIP, while better than WEP, still has some vulnerabilities. It was
designed as a temporary solution to be compatible with older
hardware, which limited its security potential. Over time,
weaknesses were found, making it less secure than modern standards.
2. If a weak or common passphrase is used, WPA-PSK can be vulnerable to
brute-force attacks. Attackers can guess the passphrase by trying
different combinations until they find the correct one.
3. WPA is vulnerable to certain types of replay attacks where an
attacker can capture and retransmit data packets. Although WPA has
protections like TKIP to reduce this risk, it's not foolproof.
4. In some cases, if a network supports both WPA and WPA2, an attacker
might force a client to use the weaker WPA standard instead of the
more secure WPA2, making the network more vulnerable.
5. if the authentication server is not secure or if the client devices
are not properly configured to verify the server's identity, it can
open up the network to attacks.

Four-Way Handshake in WPA: Message 1: The AP generates a random string
called the ANonce (AP Nonce) and sends it to the client.

Message 2: The client device now has the ANonce and its own random
string called the SNonce (Supplicant Nonce). It generates a Pairwise
Transient Key (PTK) using: The ANonce The SNonce The client's MAC
address The AP's MAC address The pre-shared key (PSK) The client then
sends the SNonce and a Message Integrity Code (MIC) back to the AP,
ensuring that the message hasn't been tampered with.

Message 3: The AP now has both the ANonce and the SNonce, and it can
generate the same PTK. It uses the PTK to encrypt the Group Temporal Key
(GTK) and sends it to the client, along with another MIC to ensure the
integrity of the message.

Message 4: The client sends an acknowledgment to the AP, indicating that
it has successfully received the GTK and the handshake is complete.

PMK (Pairwise Master Key) is a passphrase pre-shared between AP and
Client. Problem: People can use weak passphrases! PTK (Pairwise
Transient Key) is derived from PMK.

PMK guessing attack When a device connects to a WPA/WPA2 network, a
4-way handshake occurs between the client and the access point (AP).
During this handshake, information is exchanged that includes a hashed
version of the PMK. An attacker can capture this handshake using tools
like Wireshark or aircrack-ng. They can take the captured data and
attempt to guess the passphrase offline. The attacker guesses different
passphrases, combines each guess with the SSID, and hashes it to see if
it matches the PMK in the captured handshake. If the WiFi passphrase is
weak (e.g., a common word or short password), the attacker can try many
guesses quickly using a dictionary attack (testing against a list of
common passwords) or a brute-force attack (trying all possible
combinations). If the correct passphrase is guessed, the PMK will match,
and the attacker will have successfully cracked the WiFi network.

KRACK: The attack targets the way WPA2 handles key installation. During
the four-way handshake, the client and access point exchange messages to
confirm and install encryption keys. KRACK exploits a flaw where the
client or AP might reinstall the same key multiple times due to improper
handling of the key installation process.In the handshake process, the
attacker forces the client to reinstall an already-used key by replaying
handshake messages. This forces the key to be used again, potentially
resetting its state. By replaying, decrypting, or modifying encrypted
messages using the reinstalled key, the attacker can access unencrypted
data. They can also inject malicious data into the communication stream.

WPA Enterprise is a security mode designed for enterprise environments,
providing a more robust and scalable solution compared to WPA-Personal.
Instead of using a single shared passphrase (like in WPA-Personal), WPA
Enterprise uses individual authentication credentials for each user or
device, which enhances security.

Purpose RADIUS (Remote Authentication Dial-In User Service) is the
backbone of WPA Enterprise. It's a protocol that handles authentication,
authorization, and accounting (AAA) for users who connect to a network.

Operation When a user or device tries to connect to a WPA Enterprise
network, they don't just provide a passphrase. Instead, they typically
enter a username and password (or use a digital certificate) to
authenticate. The client device (like a laptop) communicates with the
Access Point (AP) to start the authentication process. The AP doesn't
handle authentication by itself but forwards the credentials to a RADIUS
server. The RADIUS server receives the authentication request from the
AP. It checks the credentials against a user database, like Active
Directory, LDAP, or another authentication service. If the credentials
are valid, the RADIUS server sends an "Access-Accept" message back to
the AP, allowing the user to connect. If not, it sends an
"Access-Reject" message. Once authenticated, the RADIUS server can also
manage the session, including tracking usage (for accounting) and
controlling access to network resources based on policies. After
successful authentication, the RADIUS server helps establish the
encryption keys that will secure the wireless session.
-----------------------------------------------------------------------------

File inclusion vulnerability is a web vulnerability that affects web
applications that run scripts. It's when an attacker manipulates file
paths to access files or directories outside the intended folder. This
can lead to unauthorized access to sensitive files, code execution, and
more. It's a serious security issue in web applications.

Prevention against file inclusion vulnerability: Use static file
inclusion. The PHP function \$\_GET\[\] should not be used to take any
page as input for parameter page.

Why is wireless less secure? The WiFi networks broadcast data through
the public waves rather than over network cable. In order to intercept
data on a wired network, an intruder has to gain a physical access to
the network by connecting over the Ethernet LAN. In order to do the same
on a wireless network, the intruder can just sit down and receive the
signal even if the data are encrypted.

There are three wireless networking modes - üAd-hoc mode: This mode does
not require any equipment except for wireless adapters (wireless NICs).
This is based on point-to-point (peer-to-peer style) communication,
which is suitable for small network.

üInfrastructure mode: An AP (access point a.k.a "wireless router") can
provide Internet connectivity to multiple clients. All the clients
communicate with the AP. In order for the clients to use the Internet
provided by a specific AP, they need to know SSID (Service Set
IDentifier), which can be up to 32 bits and can be easily sniffed.
Infrastructure mode is much more flexible in size than ad-hoc mode.

üMonitor mode: When a wireless card is in monitor mode, it can capture
and see traffic from all nearby wireless networks, not just the network
it is connected to.

OSA (Open System Authentication) mode: When a client (like a laptop or
smartphone) wants to connect to an access point (AP), it sends an
authentication request frame. The request includes the Service Set
Identifier (SSID), which is the name of the wireless network. The access
point checks the SSID in the request. If the SSID matches the network's
SSID, the AP sends back an authentication success frame. After
successful authentication, the client sends an association request frame
to the AP. The AP responds with an association response frame,
completing the connection process.

"Sharing key and Encrypt" mode: A client should share a key with an AP
ahead of time. Using some challenge and response protocol, authenticate
the client and encrypt the traffic once the authentication is
successful.

MIC (Message Integrity Code) attack on the four-way handshake works - To
perform the attack, you first need to capture the four-way handshake
messages exchanged between the client and the access point (AP). This is
typically done using tools that monitor wireless traffic. The MIC is a
value that ensures the integrity of messages. It's calculated using the
Pairwise Transient Key (PTK) and the client's nonce (SNonce). MIC =
hash(PTK \|\| SNonce), where \|\| denotes concatenation and hash
represents a cryptographic hash function. The attacker's goal is to
determine the correct PTK that produces the given MIC. Since the MIC is
a function of the PTK and SNonce, if you have the MIC, you can try
different PTKs to match the MIC. To find the correct PTK, you would
perform a brute-force attack on the PMK (Pairwise Master Key), which is
derived from the PSK (pre-shared key). This involves guessing the PMK by
trying different passphrases. The ANonce (AP's nonce), SNonce (client's
nonce), and MAC addresses (AP-MAC and S-MAC) are all known and captured
during the handshake. These values, along with the captured MIC, are
used to test different PMK values to find one that matches the MIC.

How to mitigate it: Use a complex passphrase. The primary defense is to
use a strong, complex passphrase for the PSK. A more complex passphrase
increases the difficulty of the brute-force attack, making it
impractical to guess the correct PMK in a reasonable time.

In a key reinstallation attack, the adversary tricks a victim into
reinstalling an already-in-use key. This can be achieved by manipulating
and replaying cryptographic handshake messages. The vulnerability stems
from the fact that associated parameters including IV (initialization
vector) are reset to their initial values when the victim reinstalls the
key.