Session 3: Application and Networking-Based Attacks (lecture slides)
Victoria University
Dr. Khandakar Ahmed
NIT2102 Cyber Security Essentials
Session 3: Application and Networking-Based Attacks
Acknowledgment: Cengage's Instructor Materials
Prepared By: Dr. Khandakar Ahmed
VICTORIA UNIVERSITY - RTO Code 3113, CRICOS Provider Code 00124K (Melbourne), 02475D (Sydney)

Copyright
COMMONWEALTH OF AUSTRALIA, Copyright Regulations 1969. Warning: This material has been reproduced and communicated to you by or on behalf of Melbourne Institute of Technology pursuant to Part VB of the Copyright Act 1968 (The Act). The material in this communication may be subject to copyright under the Act. Any further copying or communication of this material by you may be the subject of copyright protection under the Act. DO NOT REMOVE THIS NOTICE.
Compiled By: Dr. Khandakar Ahmed MAR/2021

Copyright Acknowledgement
Acknowledgement of Copyright: The following slides are subject to copyright and are provided with the permission of the Publisher. The Copyright Act 1968 (The Act) applies.

Objectives
- List and explain the different types of server-side web application attacks
- Define client-side attacks
- Explain how overflow attacks work
- List different types of networking-based attacks
**Instructor will spend 2 – 2.30 hours on these workshop slides, leaving 1.30 ~ 2.00 hours for the lab including submission

Application Attacks
- Attacks on the applications in a networked computer system can be directed toward the server, the client, or both
Server-Side Web Application Attacks
- Securing server-side web applications is often considered more difficult than protecting other systems
- Traditional network security devices can block traditional network attacks, but cannot always block web application attacks
- Many network security devices ignore the content of HTTP traffic
- Zero-day attack: an attack that exploits previously unknown vulnerabilities; victims have no time to prepare for or defend against the attack

Server-Side Web Application Attacks
- Many server-side web application attacks target the input that the applications accept from users
- Common web application attacks of this kind are:
  - Cross-site scripting
  - SQL injection
  - XML injection
  - Command injection/directory traversal [out of the scope of this session; students can study it on their own]

Cross-Site Scripting (XSS)
- Injecting scripts into a Web application server to direct attacks at unsuspecting clients

Cross-Site Scripting (XSS)
- When the victim visits the injected Web site, malicious instructions are sent to the victim's browser
- Some XSS attacks are designed to steal information retained by the browser when visiting specific sites
- An XSS attack requires that a website meets two criteria:
  - Accepts user input without validating it
  - Uses that input in a response

Cross-Site Scripting (XSS) [figure-only slide]

Type of Cross-Site Scripting (XSS) [figure-only slide]

SQL Injection
- Targets SQL servers by injecting malicious commands into them
- SQL (Structured Query Language): used to manipulate data stored in a relational database
- Forgotten password example:
  - Attacker enters an incorrectly formatted e-mail address
  - The response lets the attacker know whether input is being validated
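Added example (not from the slides) tying the XSS criteria and the forgotten-password example together: a hypothetical password-reset handler that both concatenates the entered address into its query and reflects it unencoded into the HTML response, beside the hardened version that parameterises the query and encodes the output. The in-memory SQLite table, function names and sample inputs are constructed for this illustration.

```python
import html
import sqlite3

def make_db():
    """Constructed sample: an in-memory users table standing in for the site's database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (email TEXT)")
    db.executemany("INSERT INTO users VALUES (?)",
                   [("alice@example.com",), ("bob@example.com",), ("carol@example.com",)])
    return db

def forgot_password_vulnerable(db, email):
    """Hypothetical handler with both flaws: query built by concatenation,
    input reflected unencoded.  Returns (matched addresses, HTML response)."""
    # The user's text becomes part of the SQL itself, so a quote ends the
    # literal and 'a'='a' turns the WHERE clause into a tautology.
    sql = "SELECT email FROM users WHERE email = '" + email + "'"
    rows = [r[0] for r in db.execute(sql)]
    # XSS criterion 2: unvalidated input used in the response.
    page = "<p>Reset link sent to: " + email + "</p>"
    return rows, page

def forgot_password_hardened(db, email):
    """Same handler with a parameterised query and output encoding."""
    # The value travels separately from the SQL text; quotes in it are data.
    rows = [r[0] for r in db.execute(
        "SELECT email FROM users WHERE email = ?", (email,))]
    # Encoded text renders as text; the browser never sees a <script> tag.
    page = "<p>Reset link sent to: " + html.escape(email, quote=True) + "</p>"
    return rows, page

if __name__ == "__main__":
    db = make_db()
    # The slides' tautology, and a constructed XSS probe (no single quotes,
    # so it is a valid SQL literal and exercises only the reflection flaw).
    tautology = "whatever' or 'a'='a"
    probe = "<script>alert(1)</script>"
    print(forgot_password_vulnerable(db, tautology)[0])  # all three addresses leak
    print(forgot_password_hardened(db, tautology)[0])    # []
    print(forgot_password_vulnerable(db, probe)[1])      # raw <script> reaches the browser
    print(forgot_password_hardened(db, probe)[1])        # &lt;script&gt;... rendered as text
```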
SQL Injection
- Forgotten password example (cont'd):
  - Attacker enters the email field as part of an SQL statement
  - The statement is processed by the database
  - Example statement: SELECT fieldlist FROM table WHERE field = 'whatever' or 'a'='a'
  - Result: all user email addresses will be displayed

SQL Injection [figure-only slide]

XML Injection
- Markup language: a method for adding annotations to text
- HTML: uses tags surrounded by brackets; instructs the browser to display text in a specific format
- XML: carries data instead of indicating how to display it; there is no predefined set of tags, users define their own

XML Injection
- XML injection attack: similar to an SQL injection attack; the attacker discovers a Web site that does not filter user data and injects XML tags and data into the database
- XPath injection: a specific type of XML injection attack that attempts to exploit XML Path Language queries that are built from user input

In Class Group Activity 1
- [10 minutes] Group Activity: the instructor will divide students into 3-4 groups and send them to breakout rooms. Each group will try to find an example of one of the following attacks: XSS, SQL Injection, XML Injection
- [5 minutes] One student presents the group's key discussion points to the class
- [1 minute/Group] Instructor feedback

Client-Side Application Attacks
- Web application attacks are server-side attacks
- Client-side attacks target vulnerabilities in client applications that interact with a compromised server or process malicious data
- The client initiates the connection with the server, which could result in an attack
Client-Side Attacks
- Drive-by download: the client computer is compromised simply by viewing a Web page
  - Attackers inject content into a vulnerable Web server and gain access to the server's operating system
  - Attackers craft a zero-pixel iframe (short for inline frame) to avoid visual detection; it embeds an HTML document inside the main document
  - The client's browser downloads the malicious script, which instructs the computer to download malware

Client-Side Attacks
- Header manipulation
  - The HTTP header contains fields that characterize the data being transmitted
  - Headers can originate from a Web browser; browsers do not normally allow them to be modified, but an attacker's short program can allow modification
  - Examples of HTTP header manipulation: Referer, Accept-language, response splitting

Client-Side Attacks
- The Referer field indicates the site that generated the Web page; an attacker can modify this field to hide the fact that the request came from another site
- The Accept-language field contents may be passed directly to an SQL database; an attacker could inject an SQL command by modifying this header
- Response splitting is one of the most common HTTP header manipulation attacks

Client-Side Attacks
- Cookies store user-specific information on the user's local computer
- Types of cookies:
  - First-party cookie: a cookie created by the Web site the user is currently viewing
  - Third-party cookie: site advertisers place a cookie to record user preferences
  - Session cookie: stored in RAM and expires when the browser is closed

Client-Side Attacks
- Types of cookies (cont'd):
  - Persistent cookie: recorded on the computer's hard drive and does not expire when the browser closes; also called a tracking cookie
  - Locally shared object (LSO): can store up to 100 KB of data from a website; more complex than the simple text found in a regular cookie; also called a Flash cookie
Client-Side Attacks
- Cookies pose security and privacy risks
  - First-party cookies may be stolen and used to impersonate the user
  - Cookies used to tailor advertising can be exploited by attackers
- Attachments: files that are coupled with email messages
  - Malicious attachments are commonly used to spread viruses, Trojans, and other malware

Client-Side Attacks
- Session hijacking
  - The attacker attempts to impersonate the user by stealing or guessing the session token
  - A session token is a random string assigned to an interaction between the user and the web application
- An attacker can attempt to obtain the session token:
  - By using XSS or other attacks to steal the session token cookie from the victim's computer
  - By eavesdropping on the transmission
  - By guessing the session token

Client-Side Attacks [figure-only slide]

Client-Side Attacks
- Malicious add-ons
  - Plug-in: a third-party library that attaches to a web browser and can be embedded inside a webpage
  - Add-ons or extensions: add functionality to the web browser
  - Add-ons can create additional web browser toolbars, change browser menus, be aware of other tabs open in the same browser, and process the content of every webpage that is loaded

Client-Side Attacks
- Security risks exist when using add-ons
  - Attackers can create malicious add-ons to launch attacks against the user's computer
  - Malicious add-ons can be written using Microsoft's ActiveX
  - ActiveX is a set of rules for how applications under the Microsoft Windows OS should share information
  - Attackers can take advantage of vulnerabilities in ActiveX to perform malicious attacks on a computer
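Added example (not from the slides) for the session hijacking slides in this section: issuing a session token with enough randomness that guessing is infeasible, comparing it in constant time, expiring idle tokens, and setting the cookie attributes that block the theft routes listed (script access via XSS, clear-text eavesdropping). The in-memory session store and function names are assumptions for this illustration.

```python
import hmac
import secrets
import time

TOKEN_BYTES = 32        # 256 bits of randomness: guessing is infeasible
SESSION_TTL = 30 * 60   # seconds of inactivity after which a token is dead

# Assumed in-memory session store standing in for the application's backend.
_sessions = {}

def create_session(user, now=None):
    """Issue a fresh, unguessable token bound to this user."""
    token = secrets.token_urlsafe(TOKEN_BYTES)
    _sessions[token] = {"user": user, "last_seen": time.time() if now is None else now}
    return token

def set_cookie_header(token):
    """Cookie attributes that close the theft routes on the slides."""
    # HttpOnly: script injected via XSS cannot read it from document.cookie.
    # Secure: sent only over HTTPS, so it cannot be eavesdropped in clear text.
    # SameSite=Strict: not attached to requests initiated by other sites.
    return "Set-Cookie: session=%s; HttpOnly; Secure; SameSite=Strict; Path=/" % token

def lookup_session(token, now=None):
    """Return the user owning a valid token, else None; idle tokens expire."""
    now = time.time() if now is None else now
    if not isinstance(token, str) or not token.isascii():
        return None                 # compare_digest needs ASCII str; reject anything else
    # Constant-time comparison so timing does not reveal how many leading
    # characters of a guessed token were right.
    match = next((s for s in _sessions if hmac.compare_digest(s, token)), None)
    if match is None:
        return None
    info = _sessions[match]
    if now - info["last_seen"] > SESSION_TTL:
        del _sessions[match]        # stale token: treat exactly like an unknown one
        return None
    info["last_seen"] = now
    return info["user"]

def logout(token):
    """Invalidate server-side so a stolen copy is useless afterwards."""
    _sessions.pop(token, None)
```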
Networking-Based Attacks
- Attackers place a high priority on targeting networks: exploiting a single vulnerability may expose hundreds or thousands of devices to an attacker
- Types of networking-based attacks:
  - Denial of service
  - Interception
  - Poisoning
  - Attacks on access rights

Denial of Service (DoS)
- Denial of service (DoS): a deliberate attempt to prevent authorized users from accessing a system by overwhelming it with requests
- Most DoS attacks today are distributed denial of service (DDoS): using hundreds or thousands of zombie computers in a botnet to flood a device with requests

Denial of Service (DoS)
- Ping flood attack
  - The ping utility is used to send a large number of ICMP echo request messages
  - In a ping flood attack, multiple computers rapidly send a large number of ICMP echo requests to a server
  - The server will drop legitimate connections and refuse new connections

Denial of Service (DoS)
- Smurf attack: tricks devices into responding to false requests directed at an unsuspecting victim
  - An attacker broadcasts a ping request to all computers on the network but changes the address from which the request appears to come (called spoofing)
  - It appears as if the victim's computer is asking for a response from all computers on the network
  - All computers send a response to the victim's computer, so that it is overwhelmed and crashes or becomes unavailable to legitimate users

Denial of Service (DoS)
- SYN flood attack: takes advantage of the procedures for initiating a session
  - In a SYN flood attack against a web server, the attacker sends SYN segments in IP packets to the server
  - The attacker modifies the source address of each packet to computer addresses that do not exist or cannot be reached

Denial of Service (DoS) [figure-only slide]
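Added example (not from the slides): a defender-side check for the SYN flood slide above, counting half-open (SYN_RECV) connections per listening socket from a netstat-style connection table. Spoofed, unreachable source addresses never complete the handshake, so they accumulate in exactly this state. The sample table, the threshold and the function names are constructed for this illustration.

```python
from collections import defaultdict

# Constructed sample of a server's TCP connection table in netstat/ss style:
# proto recv-q send-q local-address remote-address state.  Port 80 has five
# half-open entries from five different (probably spoofed) peers.
SAMPLE_TABLE = """\
tcp 0 0 10.0.0.5:80 192.0.2.10:51034 ESTABLISHED
tcp 0 0 10.0.0.5:80 203.0.113.7:40211 SYN_RECV
tcp 0 0 10.0.0.5:80 203.0.113.8:40212 SYN_RECV
tcp 0 0 10.0.0.5:80 203.0.113.9:40213 SYN_RECV
tcp 0 0 10.0.0.5:80 203.0.113.10:40214 SYN_RECV
tcp 0 0 10.0.0.5:80 203.0.113.11:40215 SYN_RECV
tcp 0 0 10.0.0.5:22 192.0.2.11:51100 ESTABLISHED
tcp 0 0 10.0.0.5:22 192.0.2.12:51101 SYN_RECV
"""

def parse_connections(text):
    """Return (local socket, peer IP, state) for each TCP line; skip the rest."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] != "tcp":
            continue
        local, remote, state = parts[3], parts[4], parts[5]
        conns.append((local, remote.rsplit(":", 1)[0], state))
    return conns

def half_open_by_socket(conns):
    """Per local socket: (number of SYN_RECV entries, number of distinct peers).
    SYN_RECV is the state a server holds after replying SYN-ACK while it waits
    for an ACK that never arrives when the source address was spoofed."""
    count = defaultdict(int)
    peers = defaultdict(set)
    for local, peer, state in conns:
        if state == "SYN_RECV":
            count[local] += 1
            peers[local].add(peer)
    return {local: (count[local], len(peers[local])) for local in count}

def syn_flood_suspects(conns, max_half_open=4):
    """Sockets whose half-open backlog exceeds the (constructed) threshold."""
    stats = half_open_by_socket(conns)
    return sorted(local for local, (n, _) in stats.items() if n > max_half_open)

if __name__ == "__main__":
    conns = parse_connections(SAMPLE_TABLE)
    for local, (n, distinct) in half_open_by_socket(conns).items():
        print(f"{local}: {n} half-open from {distinct} peers")
    print("suspect:", syn_flood_suspects(conns))   # ['10.0.0.5:80']
```

A real threshold must be tuned to the service's normal backlog; on Linux the usual mitigation is SYN cookies (`net.ipv4.tcp_syncookies=1`), which let the server answer SYNs without keeping half-open state.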
Interception
- Some attacks are designed to intercept network communications
- Man-in-the-Middle attacks: interception of legitimate communication and forging a fictitious response to the sender
  - Two computers are sending and receiving data with a computer between them
  - In a passive attack, data is captured and recorded before being sent on to the original recipient
  - In an active attack, the contents of the transmission are altered before they are sent to the recipient

Interception [figure-only slide]

Interception
- Replay attacks: the attacker makes a copy of a transmission before sending it to the original recipient and uses the copy at a later time
  - Example: capturing logon credentials
- More sophisticated replay attacks: the attacker captures a network device's message to the server and then later sends the original, valid message to the server, establishing a trust relationship between the attacker and the server

Poisoning
- Poisoning: the act of introducing a substance that harms or destroys
- Two types of attacks inject "poison" into a normal network process to facilitate an attack:
  - ARP poisoning
  - DNS poisoning

Poisoning
- ARP poisoning: the attacker modifies the MAC address in the ARP cache to point to a different computer

Poisoning [figure-only slide]

Poisoning
- DNS poisoning: the Domain Name System is the current basis for name resolution to IP addresses; DNS poisoning substitutes DNS addresses to redirect a computer to another device
- Two locations for DNS poisoning:
  - Local host table
  - External DNS server

Poisoning [figure-only slide]

In Class Group Activity 2
- [10 minutes] Group Activity: the same groups will now discuss one of the following topics: Denial of service, Interception, Poisoning, and Attacks on access rights.
- [5 minutes] One student will present the group's key discussion points
- [1 minute/Group] Instructor feedback
**Instructor may alter the group activity and design a different one that is suitable to the topics covered in this session

Summary
- Web application flaws are exploited through normal communication channels, making web applications more difficult to protect
- An XSS attack uses Web sites that accept user input without validating it, and uses the server to launch attacks on computers that access it
- Client-side attacks target vulnerabilities in client applications; the client interacts with a compromised server

Summary
- Session hijacking is an attack in which an attacker steals a session token and impersonates the user
- A buffer overflow attack attempts to compromise a computer by pushing data into inappropriate memory locations
- A Denial of Service attack attempts to overwhelm a system so that it cannot perform normal functions
- In ARP and DNS poisoning, valid addresses are replaced with fraudulent addresses
- Access rights and privileges may also be exploited

Lab Overview: Server Side Web Application Attack
- Cross Site Scripting
  - Practice XSS using DVWA in Metasploitable
  - Practice XSS in a dedicated vulnerable testphp website
- SQL Injection Attack
  - Practice an SQL Injection Attack using DVWA in Metasploitable
  - SQLMAP + Launch: **Instructor will spend 5 ~ 10 minutes giving an overview of the lab attack using SQLMAP

Exercise 3.1 - XSS at Kali Linux
This lab will demonstrate how to find a vulnerable website using a particular search pattern. However, ethically it is not recommended to practice launching an attack on a real website. Therefore, first we will be using Damn Vulnerable Web Application (DVWA) in Metasploitable and access it from Kali Linux to practice and understand different types of XSS attacks.
Second, we will practice further in a dedicated vulnerable live testphp website. Please open "Lab 3 Working Procedure Step by Step Instructions.pdf" provided under the laboratories module. The instructions will guide you in completing the lab.

Exercise 3.2 – SQL Injection Attack
In this exercise, first we will see how we can manipulate an SQL query and launch SQL injection using DVWA in Metasploitable. In the second part of this lab, we will use SQLMap to launch the SQL injection attack. Follow the video demonstration to complete this exercise. Please open "Lab 3 Working Procedure Step by Step Instructions.pdf" provided under the laboratories module. The instructions will guide you in completing the lab. You can also watch the video demonstration available in the pre-class activities of Session 3. The step-by-step instructions will also point you to the relevant video to watch and complete the lab.

Working Procedures
**Submit your work through the 'Assessment 1 Practical Lab Work' before you leave the class.
**The report should include screenshots and working procedures as evidence of the completion of your lab task, and is expected to be completed within lab hours.
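Added example (not from the slides), returning to the ARP poisoning slide in the Poisoning section: a checker over a log of ARP replies that flags an IP announced by more than one MAC, a MAC claiming several IPs, and any announcement that contradicts an administrator-verified static entry for the gateway. The log format, addresses, static entry and function names are constructed for this illustration.

```python
from collections import defaultdict

# Constructed sample of ARP replies as a sniffer might log them:
# "<time> <sender IP> is-at <sender MAC>".  The gateway 192.168.1.1 is first
# announced by ...:01 and then re-announced by ...:99, which also claims
# 192.168.1.21: the cache rewrite the ARP poisoning slide describes.
SAMPLE_ARP = """\
10:00:01 192.168.1.1 is-at aa:bb:cc:00:00:01
10:00:02 192.168.1.20 is-at aa:bb:cc:00:00:20
10:00:03 192.168.1.1 is-at AA:BB:CC:00:00:99
10:00:04 192.168.1.21 is-at aa:bb:cc:00:00:99
10:00:05 192.168.1.1 is-at aa:bb:cc:00:00:99
"""

def parse_arp_log(text):
    """Return (time, ip, mac) tuples; MACs are normalised to lower case."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[2] == "is-at":
            events.append((parts[0], parts[1], parts[3].lower()))
    return events

def ip_to_macs(events):
    """Every MAC seen announcing each IP, in first-seen order."""
    seen = defaultdict(list)
    for _, ip, mac in events:
        if mac not in seen[ip]:
            seen[ip].append(mac)
    return dict(seen)

def arp_poisoning_alerts(events, static=None):
    """Flag IPs announced by several MACs, MACs claiming several IPs, and any
    announcement that contradicts an administrator-verified static entry."""
    static = static or {}
    alerts = []
    for ip, macs in ip_to_macs(events).items():
        if len(macs) > 1:
            alerts.append(f"{ip} announced by {len(macs)} MACs: {', '.join(macs)}")
        if ip in static and any(m != static[ip] for m in macs):
            alerts.append(f"{ip} announced by a MAC other than static entry {static[ip]}")
    mac_ips = defaultdict(set)
    for _, ip, mac in events:
        mac_ips[mac].add(ip)
    for mac, ips in sorted(mac_ips.items()):
        if len(ips) > 1:
            alerts.append(f"{mac} claims {len(ips)} IPs: {', '.join(sorted(ips))}")
    return alerts

if __name__ == "__main__":
    for a in arp_poisoning_alerts(parse_arp_log(SAMPLE_ARP),
                                  static={"192.168.1.1": "aa:bb:cc:00:00:01"}):
        print("ALERT:", a)
```

This only detects the cache change after the fact; static ARP entries for the gateway, or Dynamic ARP Inspection on managed switches, are the usual preventive controls.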