Application Attacks
- Buffer overflow
- Injection
- Cross-site scripting (XSS)
- Cross-site request forgery (CSRF or XSRF)
- Privilege escalation
Search “OWASP top ten” for risks related to applications.
Buffer Overflow Attacks
Occurs when more data is written to a buffer than it can hold: the program, while writing data to the buffer, overruns the buffer's boundary and overwrites adjacent memory locations. Because the adjacent memory can hold other variables, pointers or a function's return address, a crafted overflow can redirect the program's execution rather than just crash it.
Injections
Occur when untrusted data is sent to an interpreter as part of a command or query, so the interpreter parses attacker-supplied data as part of the command itself. The most common SQL injection techniques fall into the following categories:
- Escape characters (such as the single quote) not filtered correctly
- Type handling not properly done (a numeric field that accepts arbitrary text)
- Conditional errors (blind injection: the response differs depending on whether an injected condition is true)
- Time delays (blind injection: an injected delay reveals whether a condition is true)
The primary defense is to keep data and code separate with parameterized queries (prepared statements); validating and filtering input is an additional layer, not a substitute.
Examples: SQL injection, OS command injection, LDAP injection, XML/XPath injection
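The following Python script is an added example (not part of the original notes) showing the first two categories above against a constructed in-memory SQLite table: a login query that splices input into the SQL text is bypassed both by a tautology and by commenting out the password check, while the same query written with placeholders treats the payloads as plain data. The user table, passwords and payloads are constructed for the demonstration.

```python
import sqlite3


def build_db():
    # Constructed in-memory user table for the demonstration (not real data).
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "s3cret"), ("bob", "hunter2")])
    return con


def login_vulnerable(con, username, password):
    # Untrusted input is spliced into the SQL text, so a quote in the input
    # ends the string literal and whatever follows is parsed as SQL.
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return sorted(row[0] for row in con.execute(sql))


def login_parameterized(con, username, password):
    # Placeholders fix the query structure; the driver passes the values
    # separately, so they are always data and can never become SQL.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return sorted(row[0] for row in con.execute(sql, (username, password)))


# Constructed payloads.
TAUTOLOGY = "' OR '1'='1"    # as the password: ... AND password = '' OR '1'='1'
COMMENT_OUT = "alice' --"     # as the username: closes the literal, comments out the rest

if __name__ == "__main__":
    con = build_db()
    print(login_vulnerable(con, "alice", TAUTOLOGY))       # ['alice', 'bob']
    print(login_vulnerable(con, COMMENT_OUT, "wrong"))     # ['alice']
    print(login_parameterized(con, "alice", TAUTOLOGY))    # []
    print(login_parameterized(con, COMMENT_OUT, "wrong"))  # []
    print(login_parameterized(con, "alice", "s3cret"))     # ['alice']
```

The tautology works because AND binds tighter than OR, so the injected `OR '1'='1'` makes the WHERE clause true for every row; the `--` payload turns the rest of the statement into a comment. Neither input changes the parameterized query's structure.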
Cross-site scripting (XSS) & Cross-site request forgery (CSRF/XSRF)
Cross-site scripting (XSS): occurs whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript. The victim's browser then runs the attacker's script with the privileges of the vulnerable site (session cookies, page content).
Example: "Ron<SCRIPT>alert('hello')</SCRIPT>Woemer" entered into a name field and rendered back into the page unescaped
Cross-site request forgery (CSRF/XSRF): an attack that forces an authenticated end user to execute unwanted actions on a web application; the browser automatically attaches the user's session cookie to a request that the attacker's page triggers. Also known as session riding or a one-click attack.
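As an added Python example for both attacks above (not code from the original notes): the first pair of functions renders the note's XSS payload with and without output escaping, and the second part implements the synchronizer-token defense against CSRF, where a state-changing handler rejects any request whose token does not match the session it arrives with. `SERVER_SECRET`, the session id and the handler are constructed stand-ins for a real web framework.

```python
import hashlib
import hmac
import html
import secrets


def render_greeting_vulnerable(name):
    # Untrusted input is concatenated straight into the HTML response.
    return f"<p>Hello, {name}!</p>"


def render_greeting_safe(name):
    # html.escape turns &, <, >, " and ' into entities, so the browser
    # displays the payload as text instead of executing it.
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


# CSRF defense: a synchronizer token bound to the session. SERVER_SECRET is a
# constructed stand-in for a secret that would live only on the server.
SERVER_SECRET = b"constructed-server-secret"


def csrf_token(session_id):
    # Token = HMAC(secret, session id). An attacker's page can make the
    # victim's browser send a request carrying the session cookie, but it
    # cannot read or compute this value to put it in the form.
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def handle_transfer(session_id, form_token):
    # State-changing handler: the submitted token must match the token for
    # the session the request arrives with. compare_digest avoids leaking
    # the comparison result through timing.
    expected = csrf_token(session_id)
    if not form_token or not hmac.compare_digest(expected, form_token):
        return "rejected: missing or invalid CSRF token"
    return "transfer executed"


if __name__ == "__main__":
    payload = "Ron<SCRIPT>alert('hello')</SCRIPT>Woemer"   # the note's example payload
    print(render_greeting_vulnerable(payload))   # script tag reaches the browser intact
    print(render_greeting_safe(payload))         # &lt;SCRIPT&gt;... shown as text
    sid = secrets.token_hex(16)                  # victim's session id
    print(handle_transfer(sid, None))                 # forged cross-site request: no token
    print(handle_transfer(sid, csrf_token(sid)))      # legitimate form submission
```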
Privilege Escalation
The act of exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user.
Application Attacks – Prevention and Response
- Good coding practices – See OWASP
- Filter and validate any user input
- Use a Web Application Firewall (WAF)
- Build security into the Software Development Life Cycle (SDLC)
- Have an incident response plan in place
Zero-Day Attack
An attack that exploits a previously unknown security vulnerability, for which no patch yet exists.
The name refers to the vendor having had zero days to fix the flaw: the vulnerability is exploited on or before the day it becomes generally known.
Example: Stuxnet
Prevention (there is no patch to apply yet, so rely on layered controls):
- Defense in depth
- Patch as soon as a fix is released
- Updated AV
Impersonation / Masquerading / Replay Attacks
Impersonation (masquerading): the act of pretending to be someone or something to gain unauthorized access to a system.
Replay: capturing network traffic via eavesdropping, then re-establishing a communications session by replaying the captured traffic. The captured authentication exchange is reused as-is, so the attacker never needs to know the password behind it.
Prevention: token authentication (Kerberos, whose tickets carry timestamps), MFA/TFA, encryption, sequenced session identification (sequence numbers or nonces, so that a message presented a second time is rejected)
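An added Python example (not from the original notes) of the replay attack and the "sequenced session identification" defense listed above. A client authenticates each message with an HMAC over a shared key; an eavesdropper captures one legitimate message and resends it. A server that only checks the MAC executes the transfer every time, while a server that also requires a strictly increasing sequence number (covered by the MAC) executes it once and rejects the replays. The shared key, message format and servers are constructed for the demonstration.

```python
import hashlib
import hmac
import json

# Constructed pre-shared key between client and server (assumption).
SHARED_KEY = b"constructed-shared-key"


def sign(body):
    # Canonical JSON so client and server hash exactly the same bytes.
    canonical = json.dumps(body, sort_keys=True).encode()
    return hmac.new(SHARED_KEY, canonical, hashlib.sha256).hexdigest()


def make_message(seq, action):
    # Client side: the sequence number sits inside the authenticated body, so
    # an eavesdropper cannot bump it without invalidating the tag.
    body = {"seq": seq, "action": action}
    return {"body": body, "tag": sign(body)}


def tag_is_valid(msg):
    return hmac.compare_digest(sign(msg["body"]), msg["tag"])


class NaiveServer:
    """Verifies the MAC only: a captured message stays valid forever."""

    def __init__(self):
        self.executed = []

    def accept(self, msg):
        if not tag_is_valid(msg):
            return False
        self.executed.append(msg["body"]["action"])
        return True


class SequencedServer:
    """Verifies the MAC and requires a strictly increasing sequence number."""

    def __init__(self):
        self.executed = []
        self.last_seq = 0

    def accept(self, msg):
        if not tag_is_valid(msg):
            return False
        seq = msg["body"]["seq"]
        if seq <= self.last_seq:      # already seen (or older): replay
            return False
        self.last_seq = seq
        self.executed.append(msg["body"]["action"])
        return True


def run_replay(server_cls):
    """Eavesdrop on one legitimate message, deliver it, then replay it twice.
    Returns (accept results, actions the server actually executed)."""
    server = server_cls()
    captured = make_message(1, "transfer 100 to attacker")   # sniffed on the wire
    results = [server.accept(captured) for _ in range(3)]
    return results, server.executed


if __name__ == "__main__":
    print(run_replay(NaiveServer))       # ([True, True, True], three transfers)
    print(run_replay(SequencedServer))   # ([True, False, False], one transfer)
```

Nonces checked against a store of recently seen values work the same way as the counter but allow out-of-order delivery; either way the freshness value must be inside the authenticated part of the message, as here, or the attacker simply edits it.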
Driver Manipulation
- Driver: a program that controls a device (printers, media, keyboards, etc.); it runs with high privilege, which is what makes it a worthwhile target
- Shimming: creating a library, or modifying an existing one, that sits between an application and a driver or API, intercepting the calls and performing a function other than the one for which the API was created
- Refactoring: a set of techniques used to identify the flow of code and then modify its internal structure without changing its visible behavior; an attacker refactors a driver to add malicious functionality while it still appears to work normally
Cryptographic attacks
- Birthday: an attack on a cryptographic hash that looks for hash collisions, two different inputs with the same hash. It exploits the many-to-one nature of hashing (unlimited inputs map onto a fixed-size output) together with the birthday paradox: for an n-bit hash a collision is expected after roughly 2^(n/2) hashes, not 2^n.
- Known plaintext/ciphertext: the attacker attempts to derive the cryptographic key by using pairs of known plaintext along with the corresponding ciphertext.
- Frequency analysis: counting how often each symbol or block appears in an encrypted message to find common patterns; letters in natural-language text have a known frequency distribution (in English, e is the most common), which breaks simple substitution ciphers.
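The three attacks above, as an added Python example that is not part of the original notes. `birthday_collision` searches for two inputs that collide on a truncated SHA-256 (24 bits, so the search completes in thousands of hashes rather than millions, illustrating the 2^(n/2) bound); `recover_xor_key` performs a known-plaintext attack on a repeating-key XOR cipher, where one plaintext/ciphertext pair gives the key directly; `recover_caesar_shift` recovers a Caesar shift by assuming the most frequent ciphertext letter is e. The XOR cipher, Caesar cipher, key and sample text are constructed for the demonstration.

```python
import hashlib
from collections import Counter
from itertools import cycle


def truncated_digest(msg, bits):
    # First `bits` bits of SHA-256, as bytes (bits must be a multiple of 8).
    return hashlib.sha256(msg).digest()[:bits // 8]


def birthday_collision(bits=24):
    """Birthday attack on a `bits`-bit truncated hash.
    Returns (input_a, input_b, number_of_hashes_computed)."""
    seen = {}
    i = 0
    while True:
        msg = f"msg-{i}".encode()
        prefix = truncated_digest(msg, bits)
        if prefix in seen:          # some earlier input had the same prefix
            return seen[prefix], msg, i + 1
        seen[prefix] = msg
        i += 1


def xor_bytes(data, key):
    # Constructed repeating-key XOR cipher (encrypt and decrypt are the same).
    return bytes(d ^ k for d, k in zip(data, cycle(key)))


def recover_xor_key(plaintext, ciphertext, key_len):
    # Known-plaintext attack: C = P xor K, so K = P xor C on the first
    # key_len bytes of any known pair.
    return bytes(p ^ c for p, c in zip(plaintext[:key_len], ciphertext[:key_len]))


def caesar(text, shift):
    # Constructed Caesar cipher over lowercase letters; other characters pass through.
    out = []
    for ch in text:
        if ch.isalpha():
            out.append(chr((ord(ch.lower()) - ord("a") + shift) % 26 + ord("a")))
        else:
            out.append(ch)
    return "".join(out)


def recover_caesar_shift(ciphertext):
    # Frequency analysis: the most frequent ciphertext letter most likely
    # encrypts plaintext 'e', which fixes the shift.
    counts = Counter(ch for ch in ciphertext if ch.isalpha())
    top = counts.most_common(1)[0][0]
    return (ord(top) - ord("e")) % 26


# Constructed English sample with a clear dominance of 'e'.
SAMPLE_TEXT = ("we need three more eggs before the feast begins, the queen decreed, "
               "and everyone agreed to see the sweet delivery")

if __name__ == "__main__":
    a, b, n = birthday_collision(24)
    print(f"collision on 24 bits after {n} hashes: {a!r} vs {b!r}")   # n is around 2**12, far below 2**24

    key = b"k3y!"
    pt = b"attack at dawn, the password is swordfish"
    ct = xor_bytes(pt, key)
    print(recover_xor_key(pt, ct, len(key)))                       # b'k3y!'

    print(recover_caesar_shift(caesar(SAMPLE_TEXT, 7)))            # 7
```

The birthday search stores every prefix it has seen, so memory grows with the number of trials; that is the usual trade for the 2^(n/2) work factor. With the real 256-bit output the same loop would never finish, which is the point of choosing hashes that wide.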
Password Attacks
- Dictionary: systematically trying each word in a dictionary (wordlist) as the password
- Brute force: systematically attempting all possible combinations of letters, numbers, and symbols. Usually automated.
- Rainbow tables: a precomputed table of password hashes (stored compactly as hash chains, a time/memory trade-off) is compared against the password database, so cracking becomes a lookup instead of a computation. Per-user salts defeat this, because each salt would need its own table.
- Pass the hash: an attacker who has obtained a stored password hash (from a compromised host or captured on the network) authenticates to a remote server or service by presenting the hash itself, without ever cracking it to recover the plaintext password.
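An added Python example (not from the original notes) for the dictionary and rainbow-table entries above, run against a constructed "leaked" password database. The precomputed hash-to-password map stands in for a rainbow table (a real table stores hash chains to save space, but it is built once and reused the same way). Against unsalted SHA-256 the table cracks a known password by lookup; against salted hashes the table finds nothing, and the attacker is pushed back to a per-user dictionary attack that has to recompute every candidate for every salt. Wordlist, users and passwords are constructed.

```python
import hashlib
import secrets

# Constructed wordlist and passwords for the demonstration.
WORDLIST = ["123456", "password", "letmein", "hunter2", "qwerty", "s3cret"]


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def dictionary_attack(target_hash, wordlist, salt=b""):
    # Hash each candidate (with the salt, if any) and compare. The cost is
    # one hash per candidate, and the whole run repeats for every distinct salt.
    for word in wordlist:
        if sha256_hex(salt + word.encode()) == target_hash:
            return word
    return None


def build_lookup_table(wordlist):
    # Precomputed hash -> password map, the simplified form of a rainbow
    # table: compute once, then crack any unsalted database by lookup.
    return {sha256_hex(w.encode()): w for w in wordlist}


def crack_with_table(table, password_db):
    # password_db maps username -> stored unsalted hash.
    return {user: table.get(h) for user, h in password_db.items()}


def store_salted(password):
    # Per-user random salt stored beside the hash (salt is not secret).
    salt = secrets.token_bytes(16)
    return salt, sha256_hex(salt + password.encode())


def crack_salted_with_table(table, salted_db):
    # salted_db maps username -> (salt, hash). The table was built without
    # salts, so no entry matches: the precomputation is wasted.
    return {user: table.get(h) for user, (salt, h) in salted_db.items()}


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)

    unsalted_db = {"alice": sha256_hex(b"hunter2"),
                   "bob": sha256_hex(b"correcthorsebattery")}
    print(crack_with_table(table, unsalted_db))       # {'alice': 'hunter2', 'bob': None}

    salted_db = {"alice": store_salted("hunter2")}
    print(crack_salted_with_table(table, salted_db))  # {'alice': None}

    salt, h = salted_db["alice"]
    print(dictionary_attack(h, WORDLIST, salt))       # 'hunter2': still crackable, one salt at a time
```

Salting removes the precomputation advantage but not the dictionary attack itself; a deliberately slow password hash (bcrypt, scrypt, Argon2, PBKDF2) is what raises the per-candidate cost of that remaining attack.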