SY0-501 Section 3.5- Explain types of application attacks.

Applications such as Content Management Systems (CMS), wikis, portals, bulletin boards, and discussion forums are used by small and large organizations alike. Every week hundreds of vulnerabilities are reported in these web applications, and they are actively exploited. The number of attempted attacks every day against some of the large web hosting farms ranges from hundreds of thousands to millions. All web frameworks (PHP, .NET, J2EE, Ruby on Rails, ColdFusion, Perl, etc.) and all types of web applications are at risk from web application security defects, ranging from insufficient validation through to application logic errors.

The most exploited vulnerabilities are:

PHP Remote File Include:

PHP is the most common web application language and framework in use today. By default, PHP allows file functions to access resources on the Internet using a feature called “allow_url_fopen”. When PHP scripts allow user input to influence file names, remote file inclusion can be the result. This attack allows (but is not limited to):

– Remote code execution

– Remote root kit installation

– On Windows, internal system compromise may be possible through the use of PHP’s SMB file wrappers

SQL Injection: Injections, particularly SQL injections, are common in web applications. Injections are possible due to intermingling of user supplied data within dynamic queries or within poorly constructed stored procedures. SQL injections allow attackers:

– To create, read, update, or delete any arbitrary data available to the application

– In the worst case scenario, to completely compromise the database system and systems around it

Cross-site scripting

Can occur when a Web application sends user data to a Web browser without first encoding or validating it. Flaws in XSS allow attackers to pass in a script as user data that is then executed in the user’s browser. Possible consequences include user session hijack, phishing, the introduction of worms and website defacement.
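The encoding step the passage says is missing, as an added example (not from the original notes): a comment renderer that copies user data into the page verbatim beside one that entity-encodes it, plus a link renderer for the attribute context where encoding alone is not enough.

```python
import html

def render_comment_vulnerable(comment):
    # Defect: user data goes into the page verbatim, so any markup or script in
    # it is interpreted by the viewer's browser.
    return '<div class="comment">%s</div>' % comment

def render_comment_encoded(comment):
    # Fix for the HTML body context: entity-encode <, > and & before output.
    return '<div class="comment">%s</div>' % html.escape(comment, quote=False)

def render_link_encoded(label, user_url):
    # Attribute context needs more: quote the attribute, encode quotes inside it
    # (quote=True), and restrict the scheme so a javascript: URL cannot be injected.
    if not user_url.lower().startswith(("http://", "https://")):
        user_url = "#"
    return '<a href="%s">%s</a>' % (html.escape(user_url, quote=True), html.escape(label))

def script_survives(rendered):
    """Crude check used here to compare the two renderings: does a raw <script tag remain?"""
    return "<script" in rendered.lower()
```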

Cross-site request forgeries (CSRF):

CSRF forces legitimate users to execute commands without their consent. This type of attack is extremely hard to prevent unless the application is free of cross-site scripting vectors, including DOM injections. With the rise of Ajax techniques, and better knowledge of how to properly exploit XSS attacks, CSRF attacks are becoming extremely sophisticated, both as an active individual attack and as automated worms, such as the Samy MySpace Worm.

Directory Traversal:

Directory traversal (file access via “..” or many encoded variants) allows attackers access to controlled resources, such as password files, configuration files, database credentials or other files of the attacker’s choosing.
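Both the remote file include and the directory traversal sections above come down to user input influencing a file name. As an added example (not from the original notes), this resolver refuses URL schemes and wrappers, percent-decodes to expose encoded ".." variants, and confirms the resolved real path stays inside the document base; the base directory /srv/webapp/pages is an assumed, constructed value.

```python
import os
from urllib.parse import unquote, urlsplit

class UnsafePathError(ValueError):
    pass

def resolve_include(base_dir, user_path, allowed_suffixes=(".html", ".txt")):
    """Map a user-supplied page name to a file strictly inside base_dir."""
    # 1. Anything with a URL scheme (http://, php:// and similar wrappers) is a
    #    remote or wrapper resource: refuse it outright instead of including it.
    if urlsplit(user_path).scheme:
        raise UnsafePathError("remote locations are not allowed")
    # 2. Percent-decode until stable so encoded and double-encoded '..' are seen
    #    as the same thing the filesystem will see.
    decoded = user_path
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    decoded = decoded.replace("\\", "/")
    # 3. A null byte can truncate the path in C-based runtimes; never pass it on.
    if "\x00" in decoded:
        raise UnsafePathError("null byte in path")
    # 4. Resolve symlinks and '..' segments, then require containment of the real
    #    path (commonpath, not a string prefix, so 'pages2' cannot match 'pages').
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, decoded.lstrip("/")))
    if os.path.commonpath([base, target]) != base:
        raise UnsafePathError("path escapes base directory")
    # 5. Allow only the file types the feature is meant to serve.
    if not target.endswith(allowed_suffixes):
        raise UnsafePathError("file type not allowed")
    return target

def classify(base_dir, user_path):
    """'allowed' or the rejection reason, for demonstration and testing."""
    try:
        resolve_include(base_dir, user_path)
        return "allowed"
    except UnsafePathError as exc:
        return str(exc)
```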

Buffer overflow

The buffer overflow attack can be applied in different areas, such as user-entered data and request parameters. Example:

http://www.test.com/insecurecgi?ABCDEF..ABCDEFcode_excutable

Note that the shellcode first contains a large number of filler characters, followed by code in binary, executable form near the end. In this example, the overflow is in the name of the parameter and not in its value, which illustrates how numerous the overflow possibilities are.

Integer overflow

An integer overflow, like a buffer overflow, involves putting too much information into too small of a space. In this case, the space is that set aside for numbers. For example, using 8 bits, it is possible to express any number in binary from 0 to 255. If only 8 bits are set aside and the user enters a value of 256 to be converted to binary, it exceeds what can be stored, represented, and so forth, and results in an integer overflow. Depending on how the code is written, it is possible that the program would store only the last eight digits (of what now requires nine—100000000) and thus the value would be accepted, processed, and stored as zero.
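The 8-bit case above, worked through as an added example (not from the original notes): the truncation the text describes, the range check that prevents it, and a size calculation in a 16-bit width that wraps to a small number, which is how an integer overflow becomes an undersized buffer.

```python
def to_binary_truncated(value, bits=8):
    """Binary text of value keeping only its last `bits` digits, as the text describes for 256."""
    return format(value, "b")[-bits:].rjust(bits, "0")

def store_uint8_unchecked(value):
    """What a program that silently keeps the low eight bits ends up storing."""
    return value & 0xFF

def store_uint8_checked(value):
    """The range check the unchecked version lacks: refuse instead of wrapping."""
    if not 0 <= value <= 255:
        raise OverflowError("%d does not fit in 8 bits" % value)
    return value

def allocation_size(count, item_size, width_bits=16):
    """Bytes a fixed-width multiply would compute for count items (wraps modulo 2**width_bits)."""
    return (count * item_size) & ((1 << width_bits) - 1)

def overflow_detected(count, item_size, width_bits=16):
    """True when count*item_size cannot be represented in width_bits; check this before allocating."""
    return (count * item_size) >> width_bits != 0
```

allocation_size(2000, 40) yields 14464 rather than 80000, so a buffer sized from that result is far too small for the data copied into it.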

Zero day

A zero day attack, also known as a zero hour attack, takes advantage of computer vulnerabilities that do not currently have a solution. Typically, a software company will discover a bug or problem with a piece of software after it has been released and will offer a patch — another piece of software meant to fix the original issue. A zero day attack will take advantage of that problem before a patch has been created. It is named zero day because it occurs before the first day the vulnerability is known. In most cases, a zero day attack will take advantage of a bug that neither the software’s creators nor users are aware of. In fact, this is precisely what malicious programmers hope to find. By finding software vulnerabilities before the software’s makers find them, a programmer can create a virus or worm that exploits that vulnerability and harms computer systems in a variety of ways.

Cookies and attachments

Cookies are text files that a browser maintains on the user’s hard disk in order to provide a persistent, customized web experience for each visit. A cookie typically contains information about the user. For example, a cookie can contain a client’s history to improve customer service. The next time you return to that store, the server can read your cookie and customize what it presents to you. Cookies can also be used to timestamp a user to limit access. A financial institution may send your browser a cookie once you’ve authenticated. The server can read the cookie to determine when a session is expired. Obviously, cookies are considered a risk because they have the potential to contain your personal information, which could get into the wrong hands, and are highly treasured by advertisers today.

If security is your utmost concern, the best protection is to not allow cookies to be accepted. Almost every browser offers the option of enabling or disabling cookies. If you enable them, you can usually choose whether to accept or reject all or only those from an originating server. Know that if you disallow cookies, users will not be able to visit a lot of sites. A compromise is to allow only session cookies.

Locally Shared Objects and Flash Cookies

A Locally Shared Object (LSO) is also commonly known as a Flash Cookie and is nothing more than data stored on a user’s computer by Adobe Flash. Often this is used to store data from games that have been played through Flash or user preferences, and it can represent a security/privacy threat.

Malicious Add-Ons

There are any number of add-ons that have the potential to harm a system. Some do so unintentionally through poor programming, and some are truly malicious add-ons; the difference between them is intent.

Consider a Java applet, for example. This is a small, self-contained Java script that is downloaded from a server to a client and then run from the browser. The client browser must have the ability to run Java applets in a virtual machine on the client. Java applets are used extensively in web servers today, and they’re becoming one of the most popular tools used for website development.

Java-enabled applications can accept programmed instructions (Java scripts) from a server and control certain aspects of the client environment. Java requires you to download a virtual machine in order to run the Java applications or applets. Java scripts run on the client.

The applets run in a restricted area of memory called the sandbox. The sandbox limits the applet’s access to user areas and system resources. An applet that runs in the sandbox is considered safe, meaning that it won’t attempt to gain access to sensitive system areas. Errors in the Java virtual machine that runs the applications may allow some applets to run outside the sandbox. When this occurs, the applet is unsafe and may perform malicious operations. Attackers on client systems have exploited this weakness. From a user’s standpoint, the best defense is to make certain that you run only applets from reputable sites with which you’re familiar. From an administrator’s standpoint, you should make certain that programmers adhere to programming guidelines when creating such applets.

Similarly, ActiveX is a technology that was implemented by Microsoft to customize controls, icons, and other features, which increases the usability of web-enabled systems. ActiveX runs on the client. It uses a method called Authenticode for security. Authenticode is a type of certificate technology that allows ActiveX components to be validated by a server.

ActiveX components are downloaded to the client hard disk, potentially allowing additional security breaches. Web browsers can be configured so that they require confirmation to accept an ActiveX control. However, many users don’t understand these confirmation messages when they appear, and they automatically accept the components. Automatically accepting an ActiveX component or control creates the opportunity for security breaches on a client system when the control is used because an ActiveX control contains programming instructions that can contain malicious code or create vulnerabilities in a system. We highly recommend that you configure browsers so that they do not allow ActiveX to run without prompting the user because of the potential security hole that could be opened.

Session Hijacking

The term session hijacking describes when the item used to validate a user’s session, such as a cookie, is stolen and used by another to establish a session with a host that thinks it is still communicating with the first party. To use an overly simplistic analogy, imagine that you just finished a long phone conversation with a family member and then accidentally left your smartphone in the room while stepping outside. If Jim were to pick up that phone and press redial, the family member would see the caller ID, know that they had just been talking with you, and falsely assume that you were calling back. If Jim could imitate your voice, he could rattle off numerous nasty comments that would jeopardize your relationship with that family member. This same premise could be true if someone could fool a host into thinking it was still talking to your computer rather than theirs.

Numerous types of attacks use session hijacking, including man-in-the-middle and sidejacking. A weakness in a Firefox extension made news when it became known that an exploit made it possible for public Wi-Fi users to fall prey to this type of attack (Firesheep was an extension created to take advantage of the weakness). Some of the best ways to prevent session hijacking are to encrypt the sessions, encourage users to log out of sites when finished, and perform secondary checks on the identity of the user.
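The session cookie with a timestamp from the Cookies section and the three session hijacking defenses listed above, as an added example (not from the original notes): a signed token carrying the issue time and a secondary client check, a Set-Cookie line restricted to TLS, a logout that revokes the token, and a validator that rejects tampered, expired, revoked, or foreign-client sessions. SECRET and the fingerprint value are constructed assumptions.

```python
import hashlib, hmac, time
from http.cookies import SimpleCookie

SECRET = b"constructed-demo-key-rotate-in-production"  # assumption: server-side secret
SESSION_TTL = 15 * 60  # seconds a session stays valid after issue
_revoked = set()       # tokens invalidated by an explicit logout

def _sign(payload):
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()

def issue_session(user, client_fingerprint, now=None):
    """Signed token: user, issue timestamp, and a secondary identity check.
    client_fingerprint is assumed to be a hex digest of stable client traits
    (e.g. the User-Agent) so it contains no '|' separator."""
    issued = int(now if now is not None else time.time())
    payload = "%s|%d|%s" % (user, issued, client_fingerprint)
    return payload + "|" + _sign(payload)

def session_cookie_header(token):
    """Set-Cookie line: only over TLS, hidden from page scripts, not sent cross-site."""
    cookie = SimpleCookie()
    cookie["sid"] = token
    cookie["sid"]["secure"] = True
    cookie["sid"]["httponly"] = True
    cookie["sid"]["samesite"] = "Strict"
    return cookie.output(header="Set-Cookie:").strip()

def logout(token):
    _revoked.add(token)

def validate_session(token, client_fingerprint, now=None):
    """Return the user for a live, untampered session from the same client, else None."""
    now = now if now is not None else time.time()
    if token in _revoked:
        return None
    try:
        user, issued, fp, sig = token.split("|")
        issued = int(issued)
    except ValueError:
        return None
    if not hmac.compare_digest(sig, _sign("%s|%d|%s" % (user, issued, fp))):
        return None  # tampered with
    if now - issued > SESSION_TTL:
        return None  # expired: the server reads the timestamp, as the text describes
    if not hmac.compare_digest(fp, client_fingerprint):
        return None  # presented from a different client: treat as hijacked
    return user
```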

Header Manipulation

When used with XSRF, the attacker can even change a user’s cookie. Internet Explorer 8 and above include InPrivate Filtering to help prevent some of this. By default, your browser sends information to sites, as they need it—think of requesting a map from a site; it needs to

Arbitrary code execution / remote code execution

Though long frowned upon, it is possible for a programmer to create a means by which a program that they write can remotely accept commands and execute them. These commands can be unrelated to the actual program accepting them, and they can run on the host machine within a shell, command interpreter, and so on. When this is done, it is known as either arbitrary code execution (since it is taking any arbitrary commands fed to it) or remote code execution—both meaning the same thing. As if this issue is not bad enough in and of itself, the host program can be running with elevated privileges and capable of doing far more harm than what the user might otherwise be limited to.
