2.4 Application attacks Flashcards

(11 cards)

1
Q

Injection attacks

A
  • Code injection
    –Adding your own information into a data stream
  • Enabled because of bad programming
    –The application should properly handle input and
    output
  • So many different injectable data types
    –HTML, SQL, XML, LDAP, etc.
2
Q

SQL injection

A
  • SQL - Structured Query Language
    –The most common relational database management
    system language
  • SQL injection (SQLi)
    –Put your own SQL requests into an existing application
    –Your application shouldn’t allow this
  • Can often be executed in a web browser
    –Inject in a form or field
3
Q

Buffer overflows

A
  • Overwriting a buffer of memory
    –Spills over into other memory areas
  • Developers need to perform bounds checking
    –The attackers spend a lot of time looking for openings
  • Not a simple exploit
    –Takes time to avoid crashing things
    –Takes time to make it do what you want
  • A really useful buffer overflow is repeatable
    –Which means that a system can be compromised
4
Q

Replay attack

A
  • Useful information is transmitted over the network
    –A crafty hacker will take advantage of this
  • Need access to the raw network data
    –Network tap, ARP poisoning, malware on the victim computer
  • The gathered information may help the attacker
    –Replay the data to appear as someone else
  • This is not an on-path attack
    –The actual replay doesn’t require the original
    workstation
5
Q

Privilege escalation

A

  • Gain higher-level access to a system
    –Exploit a vulnerability
    –Might be a bug or design flaw
  • Higher-level access means more capabilities
    –This commonly is the highest-level access
    –This is obviously a concern
  • These are high-priority vulnerability patches
    –You want to get these holes closed very quickly
    –Any user can be an administrator
  • Horizontal privilege escalation
    –User A can access user B resources

6
Q

Mitigating privilege escalation

A
  • Patch quickly
    –Fix the vulnerability
  • Updated anti-virus/anti-malware software
    –Block known vulnerabilities
  • Data Execution Prevention
    –Only data in executable areas can run
  • Address space layout randomization
    –Prevent a buffer overrun at a known memory address
    –Elevation of privilege vulnerability
  • CVE-2023-29336
    –Win32k Elevation of Privilege Vulnerability
    –May 2023
  • Win32k Kernel driver
    –Server 2008, 2008 R2, 2012, 2012 R2, 2016
    –Windows 10
  • Attacker would gain SYSTEM privileges
    –The highest level access
7
Q

Cross-site requests

A
  • Cross-site requests are common and legitimate
    –You visit ProfessorMesser.com
    –Your browser loads text from ProfessorMesser.com
    –Your browser loads a video from YouTube
    –Your browser loads pictures from Instagram
  • HTML on ProfessorMesser.com directs requests from your browser
    –This is normal and expected
    –Most of these are unauthenticated requests
8
Q

The client and the server

A
  • Website pages consist of client-side code and server-side code
    –Many moving parts
  • Client side
    –Renders the page on the screen (HTML, JavaScript)
  • Server side
    –Performs requests from the client (HTML, PHP)
    –Transfer money from one account to another
    –Post a video on YouTube
9
Q

Cross-site request forgery

A
  • One-click attack, session riding
    –XSRF, CSRF (sea surf)
  • Takes advantage of the trust that a web application has for the user
    –The web site trusts your browser
    –Requests are made without your consent or your knowledge
    –Attacker posts a Facebook status on your account
  • Significant web application development oversight
    –The application should have anti-forgery techniques added
    –Usually a cryptographic token to prevent a forgery
10
Q

Directory traversal

A
  • Directory traversal / path traversal
    –Read files from a web server that are outside of the website’s file directory
    –Users shouldn’t be able to browse the Windows folder
  • Web server software vulnerability
    –Won’t stop users from browsing past the web server root
  • Web application code vulnerability
    –Take advantage of badly written code
11
Q

Cross-site request forgery

A
  1. Attacker creates a funds transfer request.
  2. Request is sent as a hyperlink to a user who may already be logged into the bank web site.
  3. Visitor clicks the link and unknowingly sends the transfer request to the bank web site.
  4. Bank validates the transfer and sends the visitor's funds to the attacker.