CompTIA Security+ SYO-401

Explain types of Application Attacks Tutorial

2 Cross-Site Scripting, SQL, LDAP, and XML Injection

In this topic, we will study cross-site scripting, SQL injection, LDAP injection, XML injection, and ways to prevent injection.

Cross-site scripting, or XSS, is an attack in which attackers take advantage of a client-side vulnerability of web servers and inject malicious script into the content sent to users and visitors. So, how do attackers inject malicious content into websites? They use methods such as CGI scripts, server software vulnerabilities, SQL injection attacks, frame exploitation, DNS redirects, and cookie hijacks. Additionally, attackers can launch an XSS attack through a malformed email, which can redirect the reader to the attacker's website in many ways. The aftermath of an XSS attack includes identity theft, credential theft, data theft, financial losses, or the installation of remote-control software on visiting clients. To protect against these attacks, organizations must continuously update their web servers, apply security patches, use a firewall to block unwanted traffic, and act on any suspicious activity. As a web user, you can defend against this attack by regularly updating your system, deploying antivirus software, avoiding unauthorized websites, and using security add-ons for your web browser.

Older websites consisted of static web pages. As users asked for more information and control, developers came up with web applications, where the content is dynamically retrieved from database servers. This means that every time a user logs on to his bank account with a username and password, the web application stores the credentials and, on request, accesses the data from the database server. If the user refreshes the page or requests other information, the web application uses the same credentials and retrieves the updated information from the database. Throughout the transaction the web application plays an important role, as it communicates directly with the database.

If the web application functions properly, it accepts only authorized requests. However, if there is a flaw in the web application, it allows the attacker to manipulate data using a SQL injection attack. An attacker launches a SQL injection attack by entering invalid data on web pages, and gains unauthorized access to a database. SQL injection can be further classified into simple SQL injection and blind SQL injection. The former is an error-based or message-based attack, where the attacker receives an error or a message in response to the SQL queries sent to the server. The latter is a blind attack: the attacker is unaware of what is happening on the server, but still performs the SQL injection. The result may favor the attacker, but the SQL server does not reply with a message or an error.

LDAP provides a mechanism to connect to, search, and modify Internet directories. LDAP injection is similar to SQL injection, but instead of attacking the database server, the attacker targets the host operating system and tries to execute certain LDAP commands on the server to get the desired output. The success rate of LDAP injection increases if the front end of the web server uses a script to craft LDAP statements from the values entered by the user.

In XML injection, the attacker targets an XML application that works in the back end. The attacker may insert malicious XML code into SOAP requests to generate errors in the XML parsing logic. XML injection causes XML poisoning, which creates a denial-of-service condition and compromises confidential information. Moreover, the injection inserts malicious content into the resulting message or document.

Let's now see how to protect against injection attacks. The common ways to avoid injection attacks are input validation and privilege management. In input validation, developers are expected to define the acceptable input data while developing web pages. This prevents the attacker from entering the special characters needed to perform an injection attack. Privilege management means granting users the minimum or limited rights needed to perform database operations. It is observed that most programmers use admin rights to configure even basic database functions, which gives the attacker an opportunity to inject malicious scripts.
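The two defences the passage names, shown as an added example that is not part of the Security+ material: a login check that concatenates user input into the SQL statement beside one that validates the username and passes both values as query parameters. Python's sqlite3 stands in for the database server; the table, the account and the test inputs are constructed.

```python
import re
import sqlite3

def make_db() -> sqlite3.Connection:
    # Constructed in-memory table standing in for the bank's user store.
    # (Plaintext passwords only to keep the demonstration short.)
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    return conn

def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # The flaw the text describes: user input is pasted into the statement,
    # so a quote character in the input changes the meaning of the query.
    query = ("SELECT COUNT(*) FROM users WHERE username = '%s' "
             "AND password = '%s'" % (username, password))
    return conn.execute(query).fetchone()[0] > 0

# Input validation: define up front what a username may contain.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")

def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> bool:
    if not USERNAME_RE.fullmatch(username):
        return False  # reject special characters instead of trying to escape them
    # Parameterised query: the values travel separately from the SQL text, so
    # the driver can never interpret them as part of the statement.
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] > 0

def demo() -> dict:
    conn = make_db()
    tautology = "' OR '1'='1"  # constructed test input containing SQL metacharacters
    return {
        "vuln_legit": login_vulnerable(conn, "alice", "correct-horse"),
        "vuln_injected": login_vulnerable(conn, "alice", tautology),
        "hard_legit": login_hardened(conn, "alice", "correct-horse"),
        "hard_injected": login_hardened(conn, "alice", tautology),
        "hard_bad_username": login_hardened(conn, "alice' --", "anything"),
    }

if __name__ == "__main__":
    print(demo())
```

The vulnerable version accepts the metacharacter input as a valid login; the hardened version treats it as an ordinary, non-matching password and refuses the malformed username outright.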

3 Directory Traversal, Buffer Overflow, and Integer Overflow

In this topic, you will learn about directory traversal or command injection, buffer overflow, and integer overflow.

A directory traversal attack enables the attacker to traverse the directory structure of the target server. In addition to traversing the directory, it grants the attacker the ability to perform command injection. With a modified URL, the attacker traverses out of the web directory and into the main OS folder to get hold of the command prompt executable. The attacker can then run commands using the privileges of the IIS service or by exploiting the limitations of a URL.

In a buffer overflow attack, the attacker exploits an existing vulnerability such as a flaw, bug, error, or oversight in the target application. So, how does this attack actually take place? The attacker first carefully examines the load-bearing capacity of the application, and then submits data that is beyond the capacity of the application or its process. The attack fails if the targeted process is coded to handle excess data. Otherwise, the excess data is moved to the CPU and executed with all system privileges. This grants the attacker entry to the CPU to execute scripts and commands with unrestricted access. A buffer overflow attack may result in a program crash, a system freeze, data corruption, user privilege escalation, an opened port, a disabled service, or any other activity the attacker desires. As a first countermeasure, it is important to update the software with the required security patches. Then, ensure the software runs properly and implement appropriate input-validation checks to verify the details before accepting any entered data. Based on static and dynamic memory allocation, this attack can be categorized into stack buffer overflow and heap buffer overflow. A stack buffer overflow occurs when the program uses fixed code that is copied during runtime; this means the program has limited functions, and the complete code is loaded into memory when it is executed for the first time. A heap buffer overflow occurs when the program uses multiple instances of an application; based on the instance during runtime, it calls different code to load into memory.

An integer overflow is similar to a buffer overflow, but it is related to integers. An integer overflow occurs when a mathematical operation on a given set of numbers exceeds the permitted range. For instance, an 8-bit value holds only the numbers in the range 0 to 255, and if an additional number is added to the maximum value, the result is an integer overflow. Following this example, even if the resulting value is greater than 255, the variable retains the maximum value and produces the same value as a result, which may lead to missing or lost information. In another case, if the program produces a negative value but the program logic assumes the number to be always positive, the negative value will cause security breaches in the result. To avoid integer overflow, as a programmer, you should follow two important steps:

• Understand the numeric limitations of the code and the platform.
• Adopt coding techniques to test for the occurrence of integer overflow.
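As an added example that is not part of the course text, the 8-bit arithmetic the passage describes, carried out in Python alongside the two programmer steps it recommends: an add that knows the platform limit and tests for overflow before trusting the result, and the "assumed positive" length check it warns about. The function names and the buffer sizes are mine.

```python
U8_MAX = 255  # step 1: know the numeric limit of the type in use

def saturating_add_u8(a: int, b: int) -> int:
    # The behaviour the text describes: a result above 255 is clamped to the
    # maximum, so the true sum is silently lost.
    return min(a + b, U8_MAX)

def wrapping_add_u8(a: int, b: int) -> int:
    # The behaviour of ordinary unsigned machine arithmetic: the result wraps
    # modulo 256, so 250 + 10 becomes 4 (this is what C's uint8_t does).
    return (a + b) & 0xFF

def add_overflows_u8(a: int, b: int) -> bool:
    # Step 2: test for the overflow. Rearranged as a subtraction so the test
    # itself stays inside the range of the type.
    return a > U8_MAX - b

def checked_add_u8(a: int, b: int) -> int:
    if not (0 <= a <= U8_MAX and 0 <= b <= U8_MAX):
        raise ValueError("operands out of 8-bit range")
    if add_overflows_u8(a, b):
        raise OverflowError(f"{a} + {b} exceeds {U8_MAX}")
    return a + b

def to_signed8(value: int) -> int:
    # Reinterpret 8 raw bits as a two's-complement signed byte: 200 -> -56.
    value &= 0xFF
    return value - 256 if value & 0x80 else value

def copy_allowed_unchecked(requested_len: int, buffer_size: int) -> bool:
    # The "assumed positive" bug from the text: a length read from the network
    # is stored in a signed byte, large values turn negative, and a negative
    # number passes a less-than test that was meant to keep it in the buffer.
    length = to_signed8(requested_len)
    return length < buffer_size

def copy_allowed_checked(requested_len: int, buffer_size: int) -> bool:
    # Fix: validate the original value against the real range before it is
    # narrowed into a smaller type, and reject negatives explicitly.
    return 0 <= requested_len < buffer_size
```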

4 Cookies and Attachments, and Locally Shared Objects or Flash Cookies

In this topic, you will learn about cookies and attachments, and Locally Shared Objects or Flash cookies.

Cookies are ready-made software parameters that make browsing faster and easier by saving the user's preferences and inputs, so the user need not enter the details again. However, most cookies are unencrypted or weakly encrypted. This acts as an invitation to attackers, who are able to steal or retrieve the user-related information they require. Moreover, a malicious attack on cookies disrupts their actual purpose, and the user experiences slow browsing. Session cookies or third-party cookies are used to hijack a session at the application layer, and can attack any session on banking, shopping, and other mailing sites. As a countermeasure, block all third-party cookies from all sites and first-party cookies from untrusted sites.

Email is one of the preferred mediums adopted by attackers to send malicious software such as viruses, worms, Trojans, backdoors, rootkits, logic bombs, botnets, and other malware. To overcome such attacks, you must first scan the attachment using an antivirus. By default, most email service providers block users from sending .bat, .exe, .sh, and other executables as attachments. Another way to avoid this attack is stripping the email on the SMTP server before allowing it to reach the end user's system.

Local Shared Objects are small files or pieces of data that websites store on a user's system using Adobe Flash Player. These objects are also referred to as Flash cookies because they use Adobe Flash Player to store user preferences and settings. However, if these cookies are used to track a user's web activities, and are not cleared or removed when browser cookies are removed, the stored cookies can be a threat. Flash cookies are generally used as a tracking tool; the Flash Player settings can block or limit the function of LSOs, but the modified settings are reset to default after each successful update. As a countermeasure, use the browser in secure mode, which restricts Flash Player from storing local shared objects.
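An attachment filter of the kind the passage attributes to mail providers and SMTP servers, written here as an added Python example that is not from the course. The extension list extends the page's .bat, .exe and .sh with other common executable types as an assumption, and the file names are constructed.

```python
from typing import List, Optional, Tuple

# The types the text names, plus other executable types a mail gateway
# commonly blocks (the additions are an assumption, not from the page).
BLOCKED_EXTENSIONS = {
    ".bat", ".exe", ".sh",
    ".cmd", ".com", ".scr", ".ps1", ".vbs", ".js", ".msi", ".dll",
}

def normalize_filename(name: str) -> str:
    # Drop any path prefix (either separator style) and the trailing dots and
    # spaces that Windows ignores when deciding how to open a file, so
    # "payload.exe. " is still treated as ".exe". Compare case-insensitively.
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    return base.rstrip(". ").lower()

def blocked_extension(name: str) -> Optional[str]:
    """Return the offending extension if the attachment should be stripped."""
    base = normalize_filename(name)
    # Look at every suffix, not just the last one, so "report.pdf.exe" and a
    # renamed executable such as "setup.exe.txt" are both caught.
    parts = base.split(".")
    for ext in ("." + part for part in parts[1:]):
        if ext in BLOCKED_EXTENSIONS:
            return ext
    return None

def filter_attachments(names: List[str]) -> Tuple[List[str], List[str]]:
    """Split an email's attachment names into (delivered, stripped)."""
    delivered, stripped = [], []
    for name in names:
        (stripped if blocked_extension(name) else delivered).append(name)
    return delivered, stripped
```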

5 Malicious Add-ons, Session Hijacking, Header Manipulation, Remote Code Execution

In this topic, you will learn about malicious add-ons, session hijacking, header manipulation, and arbitrary code execution or remote code execution.

Genuine add-ons are also referred to as plug-ins or expansion packs. They are available as browser plug-ins that add features, some of which work even when the browser is offline. Attackers create fake versions of add-ons to fool people: they convert add-ons into Trojan horses and program them to appear genuine, while in reality they are malicious code. With malicious add-ons, attackers can access the user's information or take charge of the entire system or the user's identity. As a countermeasure, install software only from trusted sources, and periodically run antivirus and malware scans. Many vendors blacklist add-ons with a previous malicious record so that the browser filters and disables them.

In session hijacking, the attacker takes over the user's existing session. This is also known as TCP/IP hijacking. TCP/IP hijacking is easy because it is a one-sided form of the man-in-the-middle attack: the other partner in the communication is disconnected, yet remains unaware that the session has been disturbed and realizes it only after the attack has occurred. You can prevent this attack by doing the following: use encrypted protocols and perform re-authentication during a session, and use modern or secured protocols designed with preventive features that make session hijacking very difficult or impossible. These features include complex nonlinear sequencing rules and timestamps with short timeout values.

Header manipulation is the process of adding malicious code to the web browser or web server by presenting a false HTML or HTTP header value as a valid one. Common examples of header manipulation attacks are cross-site scripting, cache poisoning, browser hijacking, open redirects, cookie manipulation, and cross-user defacement. Cross-user defacement is similar to HTTP response splitting. To avoid such attacks, use updated browsers and servers, filter content from visitors, and reject or ignore any header that violates the HTTP and HTML specifications.

In arbitrary code execution, attackers exercise their authority to run any software or program on a remote system by exploiting its vulnerabilities. At times, security privileges prevent the attacker from executing the program on the target machine. In such cases, the attacker includes exploits and attacks to escalate privilege, and then executes the program on the target or remote machine. For example, the Windows RPC DCOM vulnerability allows attackers to exploit a machine through remote code execution. They can then perform any operation on the remote machine, such as creating a user, getting a shell, or accessing files and folders.
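An added Python example, not from the course, of the last header-manipulation countermeasure: rejecting header values that violate the HTTP field-value grammar and confining a redirect target to the site's own paths, which covers the response-splitting and open-redirect cases the passage lists. The function names, the sample paths and the host name are mine.

```python
from urllib.parse import urlsplit

def is_valid_header_value(value: str) -> bool:
    # HTTP field values (RFC 7230) may contain printable ASCII and tab only.
    # A CR or LF inside a value ends the header early and lets an attacker
    # append headers or a second body: the response-splitting case above.
    return all(ch == "\t" or 0x20 <= ord(ch) < 0x7F for ch in value)

def safe_redirect_target(user_supplied: str, default: str = "/") -> str:
    """Pick a Location value that stays on this site and obeys the grammar.

    Anything that fails a check is ignored and replaced by the default,
    matching the "reject or ignore" advice in the text.
    """
    parts = urlsplit(user_supplied)
    if parts.scheme or parts.netloc:          # absolute URL or //other.example
        return default
    if not user_supplied.startswith("/"):     # must be an on-site absolute path
        return default
    if user_supplied[:2] in ("//", "/\\"):    # browsers read both as protocol-relative
        return default
    if not is_valid_header_value(user_supplied):  # CR, LF or other control char
        return default
    return user_supplied

def build_redirect_response(next_url: str) -> bytes:
    # Assemble the 302 only from values that have passed validation, so the
    # client sees exactly three header lines no matter what was submitted.
    headers = [("Location", safe_redirect_target(next_url)), ("Content-Length", "0")]
    assert all(is_valid_header_value(v) for _, v in headers)
    lines = ["HTTP/1.1 302 Found"] + [f"{name}: {value}" for name, value in headers]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")

if __name__ == "__main__":
    # Constructed inputs: a legitimate path and one carrying an injected CRLF.
    print(build_redirect_response("/account/settings"))
    print(build_redirect_response("/home\r\nX-Injected: 1"))
```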

7 Summary

Let's summarize the topics covered in this lesson.

• SQL injection can be classified into simple SQL injection and blind SQL injection.
• The two common ways to avoid SQL injection, LDAP injection, and XML injection are input validation and privilege management.
• In a buffer overflow attack, the attacker exploits an existing vulnerability such as a flaw, bug, error, or oversight in the target application.
• Attackers convert add-ons into Trojan horses and program them to appear genuine.
• In arbitrary code execution, attackers exercise their authority to run any software or program on a remote system by exploiting its vulnerabilities.

With this, we conclude the lesson 'Explain Types of Application Attacks.' The next lesson is 'Analyze a Scenario and Select the Appropriate Type of Mitigation and Deterrent Techniques.'
