Application Layer Attacks. Application Layer Attacks. Application Layer. Application Layer. Internet Protocols. Application Layer.

Size: px

Start display at page:

Download "Application Layer Attacks. Application Layer Attacks. Application Layer. Application Layer. Internet Protocols. Application Layer."

Sylvia Merritt
5 years ago
Views:

1 Application Layer Attacks Application Layer Attacks Week 2 Part 2 Attacks Against Programs Application Layer Application Layer Attacks come in many forms and can target each of the 5 network protocol layers It is straight-forward on how to protect the lower 4: transport network data link physical The application layer, the top, is the scene of most attacks This is because by design, the Internet does not care what is inside each packet only the application understands the content 5/31/2018 Sacramento State - Cook - CSc Summer /31/2018 Sacramento State - Cook - CSc Summer Application Layer Internet Protocols Attackers attempt to create fake or corrupted applicationlayer data An application can malfunction crash or be changed into another program while it is running! Application Layer Transport Layer Network Layer Data link Layer Physical Layer Any Data Internet TCP / IP 5/31/2018 Sacramento State - Cook - CSc Summer /31/2018 Sacramento State - Cook - CSc 8 - Summer

2 Application Attacks Zero-Day Attacks The number of attacks that target applications continues to grow Examples: Web application attacks Client-side attacks Buffer overflow attacks Hackers attempt to discover new vulnerabilities that can be exploited If found, it is shared with other attackers It takes time for to good guys to find out Zero day attacks exploit previously unknown vulnerabilities victims have no time to prepare or defend (hence, zero days) 5/31/2018 Sacramento State - Cook - CSc Summer /31/2018 Sacramento State - Cook - CSc Summer Buffer Overflow Buffer Overflow Application Layer Attack Operating systems protect programs from having their memory / code damaged by another program However operating systems don't protect programs from damaging themselves 5/31/2018 Sacramento State - Cook - CSc Summer Buffer Overflow Buffers One technique used to attack a computer is to take advantage of this fact Get the program to damage/destroy itself There is no defense In memory, a running program's data is often stored next to its instructions Programs keep blocks of memory called buffers which store data (which can vary in size) Examples: people's names list of pet names bytes in an image 5/31/2018 Sacramento State - Cook - CSc Summer /31/2018 Sacramento State - Cook - CSc Summer

3 Buffer Overflow How it Works Buffer Overflow Computer Memory Data Not used It is possible to store too much information resulting in a buffer overflow Program Buffer Program The extra bytes will overwrite part of the running program changing it! 5/31/2018 Sacramento State - Cook - CSc Summer /31/2018 Sacramento State - Cook - CSc Summer Buffer Overflow How it Works The Aftermath Computer Memory Overflow of data Overwritten program Hackers can use this to make a program rewrite itself with malicious instructions They can overflow a buffer and use an innocent program to commit malicious acts Anti-spyware, anti-virus, etc software cannot stop this it all depends if the target software protects itself from overflows 5/31/2018 Sacramento State - Cook - CSc Summer /31/2018 Sacramento State - Cook - CSc Summer A Scary Video Example: Code Red Worm I'm going to show a short video of a real-time application attack on a computer The user opens a Windows Meta File (.wmf) on the Internet it downloads and opens using the default Windows image viewer It buffer overflows the application converts it into a downloader it then downloads and installs rogueware Worm first attacked on July 13, 2001 First version just defaced web pages Code Red II showed no visible evidence of its presence 5/31/2018 Sacramento State - Cook - CSc Summer /31/2018 Sacramento State - Cook - CSc Summer

4 Example: Code Red Worm Example: Code Red Worm Exploited a security flaw in Microsoft IIS web servers used a buffer overflow to run malicious code exploit was a simple HTTP request server had no reason to worry buffer was large enough for any normal HTTP request Though infected, server ran normally Worm used the server clock to determine its actions for each day of the month What it did: Day 1-19: Attack random IP addresses in an attempt propagate the worm Day 20-27: Denial of Service Attack will be launched against pre-selected IP address Day 28-31: Sleep and wait Wake-up call that a new type of war now exists 5/31/2018 Sacramento State - Cook - CSc Summer /31/2018 Sacramento State - Cook - CSc Summer Scripting Scripting Programs aren't always bits and bytes Most applications are compiled they are written in a high-level language such as Java and C# but are converted into the raw 1's and 0's that run on a computer However, some aren't they remain in their text form parsed and executed "on the fly" 5/31/2018 Sacramento State - Cook - CSc Summer Scripting Scripting Examples Scripting files are text files that are executed They require an interpreter to parse and run the program Common on servers, web applications, and more Sequential Query Language (SQL) JavaScript XML UNIX shell scripts DOS batch files 5/31/2018 Sacramento State - Cook - CSc Summer /31/2018 Sacramento State - Cook - CSc Summer

5 This image cannot currently be displayed. Applications and Scripting Javascript Tricks Your browser is running a program Applications such as web applications use scripts to communicate with each other e.g. SQL is used to talk to databases Attackers can insert malicious code into a script and change how one computer talks to another this is a common application layer attack 5/31/2018 Sacramento State - Cook - CSc Summer Web Application Attacks Web applications an essential element of organizations today Scripting attacks are increasingly common Approach to securing Web applications hardening the web server protecting the network 5/31/2018 Sacramento State - Cook - CSc Summer Common Web Application Attacks JavaScript Cross-site scripting SQL injection XML injection Command injection / directory traversal JavaScript scripting language designed add functionality to webpages executed by the web browser on the client examples: mouseovers, menus, etc... Don't confuse it with. Java Programming Language Java Virtual Machine 5/31/2018 Sacramento State - Cook - CSc Summer /31/2018 Sacramento State - Cook - CSc Summer

6 This image cannot currently be displayed. The <SCRIPT> Tag Javascript Example Inserts a script directly into the program Can define functions, to be called from events like clicking on button Or executed immediately Can be in the header or body of a webpage <script> </script> <script> function hello() { alert("sac State rocks!"); } </script> 5/31/2018 Sacramento State - Cook - CSc Summer /31/2018 Sacramento State - Cook - CSc Summer Common Gateway Interface Common Gateway Interface Users often submit data to a website logging into your website entering a bid on ebay etc This information is passed using Common Gateway Interface protocol Application layer protocol that is used by all web browsers Information is sent one of two different ways POST information is based directly from the browser to the server users do not see it GET data is sent as part of a webpage address used in links 5/31/2018 Sacramento State - Cook - CSc Summer /31/2018 Sacramento State - Cook - CSc Summer CGI Get Example CGI Get link The Get format is pretty straight forward, and can be read with little effort Get link consists of the following: original webpage address question mark separates the URL from data one or more names and values Website. Just a dummy one in this example 5/31/2018 Sacramento State - Cook - CSc Summer /31/2018 Sacramento State - Cook - CSc Summer

7 Example CGI Get link Example CGI Get link Question mark separates link and data "name" field equals "Gunchy" Different fields are separated by ampersands 5/31/2018 Sacramento State - Cook - CSc Summer /31/2018 Sacramento State - Cook - CSc Summer Cross Site Scripting Attacks Cross Site Scripting Attacks Application Layer Attack Cross Site Scripting (XSS) allows an attacker to execute their code on a webpage Doesn't attack the vulnerable server, but uses it to attack someone else Hence, the "cross" in the name 5/31/2018 Sacramento State - Cook - CSc Summer Cross Site Scripting Attacks The Attack Most commonly makes use of Javascript Some experts want to call this Javascript Injection rather than XSS Use the terms synonymously When victim visits an injected web site, the malicious script is downloaded It is executed on the user's machine The browser doesn't distinguish between valid code and malicious script its all just script that it needs to run 5/31/2018 Sacramento State - Cook - CSc Summer /31/2018 Sacramento State - Cook - CSc Summer

8 The Vulnerability XSS attack requires a targeted website/server that doesn't validate input Without validation accepts user input without checking uses input in a response without encoding it malicious input becomes malicious output 5/31/2018 Sacramento State - Cook - CSc Summer What Javascript can do What Javascript can do Display pop-up alerts and prompts Change the displayed page using Document Object Model (DOM) read cookies/session tokens Circumvent same-origin policy virtually deface web page Redirect to a different website Detect installed programs Detect browser history Capture keystrokes Port scan the local network Induce user actions 5/31/2018 Sacramento State - Cook - CSc Summer /31/2018 Sacramento State - Cook - CSc Summer What Javascript can do Types of XSS Determine if they are logged on to a website Capture clipboard content Rewrite the status bar Exploit browser vulnerabilities Launch executable files (in some cases) Reflected XSS Stored XSS (a.k.a. Persistent XSS ) DOM Based XSS 5/31/2018 Sacramento State - Cook - CSc Summer /31/2018 Sacramento State - Cook - CSc Summer

Reflective XSS Example Normal Link Reflective XSS uses script inserted into a CGI get link that "reflects" on the victim Attacker only needs to find a server and send a poisoned link Victim clicks

uter Search field contains "Hornet" http://url.com?

9 Reflective XSS Example Normal Link Reflective XSS uses script inserted into a CGI get link that "reflects" on the victim Attacker only needs to find a server and send a poisoned link Victim clicks the link opens the website with the script script then runs on the user computer Search field contains "Hornet" 5/31/2018 Sacramento State - Cook - CSc Summer /31/2018 Sacramento State - Cook - CSc Summer Example Website Output Example Poisoned Link <h2>search Results For: Hornet </h2> Text of the search placed directly in generated webpage search field contains a script alert('attack')</script>&pg=1 5/31/2018 Sacramento State - Cook - CSc Summer /31/2018 Sacramento State - Cook - CSc Summer

10 Example Website Output Stored XSS <h2>search Results For: <script>alert('attack')</script> </h2> Script will execute! Javascript is supplied by the attacker and stored by the website (e.g. in a database) Doesn t require the victim to do anything. They just have to visit the exploited page more dangerous than Reflected XSS caused many XSS worms on popular sites 5/31/2018 Sacramento State - Cook - CSc Summer /31/2018 Sacramento State - Cook - CSc Summer Example: Samy Worm Example: Samy Worm Affected MySpace Attacked every visitor to Samy s page Used XSS JavaScript embedded in the page MySpace did not validate input (which users at the time had fun with) For each visitor: it added them to Sammy s friends it infected there page with the same JavaScript it posted but most of all, Samy is my hero to their page 5/31/2018 Sacramento State - Cook - CSc Summer /31/2018 Sacramento State - Cook - CSc Summer Example: Samy Worm DOM Based XSS Worm spread exponentially Over 1 million friend requests in less than 20 hours Sammy was popular!! Injected Javascript changes the page as the client (your browser) is creating it Uses Document Object Model (DOM) What they can do: change the content of the page add fake links fill out forms with their data 5/31/2018 Sacramento State - Cook - CSc Summer /31/2018 Sacramento State - Cook - CSc Summer

11 Client-Side Attacks Client Side Attacks Application Layer Attack (Against You) Web application attacks are server-side attacks Client-side attacks target vulnerabilities in client applications 5/31/2018 Sacramento State - Cook - CSc Summer Client-Side Attacks Port Scanner Just interacting with a compromised server can result in an attack What happens? client initiates an Internet connection with server server then attacks the client Used to scan a network to find what services are running a computer Scans each of the 65,536 ports If a listening service is found the hacker can check if their is a vulnerability 5/31/2018 Sacramento State - Cook - CSc Summer /31/2018 Sacramento State - Cook - CSc Summer Drive-By Download Drive-by Downloads Application Layer Attack (Client) Client computer is attacked by simply viewing a compromised Web page Attackers inject content into vulnerable Web server They must gain access to server s operating system 5/31/2018 Sacramento State - Cook - CSc Summer

12 How it Works How it Works HTML allows page pages to be inserted into other pages using the <iframe> tag Commonly used for embedding video clips (e.g. YouTube) into a site Used by attackers to hide an malicious embedded page Attackers craft a zero pixel frame to avoid visual detection Embed an malicious HTML page inside main page Client s browser downloads malicious script Instructs computer to download malware 5/31/2018 Sacramento State - Cook - CSc Summer /31/2018 Sacramento State - Cook - CSc Summer The Problem with HTTP Internet Cookies Delicious Little Annoyances Hypertext Transfer Protocol is used to transfer webpages However, HTTP is a stateless protocol one request and one response per session it cannot store state data 5/31/2018 Sacramento State - Cook - CSc Summer The Problem with HTTP What are Cookies? But, this data is very useful keep you logged onto a website keep track of a step in e-commerce (checkout) preview an before you send it etc... Cookies fix this problem A small text file saved on your computer created by a web server only visible to the site that created them managed by your web browser You do not have to accept cookies 5/31/2018 Sacramento State - Cook - CSc Summer /31/2018 Sacramento State - Cook - CSc Summer

13 Types of Cookies Session Cookies Secure cookie used only when browser visits server over secure connection always encrypted Flash cookie uses more memory than traditional cookie cannot be deleted through browser configuration settings Persistent cookie saved on the hard drive does not expire Session cookie stored in RAM expires when browser is closed 5/31/2018 Sacramento State - Cook - CSc Summer /31/2018 Sacramento State - Cook - CSc Summer Session Cookies Cookie Sources The session cookie is also known as a "token" It is passed between the server and client each time they send data First-party cookie cookie created by website user is currently visiting e.g. keep user logged in Third-party cookie created by site advertisers records user preferences 5/31/2018 Sacramento State - Cook - CSc Summer /31/2018 Sacramento State - Cook - CSc Summer Threat of Cookies Threat of Cookies Any web server that you request data from can create (bake) a cookie Pages can get data from multiple servers this can included servers related to the site but are often servers that embed advertisements e.g. banners, pictures, etc... cookies can come from any of these sources Some information may be saved you don't know about: Travel Web sites may store user s travel itinerary Personal information provided when visiting a site All this can build a "profile" of the user 5/31/2018 Sacramento State - Cook - CSc Summer /31/2018 Sacramento State - Cook - CSc Summer

14 Cookies and Ads 1. Visit site about "energy drinks" Ad-servers often shared by webpages By saving data in cookies... ad-servers sites can track your page habits this cannot damage our computer Not dangerous like Spyware although this is a form of spying you do not suffer the effects of spyware only your browsing habits can be watched Your Computer Website 1 Energy Drinks Website contains an ad from UglyAds. The browser downloads it, and the UglyAds server takes note. Ad Server 5/31/2018 Sacramento State - Cook - CSc Summer Server saves cookie to browser 3. Do a report on "Dr. Oz" Your Computer Website 1 Your Computer Website 2 Energy Drinks Ad Server Dr. Oz Ad Server Energy drinks Energy drinks A second website uses UglyAds. It also saves a cookie about your activity. 4. Server saves "Dr. Oz" cookie 5. User visits ecommerce site Your Computer Website 2 Your Computer Sales site Dr. Oz Ad Server Ad Server Energy drinks Dr. Oz Energy drinks Dr. Oz UglyAds wants you to buy a client's product. It looks at cookies and thinks you will buy a common "quack" product. 14

15 6. Sends targeted ad (quack medicine) Session Hijacking Your Computer Sales site Energy drinks Dr. Oz Adrenal Fatigue Ad Ad Server Session hijacking is when an attacker attempts to impersonate user by stealing or guessing session token They intercept this data as it is passed over the network or has malware on your computer steal it 5/31/2018 Sacramento State - Cook - CSc Summer Dangers of Cookies Cookies pose security and privacy risks Examples: may be stolen and used to impersonate user used to tailor advertising can be exploited by attackers 5/31/2018 Sacramento State - Cook - CSc Summer

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 3 Protecting Systems

Security+ Guide to Network Security Fundamentals, Third Edition Chapter 3 Protecting Systems Objectives Explain how to harden operating systems List ways to prevent attacks through a Web browser Define