Attack
Agenda
1 Definitions of Security Terms
2 Security Technologies
3 VA , PT ,VM & Compliances
4 Security Attacks
5 Software Exploits
Definitions
Terminology Example
Asset(s): $5,000,000 under the mattress in the guest bedroom
Threat(s): losing the $5,000,000

Threat                | Attack                             | Vulnerability   | Risk (0-100)
Losing the $5,000,000 | Burglar breaks in and steals money | No alarm system | 100
Losing the $5,000,000 | House burns down                   | No alarm system | 100

Entry/Exit Points: front and side doors; windows (guest bedroom and elsewhere in the residence)
Note: a vulnerability can be shared across attacks(!)
Hacker
The term "Hacker" may mean simply a person with mastery of computers; however, the mass media most often uses "Hacker" as a synonym for a (usually criminal) computer intruder.
In a security context, a hacker is someone involved in computer security/insecurity, specializing in the discovery of exploits in systems (for exploitation or prevention), or in obtaining or preventing unauthorized access to systems through skills, tactics and detailed knowledge.
Types of Hackers
White hat - Someone who breaks security but does so for altruistic or at least non-malicious reasons. White hats generally have a clearly defined code of ethics, and will often work with a manufacturer or owner to fix the weaknesses they discover.
Grey hat - A hacker of ambiguous ethics and/or borderline legality, often frankly admitted.
Blue hat - Someone outside the computer security consulting firms who is brought in to bug-test a system prior to its launch, looking for exploits so they can be closed. Microsoft also uses the term BlueHat for a series of security briefing events.
Black hat - Someone who subverts computer security without authorization or who uses technology (usually a computer or the Internet) for terrorism, vandalism, credit card fraud, identity theft, intellectual property theft, or many other types of crime. This can mean taking control of a remote computer through a network, or software cracking.
Script kiddie - A pejorative term for a computer intruder with little or no skill; a person who simply follows directions or uses a cook-book approach without fully understanding the meaning of the steps they are performing.
Hacktivist - A hacker who uses technology to announce a political message. Web vandalism is not necessarily hacktivism.
Types of Attacks
Criminal Attacks
Basis is financial gain
Includes fraud, destruction and theft (personal, brand, identity)
Privacy Violations
Private/personal information acquired by organizations not authorized to hold it
Includes surveillance, databases, traffic analysis
Publicity Attacks
Attacker wants to get their name(s) in the papers
Can affect ANY system, not just profit centers
Denial of service
Legal Attack
Set up a situation in which the legal discovery process can be used to gather information
Rare, but possibly devastating
Password sniffing
Collect the first part of each data packet and look for login attempts
IP Spoofing
Forge the source address of a packet to hijack a session and gain access
DNS Overrides
Malicious access to a DNS server can compromise a network
Port scanning
Automated process that looks for open networking ports
Logs positive hits for later exploits
Firewalls
Networking devices (routers) that check traffic coming into a private network
Need to be complete and properly configured to ensure protection
Good protection for general networking traffic, but specific traffic will still get through
DMZs
Network space between two firewalls
VPNs
Provide encrypted access from outside a network
Current versions aren't reliable enough and aren't useful against slow attacks
Burglar alarms
Traps set on specific networked objects that go off if accessed
Honey pots
Dummy objects used to attract attacks. Range from single devices to whole sub-networks
Vulnerability scanners
Tools that scan a network periodically for holes, open gateways and misconfigured routers
Limited in scope because of potential damage to the network
Cryptography
Has potential, but complexity limits its use to local sites
Wrap Up

2. Security Technologies

Firewalls
Service control
User control
Behavior control
Firewall Characteristics
Firewall Types
Software firewalls: used on single workstations; less expensive and easier to configure
Evolution of Firewalls
Stages of evolution: Packet Filter -> Stateful Inspection -> Application Proxy -> Deep Packet Inspection
Challenges faced
Solution?
Limit access to the network
Don't trust outsiders
Trust insiders(!!!)
Put firewalls across the perimeter of the network

Firewalls (Contd.)
[Figure: a firewall placed between the Internet and the internal network]

Packet Filters
Example filters
Block all packets from outside except for SMTP servers
Block all traffic to a list of domains
Block all connections from a specified domain
Data Available
Actions Available

[Figure: a DMZ between the Internet and the intranet, with a firewall on each side. Advantages?]
[Figure: TCP three-way handshake between client and server: SYN, SYN/ACK, ACK. Which of these packets has the ACK bit set? Problems?]
Rule  | Dir | Src Addr | Src Port | Dst Addr | Dst Port | Proto | Ack Set? | Action
SSH-1 | In  | Ext      | > 1023   | Int      | 22       | TCP   | Any      | Allow
SSH-2 | Out | Int      | 22       | Ext      | > 1023   | TCP   | Yes      | Allow
Egress Filtering
Outbound traffic carrying an external source address: drop
Benefits?
Ingress Filtering
Inbound traffic carrying an internal source address: drop
Benefits?
Default Deny
Why?
Rule    | Dir | Src Addr | Src Port | Dst Addr | Dst Port | Proto | Ack Set? | Action
Egress  | Out | Ext      | Any      | Ext      | Any      | Any   | Any      | Deny
Ingress | In  | Int      | Any      | Int      | Any      | Any   | Any      | Deny
Default | Any | Any      | Any      | Any      | Any      | Any   | Any      | Deny
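The SSH rules, the egress/ingress anti-spoofing rules and the default deny above can be run as a first-match rule set. The following is an added example, not code from the slides or from any firewall product; the internal prefix 10.0.0.0/8 and the sample packets are constructed for the illustration, and the anti-spoofing rows are placed before the allow rows on purpose.

```python
# Added example (not from the slides): first-match evaluation of the
# stateless rules above. The internal prefix 10.0.0.0/8 and the sample
# packets are constructed for this illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")   # assumption: the "Int" side of the firewall


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" = arriving from the Internet, "out" = leaving
    src: str
    sport: int
    dst: str
    dport: int
    proto: str          # "tcp", "udp", "icmp", ...
    ack: bool = False   # TCP ACK flag set?


def is_internal(addr):
    return ip_address(addr) in INTERNAL


def side_matches(spec, addr):          # spec: "int", "ext" or "any"
    return spec == "any" or (spec == "int") == is_internal(addr)


def port_matches(spec, port):          # spec: int, "high" (> 1023) or "any"
    return spec == "any" or (spec == "high" and port > 1023) or spec == port


# Columns: name, dir, src addr, src port, dst addr, dst port, proto, ack, action.
# Anti-spoofing rules first, so a forged packet never reaches an allow rule;
# the last row is the default deny.
RULES = [
    ("Egress",  "out", "ext", "any",  "ext", "any",  "any", "any", "deny"),
    ("Ingress", "in",  "int", "any",  "int", "any",  "any", "any", "deny"),
    ("SSH-1",   "in",  "ext", "high", "int", 22,     "tcp", "any", "allow"),
    ("SSH-2",   "out", "int", 22,     "ext", "high", "tcp", True,  "allow"),
    ("Default", "any", "any", "any",  "any", "any",  "any", "any", "deny"),
]


def evaluate(pkt):
    """Return (rule name, action) of the first rule matching the packet."""
    for name, d, src, sp, dst, dp, proto, ack, action in RULES:
        if (d in ("any", pkt.direction)
                and side_matches(src, pkt.src) and port_matches(sp, pkt.sport)
                and side_matches(dst, pkt.dst) and port_matches(dp, pkt.dport)
                and proto in ("any", pkt.proto)
                and ack in ("any", pkt.ack)):
            return name, action
    return "Default", "deny"


if __name__ == "__main__":
    samples = [
        Packet("in",  "203.0.113.5", 40000, "10.0.0.7", 22, "tcp"),              # SSH-1 allow
        Packet("out", "10.0.0.7", 22, "203.0.113.5", 40000, "tcp", ack=True),    # SSH-2 allow
        Packet("out", "10.0.0.7", 22, "203.0.113.5", 40000, "tcp", ack=False),   # SYN from 22: deny
        Packet("in",  "10.0.0.9", 40000, "10.0.0.7", 22, "tcp"),                 # spoofed: Ingress deny
        Packet("in",  "203.0.113.5", 80, "10.0.0.7", 22, "tcp"),                 # low src port: deny
    ]
    for p in samples:
        print(p, "->", evaluate(p))
```

The third sample shows what the "Ack Set? = Yes" column buys: an internal host cannot open a new outbound connection from port 22, because only reply segments (ACK set) are allowed out. The fourth sample shows why the ingress rule sits first: a packet from the Internet claiming an internal source never reaches SSH-1.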
Packet Filters
Advantages
Transparent to application/user
Simple packet filters can be efficient
Disadvantages
Usually fail open
Very hard to configure the rules
Don't have enough information to take decisions:
Does port 22 always mean SSH?
Who is the user accessing the SSH?

Alternatives
Alternatives (Contd.)
Proxy Firewalls
Two connections instead of one
Either at the transport level (SOCKS proxy)
Or at the application level (HTTP proxy)

Proxy Firewall
Data Available
Application-level information
User information
Advantages:
Better policy enforcement
Better logging
Fail closed
Disadvantages:
Doesn't perform as well
One proxy for each application
Client modification

What is VPN?
Encrypted VPNs
Non-encrypted VPNs
Based on the OSI model:
Intranet VPNs
Extranet VPNs

Two connections: one is made to the Internet and the second is made to the VPN.
Datagrams: contain data, destination and source information.
Firewalls: VPNs allow authorized users to pass through the firewalls.
Protocols: protocols create the VPN tunnels.

There are products based on IPsec and on the Point-to-Point Tunneling Protocol (PPTP) or L2TP (Layer 2 Tunneling Protocol).
Although IPsec has become the de facto standard for LAN-to-LAN VPNs, PPTP and L2TP are heavily used for single-client-to-LAN connections.
Therefore, many VPN products support IPsec, PPTP and L2TP.
Technologies
Tunneling
A virtual point-to-point connection made through a public network. It transports encapsulated datagrams.
[Figure: the original datagram is carried as the payload of a new datagram with its own header]

SSL Architecture
Authentication Protocols
VPN Comparisons
IDS Definition
It is better to prevent an attack than to detect it after it succeeds. Unfortunately, not all attacks can be prevented.
Some attackers succeed in breaking the defences and become intruders.
Intrusion prevention: first line of defense
Intrusion detection: second line of defense
Intrusion Detection System (IDS): a device (typically a separate computer) monitoring system activities to detect malicious or suspicious events such as attacks.

IDS Terminology
Anomaly   | abnormal behavior
Misuse    | activity that violates the security policy (subset of anomaly)
Intrusion | misuse by outsiders and insiders
Audit     | activity of looking at user/system behavior, its effects, or collected data
Profiling | looking at users or systems to determine what they usually do
Types of IDS
Host-based IDS
Network-based IDS
Signature Recognition
Anomaly Detection
Limits of IDS
IPS
Host Based
Network Based
Content Based
Protocol Analysis
Rate Based
A network-based IPS is one where the IPS application/hardware, and any action taken to prevent an intrusion against specific network host(s), runs on a host with a different IP address on the network (this could be a front-end firewall appliance).

Protocol Analysis
For example, a large binary blob in the User-Agent field of an HTTP request would be very unusual and likely an intrusion. A protocol analyzer could detect this anomalous behavior and instruct the IPS engine to drop the offending packets.
Signature-based products need a different pattern for each exploit variant. Protocol analysis-based products can often block every variant with a single check that monitors for the specific vulnerability in the network communications.
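The User-Agent case above, as an added example (not code from the slides or from any IPS product): a minimal HTTP request-head parser, a protocol-profile check on the User-Agent field next to a pattern-list check, and three constructed requests. The 512-byte limit and the two byte patterns are assumptions for the illustration.

```python
# Added example (not from the slides): protocol-analysis check on the HTTP
# User-Agent field beside a pattern-list (signature) check. The requests
# and the limits below are constructed for this illustration.
MAX_UA_LEN = 512     # assumption: a policy limit, not a standard value


def parse_request(raw: bytes):
    """Split an HTTP/1.x request head into (request line, {name: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def user_agent_verdict(raw: bytes):
    """'drop' if User-Agent violates the protocol profile, else 'pass'."""
    _, headers = parse_request(raw)
    ua = headers.get(b"user-agent", b"")
    if len(ua) > MAX_UA_LEN:
        return "drop"                      # oversized header field
    # A header field value is visible ASCII plus SP/HTAB. NUL, other control
    # bytes or high bytes are binary data, not a browser identifier.
    if any((b < 0x20 and b != 0x09) or b > 0x7e for b in ua):
        return "drop"
    return "pass"


# One pattern per exploit variant seen so far.
SIGNATURES = [b"\x90\x90\x90\x90", b"/bin/sh"]


def signature_verdict(raw: bytes):
    return "drop" if any(sig in raw for sig in SIGNATURES) else "pass"


# Constructed requests: a normal browser, a known variant, a new variant.
NORMAL = (b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"
          b"User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n\r\n")
VARIANT_A = (b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"
             b"User-Agent: " + b"\x90" * 64 + b"/bin/sh\r\n\r\n")
VARIANT_B = (b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"
             b"User-Agent: " + bytes(range(0x80, 0xff)) * 2 + b"\r\n\r\n")

if __name__ == "__main__":
    for name, req in (("normal", NORMAL), ("variant A", VARIANT_A), ("variant B", VARIANT_B)):
        print(f"{name:10} protocol={user_agent_verdict(req)} signature={signature_verdict(req)}")
```

Variant B carries no byte sequence from the pattern list, so the signature check passes it, while the protocol check drops both variants with the same rule: that is the "single check per vulnerability" point in the text.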
2009 Wipro Ltd Internal & Restricted
Rate-based IPS (RBIPS) are primarily intended to prevent Denial of Service and Distributed Denial of Service attacks. They work by monitoring and learning normal network behaviors.
Through real-time traffic monitoring and comparison with stored statistics, RBIPS can identify abnormal rates for certain types of traffic, e.g. TCP, UDP or ARP packets, connections per second, packets per connection, packets to specific ports etc. Attacks are detected when thresholds are exceeded. The thresholds are dynamically adjusted based on time of day, day of the week etc., drawing on stored traffic statistics.
Unusual but legitimate network traffic patterns may create false alarms. The system's effectiveness is related to the granularity of the RBIPS rulebase and the quality of the stored statistics.
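A threshold "dynamically adjusted based on time of day, drawing on stored traffic statistics" can be as simple as a per-hour mean plus a multiple of the standard deviation. The following is an added example, not code from the slides or from any RBIPS product; the history, the metric name and the factor K are constructed for the illustration.

```python
# Added example (not from the slides): a rate threshold learned from stored
# statistics, adjusted by hour of day. The history and live samples below are
# constructed; K and the metric name are assumptions for this illustration.
from statistics import mean, pstdev

K = 3.0  # alarm when the observed rate exceeds mean + K standard deviations


def build_baseline(history):
    """history: iterable of (hour_of_day, metric, value) from past monitoring.
    Returns {(hour, metric): (mean, population stddev)}."""
    buckets = {}
    for hour, metric, value in history:
        buckets.setdefault((hour, metric), []).append(value)
    return {key: (mean(vals), pstdev(vals)) for key, vals in buckets.items()}


def threshold(baseline, hour, metric):
    mu, sigma = baseline[(hour, metric)]
    return mu + K * sigma


def check(baseline, hour, metric, observed):
    """'alarm' if the live rate exceeds the threshold for this hour, else 'ok'."""
    return "alarm" if observed > threshold(baseline, hour, metric) else "ok"


# Constructed stored statistics: SYN packets per second at 03:00 (quiet) and
# 14:00 (busy), one sample per day over five earlier days.
HISTORY = ([(3, "tcp_syn_per_s", v) for v in (40, 45, 38, 50, 42)] +
           [(14, "tcp_syn_per_s", v) for v in (900, 950, 880, 1020, 910)])
BASELINE = build_baseline(HISTORY)

if __name__ == "__main__":
    # The same 1000 SYN/s is normal at 14:00 and an attack at 03:00.
    for hour, rate in ((14, 1000), (3, 1000), (3, 50), (14, 1200)):
        print(hour, rate, check(BASELINE, hour, "tcp_syn_per_s", rate))
```

The false-alarm caveat from the text is visible here too: a legitimate 03:00 job that opens a thousand connections trips the quiet-hour threshold, and only a finer-grained rulebase (per day of week, per source, per service) or better stored statistics removes that.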
HIPS can handle encrypted and unencrypted traffic equally, because it analyses the data after it has been decrypted on the host.
NIPS does not use processor and memory on the computer hosts; it uses its own CPU and memory.
NIPS is a single point of failure, which is considered a disadvantage; the same property also makes it simpler to maintain. This applies to all network devices, such as routers and switches, and can be overcome by designing the network accordingly (failover path, etc.).
A bypass switch can be implemented to alleviate the single-point-of-failure disadvantage. It also allows the NIPS appliance to be moved or taken off-line for maintenance when needed.
NIPS can detect events scattered over the network (e.g. a low-level event targeting many different hosts, such as a host scan or a worm) and react, whereas a HIPS only has the host's own data on which to decide; reporting it to a central decision engine and waiting for a block decision would take too long.
Honeypot

SIM
There are four major components of a SIM: the client components (the log collectors), a correlation engine, a signature database and a management console.
[Figure: events from many devices flow into the SIM, which provides consolidation, reporting, meta-alerting and traceability]
The correlation engine then analyses and validates the event logs sent by the log collector components, based on rules or statistics stored in the database.
Security professionals can view and monitor events related to various devices or servers in one single format and in one single console.
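The two sentences above, collector normalisation into one format and a rule in the correlation engine, as an added example (not code from the slides or from any SIM product). The two log formats, the log lines and the rule (three failed logons followed by a success from the same source within five minutes) are constructed for the illustration; Windows event IDs 4624/4625 are the real logon success/failure IDs, the surrounding line layout is not a real export format.

```python
# Added example (not from the slides): two collectors normalise different
# log formats into one record, then a rule-based correlation engine raises
# a meta-alert. Log lines and formats are constructed for this illustration.
import re
from datetime import datetime, timedelta

# Constructed Windows export: "<ts> EventID=<id> User=<user> Src=<ip>"
WINDOWS_RE = re.compile(
    r"^(?P<ts>\S+ \S+) EventID=(?P<id>\d+) User=(?P<user>\S+) Src=(?P<src>\S+)$")
# Linux sshd syslog line (ISO timestamp assumed in place of the syslog one)
SYSLOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+)")


def normalize(line, source):
    """Collector: map a raw line to the common event schema."""
    if source == "windows":
        m = WINDOWS_RE.match(line)
        outcome = {"4624": "success", "4625": "failure"}[m.group("id")]
    else:
        m = SYSLOG_RE.match(line)
        outcome = "success" if m.group("outcome") == "Accepted" else "failure"
    return {"ts": datetime.fromisoformat(m.group("ts")), "source": source,
            "user": m.group("user"), "src": m.group("src"), "outcome": outcome}


WINDOW = timedelta(minutes=5)
MIN_FAILURES = 3


def correlate(events):
    """Rule: >= MIN_FAILURES failures then a success for the same user from
    the same source within WINDOW, whichever devices logged the pieces."""
    alerts = []
    events = sorted(events, key=lambda e: e["ts"])
    for i, e in enumerate(events):
        if e["outcome"] != "success":
            continue
        fails = [f for f in events[:i]
                 if f["user"] == e["user"] and f["src"] == e["src"]
                 and f["outcome"] == "failure" and e["ts"] - f["ts"] <= WINDOW]
        if len(fails) >= MIN_FAILURES:
            alerts.append({"user": e["user"], "src": e["src"],
                           "failures": len(fails), "at": e["ts"]})
    return alerts


# Constructed log lines from two device types.
LOGS = [
    ("windows", "2009-05-01 03:12:00 EventID=4625 User=admin Src=203.0.113.9"),
    ("windows", "2009-05-01 03:12:20 EventID=4625 User=admin Src=203.0.113.9"),
    ("linux", "2009-05-01 03:13:05 sshd[811]: Failed password for admin from 203.0.113.9 port 51022 ssh2"),
    ("linux", "2009-05-01 03:14:40 sshd[812]: Accepted password for admin from 203.0.113.9 port 51030 ssh2"),
    ("linux", "2009-05-01 09:00:00 sshd[900]: Accepted password for alice from 10.0.0.5 port 40000 ssh2"),
]


def run(logs=LOGS):
    return correlate([normalize(line, source) for source, line in logs])


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Neither device on its own sees three failures for "admin"; the rule fires only because both collectors map their lines to the same user/source fields, which is the consolidation the slide describes.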
[Figure: correlation engine fed by the vulnerability scanner and asset management; analysis methods: statistical threat analysis, rule based, vulnerability based]

SIM VS SEM
According to Gartner:
"Security information and event management (SIEM) technology delivers two basic capabilities:
Security information management (SIM): SIM provides reporting and analysis of data primarily from host systems and applications, and secondarily from security devices to support regulatory compliance initiatives, internal threat management and security policy compliance management. SIM can be used to support the activities of the IT security, internal audit and compliance organizations.
Security event management (SEM): SEM improves security incident response capabilities. SEM processes near-real-time data from security devices, network devices and systems to provide real-time event management for security operations. SEM helps IT security operations personnel be more effective in responding to external and internal threats.
SIM and SEM require a common set of base functions, but they differ both in scope and the time frame for data analysis"
Eight Security Dimensions applied to each Security Perspective (layer and plane)
Access Control
Authentication
Non-repudiation
Data Confidentiality
Communication Security
Data Integrity
Availability: ensure network elements, services and applications are available to legitimate users. Examples: IDS/IPS, network redundancy, BC/DR
Privacy
Vulnerability Management
To overcome the growing risk posed by vulnerabilities, an organization must develop a formal vulnerability management program addressing the entire life cycle of vulnerability management as shown in FIG A. All of these must be supported by an underlying foundation of people, process and technology initiatives.
[FIG A: vulnerability management life cycle. Asset Management (asset profile, prioritization of assets, asset update) -> Vulnerability Assessment (vulnerabilities list) -> Remediation -> Monitoring -> Reporting (detailed report on vulnerability management); each stage feeds report information back]
Asset Management
To get a confident start to a VM process it is very important to have an accurate inventory and profile of what the infrastructure contains. For an organization of any significant size, this inventory will be complex and constantly changing as new components are added and existing components are retired. The below mentioned steps aid in making a comprehensive asset inventory.
Vulnerability Assessment
Once the network assets have been identified, a vulnerability assessment should be carried out to find the vulnerabilities existing in the network. Many software tools exist that can aid in the discovery (and sometimes removal) of vulnerabilities in a computer system: QualysGuard, GFI LANguard Network Security Scanner, Nessus.
Though these tools can provide a good overview of the possible vulnerabilities present, they cannot replace human judgment. Relying solely on scanners yields false positives and a limited-scope view of the problems present in the system. Therefore, a proper vulnerability assessment should use vulnerability scanner tools to identify potential vulnerabilities and then carry out a detailed vulnerability analysis to remove the false positives.
Penetration Test
Attack and Penetration Testing is a systematic approach to identifying weaknesses in deployed targets.
A target may be a network, a collection of hosts, or an application that is part of an organization, function or enterprise segment to be analyzed.
Penetration testing can be performed by anyone who is knowledgeable in this area and keeps up to date with the latest security news, penetration tools and research into attack techniques.

Types of Environment
Wireless Networks
DMZ environments
Internet Data Centers (IDC)
Portal Environment
Extranet
VPN Termination points
Remote Access points
Dial-In
Web Application
Database
Routers, switches, servers, FWs, IDSes
The organization as a whole
Individuals and their workstations
Other networking-capable devices

[Figure: penetration test phases: Scope/Goal Definition, Information Gathering, Penetration, Privilege Escalation, Attack, Clean Up, Reporting]

Frameworks
COBIT
ISO
ITIL
BITS
Etc.

SOX
Sarbanes-Oxley Act of 2002
Congress passed the Sarbanes-Oxley Act (SOX) in large part to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws.
Section 404 of Sarbanes-Oxley not only requires companies to establish and maintain an adequate internal control structure, but also to assess its effectiveness on an annual basis.
SOX
Administrative Access to Financial Systems
SOX Section 306 (a)(4) & (D)
Lists all logon and privileged access attempts by the Administrator or SU accounts.
Computer Account Logon Activity
ISO 17799 Section A.9.5.2
Sarbanes-Oxley sec 306 (a)(4) & (D)
Lists all local and remote logon activity for all monitored Windows, HP-UX, AIX Unix, Sun Solaris and Red Hat Linux systems.
Computer Account Logon Activity - Windows Detail
ISO 17799 Section A.9.5.2
Sarbanes-Oxley sec 306 (a)(4) & (D)
Lists all logon activity for all monitored Windows domains and systems. This report is specific to monitored Windows systems, but provides a greater level of detail than the Computer Account Logon Activity report.
PCI-DSS
Resource: Sensage
4. Security Attacks

Security Attacks
Security Flaws in IP
[Figure: hosts 1.1.1.1, 1.1.1.2 and 1.1.1.3 on one network, host 2.1.1.1 reached across the Internet; one host is labelled A]
IP fragmentation attack
End hosts need to keep the fragments until all the fragments arrive
Ping Flood
[Figure: the attacking system sends echo requests across the Internet to a broadcast-enabled network, whose hosts all reply to the victim system]

ICMP Attacks
No authentication
Many more
http://www.sans.org/rr/whitepapers/threats/477.php
Routing Attacks
BGP
ASes can announce arbitrary prefixes
ASes can alter the path
Could even happen due to misconfigurations
TCP Attacks
Client -> Server: SYN x
Server -> Client: SYN y | ACK x+1
Client -> Server: ACK y+1
Issues?
Server needs to keep state while waiting for ACK y+1 (exhaustible by a SYN flood)
Server recognizes the client only by IP address/port and y+1 (forgeable if y is predictable)
DNS insecurity
DNS poisoning
DNS zone transfer

An Example
Hosts: Stephen (S) and Trusted (T); S trusts T.
1. Reconnaissance, when no one is around: finger @S and showmount -e on S reveal what other systems S trusts (T).
2. Determine S's ISN behavior: send 20 SYN packets to S and observe the initial sequence numbers in its SYN|ACK replies.
3. SYN-flood T so that it cannot respond.
4. Send a SYN to S with T's source address. S sends its SYN|ACK to T (which is flooded and stays silent); the attacker never sees it but predicts the ISN and sends the ACK with the predicted value, completing the handshake as T.
5. Over the blind, one-way session, write "+ +" into .rhosts on S, so that any user from any host is trusted.
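The handshake issues listed under TCP Attacks and the five-step sequence above, as an added example (not code from the slides): an in-memory model of S with a constant-increment ISN, an attacker that probes, floods, spoofs and writes .rhosts blindly, and the same host with random ISNs to show where the attack stops. Host names, the ISN step, the port numbers and the rsh command are constructed; nothing touches the network.

```python
# Added example (not from the slides): in-memory model of the blind trust
# exploitation sequence. Host names "S"/"T", the ISN rule and the port
# numbers are constructed for this illustration; nothing touches the network.
import random


class Server:
    """S: accepts rsh-style commands from trusted address T without a password,
    and (like old BSD stacks) chooses each ISN by adding a constant."""
    ISN_STEP = 128_000

    def __init__(self, trusted):
        self.trusted = trusted
        self.isn = 1_000_000
        self.half_open = {}   # (peer, port) -> ISN we sent in the SYN|ACK
        self.sessions = set()
        self.rhosts = ""

    def syn(self, peer, port):
        """A SYN arrives claiming to be from (peer, port); SYN|ACK goes to peer."""
        self.isn += self.ISN_STEP
        self.half_open[(peer, port)] = self.isn
        return self.isn

    def ack(self, peer, port, ack_num):
        """S recognises the client only by address, port and ack number."""
        if self.half_open.get((peer, port)) == ack_num - 1:
            del self.half_open[(peer, port)]
            self.sessions.add((peer, port))
            return True
        return False

    def rsh(self, peer, port, command):
        """Trust check is by source address only; no password."""
        if (peer, port) in self.sessions and peer == self.trusted:
            if command == "echo + + >> .rhosts":
                self.rhosts += "+ +\n"   # now any user on any host is trusted
            return True
        return False


class RandomIsnServer(Server):
    """Same host with unpredictable ISNs (RFC 1948-style). The generator is
    seeded only to keep the example deterministic."""
    rng = random.Random(1)

    def syn(self, peer, port):
        self.isn = self.rng.getrandbits(32)
        self.half_open[(peer, port)] = self.isn
        return self.isn


def attack(server, trusted, spoofed_port=1023):
    """True if the attacker ends up writing '+ +' into S's .rhosts."""
    # 1. finger @S / showmount -e: learn that S trusts T (passed in here).
    # 2. Determine ISN behaviour: 20 real SYNs from the attacker's own address.
    probes = [server.syn("attacker", 40000 + i) for i in range(20)]
    step = probes[1] - probes[0]
    if any(b - a != step for a, b in zip(probes, probes[1:])):
        return False          # ISNs are not predictable; the blind spoof fails
    # 3. SYN-flood T so it cannot answer (modelled: T never sees, and so
    #    never resets, the SYN|ACK that S will send to it).
    # 4. Spoofed SYN "from T". S replies to T; the attacker never sees the
    #    SYN|ACK but predicts its ISN from the last probe.
    predicted = probes[-1] + step
    server.syn(trusted, spoofed_port)
    if not server.ack(trusted, spoofed_port, predicted + 1):
        return False
    # 5. One-way (blind) command over the spoofed session.
    return server.rsh(trusted, spoofed_port, "echo + + >> .rhosts")


if __name__ == "__main__":
    s = Server(trusted="T")
    print("predictable ISN:", attack(s, "T"), repr(s.rhosts))
    r = RandomIsnServer(trusted="T")
    print("random ISN:     ", attack(r, "T"), repr(r.rhosts))
```

The model makes the two "Issues?" concrete: S keeps a half-open entry per SYN (the state a flood exhausts), and it admits the third packet on nothing but address, port and y+1, so the whole attack rests on y being guessable.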
Denial of Service
Consume bandwidth
UDP floods
ICMP floods

Denial of Service
Coordinated DoS
[Figure: several attackers, each aimed at a different victim]
The first attacker attacks a different victim to cover up the real attack
The attacker usually spoofs the source address to hide the origin
Harder to deal with

Distributed DoS
[Figure: attacker -> handlers -> agents -> victim]

DDoS Defenses
Network Capabilities
Destination explicitly decides whether or not to allow packets
Indicates its decision by inserting capabilities in packets
Routers en route check for valid capabilities in subsequent packets
Issues?
Traffic Scrubbers
Sink all traffic to a back-end
Scrub, scrub, scrub
Issues?
Attacks
Man-in-the-middle
Replays
TCP Session hijacking
Social Engineering
Dumpster diving
Online attacks
Web defacement
[Figure: TCP state transitions during connection setup: Closed -> Listen -> SYN-received -> ACK-received / ACK-sent -> Established. Packets shown: SEQ = 750, ACK = 1001, CTL = SYN | ACK; then SEQ = 1000, ACK = 751, CTL = ACK]
Land attack
Smurf attack
Port scanning
Scanning the source and destination ports for both TCP and UDP for data capture
TCP ports are commonly monitored but UDP ports are not
Ping of death
The attacker sends an illegal echo packet with more bytes than allowed. Because it exceeds the maximum datagram size, it travels as fragments; when the receiver reassembles them, the data overruns its buffer, causing buffer overflows, kernel dumps and crashes.
This was made possible by some Windows OSs allowing non-standard ICMP (Internet Control Message Protocol) messages to be generated.
The maximum ICMP echo payload is 65,507 bytes (a 65,535-byte IP datagram minus the 20-byte IP and 8-byte ICMP headers). Any echo packet exceeding this size is fragmented by the sender, and the receiver tries to reconstitute a packet larger than 65,535 bytes, at which point the overflow occurs.
UDP-flood attack
IP Spoofing
ARP Poisoning
Hosts store the IP-to-MAC address mapping in the ARP table. ARP poisoning means that an attacker sends forged ARP replies so that a host (including the router) stores the attacker's MAC address against another host's IP address.
Example:
Assume the router's IP is 10.1.1.0
The host's IP is 10.1.1.1
A malicious host with IP 10.1.1.2 spoofs 10.1.1.1 and answers requests from 10.1.1.0 with its own MAC address
From this point on all packets meant for 10.1.1.1 are delivered to 10.1.1.2, because the router has the MAC address of 10.1.1.2 in its ARP table (cache) for 10.1.1.1
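The poisoning above as an added example (not code from the slides): a model of the router's ARP cache that, like classic stacks, accepts any reply, beside a cache that only learns from replies to its own requests and keeps static entries. The addresses are constructed; 10.1.1.254 stands in for the router here.

```python
# Added example (not from the slides): an ARP cache poisoned by a forged
# reply, beside a cache that only learns from replies it asked for. The
# addresses are constructed; 10.1.1.254 is assumed as the router here.
ROUTER, VICTIM, ATTACKER = "10.1.1.254", "10.1.1.1", "10.1.1.2"
MAC = {ROUTER: "00:00:5e:00:53:01",
       VICTIM: "00:00:5e:00:53:10",
       ATTACKER: "00:00:5e:00:53:66"}


class ArpCache:
    """Classic behaviour: any ARP reply, solicited or not, updates the cache."""

    def __init__(self):
        self.table = {}
        self.alerts = []

    def request(self, ip):
        pass                      # nothing to remember

    def reply(self, sender_ip, sender_mac):
        self.table[sender_ip] = sender_mac

    def next_hop_mac(self, ip):
        return self.table.get(ip)


class GuardedArpCache(ArpCache):
    """Accepts a reply only if it answers an outstanding request, and never
    overwrites static entries; anything else is logged as an alert."""

    def __init__(self, static=None):
        super().__init__()
        self.static = dict(static or {})
        self.table.update(self.static)
        self.pending = set()

    def request(self, ip):
        self.pending.add(ip)

    def reply(self, sender_ip, sender_mac):
        if sender_ip in self.static:
            if self.static[sender_ip] != sender_mac:
                self.alerts.append(f"{sender_ip} claimed by {sender_mac}, "
                                   f"static entry is {self.static[sender_ip]}")
            return
        if sender_ip not in self.pending:
            self.alerts.append(f"unsolicited reply: {sender_ip} is-at {sender_mac}")
            return
        self.pending.discard(sender_ip)
        self.table[sender_ip] = sender_mac


def poison(router):
    """The router resolves VICTIM legitimately, then the attacker forges a
    reply 'VICTIM is-at ATTACKER-MAC'. Returns the MAC the router will now
    use for frames addressed to VICTIM."""
    router.request(VICTIM)
    router.reply(VICTIM, MAC[VICTIM])          # genuine answer
    router.reply(VICTIM, MAC[ATTACKER])        # forged, unsolicited
    return router.next_hop_mac(VICTIM)


if __name__ == "__main__":
    print("classic cache   ->", poison(ArpCache()))
    guarded = GuardedArpCache()
    print("guarded cache   ->", poison(guarded), guarded.alerts)
    pinned = GuardedArpCache(static={VICTIM: MAC[VICTIM]})
    print("static entry    ->", poison(pinned), pinned.alerts)
```

The classic cache ends up forwarding the victim's traffic to the attacker's MAC; the guarded cache keeps the genuine mapping and records the forged reply, which is the signal an ARP-watching tool or a switch's dynamic ARP inspection would raise.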
Web Spoofing
DNS Spoofing
Replays
A replay attack captures traffic while it is in transit and reuses it later to gain access to systems.
Example:
The hacker sniffs the login information of a valid user.
Even if the information is encrypted, the hacker replays the captured login information to fool the system and gains access.
Replays
[Figure: a sniffer captures the user's id and password on the way to the server; the hacker later replays the same id and password to the server]
This means that the hacker has directed traffic to his server instead of the trusted server that the victim assumes it is talking to.
To hijack a session, the hacker ARP-poisons the router so that all traffic is routed to his computer before it is delivered to the victim.
See Figure 3-14 (p. 68) in the book for details of the IP and MAC addresses needed to understand this type of attack.
Dictionary attack
Birthday attack
Countermeasures

5. Software Exploitation

Software Exploitation
Software exploitation
Malicious software (virus and worm)
Back door
Logic bombs
Malicious code
[Table: Type / Characteristics. Types listed: Virus, Trojan horse, Logic bomb, Time bomb, Trapdoor, Worm, Rabbit; the characteristics column did not survive extraction]
Viruses
String of computer code that attaches to other programs and replicates
File infectors: oldest type of virus, now mostly extinct
Boot-sector viruses: reside on the boot portion of a disk. Also mostly extinct
Macro viruses: written in a scripting language and affect data files, not programs. The future of viruses
No absolute cure for viruses
Antivirus programs work, but need continual updating
Virus makers depend on the laziness of users to let virus definitions get out of date
Virus
A virus self-replicates.
Early viruses (1980s to mid-90s) were placed in the boot sector of hard and floppy drives, as they would not show up in the directory listing.
The second type of virus is known as a parasitic virus. This was prevalent in the mid-90s. A parasitic virus attaches to files and infects files of type exe, sys, com, dll, bin, drv.
The third virus type is the multipartite virus. This infected both the boot sector and files. It was also common in the mid-90s.
The current virus type is known as the macro virus. These are application-specific as opposed to operating-system-specific. They propagate rapidly through email. Most macro viruses are written in Visual Basic for Applications (VBA) and exploit Microsoft applications such as Outlook.
A virus is a program that reproduces itself by attaching its code to another program.
Viruses require human intervention to spread.
Melissa and I LOVE YOU spread by e-mail.
Worms actively replicate without a helper program.
A worm is a subclass of virus, but does not require user intervention.
Sasser and Blaster targeted machines with out-of-date software.
Antivirus
Antivirus software is a term used to describe a computer program that attempts to identify, neutralize or eliminate malicious software. This type of software is so named because the earliest examples were designed exclusively to combat computer viruses; however, most modern antivirus software is now designed to combat a wide range of threats, including worms, phishing attacks, rootkits and trojan horses.
Good viruses
Hiding places
Boot sector
Memory-resident viruses
Macro, library etc. viruses
[Figure: boot-sector infection. Normal process: bootstrap loader -> system initialization. After infection: bootstrap loader -> virus code -> system initialization]
Effect                        | How caused?
Attach to executable program  | Modify file directory; write to executable file
Attach to data                | Modify directory; rewrite data; append to data; append data to itself
Spread infection              | Intercept interrupts and modify handlers; intercept OS call; modify system file; modify ordinary executables
Malware
Malware is software designed to infiltrate or damage a computer system without the
owner's informed consent. It is a portmanteau of the words "malicious" and
"software". The expression is a general term used by computer professionals to mean
a variety of forms of hostile, intrusive, or annoying software or program code.
Software is considered malware based on the perceived intent of the creator rather
than any particular features. It includes computer viruses, worms, trojan horses, most
rootkits, spyware, dishonest adware, and other malicious and unwanted software. In
law, malware is sometimes known as a computer contaminant.
Vulnerability to Malware
In this context, as throughout, it should be borne in mind that the system under attack may be of various types, e.g. a single computer and operating system, a network or an application.
Various factors make a system more vulnerable to malware:
Homogeneity: e.g. when all computers in a network run the same OS, if you can break that OS, you can break into any computer running it.
Defects: most systems contain errors which may be exploited by malware.
Unconfirmed code: code from a floppy disk, CD-ROM or USB device may be executed without the user's agreement.
Over-privileged users: some systems allow all users to modify their internal structures.
Over-privileged code: most popular systems give code executed by a user all the rights of that user.
Types of Malware
1. Worms and viruses are computer programs that replicate themselves without human intervention. The difference is that a virus attaches itself to, and becomes part of, another executable (i.e., runnable) program, whereas a worm is self-contained and does not need to be part of another program to replicate itself.
2. A trojan, or trojan horse, is software that is disguised as a legitimate program in order to entice users to download and install it. In contrast to worms and viruses, trojans are not directly self-replicating. They can be designed to do various harmful things, including corrupting files, erasing data and installing other types of malware.
3. A backdoor (usually written as a single word) is any hidden method for obtaining remote access to a computer or other system. Backdoors typically work by allowing someone or something with knowledge of them to use special password(s) and/or other actions to bypass the normal authentication (e.g., user name and password) procedure on a remote machine (i.e., a computer located elsewhere on the Internet or other network) to gain access to the all-powerful root (i.e., administrative) account.
Trojan Horse
Login Spoofing
Logic Bombs
Piece of code, in the OS or an application, which stays dormant until a certain time has elapsed or an event has occurred
The event could be a missing employee record in payroll
Could act as a Trojan horse/virus once triggered
Also called slag code or time bomb
Recovery options for a firm include:
Calling the police
Rehiring the programmer
Trap Doors
Buffer Overflow

Threats against the network, the host and the application
Threats against the network. Examples:
Port scanning
Using trace routing to detect network topologies
Using broadcast requests to enumerate subnet hosts
Eavesdropping
SYN floods
ICMP echo request floods
Malformed packets
Spoofing
Threats against the host. Examples:
Buffer overflows in ISAPI DLLs (e.g., MS01-033)
Directory traversal attacks (MS00-078)
File disclosure
Unauthorized access
Threats against the application. Examples:
SQL injection
Cross-site scripting
Hidden-field tampering
Eavesdropping
Session hijacking
Identity spoofing
Information disclosure
Session Management
Session hijacking
Session Management
1st Try:
  rbcSetCookie("F100","1/WL2/6a0yKsQJ13A3B4NnSan97lZARQN69zCMZDoezJ5De0AX8bD5S5HScdvXE2DMuVESNApHR2SE5WNwRs4ngmvuEQ__/XQAAAA__/S0/PB", null, "/");
2nd Try:
  rbcSetCookie("F100","1/WK2/H2BlqWdlkC28v8o1dYQkeA9l3p5hmAEK3LsHyree7gKBXvuWQgoGy52i5QDSsmOc4CasIZ7YqOBcUeuac96oyg__/XQAAAA__/S0/PB", null, "/");
Things to try:
Save code, modify and resubmit with new values
Modify cookie
Re-use the same cookie 1 day later
Test limits
Test hidden forms and variables
Change variables
Expiry?
Cross-Site Scripting
A web application takes input from a user but fails to validate the input; the input is echoed directly in a web page.
The input could be malicious JavaScript: when echoed and interpreted in the destination browser, any number of issues could result.
Modified URL
URL parameters are modified to contain script code
The input is not validated and is displayed as entered on the resulting dynamic web page
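The "modified URL" case above, as an added example (not code from the slides): a handler that reflects the name parameter as entered, beside the same handler with output encoding, run on a constructed URL that carries script code in the parameter. The URL and the handler names are assumptions.

```python
# Added example (not from the slides): a page that reflects the "name" URL
# parameter into HTML, once as entered and once escaped. The URL and the
# handler names are constructed for this illustration.
from html import escape
from urllib.parse import parse_qs, urlsplit


def param(url, name):
    """First value of a query-string parameter, or '' if absent."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_vulnerable(url):
    # Input is not validated and is displayed as entered: whatever the
    # attacker put in the URL becomes part of the page the browser interprets.
    return "<p>Hello, " + param(url, "name") + "!</p>"


def render_escaped(url):
    # Output encoding turns '<', '>', '&' and quotes into entities, so the
    # browser renders the payload as text instead of executing it.
    return "<p>Hello, " + escape(param(url, "name"), quote=True) + "!</p>"


# Constructed modified URL carrying script code in the parameter.
ATTACK_URL = ("http://www.example.com/hello"
              "?name=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E")

if __name__ == "__main__":
    print(render_vulnerable(ATTACK_URL))
    print(render_escaped(ATTACK_URL))
```

Escaping is chosen for the context the value lands in: html.escape with quote=True covers text content and quoted attribute values; a value placed inside a script block or a URL needs the encoding for that context instead.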
SQL injection
SQL injection is a security vulnerability that occurs in the database layer of an application.
The trick is to inject a Structured Query Language (SQL) query or command as input via web pages.
SQL statements are injected into an existing SQL command.
Injection occurs through malformed application input:
Text box
Query string
Manipulated values in HTML
SQL injection
Example of attack:
SQL query in web application code:
  "SELECT * FROM users WHERE login = '" + userName + "' AND password = '" + password + "';"
Hacker logs in as: ' or ''=''; --
  SELECT * FROM users WHERE login = '' or ''=''; --'; and password='';
Hacker deletes the users table with: '; DROP TABLE users; --
  SELECT * FROM users WHERE login = ''; DROP TABLE users; --'; and password='';

The unexpected:
Username: ' OR 1=1 --
Password: (left empty)
  SELECT COUNT(*) FROM Users WHERE username='' OR 1=1 -- ' and password=''
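The concatenated login query above beside the parameterised form, as an added example (not code from the slides): both run against an in-memory SQLite table with constructed rows. The table layout and the test accounts are assumptions. Only the "' OR 1=1 --" bypass is demonstrated: sqlite3's execute() runs a single statement and raises an error on a stacked "; DROP TABLE users", so whether the DROP variant works depends on the database driver, not only on the concatenation.

```python
# Added example (not from the slides): the slide's concatenated login query
# beside a parameterised one, run against an in-memory SQLite table with
# constructed rows. The table layout and the test accounts are assumptions.
import sqlite3


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (login TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "correct horse"), ("bob", "hunter2")])
    return db


def login_vulnerable(db, user_name, password):
    # Input becomes part of the SQL text, exactly as in the slide.
    query = ("SELECT COUNT(*) FROM users WHERE login = '" + user_name +
             "' AND password = '" + password + "'")
    return db.execute(query).fetchone()[0] > 0


def login_safe(db, user_name, password):
    # Placeholders: the driver passes the values separately from the SQL
    # text, so quotes and comment markers in the input never alter the
    # statement; the input is compared as a plain string.
    query = "SELECT COUNT(*) FROM users WHERE login = ? AND password = ?"
    return db.execute(query, (user_name, password)).fetchone()[0] > 0


PAYLOAD = "' OR 1=1 --"   # WHERE becomes: login = '' OR 1=1 --' AND password = ''

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, attacker:", login_vulnerable(db, PAYLOAD, ""))      # True
    print("safe, attacker:     ", login_safe(db, PAYLOAD, ""))            # False
    print("safe, real user:    ", login_safe(db, "alice", "correct horse"))  # True
```

The "--" at the end of the payload is what makes it work: it comments out the "AND password = ''" tail, so the OR 1=1 is not narrowed back down by the password check.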
Thank You