Support
Eng
Рус
Company
Home page
Services
Solutions
Documentation
News and Events
Company
 
 
 
Knowledgebase
Downloads
Glossary
Ask a Question
Search:     Advanced search
SHALB.com / Security Knowledgebase / Web Application Security / Attack / Web Application Attack

Web Application Attack
Article ID: 2
Last updated: 06 May, 2008
Print
Email to friend
Add comment
Views: 129
Comments: 0
Posted: 06 May, 2008
by: Tech Pubs S.
Updated: 06 May, 2008
by: Tech Pubs S.

What is an attack?

Attacks are the techniques that attackers use to exploit the vulnerabilities in applications. Attacks are often confused with vulnerabilities, so please try to be sure that the attack you are describing is something that an attacker would do, rather than a weakness in an application.

Overview

When you incorporate security features into your application's design, implementation, and deployment, it helps to have a good understanding of how attackers think. By thinking like attackers and being aware of their likely tactics, you can be more effective when applying countermeasures. This chapter describes the classic attacker methodology and profiles the anatomy of a typical attack.

This chapter analyzes Web application security from the perspectives of threats, countermeasures, vulnerabilities, and attacks. The following set of core terms are defined to avoid confusion and to ensure they are used in the correct context.

  • Asset. A resource of value such as the data in a database or on the file system, or a system resource
  • Threat. A potential occurrence — malicious or otherwise — that may harm an asset
  • Vulnerability. A weakness that makes a threat possible
  • Attack (or exploit). An action taken to harm an asset
  • Countermeasure. A safeguard that addresses a threat and mitigates risk

Anatomy of an Attack

By understanding the basic approach used by attackers to target your Web application, you will be better equipped to take defensive measures because you will know what you are up against. The basic steps in attacker methodology are summarized below and illustrated in Figure 2.1:

  • Survey and assess
  • Exploit and penetrate
  • Escalate privileges
  • Maintain access
  • Deny service

Figure 2.1

Basic steps for attacking methodology

Survey and Assess

Surveying and assessing the potential target are done in tandem. The first step an attacker usually takes is to survey the potential target to identify and assess its characteristics. These characteristics may include its supported services and protocols together with potential vulnerabilities and entry points. The attacker uses the information gathered in the survey and assess phase to plan an initial attack.

For example, an attacker can detect a cross-site scripting (XSS) vulnerability by testing to see if any controls in a Web page echo back output.

Exploit and Penetrate

Having surveyed a potential target, the next step is to exploit and penetrate. If the network and host are fully secured, your application (the front gate) becomes the next channel for attack.

For an attacker, the easiest way into an application is through the same entrance that legitimate users use — for example, through the application's logon page or a page that does not require authentication.

Escalate Privileges

After attackers manage to compromise an application or network, perhaps by injecting code into an application or creating an authenticated session with the Microsoft® Windows® 2000 operating system, they immediately attempt to escalate privileges. Specifically, they look for administration privileges provided by accounts that are members of the Administrators group. They also seek out the high level of privileges offered by the local system account.

Using least privileged service accounts throughout your application is a primary defense against privilege escalation attacks. Also, many network level privilege escalation attacks require an interactive logon session.

Maintain Access

Having gained access to a system, an attacker takes steps to make future access easier and to cover his or her tracks. Common approaches for making future access easier include planting back-door programs or using an existing account that lacks strong protection. Covering tracks typically involves clearing logs and hiding tools. As such, audit logs are a primary target for the attacker.

Log files should be secured, and they should be analyzed on a regular basis. Log file analysis can often uncover the early signs of an attempted break-in before damage is done.

Deny Service

Attackers who cannot gain access often mount a denial of service attack to prevent others from using the application. For other attackers, the denial of service option is their goal from the outset. An example is the SYN flood attack, where the attacker uses a program to send a flood of TCP SYN requests to fill the pending connection queue on the server. This prevents other users from establishing network connections.

Understanding Threat Categories

While there are many variations of specific attacks and attack techniques, it is useful to think about threats in terms of what the attacker is trying to achieve. This changes your focus from the identification of every specific attack — which is really just a means to an end — to focusing on the end results of possible attacks.

STRIDE

Threats faced by the application can be categorized based on the goals and purposes of the attacks. A working knowledge of these categories of threats can help you organize a security strategy so that you have planned responses to threats. STRIDE is the acronym used at Microsoft to categorize different threat types. STRIDE stands for:

  • Spoofing. Spoofing is attempting to gain access to a system by using a false identity. This can be accomplished using stolen user credentials or a false IP address. After the attacker successfully gains access as a legitimate user or host, elevation of privileges or abuse using authorization can begin.
  • Tampering. Tampering is the unauthorized modification of data, for example as it flows over a network between two computers.
  • Repudiation. Repudiation is the ability of users (legitimate or otherwise) to deny that they performed specific actions or transactions. Without adequate auditing, repudiation attacks are difficult to prove.
  • Information disclosure. Information disclosure is the unwanted exposure of private data. For example, a user views the contents of a table or file he or she is not authorized to open, or monitors data passed in plaintext over a network. Some examples of information disclosure vulnerabilities include the use of hidden form fields, comments embedded in Web pages that contain database connection strings and connection details, and weak exception handling that can lead to internal system level details being revealed to the client. Any of this information can be very useful to the attacker.
  • Denial of service. Denial of service is the process of making a system or application unavailable. For example, a denial of service attack might be accomplished by bombarding a server with requests to consume all available system resources or by passing it malformed input data that can crash an application process.
  • Elevation of privilege. Elevation of privilege occurs when a user with limited privileges assumes the identity of a privileged user to gain privileged access to an application. For example, an attacker with limited privileges might elevate his or her privilege level to compromise and take control of a highly privileged and trusted process or account.

STRIDE Threats and Countermeasures

Each threat category described by STRIDE has a corresponding set of countermeasure techniques that should be used to reduce risk. These are summarized in Table 2.1. The appropriate countermeasure depends upon the specific attack. More threats, attacks, and countermeasures that apply at the network, host, and application levels are presented later in this chapter.

Table 2.1   STRIDE Threats and Countermeasures

Threat Countermeasures
Spoofing user identity Use strong authentication.

Do not store secrets (for example, passwords) in plaintext.

Do not pass credentials in plaintext over the wire.

Protect authentication cookies with Secure Sockets Layer (SSL).
Tampering with data Use data hashing and signing.

Use digital signatures.

Use strong authorization.

Use tamper-resistant protocols across communication links.

Secure communication links with protocols that provide message integrity.
Repudiation Create secure audit trails.

Use digital signatures.
Information disclosure Use strong authorization.

Use strong encryption.

Secure communication links with protocols that provide message confidentiality.

Do not store secrets (for example, passwords) in plaintext.
Denial of service Use resource and bandwidth throttling techniques.

Validate and filter input.
Elevation of privilege Follow the principle of least privilege and use least privileged service accounts to run processes and access resources.

Network Threats and Countermeasures

The primary components that make up your network infrastructure are routers, firewalls, and switches. They act as the gatekeepers guarding your servers and applications from attacks and intrusions. An attacker may exploit poorly configured network devices. Common vulnerabilities include weak default installation settings, wide open access controls, and devices lacking the latest security patches. Top network level threats include:

  • Information gathering
  • Sniffing
  • Spoofing
  • Session hijacking
  • Denial of service

Information Gathering

Network devices can be discovered and profiled in much the same way as other types of systems. Attackers usually start with port scanning. After they identify open ports, they use banner grabbing and enumeration to detect device types and to determine operating system and application versions. Armed with this information, an attacker can attack known vulnerabilities that may not be updated with security patches.

Countermeasures to prevent information gathering include:

  • Configure routers to restrict their responses to footprinting requests.
  • Configure operating systems that host network software (for example, software firewalls) to prevent footprinting by disabling unused protocols and unnecessary ports.

Sniffing

Sniffing or eavesdropping is the act of monitoring traffic on the network for data such as plaintext passwords or configuration information. With a simple packet sniffer, an attacker can easily read all plaintext traffic. Also, attackers can crack packets encrypted by lightweight hashing algorithms and can decipher the payload that you considered to be safe. The sniffing of packets requires a packet sniffer in the path of the server/client communication.

Countermeasures to help prevent sniffing include:

  • Use strong physical security and proper segmenting of the network. This is the first step in preventing traffic from being collected locally.
  • Encrypt communication fully, including authentication credentials. This prevents sniffed packets from being usable to an attacker. SSL and IPSec (Internet Protocol Security) are examples of encryption solutions.

Spoofing

Spoofing is a means to hide one's true identity on the network. To create a spoofed identity, an attacker uses a fake source address that does not represent the actual address of the packet. Spoofing may be used to hide the original source of an attack or to work around network access control lists (ACLs) that are in place to limit host access based on source address rules.

Although carefully crafted spoofed packets may never be tracked to the original sender, a combination of filtering rules prevents spoofed packets from originating from your network, allowing you to block obviously spoofed packets.

Countermeasures to prevent spoofing include:

  • Filter incoming packets that appear to come from an internal IP address at your perimeter.
  • Filter outgoing packets that appear to originate from an invalid local IP address.

Session Hijacking

Also known as man in the middle attacks, session hijacking deceives a server or a client into accepting the upstream host as the actual legitimate host. Instead the upstream host is an attacker's host that is manipulating the network so the attacker's host appears to be the desired destination.

Countermeasures to help prevent session hijacking include:

  • Use encrypted session negotiation.
  • Use encrypted communication channels.
  • Stay informed of platform patches to fix TCP/IP vulnerabilities, such as predictable packet sequences.

Denial of Service

Denial of service denies legitimate users access to a server or services. The SYN flood attack is a common example of a network level denial of service attack. It is easy to launch and difficult to track. The aim of the attack is to send more requests to a server than it can handle. The attack exploits a potential vulnerability in the TCP/IP connection establishment mechanism and floods the server's pending connection queue.

Countermeasures to prevent denial of service include:

  • Apply the latest service packs.
  • Harden the TCP/IP stack by applying the appropriate registry settings to increase the size of the TCP connection queue, decrease the connection establishment period, and employ dynamic backlog mechanisms to ensure that the connection queue is never exhausted.
  • Use a network Intrusion Detection System (IDS) because these can automatically detect and respond to SYN attacks.

Host Threats and Countermeasures

Host threats are directed at the system software upon which your applications are built. This includes Windows 2000, Microsoft Windows Server 2003, Internet Information Services (IIS), the .NET Framework, and SQL Server depending upon the specific server role. Top host level threats include:

  • Viruses, Trojan horses, and worms
  • Footprinting
  • Profiling
  • Password cracking
  • Denial of service
  • Arbitrary code execution
  • Unauthorized access

Viruses, Trojan Horses, and Worms

A virus is a program that is designed to perform malicious acts and cause disruption to your operating system or applications. A Trojan horse resembles a virus except that the malicious code is contained inside what appears to be a harmless data file or executable program. A worm is similar to a Trojan horse except that it self-replicates from one server to another. Worms are difficult to detect because they do not regularly create files that can be seen. They are often noticed only when they begin to consume system resources because the system slows down or the execution of other programs halt. The Code Red Worm is one of the most notorious to afflict IIS; it relied upon a buffer overflow vulnerability in a particular ISAPI filter.

Although these three threats are actually attacks, together they pose a significant threat to Web applications, the hosts these applications live on, and the network used to deliver these applications. The success of these attacks on any system is possible through many vulnerabilities such as weak defaults, software bugs, user error, and inherent vulnerabilities in Internet protocols.

Countermeasures that you can use against viruses, Trojan horses, and worms include:

  • Stay current with the latest operating system service packs and software patches.
  • Block all unnecessary ports at the firewall and host.
  • Disable unused functionality including protocols and services.
  • Harden weak, default configuration settings.

Footprinting

Examples of footprinting are port scans, ping sweeps, and NetBIOS enumeration that can be used by attackers to glean valuable system-level information to help prepare for more significant attacks. The type of information potentially revealed by footprinting includes account details, operating system and other software versions, server names, and database schema details.

Countermeasures to help prevent footprinting include:

  • Disable unnecessary protocols.
  • Lock down ports with the appropriate firewall configuration.
  • Use TCP/IP and IPSec filters for defense in depth.
  • Configure IIS to prevent information disclosure through banner grabbing.
  • Use an IDS that can be configured to pick up footprinting patterns and reject suspicious traffic.

Password Cracking

If the attacker cannot establish an anonymous connection with the server, he or she will try to establish an authenticated connection. For this, the attacker must know a valid username and password combination. If you use default account names, you are giving the attacker a head start. Then the attacker only has to crack the account's password. The use of blank or weak passwords makes the attacker's job even easier.

Countermeasures to help prevent password cracking include:

  • Use strong passwords for all account types.
  • Apply lockout policies to end-user accounts to limit the number of retry attempts that can be used to guess the password.
  • Do not use default account names, and rename standard accounts such as the administrator's account and the anonymous Internet user account used by many Web applications.
  • Audit failed logins for patterns of password hacking attempts.

Denial of Service

Denial of service can be attained by many methods aimed at several targets within your infrastructure. At the host, an attacker can disrupt service by brute force against your application, or an attacker may know of a vulnerability that exists in the service your application is hosted in or in the operating system that runs your server.

Countermeasures to help prevent denial of service include:

  • Configure your applications, services, and operating system with denial of service in mind.
  • Stay current with patches and security updates.
  • Harden the TCP/IP stack against denial of service.
  • Make sure your account lockout policies cannot be exploited to lock out well known service accounts.
  • Make sure your application is capable of handling high volumes of traffic and that thresholds are in place to handle abnormally high loads.
  • Review your application's failover functionality.
  • Use an IDS that can detect potential denial of service attacks.

Arbitrary Code Execution

If an attacker can execute malicious code on your server, the attacker can either compromise server resources or mount further attacks against downstream systems. The risks posed by arbitrary code execution increase if the server process under which the attacker's code runs is over-privileged. Common vulnerabilities include weak IIS configuration and unpatched servers that allow path traversal and buffer overflow attacks, both of which can lead to arbitrary code execution.

Countermeasures to help prevent arbitrary code execution include:

  • Configure IIS to reject URLs with "../" to prevent path traversal.
  • Lock down system commands and utilities with restricted ACLs.
  • Stay current with patches and updates to ensure that newly discovered buffer overflows are speedily patched.

Unauthorized Access

Inadequate access controls could allow an unauthorized user to access restricted information or perform restricted operations. Common vulnerabilities include weak IIS Web access controls, including Web permissions and weak NTFS permissions.

Countermeasures to help prevent unauthorized access include:

  • Configure secure Web permissions.
  • Lock down files and folders with restricted NTFS permissions.
  • Use .NET Framework access control mechanisms within your ASP.NET applications, including URL authorization and principal permission demands.

Application Threats and Countermeasures

A good way to analyze application-level threats is to organize them by application vulnerability category. The various categories used in the subsequent sections of this chapter and throughout the guide, together with the main threats to your application, are summarized in Table 2.2.

Table 2.2   Threats by Application Vulnerability Category

Category Threats
Input validation Buffer overflow; cross-site scripting; SQL injection; canonicalization
Authentication Network eavesdropping; brute force attacks;

dictionary attacks; cookie replay; credential theft
Authorization Elevation of privilege; disclosure of confidential data; data tampering; luring attacks
Configuration management Unauthorized access to administration interfaces; unauthorized access to configuration stores; retrieval of clear text configuration data; lack of individual accountability; over-privileged process and service accounts
Sensitive data Access sensitive data in storage; network eavesdropping; data tampering
Session management Session hijacking; session replay; man in the middle
Cryptography Poor key generation or key management; weak or custom encryption
Parameter manipulation Query string manipulation; form field manipulation; cookie manipulation; HTTP header manipulation
Exception management Information disclosure; denial of service
Auditing and logging User denies performing an operation; attacker exploits an application without trace; attacker covers his or her tracks

Input Validation

Input validation is a security issue if an attacker discovers that your application makes unfounded assumptions about the type, length, format, or range of input data. The attacker can then supply carefully crafted input that compromises your application.

When network and host level entry points are fully secured; the public interfaces exposed by your application become the only source of attack. The input to your application is a means to both test your system and a way to execute code on an attacker's behalf. Does your application blindly trust input? If it does, your application may be susceptible to the following:

  • Buffer overflows
  • Cross-site scripting
  • SQL injection
  • Canonicalization

The following section examines these vulnerabilities in detail, including what makes these vulnerabilities possible.
This article was:   Helpful | Not Helpful Add comment
Also listed in
folder Web Application Security

Prev   Next
Web Application Security     Abuse of Functionality

RSS
Powered by KBPublisher (Knowledge base software)