Security+ Guide to Network
Security Fundamentals,
Fifth Edition
Chapter 3
Application and Networking-Based
Attacks
Objectives
 List and explain the different types of server-side
web application attacks
 Define client-side attacks
 Explain how overflow attacks work
 List different types of networking-based attacks
Security+ Guide to Network Security Fundamentals, Fifth Edition
Conceptual Networked System
 Network used to connect different clients and
servers together
 Clients and servers run an operating system
 Operating system controls applications
 Applications manipulate data
 Each represents an attack vector to exploit
 Attacks on the applications in a networked
computer system can be directed toward the
server, the client, or both
Conceptual Networked Computer
System (Figure 3-1)
Server-Side Web Application Attacks
 Content provided for users who are surfing the
Web is generated by a software application
running on a server
 In providing web services to clients, web servers
also expose those same services to attackers
 An important characteristic of server-side web
applications is that they create dynamic content based
on input from the user
Server-Side Web Application Process
 Client's web browser makes a request using the
Hypertext Transport Protocol (HTTP) to a web server
 Server may be connected to one or more web
application servers
 Application servers run the specific web apps,
which in turn are directly connected to databases on
internal network
 Information from databases retrieved and returned to
web server so dynamic information can be sent back
to the user's web browser
Server-Side Web Application
Infrastructure (Figure 3-2)
Securing Web Applications
 Securing server-side web applications often
considered more difficult than protecting other
systems
 Traditional network security devices cannot always
block web application attacks because many
traditional network security devices ignore the
content of HTTP traffic, which is the vehicle of web
application attacks
Zero Day Attacks
 Many web application attacks (as well as other
application attacks) exploit previously unknown
vulnerabilities
 Zero day attacks - Exploit previously unknown
vulnerabilities so victims have no time to prepare or
defend
Common Application Attacks
 Many server-side web application attacks target the
input that the applications accept from users
 Common web application attacks:
Cross-site scripting
SQL injection
XML injection
Command injection/directory traversal
Cross-Site Scripting
 Not all attacks on websites are designed to steal
content or deface it
 Some attacks use web server as a platform to
launch attacks on other computers that access it
 Cross-site scripting (XSS) - Injects scripts into
web application server to direct attacks at
unsuspecting clients
 Many web applications are designed to customize
content for user by taking what user enters and
then displaying that input back to user
Customized Responses (Table 3-1)
Cross-Site Scripting Platform
 Cross-site scripting attacks occur when attacker
takes advantage of web applications that accept
user input without validation and then present back
to user
 For example:
 Input that the user enters for Name is not verified
 Instead it is automatically added to a code segment
that becomes part of an automated response
 An attacker can use this vulnerability in an XSS attack
by tricking a valid website into feeding malicious script
to another user's web browser to execute
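As an added example (not code from the textbook), the pattern described above in Python: a page that echoes a submitted Name field straight back, beside the same page with HTML escaping applied. The names and inputs are constructed for illustration.

```python
import html

# Constructed "Name" inputs that a bookmark page might echo back (not from the textbook).
BENIGN_NAME = "Alice"
SCRIPT_NAME = '<script>alert("xss")</script>'


def render_unsafe(name: str) -> str:
    """Vulnerable pattern: the submitted name is concatenated straight into the response,
    so any markup it contains is interpreted by the next browser that loads the page."""
    return f"<p>Welcome back, {name}!</p>"


def render_safe(name: str) -> str:
    """Hardened pattern: escape the input for the HTML element context before it is
    placed in the response. The text is displayed, never executed."""
    return f"<p>Welcome back, {html.escape(name, quote=True)}!</p>"


def render_attribute_safe(name: str) -> str:
    """Attribute context needs the quotes escaped too (quote=True handles " and '),
    otherwise a value could close the attribute and add an event handler."""
    return f'<input type="text" name="name" value="{html.escape(name, quote=True)}">'


def contains_raw_script_tag(rendered: str) -> bool:
    """Illustrative check only: does an unescaped <script tag survive in the output?"""
    return "<script" in rendered.lower()
```

Escaping is context-specific: `html.escape` is correct for element bodies and quoted attributes, but a value placed inside a `<script>` block or a URL needs a different encoder. The defence belongs at the output point, not only at input validation.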
Bookmark Page That Accepts User
Input (Figure 3-3)
Input Used In Response (Figure 3-4)
SQL Injection
 SQL (Structured Query Language) - Used to
manipulate data stored in relational database
 SQL Injection - Targets SQL servers by
introducing malicious commands
Forgotten Password Example
 Forgotten password example:
 Attacker enters an incorrectly formatted e-mail address
 Response lets attacker know whether input is being
validated
 Attacker enters a SQL statement in the email field
 Statement processed by the database
 Example statement:
SELECT fieldlist FROM table WHERE field
= 'whatever' or 'a'='a'
 Result is all user email addresses will be displayed
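As an added example (not code from the textbook), the forgotten-password lookup above reproduced against an in-memory SQLite table: one version builds the WHERE clause by string concatenation, the other binds the input as a parameter and validates its shape first. The table contents, the e-mail pattern and the payload string are constructed for illustration.

```python
import re
import sqlite3

# Loose e-mail shape used for input validation (illustrative, not from the textbook).
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

# Input modelled on the slide's example statement: it closes the quoted value,
# then appends a condition that is always true.
PAYLOAD = "whatever' or 'a'='a"


def build_db() -> sqlite3.Connection:
    """In-memory table with a few constructed user rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT NOT NULL, hint TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice@example.com", "first pet"),
         ("bob@example.com", "home town"),
         ("carol@example.com", "school")],
    )
    return conn


def looks_like_email(value: str) -> bool:
    return EMAIL_RE.fullmatch(value) is not None


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """Builds the WHERE clause by concatenation: the input becomes part of the SQL text."""
    sql = f"SELECT email FROM users WHERE email = '{email}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, email: str) -> list:
    """Bound parameter: the database treats the whole input as a value, never as SQL."""
    rows = conn.execute("SELECT email FROM users WHERE email = ?", (email,))
    return [row[0] for row in rows]


def lookup_hardened(conn: sqlite3.Connection, email: str) -> list:
    """Validate the shape first, then query with a bound parameter."""
    if not looks_like_email(email):
        return []
    return lookup_parameterized(conn, email)
```

With the payload, the concatenated query returns every row; the parameterized query returns nothing because the database compares the literal string `whatever' or 'a'='a` against the column. Validation alone is a weaker defence than parameterization, since it only rejects inputs whose shape the pattern anticipates.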
SQL Injection Statements (Table 3-2)
XML (Extensible Markup Language)
 Markup language - Method for adding annotations
to text
 Example is HTML:
 Uses tags surrounded by brackets
 Instructs browser to display text in specific format
 XML (Extensible Markup Language):
 Carries data instead of indicating how to display it
 No predefined set of tags
 Users define their own tags
XML Attack
 XML Attack - Similar to SQL injection attack
 Attacker discovers Web site that does not filter user
data
 Injects XML tags and data into the database
 Xpath injection:
 Specific type of XML injection attack
 Attempts to exploit XML Path Language queries
Directory Traversal/Command
Injection
 Web server users typically restricted to root
directory
 Users may be able to access subdirectories but not
parallel or higher level directories
 Helps to protect sensitive files
 Directory traversal - Uses malformed input or
takes advantage of vulnerability to move from root
directory to restricted directories
 Command injection - Attacker enters commands
to execute on server or view confidential files
Directory Traversal Attack (Figure 3-6)
Client-Side Application Attacks
 Web application attacks are server-side attacks
 Client-side attacks target vulnerabilities in client
applications:
 Interacting with a compromised server
 Client initiates connection with server, which could
result in an attack
Drive-By Download
 Drive-by download:
 Client computer compromised simply by viewing a
Web page
 Attackers inject content into vulnerable Web server
to gain access to server's operating system
 Attackers craft a zero-pixel frame to avoid visual
detection
 Embed an HTML document inside main document
 Client's browser downloads malicious script
 Instructs computer to download malware
HTTP Header
 HTTP header consists of fields that characterize
data being transmitted
 Header fields consist of:
 Field name
 Colon
 Field value
 Example: Content-length: 49
 HTTP header field names and values may be any
application-specific strings, but core set
standardized by Internet Engineering Task Force
HTTP Header Fields (Table 3-3)
Header Manipulation
 HTTP header manipulation - Attack modifies
HTTP headers
 HTTP header manipulation is not an actual attack but
rather the vehicle through which other attacks, such
as XSS, can be launched
 HTTP header manipulation allows an attacker to
pass malicious instructions from own malicious
website or through an infected site to the web
browser via HTTP headers
HTTP Header Attacks
 Examples of HTTP header attacks:
 Referer - Can bypass security by modifying Referer
field to hide the fact that the request came from
another site
 Accept-Language - Because some web applications
pass contents of field directly to database, attacker
can inject SQL command by modifying header
 Response splitting - Inserting a CRLF in an HTTP
header can give attackers control of the remaining
HTTP headers and body of the response
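As an added example (not code from the textbook) covering both the header-field structure described on the HTTP Header slide and the response-splitting item above: a small parser for `Name: value` header lines, and a redirect builder that refuses a CR or LF in the value it places in a header. The header values and the tainted redirect target are constructed for illustration.

```python
def parse_header_fields(raw_headers: str) -> dict:
    """Parse CRLF-terminated 'Name: value' lines into a dict with lower-cased names.
    The first empty line ends the header block; anything after it is the body."""
    fields = {}
    for line in raw_headers.split("\r\n"):
        if line == "":
            break
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        fields[name.strip().lower()] = value.strip()
    return fields


def check_header_value(value: str) -> str:
    """Reject CR or LF: either one lets the value terminate its header line and
    start a new header (or, after a blank line, a new body)."""
    if "\r" in value or "\n" in value:
        raise ValueError("CR/LF not allowed in a header value")
    return value


def build_redirect(target: str, validate: bool = True) -> str:
    """Raw 302 response. validate=False reproduces the vulnerable pattern in which an
    application copies user input into the Location header unchecked."""
    if validate:
        check_header_value(target)
    return ("HTTP/1.1 302 Found\r\n"
            f"Location: {target}\r\n"
            "Content-Length: 0\r\n"
            "\r\n")


def response_headers(raw_response: str) -> dict:
    """Strip the status line and parse the remaining header block."""
    _status, _, rest = raw_response.partition("\r\n")
    return parse_header_fields(rest)


# Constructed inputs (not from the textbook).
CLEAN_TARGET = "/account/home"
TAINTED_TARGET = "/account/home\r\nSet-Cookie: session=attacker-chosen"
```

Parsing the unvalidated response back shows the injected `Set-Cookie` field appearing as a header of its own; the validated builder raises before any such response is produced. Web frameworks generally apply this check in their header-setting API, so the point for a reviewer is whether any code path writes headers around that API.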
Cookies
 Cookies - Store user-specific information on user's
local computer
 Web sites use cookies to identify repeat visitors
 Examples of information:
 Travel Web sites may store user's travel itinerary
 Personal information provided when visiting a site
 Only Web site that created a cookie can read it
Types of Cookies
 First-party cookie - Cookie created by Web site
user currently visiting
 Third-party cookie - Site advertisers (third parties)
place cookie to record user preferences
 Session cookie - Stored in RAM and expires when
browser is closed
 Persistent cookie - Recorded on computer's hard
drive and does not expire when browser closes
Locally Shared Object (LSO)
 Locally shared object (LSO) or Flash cookie - Named
after the Adobe Flash player
 Different from regular cookies:
 Store more complex data
 Store up to 100 KB of data from a website (25 times
the data of a regular cookie)
 Cannot be deleted through browser's normal
configuration settings
 Saved in multiple locations on hard drive
 Can be used to reinstate regular cookies that user
deleted or blocked
Risks of Cookies
 Cookies have security and privacy risks
 First-party cookies can be stolen and used to
impersonate the user
 Third-party cookies can be used to track the
browsing or buying habits of a user
 When multiple websites are serviced by a single
marketing organization, cookies can be used to
track browsing habits on all clients' sites
Attachments
 Attachments - Files that are coupled to email
messages
 Malicious attachments commonly used to spread
viruses, Trojans, and other malware when opened
 Most users routinely open any email attachment
received even if from an unknown sender
 Attackers often include information in the subject
line that entices even reluctant users to open the
attachment, such as a current event
Session Token
 User accessing secure web application needs to be
verified to prevent an imposter from jumping into
the interaction
 Session token - Random string assigned to the
interaction between a user and the web application
currently being accessed (the session), used for
verification
 Web application server assigns a unique session
token
 Each subsequent request from user's web browser to
web application contains session token verifying user
identity
Session Hijacking
 Session hijacking - Attacker attempts to
impersonate the user by using the user's session token
 Attacker can attempt to obtain session token:
 Use XSS or other attacks to steal the session token
cookie from the victim's computer
 Eavesdropping on the transmission
 Guessing the session token (successful if generation
of session tokens not truly random)
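As an added example (not code from the textbook) for the Session Token and Session Hijacking slides: a session store that issues tokens from the operating system's CSPRNG, keeps only a hash of each token so a copied table cannot be replayed, and expires them; beside it, a sequential token scheme of the kind the last bullet warns about, where observing one token is enough to predict the next. The user names, TTL and clock are constructed for illustration.

```python
import hashlib
import secrets
import time


def weak_token(counter: int) -> str:
    """Predictable scheme: a zero-padded counter. Seeing one value reveals the next."""
    return f"{counter:08d}"


def guess_next_weak_token(observed: str) -> str:
    """What an observer can do with a sequential token: add one."""
    return weak_token(int(observed) + 1)


class SessionStore:
    """Issues high-entropy tokens and stores only their SHA-256 digests."""

    def __init__(self, ttl_seconds: int = 900, clock=time.time):
        self._ttl = ttl_seconds
        self._clock = clock            # injectable so expiry can be tested deterministically
        self._by_hash = {}             # sha256(token) -> (user, expiry timestamp)

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user: str) -> str:
        token = secrets.token_urlsafe(32)     # 256 bits from the OS CSPRNG, URL-safe text
        self._by_hash[self._digest(token)] = (user, self._clock() + self._ttl)
        return token

    def resolve(self, presented: str):
        """Return the user bound to a presented token, or None if unknown or expired."""
        key = self._digest(presented)
        entry = self._by_hash.get(key)
        if entry is None:
            return None
        user, expiry = entry
        if self._clock() >= expiry:
            self._by_hash.pop(key, None)
            return None
        return user

    def revoke(self, token: str) -> None:
        """Server-side logout: the token stops resolving immediately."""
        self._by_hash.pop(self._digest(token), None)
```

Storing digests means the lookup key is itself a hash of the secret, so a dictionary lookup suffices and no constant-time comparison of raw tokens is needed. Short lifetimes and server-side revocation limit the window in which a stolen or eavesdropped token is useful; transmitting the cookie only over TLS addresses the eavesdropping bullet directly.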
Session Hijacking Attack (Figure 3-7)
Plug-Ins and Add-Ons
 Tools can be added to enhance the user's interaction
with a website through the web browser
 Plug-in - Third-party library (Java, Adobe Flash
player, Apple QuickTime, Adobe Acrobat Reader)
that attaches to web browser and can be embedded
inside a webpage (but affects only specific page)
 Add-ons or extensions - Tools that add functionality
to the web browser itself
Malicious Add-Ons
 Attackers can create malicious add-ons to launch
attacks against user's computer
 ActiveX - Set of rules for how applications under the
Microsoft Windows operating system should share
information
 ActiveX controls (add-ons) - Specific way of
implementing ActiveX and are sometimes called
ActiveX applications
 ActiveX controls can be invoked from webpages
through the use of a scripting language or directly by
HTML command
Impartial Overflow Attacks
 Impartial attacks can target either server or client
 Many of these attacks are designed to overflow areas
of memory with instructions from the attacker
 Types of attacks:
 Buffer overflow attacks
 Integer overflow attacks
 Arbitrary/remote code execution attacks
Buffer Overflow Attack
 Buffer overflow attack - Process attempts to store
data in RAM beyond boundaries of fixed-length
storage buffer
 Data overflows into adjacent memory locations
 Attacker can change return address of memory
location of code and redirect to memory address
containing malware code
Buffer Overflow Attack (Figure 3-8)
Integer Overflow
 Integer overflow - Condition occurs when result of
arithmetic operation (addition or multiplication)
exceeds the maximum size of the integer type used
to store it
 When overflow occurs, the interpreted value then
wraps around from maximum value to minimum
value
Integer Overflow Attack
 Example:
 8-bit signed integer has a maximum value of 127 and
a minimum value of -128
 If the value 127 is stored in a variable and 1 is added
to it, the sum exceeds the maximum value for this
integer type
 Wraps around to become -128
 Integer overflow attack - Attacker changes value
of variable to something outside the range
programmer had intended by using an integer
overflow
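As an added example (not code from the textbook), the wrap-around above carried through in Python, which has unbounded integers and so needs the fixed width applied explicitly: an 8-bit signed wrap reproducing the 127 + 1 case, a checked addition that reports the overflow instead of wrapping, and a 32-bit unsigned size computation of the kind that lets a wrapped product pass a length check. The widths and the sample operands are constructed for illustration.

```python
def wrap_signed(value: int, bits: int = 8) -> int:
    """Reinterpret an unbounded integer as a two's-complement value of the given width."""
    mask = (1 << bits) - 1
    value &= mask
    if value >= 1 << (bits - 1):          # top bit set: negative in two's complement
        value -= 1 << bits
    return value


def wrap_unsigned(value: int, bits: int = 32) -> int:
    """Reinterpret as an unsigned value of the given width (modulo 2**bits)."""
    return value & ((1 << bits) - 1)


def checked_add(a: int, b: int, bits: int = 8) -> int:
    """Signed addition that raises instead of wrapping when the result does not fit."""
    low, high = -(1 << (bits - 1)), (1 << (bits - 1)) - 1
    result = a + b
    if result < low or result > high:
        raise OverflowError(f"{a} + {b} does not fit in a signed {bits}-bit integer")
    return result


def checked_mul_unsigned(a: int, b: int, bits: int = 32) -> int:
    """Unsigned multiplication that raises instead of wrapping."""
    result = a * b
    if result > (1 << bits) - 1:
        raise OverflowError(f"{a} * {b} does not fit in an unsigned {bits}-bit integer")
    return result


def allocation_size(count: int, item_size: int) -> int:
    """Mimics a C-style size computation in 32-bit unsigned arithmetic: the product wraps,
    so a very large count can produce a small allocation that later gets overrun."""
    return wrap_unsigned(count * item_size, 32)
```

The `allocation_size` case is the link between the integer overflow slide and the buffer overflow slide: 0x40000001 items of 4 bytes wrap to a 4-byte allocation, and a subsequent copy driven by the original count overruns it. Compilers and libraries provide checked arithmetic builtins for exactly this reason.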
Arbitrary/Remote Code Execution
 Heap spray - Targeted to insert data only in certain
parts of memory
 Arbitrary/remote code execution - Allows
attacker to run programs and execute commands
on different computer
 Once under the attacker's control, computer can
perform virtually any command from the attacker
 Arbitrary/remote code execution attacks often take
advantage of malicious attachments like Microsoft
Visio file or PDF file
Network Attacks
 Attackers place high priority on targeting networks
 Exploiting single vulnerability may expose
hundreds or thousands of devices to an attacker
 Types of attacks that target a network or network
process:
Denial of service
Interception
Poisoning
Attacks on access rights
Denial of Service (DoS)
 Denial of service (DoS) - Attempts to prevent
system from performing normal functions
 Distributed denial of service (DDoS) - Uses
thousands of zombie computers in a botnet
 Ping flood attack - Ping utility used to send large
number of echo request messages and overwhelms
server
 Smurf attack - Ping request with originating address
changed (spoofing) and appears as if target
computer is asking for response from all computers
on the network
SYN Flood Attack
 SYN flood attack - Takes advantage of procedures
for establishing connection
 Attacker sends SYN segments in IP packets to server
but modifies source address of each packet to
computer addresses that do not exist or cannot be
reached
 Server continues to wait for a response (which is not
coming) while receiving more false requests and
keeping more lines open for responses
 Server ultimately runs out of resources and can no
longer respond to legitimate requests
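As an added example (not code from the textbook), detection logic for the condition described above: a connection log is replayed and every SYN that never receives the client's final ACK is counted as a half-open connection per server, so a server accumulating many of them stands out. The log format and its lines are constructed for illustration.

```python
from collections import defaultdict

# Constructed connection log (not from the textbook): "time source destination flags".
# S = SYN from client, SA = SYN-ACK from server, A = final ACK from client.
# 10.0.0.5 and 10.0.0.8 complete their handshakes; the 203.0.113.x / 198.51.100.x
# sources never answer the SYN-ACK, which is what spoofed, unreachable addresses look like.
SAMPLE_LOG = """\
1 10.0.0.5 192.168.1.10:80 S
1 192.168.1.10:80 10.0.0.5 SA
1 10.0.0.5 192.168.1.10:80 A
2 203.0.113.9 192.168.1.10:80 S
2 192.168.1.10:80 203.0.113.9 SA
2 203.0.113.17 192.168.1.10:80 S
2 192.168.1.10:80 203.0.113.17 SA
3 198.51.100.4 192.168.1.10:80 S
3 192.168.1.10:80 198.51.100.4 SA
3 198.51.100.77 192.168.1.10:80 S
3 192.168.1.10:80 198.51.100.77 SA
4 203.0.113.250 192.168.1.10:80 S
4 192.168.1.10:80 203.0.113.250 SA
4 10.0.0.8 192.168.1.20:443 S
4 192.168.1.20:443 10.0.0.8 SA
4 10.0.0.8 192.168.1.20:443 A
"""


def half_open_by_server(log_text: str) -> dict:
    """Count, per server, the SYNs still waiting for the client's ACK at the end of the log."""
    pending = {}                        # (client, server) -> time the SYN was seen
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, flags = line.split()
        if flags == "S":
            pending[(src, dst)] = int(ts)
        elif flags == "A":
            pending.pop((src, dst), None)
        # "SA" is the server's reply; it does not change the half-open state
    counts = defaultdict(int)
    for (_client, server) in pending:
        counts[server] += 1
    return dict(counts)


def syn_flood_alerts(log_text: str, threshold: int = 4) -> list:
    """Servers whose half-open count reaches the threshold, sorted for stable output."""
    return sorted(server for server, n in half_open_by_server(log_text).items() if n >= threshold)
```

In production the same counter would run over a sliding time window and compare against the server's normal backlog; a fixed threshold is used here only to make the idea concrete. Mitigations such as SYN cookies remove the per-connection state the attack exhausts rather than trying to filter the spoofed sources.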
SYN Flood Attack (Figure 3-9)
Interception
 Man-in-the-middle - Interception of legitimate
communication
 Forging a fictitious response to the sender
 Passive attack records transmitted data, active
attack alters contents of transmission before sending
to recipient
 Replay - Similar to passive man-in-the-middle attack
 Replay makes a copy of the transmission before
sending it to the recipient for use at a later time (the
man-in-the-middle replays it)
ARP Poisoning
 ARP poisoning
 Attacker modifies MAC address in ARP cache to
point to different computer
Table 3-4 ARP poisoning attack
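As an added example (not code from the textbook), a minimal ARP watcher of the kind used to detect the cache modification described above: it records the IP-to-MAC binding announced by each ARP reply and raises an alert when an IP that was already bound is claimed by a different MAC, or when one MAC claims several IPs. The replies and addresses are constructed for illustration.

```python
# Constructed ARP reply events seen on one LAN segment (not from the textbook): (sender_ip, sender_mac).
ARP_EVENTS = [
    ("192.168.1.1",  "00:11:22:33:44:01"),   # gateway announces itself
    ("192.168.1.50", "00:11:22:33:44:50"),   # a workstation
    ("192.168.1.1",  "00:11:22:33:44:01"),   # routine refresh, same binding
    ("192.168.1.1",  "de:ad:be:ef:00:99"),   # gateway IP now claimed by a different MAC
    ("192.168.1.50", "de:ad:be:ef:00:99"),   # the same MAC now also claims the workstation
]


class ArpWatch:
    """Tracks IP -> MAC bindings and flags the two symptoms of a poisoned cache."""

    def __init__(self):
        self.table = {}      # ip -> mac (lower-cased)
        self.alerts = []     # human-readable findings, in the order they were raised

    def observe(self, ip: str, mac: str) -> list:
        """Record one ARP reply; return the alerts this single event produced."""
        mac = mac.lower()
        new_alerts = []
        previous = self.table.get(ip)
        if previous is not None and previous != mac:
            new_alerts.append(f"ip {ip} changed from {previous} to {mac}")
        self.table[ip] = mac
        claimed = sorted(i for i, m in self.table.items() if m == mac)
        if len(claimed) > 1:
            new_alerts.append(f"mac {mac} claims multiple ips: {claimed}")
        self.alerts.extend(new_alerts)
        return new_alerts


def replay(events: list) -> ArpWatch:
    """Feed a list of (ip, mac) replies through a fresh watcher."""
    watcher = ArpWatch()
    for ip, mac in events:
        watcher.observe(ip, mac)
    return watcher
```

A binding change is not always malicious (a replaced network card produces one too), so the alert is a prompt for investigation rather than a verdict. The second symptom, one MAC answering for both the gateway and a host, is the characteristic shape of the man-in-the-middle case listed in Table 3-5.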
Attacks From ARP Poisoning (Table 3-5)
Table 3-5 Attacks from ARP poisoning
DNS Poisoning
 Domain Name System - Current basis for name
resolution to IP address
 DNS poisoning - Substitutes DNS addresses to
redirect computer to another device
 Two locations for DNS poisoning:
 Local host table
 External DNS server
Sample HOSTS file (Figure 3-11)
DNS Poisoning (Figure 3-12)
Attacks on Access Rights
 Privilege escalation - Exploiting software
vulnerability to gain access to restricted data
 Two types of privilege escalation:
 Vertical privilege escalation - User with lower
privilege uses privilege escalation to grant self
access to functions reserved for higher-privilege users
 Horizontal privilege escalation - User with restricted
privileges accesses the different restricted functions
of a similar user
Transitive Trust
 Transitive - Relation with the property that if a
relation exists between A and B, and there is also a
relation between B and C, then there is a relation
between A and C
 Transitive trust - If Alice trusts Bob, and Bob trusts
Carol, then Alice trusts Carol
Transitive Access
 Transitive trust can result in transitive access:
System 1 can access System 2, and because
System 2 can access System 3, then System 1 can
access System 3
 Intention may not be for System 1 to access
System 3, but instead for System 1 to be restricted
to accessing only System 2
 Inadvertent and unauthorized access can result in
serious security risks
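As an added example (not code from the textbook) for the Transitive Trust and Transitive Access slides: given only the direct access rules, compute the transitive closure and report every pair that becomes reachable without being directly granted. Run on the System 1/2/3 and Alice/Bob/Carol relations from the slides, it surfaces exactly the unintended System 1 to System 3 path. The rule tables are constructed from the slides' examples.

```python
# Constructed direct access rules modelled on the slide (not from the textbook's own code):
# each system may reach only the systems listed for it.
DIRECT_ACCESS = {
    "System 1": {"System 2"},
    "System 2": {"System 3"},
    "System 3": set(),
}

# The trust example from the previous slide, in the same shape.
DIRECT_TRUST = {
    "Alice": {"Bob"},
    "Bob": {"Carol"},
}


def transitive_closure(direct: dict) -> dict:
    """Extend each node's reachable set through its neighbours until nothing changes."""
    reach = {node: set(targets) for node, targets in direct.items()}
    for node in list(reach):
        for target in list(reach[node]):
            reach.setdefault(target, set())      # nodes that only appear as targets
    changed = True
    while changed:
        changed = False
        for node, targets in reach.items():
            extra = set()
            for target in targets:
                extra |= reach[target]
            if not extra <= targets:
                targets |= extra
                changed = True
    return reach


def unintended_reach(direct: dict) -> set:
    """Pairs (source, target) reachable through chaining but not granted directly.
    These are the relationships an access review should confirm or remove."""
    closure = transitive_closure(direct)
    return {
        (source, target)
        for source, targets in closure.items()
        for target in targets
        if target not in direct.get(source, set())
    }
```

The closure grows quickly in real environments (trusts between directories, service accounts with cross-system credentials, network ACLs), which is why the slide's warning about inadvertent access holds: every direct rule should be read together with the rules of the systems it reaches.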