alexsandros's blog

Server-Side Web Application Attacks

  Securing server-side web applications is often considered more difficult than protecting other systems

  Traditional network security devices can block traditional network attacks, but cannot always block web application attacks

  • Many network security devices ignore the content of HTTP traffic

  Zero-day attack - an attack that exploits previously unknown vulnerabilities; victims have no time to prepare for or defend against the attack

  Many server-side web application attacks target the input that the applications accept from users

  Common web application attacks include:

  • Cross-site scripting
  • SQL injection
  • XML injection
  • Command injection/directory traversal


Cross-site scripting

   Injecting scripts into a Web application server to direct attacks at unsuspecting clients.

   When victim visits injected Website:

  • Malicious instructions are sent to victim’s browser

   Some XSS attacks are designed to steal information:

  • Retained by the browser when visiting specific sites

   An XSS attack requires that a website meet two criteria:

  • Accepts user input without validating it
  • Uses input in a response
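An added Python example, not part of the original notes, that shows the two criteria as code: a handler that echoes an unvalidated parameter into its HTML response, beside one that applies an allowlist check (criterion 1) and HTML output encoding (criterion 2). The function names, the name pattern and the probe string are assumptions made for this illustration.

```python
import html
import re

# Allowlist for a "display name" parameter (hypothetical policy for this example):
# letters, spaces, apostrophes and hyphens only, at most 40 characters.
NAME_PATTERN = re.compile(r"^[A-Za-z][A-Za-z' -]{0,39}$")

# Constructed probe string: a script tag supplied as the name parameter.
SAMPLE_INPUT = "<script>alert(1)</script>"


def is_valid_name(name):
    """Criterion 1 defence: reject input that does not match the allowlist."""
    return bool(NAME_PATTERN.match(name))


def render_greeting_unsafe(name):
    """Meets both XSS criteria: no validation, and the raw input is echoed
    into the HTML response, so any tags it contains are parsed by the browser."""
    return "<p>Hello, " + name + "</p>"


def render_greeting_safe(name):
    """Criterion 2 defence: HTML output encoding. Metacharacters become
    entities, so the input is displayed as text rather than interpreted as markup."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def handle_request(name):
    """Hypothetical request handler combining both defences.
    Returns (status_code, body)."""
    if not is_valid_name(name):
        return 400, "<p>Invalid name.</p>"
    return 200, render_greeting_safe(name)


if __name__ == "__main__":
    print("unsafe: ", render_greeting_unsafe(SAMPLE_INPUT))
    print("safe:   ", render_greeting_safe(SAMPLE_INPUT))
    print("handler:", handle_request(SAMPLE_INPUT))
```

Validation alone is not enough where the application must accept arbitrary text (comments, free-form fields), which is why the encoding step is applied on output regardless of what the validator allowed.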


Client-Side Application Attacks

• Web application attacks are server-side attacks

• Client-side attacks target vulnerabilities in client applications that interact with a compromised server or process malicious data

• The client initiates the connection with the server, which could result in an attack.


Client-Side Attacks

 Cookies

    • Cookies store user-specific information on the user’s local computer

 Types of cookies:

    • First-party cookie - cookie created by the website the user is currently viewing.

    • Third-party cookie - site advertisers place a cookie to record user preferences.

    • Session cookie - stored in RAM and expires when browser is closed.

    • Persistent cookie - recorded on computer’s hard drive and does not expire when the browser closes

         • Also called a tracking cookie

    • Locally shared object (LSO) - can store up to 100 KB of data from a website

         • More complex than the simple text found in a regular cookie

         • Also called a Flash cookie
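An added Python example (not from the original notes) that parses Set-Cookie headers and labels each cookie with the types listed above: session versus persistent is decided by the presence of Expires or Max-Age, and first-party versus third-party by comparing the cookie's domain with the site the user is viewing. The header values and host names are constructed for the example.

```python
def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attributes).
    Attribute names are lower-cased; flag attributes map to an empty string."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        if attr:
            key, _, val = attr.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def classify_cookie(header, response_host, page_host):
    """Label a cookie by lifetime and party.

    response_host: host that sent the Set-Cookie header
    page_host:     host of the page the user is viewing
    """
    name, _value, attrs = parse_set_cookie(header)
    # Expires or Max-Age makes the cookie persistent (written to disk);
    # without either it lives in memory and is dropped when the browser closes.
    persistent = "expires" in attrs or "max-age" in attrs
    # The Domain attribute defaults to the responding host. The cookie is
    # first-party when that domain matches (or is a parent of) the viewed site.
    domain = (attrs.get("domain") or response_host).lstrip(".").lower()
    page = page_host.lower()
    first_party = page == domain or page.endswith("." + domain)
    return {
        "name": name,
        "lifetime": "persistent" if persistent else "session",
        "party": "first-party" if first_party else "third-party",
        "httponly": "httponly" in attrs,
        "secure": "secure" in attrs,
    }


# Constructed sample: (responding host, header) pairs seen while viewing shop.example.
SAMPLE_RESPONSES = [
    ("shop.example", "sessionid=abc123; Path=/; HttpOnly; Secure"),
    ("shop.example", "prefs=dark; Max-Age=31536000; Path=/"),
    ("ads.example", "track=xyz; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Domain=.ads.example"),
]


def audit(responses, page_host="shop.example"):
    """Classify every cookie in a list of (responding host, header) pairs."""
    return [classify_cookie(header, host, page_host) for host, header in responses]


if __name__ == "__main__":
    for row in audit(SAMPLE_RESPONSES):
        print(row)
```

The HttpOnly and Secure flags are reported as well because they are the attributes a reviewer checks first on a session cookie: HttpOnly keeps the cookie out of reach of page scripts, which limits what a successful XSS can steal, and Secure keeps it off plaintext connections.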


Denial of Service (DoS)

 Denial of service (DoS)

        • A deliberate attempt to prevent authorized users from accessing a system by overwhelming it with requests

 Most DoS attacks today are distributed denial of service (DDoS)

        • Using hundreds or thousands of zombie computers in a botnet to flood a device with requests


 Ping flood attack

  • The ping utility is used to send a large number of ICMP echo request messages
  • In a ping flood attack, multiple computers rapidly send a large number of ICMP echo requests to a server

              • Server will drop legitimate connections and refuse new connections


 Smurf attack

  • Tricks devices into responding to false requests to an unsuspecting victim
  • An attacker broadcasts a ping request to all computers on the network but changes the address from which the request came (called spoofing)
  • Appears as if victim’s computer is asking for response from all computers on the network
  • All computers send a response to the victim’s computer so that it is overwhelmed and crashes or becomes unavailable to legitimate users


 SYN flood attack

  • Takes advantage of procedures for initiating a session

 In a SYN flood attack against a web server:

  • The attacker sends SYN segments in IP packets to the server
  • Attacker modifies the source address of each packet to computer addresses that do not exist or cannot be reached
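An added Python example, not taken from the original notes, with detection logic for the three flood patterns above run over constructed traffic records: it counts ICMP echo requests per target (ping flood), echo replies arriving at a host that sent no requests (the smurf pattern), and SYNs with no completing ACK from the same source (half-open connections, the SYN flood pattern). The record format, thresholds, window size and addresses are assumptions for the example.

```python
from collections import Counter, defaultdict

WINDOW_SECONDS = 1.0   # fixed one-second buckets (assumed tuning values)
SYN_THRESHOLD = 50     # half-open connections per target per window
ICMP_THRESHOLD = 200   # echo requests or unsolicited replies per target per window


def build_sample_traffic():
    """Constructed records: (timestamp, src, dst, proto, flags)."""
    records = [
        # one legitimate handshake: SYN followed by the client's ACK
        (0.00, "10.0.0.5", "203.0.113.10", "tcp", "S"),
        (0.05, "10.0.0.5", "203.0.113.10", "tcp", "A"),
    ]
    # SYN flood: 60 SYNs from 60 different sources that never complete
    for i in range(60):
        records.append((1.0 + i * 0.01, f"198.51.100.{i + 1}", "203.0.113.10", "tcp", "S"))
    # ping flood: three hosts sending 100 echo requests each within one second
    for h in range(3):
        for j in range(100):
            records.append((2.0 + j * 0.005, f"192.0.2.{h + 1}", "203.0.113.10", "icmp", "echo-request"))
    # smurf pattern: 250 echo replies reach 203.0.113.20, which sent no requests
    for i in range(250):
        records.append((3.0 + i * 0.002, f"172.16.0.{i % 50 + 1}", "203.0.113.20", "icmp", "echo-reply"))
    return records


def detect_floods(records, window=WINDOW_SECONDS,
                  syn_threshold=SYN_THRESHOLD, icmp_threshold=ICMP_THRESHOLD):
    """Return sorted alerts of the form (kind, target, bucket, count)."""
    echo_requests = Counter()       # (dst, bucket) -> echo requests received
    echo_replies = Counter()        # (dst, bucket) -> echo replies received
    request_senders = set()         # hosts that sent at least one echo request
    half_open = defaultdict(set)    # (dst, bucket) -> sources with an unanswered SYN
    for ts, src, dst, proto, flags in sorted(records):
        bucket = int(ts // window)
        if proto == "icmp" and flags == "echo-request":
            echo_requests[(dst, bucket)] += 1
            request_senders.add(src)
        elif proto == "icmp" and flags == "echo-reply":
            echo_replies[(dst, bucket)] += 1
        elif proto == "tcp" and flags == "S":
            half_open[(dst, bucket)].add(src)
        elif proto == "tcp" and "A" in flags:
            # an ACK from the same source completes the handshake
            half_open[(dst, bucket)].discard(src)
    alerts = []
    for (dst, bucket), n in echo_requests.items():
        if n >= icmp_threshold:
            alerts.append(("ping_flood", dst, bucket, n))
    for (dst, bucket), n in echo_replies.items():
        # replies to a host that never asked: the amplification pattern
        if n >= icmp_threshold and dst not in request_senders:
            alerts.append(("smurf_replies", dst, bucket, n))
    for (dst, bucket), srcs in half_open.items():
        if len(srcs) >= syn_threshold:
            alerts.append(("syn_flood", dst, bucket, len(srcs)))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in detect_floods(build_sample_traffic()):
        print(alert)
```

The SYN-flood count is keyed on distinct sources with an outstanding SYN rather than on raw SYN volume, which matches the note that the flooding packets carry source addresses that never answer; a busy but legitimate server sees many SYNs that are soon followed by ACKs and is not flagged.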


Poisoning

 Poisoning

  • The act of introducing a substance that harms or destroys

 Two types of attacks inject “poison” into a normal network process to facilitate an attack:

  • ARP poisoning
  • DNS poisoning

 ARP Poisoning

  • Attacker modifies MAC address in ARP cache to point to a different computer

 DNS poisoning

  • Domain Name System is the current basis for name resolution to IP address
  • DNS poisoning substitutes DNS addresses to redirect a computer to another device

 Two locations for DNS poisoning

  • Local host table
  • External DNS server
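An added Python example (not from the original notes) with two defender-side checks for the poisoning attacks above: the first compares two ARP-cache snapshots and reports IP addresses whose MAC changed, plus MACs that now claim several IPs; the second scans a hosts-file body (the local host table) for entries that pin a watched domain to a non-loopback address. The snapshots, hosts-file lines and domain names are constructed for the example.

```python
import ipaddress
from collections import defaultdict


def detect_arp_changes(baseline, current):
    """Compare ARP-cache snapshots given as {ip: mac} dicts.

    Returns (changed, duplicates): IPs whose MAC differs from the baseline,
    and MACs that are bound to more than one IP in the current snapshot."""
    changed = {}
    for ip, mac in current.items():
        old = baseline.get(ip)
        if old is not None and old.lower() != mac.lower():
            changed[ip] = (old.lower(), mac.lower())
    by_mac = defaultdict(set)
    for ip, mac in current.items():
        by_mac[mac.lower()].add(ip)
    duplicates = {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}
    return changed, duplicates


def find_hosts_overrides(hosts_text, watched_domains):
    """Return (line_number, hostname, ip) for hosts-file lines that map a
    watched domain to a non-loopback address; such a line bypasses DNS."""
    watched = {d.lower() for d in watched_domains}
    overrides = []
    for lineno, raw in enumerate(hosts_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # not a valid hosts entry
        for name in fields[1:]:
            if name.lower() in watched and not ip.is_loopback:
                overrides.append((lineno, name.lower(), str(ip)))
    return overrides


# Constructed ARP-cache snapshots: the gateway's MAC changes, and the new MAC also claims .30
ARP_BASELINE = {"192.168.1.1": "00:11:22:33:44:55", "192.168.1.20": "66:77:88:99:aa:bb"}
ARP_CURRENT = {
    "192.168.1.1": "DE:AD:BE:EF:00:01",
    "192.168.1.20": "66:77:88:99:aa:bb",
    "192.168.1.30": "de:ad:be:ef:00:01",
}

# Constructed hosts-file body with one entry overriding a watched domain
HOSTS_SAMPLE = "\n".join([
    "127.0.0.1   localhost",
    "::1         localhost",
    "# constructed entry that pins a watched domain",
    "203.0.113.77  bank.example www.bank.example",
    "192.168.1.50  printer.lan",
])
WATCHED_DOMAINS = ["bank.example", "www.bank.example"]


if __name__ == "__main__":
    print(detect_arp_changes(ARP_BASELINE, ARP_CURRENT))
    print(find_hosts_overrides(HOSTS_SAMPLE, WATCHED_DOMAINS))
```

A changed gateway MAC is not proof of poisoning on its own (hardware gets replaced), so the usual practice is to raise an alert and confirm against the switch's port tables; the hosts-file check is the cheaper of the two because the local table is consulted before any DNS server and a single added line redirects every lookup of that name.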