Application Attacks | CompTIA Security+ SY0-601 | 1.3a

In this video you will learn about application attacks such as: privilege escalation, cross-site scripting, code injections, pointer/object dereference, directory traversal, buffer overflows, race conditions, error handling, improper input handling, and replay attacks.

Privilege Escalation

Privilege escalation is the act of exploiting a bug, a design flaw, or a configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user.  The result is that an application with more privileges than intended by the application developer or system administrator can perform unauthorized actions.  This type of attack can involve external threat actors or an insider.

Cross-Site Scripting (XSS)

Cross-site scripting attacks use known vulnerabilities in web-based applications, their servers, or the plug-in systems on which they rely.  Exploiting one of these, attackers fold malicious content into the content being delivered from the compromised site.  When the resulting combined content arrives at the client-side web browser, it has all been delivered from the trusted source, and thus operates under the permissions granted to that system.  By finding ways of injecting malicious scripts into web pages, an attacker can gain elevated access-privileges to sensitive page content, to session cookies, and to a variety of other information maintained by the browser on behalf of the user.

Code Injections

Code injection is the exploitation of a computer bug that is caused by processing invalid data.  The injection is used by an attacker to introduce (or “inject”) code into a vulnerable computer program and change the course of execution.  The result of successful code injection can be disastrous, for example, by allowing computer viruses or computer worms to propagate.  Code injection vulnerabilities occur when an application sends untrusted data to an interpreter.  Injection flaws are most often found in SQL, DLL, LDAP, and XML parsers, among others.  Injection flaws tend to be easier to discover when examining source code than via testing.[1]  Scanners and fuzzers can help find injection flaws.[2]  Injection can result in data loss or corruption, lack of accountability, or denial of access.  Also, injection can sometimes lead to complete host takeover.  The types of code injection you need to be concerned with for the CompTIA Security+ SY0-601 certification exam are:

  • Structured Query Language (SQL):  used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker).[3]  SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database.  SQL injection attacks allow attackers to spoof identity, tamper with existing data, cause repudiation issues such as voiding transactions or changing balances, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server.
  • Dynamic-Link Library (DLL):  used for running code within the address space of another process by forcing it to load a dynamic-link library.[4]  DLL injection is often used by external programs to influence the behavior of another program in a way its authors did not anticipate or intend.[5]  For example, the injected code could hook system function calls,[6] or read the contents of password textboxes, which cannot be done the usual way.[7]  A program used to inject arbitrary code into arbitrary processes is called a DLL injector.
  • Lightweight Directory Access Protocol (LDAP):  used to exploit web applications which could reveal sensitive user information or modify information represented in the LDAP data stores.[8]  LDAP injection exploits a security vulnerability in an application by manipulating input parameters passed to internal search, add or modify functions.  When an application fails to properly sanitize user input, it is possible for an attacker to modify an LDAP statement.
  • Extensible Markup Language (XML):  used to manipulate or compromise the logic of an XML application or service.  The injection of unintended XML content and/or structures into an XML message can alter the intended logic of the applications.  Further, XML injection can cause the insertion of malicious content into the resulting message/document.[9]
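
To make the SQL bullet concrete, here is an added example (not from the video or its cited sources) using Python's sqlite3 module: the first lookup pastes the username into the statement text, the second binds it as a parameter; the users table and the tautology input are constructed for the demo.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    # Constructed sample table; not from the original page.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cr3t-a"), ("bob", "s3cr3t-b")])
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # Untrusted input is pasted into the statement text, so the
    # interpreter (SQLite) cannot tell data from SQL code.
    sql = "SELECT username, secret FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()

def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    # Parameterised query: the driver binds the value, which is never
    # parsed as SQL whatever characters it contains.
    sql = "SELECT username, secret FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    tautology = "x' OR '1'='1"   # constructed input; makes the WHERE clause always true
    print(lookup_vulnerable(db, tautology))   # both rows come back
    print(lookup_safe(db, tautology))         # []: nobody is literally named that
```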

Pointer/Object Dereference

Pointer dereferencing is common in programming: a pointer holds the address of data such as an integer, and dereferencing it retrieves whatever is stored at that address, which may be a different section of memory from the pointer itself (perhaps a different integer).  Programs that contain a null pointer dereference generate memory fault errors (memory leaks).  A null pointer dereference occurs when the program dereferences a pointer that it expects to be valid but is null, which can cause the application to exit or the system to crash.  From a programmatic standpoint, the main way to prevent this situation is meticulous coding.  Programmers can use special memory error analysis tools to enable error detection for a null pointer dereference.  Once the problem is identified, the programmer can correct the code that may be causing the errors.[10]

Directory Traversal

A directory traversal (or path traversal or a ../ “dot-dot-slash”) attack exploits insufficient security validation or sanitization of user-supplied file names, such that characters representing “traverse to parent directory” are passed through to the operating system’s file system API.  An affected application can be exploited to gain unauthorized access to the file system.  It is often used on web servers that have PHP files and are Linux or UNIX-based, but it can also be perpetrated on Microsoft operating systems (..\ “dot-dot-backslash” attack).  It is designed to get access to files such as ones that contain passwords.  This access can be prevented by updating the operating system or by checking the code of files for vulnerabilities, otherwise known as fuzzing.[10]
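
An added example (not from the original page) of the server-side check that stops a ../ or ..\ name from leaving the intended directory: the name is resolved against the base directory and must still sit under it afterwards. safe_join, is_safe and classify are names assumed here, and the directory tree is constructed for the demo.

```python
import os
import tempfile

def safe_join(base_dir: str, user_path: str) -> str:
    """Return the absolute path for user_path under base_dir, or raise
    ValueError if it would resolve outside base_dir. Assumed helper name."""
    base = os.path.realpath(base_dir)
    # Treat backslashes as separators too, so "..\.." is caught like "../..".
    candidate = user_path.replace("\\", "/")
    # os.path.join discards base when candidate is absolute, and realpath
    # collapses ".." and follows symlinks; both cases then fail the prefix test.
    full = os.path.realpath(os.path.join(base, candidate))
    if os.path.commonpath([base, full]) != base:
        raise ValueError("path escapes base directory: %r" % user_path)
    return full

def is_safe(base_dir: str, user_path: str) -> bool:
    try:
        safe_join(base_dir, user_path)
        return True
    except ValueError:
        return False

def classify(names) -> dict:
    """Constructed demo tree: docs/ plus a symlink inside it that points
    above docs/. Returns {name: allowed?} for each requested name."""
    with tempfile.TemporaryDirectory() as root:
        docs = os.path.join(root, "docs")
        os.mkdir(docs)
        os.symlink(root, os.path.join(docs, "link"))
        return {n: is_safe(docs, n) for n in names}

if __name__ == "__main__":
    names = ["report.txt", "sub/report.txt", "../secret.txt",
             "..\\..\\win.ini", "/etc/passwd", "link/secret.txt"]
    for name, ok in classify(names).items():
        print("%-18s %s" % (name, "allowed" if ok else "blocked"))
```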

Buffer Overflows

A buffer overflow is an anomaly where a program, while writing data to a buffer, overruns the buffer’s boundary and overwrites adjacent memory locations.  Buffers are areas of memory set aside to hold data, often while moving it from one section of a program to another, or between programs.  Buffer overflows can often be triggered by malformed inputs; if one assumes all inputs will be smaller than a certain size and the buffer is created to be that size, then an anomalous transaction that produces more data could cause it to write past the end of the buffer.  If this overwrites adjacent data or executable code, this may result in erratic program behavior, including memory access errors, incorrect results, and crashes.

Race Conditions

Race condition attacks (also called Time of Check to Time of Use, or TOCTTOU, attacks) take advantage of the fact that computing systems must execute some tasks in a specific sequence.  In any such sequence, there is a small period of time when the system has carried out the first task but not yet started on the second.  If this period is long enough, or the attacker is lucky and knowledgeable, a race condition vulnerability exists where an attacker can trick the system into carrying out unauthorized actions in addition to its normal processes.[11]
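
An added Python example, not from the original page, that makes the check-then-use window visible: read_public_vulnerable checks a file by name and then opens it by name, with the gap callable standing in for the moment the other party gets to run; read_public_safe opens first with O_NOFOLLOW and checks the descriptor it actually got. File names and contents are constructed for the demo (POSIX only).

```python
import os
import stat
import tempfile

def read_public_vulnerable(path: str, gap=lambda: None) -> bytes:
    # Time of check: refuse symlinks.  Time of use: open by name again.
    # `gap` stands in for the scheduling window between the two steps.
    if os.path.islink(path) or not os.path.isfile(path):
        raise PermissionError("not a regular file")
    gap()
    with open(path, "rb") as f:
        return f.read()

def read_public_safe(path: str) -> bytes:
    # Open first, refusing to follow a final symlink, then check the
    # object actually opened.  Check and use refer to the same descriptor.
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            raise PermissionError("not a regular file")
        return os.read(fd, 1 << 16)
    finally:
        os.close(fd)

def demo() -> dict:
    """Constructed scenario: `public` is swapped for a symlink to `secret`
    inside the gap. Returns what each variant of the reader produced."""
    with tempfile.TemporaryDirectory() as d:
        secret, public = os.path.join(d, "secret"), os.path.join(d, "public")
        with open(secret, "wb") as f:
            f.write(b"SECRET")
        with open(public, "wb") as f:
            f.write(b"public data")
        def swap_in_symlink():
            os.remove(public)
            os.symlink(secret, public)
        leaked = read_public_vulnerable(public, gap=swap_in_symlink)
        try:                       # the link is already in place now
            outcome = read_public_safe(public)
        except OSError as e:       # O_NOFOLLOW makes the kernel refuse the link
            outcome = "refused: %s" % e.__class__.__name__
        return {"vulnerable": leaked, "safe": outcome}

if __name__ == "__main__":
    print(demo())
```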

Error Handling

Improper error handling flaws occur when an error message that’s displayed to an end user provides clues about how an application or website operates.  Although messages like this can help developers fix problems on their sites, they also show attackers information that they can use to help them break into what should be secured areas.  For example, an error message that includes information on the structure of a SQL database table may give attackers everything they need to know in order to carry out a successful SQL injection attack.  In some cases, improper error handling can even directly expose the data attackers want, such as passwords.[12]

Improper Input Handling

Input handling is a term used to describe functions such as validation, sanitization, filtering, or encoding and decoding of input data; improper input handling is a leading cause of critical vulnerabilities that exist in today’s systems and applications.  The root cause of improper input handling is the application trusting rather than validating data inputs.  One of the critical aspects of input handling is validating that the information satisfies specific criteria.  All inputs should be considered untrusted, as they can come from various mechanisms and be transferred in multiple formats.  For proper validation, it is essential to identify the form and type of data acceptable and expected by the application.  This is required to define restrictions accurately and to avoid improper input handling attacks.[15]
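
One added example (not from the page) covering both the error-handling and the input-handling sections: fields are accepted only if they match an explicit allow-list rule for their expected form and type, and any failure is logged in full server-side while the client gets only a generic message plus a reference id. FIELD_RULES, validate and handle_request are assumed names for a hypothetical form.

```python
import logging
import re
import uuid

log = logging.getLogger("app")

# Allow-list rules for one hypothetical form (constructed, not from the page).
# The expected form and type of each field is stated up front, so anything
# else is rejected rather than "cleaned up".
FIELD_RULES = {
    "username": re.compile(r"[a-z][a-z0-9_]{2,31}"),
    "account_id": re.compile(r"[0-9]{1,10}"),
}

class ValidationError(ValueError):
    pass

def validate(form: dict) -> dict:
    clean = {}
    for field, rule in FIELD_RULES.items():
        value = form.get(field)
        if not isinstance(value, str) or not rule.fullmatch(value):
            raise ValidationError("field %r failed validation" % field)
        clean[field] = value
    unexpected = set(form) - set(FIELD_RULES)
    if unexpected:
        raise ValidationError("unexpected fields: %s" % sorted(unexpected))
    clean["account_id"] = int(clean["account_id"])   # convert only after validation
    return clean

def handle_request(form: dict) -> tuple:
    """Return (status, body).  Detail goes to the server log under a
    reference id; the client only ever sees a generic message."""
    try:
        data = validate(form)
        return 200, {"ok": True, "account_id": data["account_id"]}
    except Exception as exc:
        ref = uuid.uuid4().hex[:8]
        log.warning("request %s rejected: %s: %s", ref, type(exc).__name__, exc)
        return 400, {"ok": False, "error": "invalid request", "ref": ref}

if __name__ == "__main__":
    print(handle_request({"username": "alice", "account_id": "42"}))
    print(handle_request({"username": "alice' OR '1'='1", "account_id": "42"}))
    print(handle_request({"username": "alice", "account_id": "42", "role": "admin"}))
```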

Replay Attack

A replay attack is a form of a network attack in which valid data transmissions are maliciously or fraudulently repeated or delayed.[13]  This is carried out either by the originator or by an adversary who intercepts the data and retransmits it, possibly as part of a spoofing attack by IP packet substitution.  This is one of the lower-tier versions of a man-in-the-middle attack.  Replay attacks are usually passive in nature.  Another way of describing such an attack is:  “an attack on a security protocol using a replay of messages from a different context into the intended (or original and expected) context, thereby fooling the honest participant(s) into thinking they have successfully completed the protocol run”.[14]
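
An added example, not from the page or its references, of the usual countermeasure: each message carries a random nonce and a timestamp under an HMAC, and the receiver rejects anything whose nonce it has already consumed, whose timestamp is outside its window, or whose MAC does not verify. KEY, make_message and Receiver are assumed names and the key is a placeholder.

```python
import hashlib
import hmac
import json
import os
import time

KEY = b"placeholder-shared-key"   # constructed; a real deployment loads this from secure config

def _mac(key: bytes, msg: dict) -> str:
    # MAC over the canonical JSON of everything except the mac field itself.
    body = json.dumps({k: v for k, v in msg.items() if k != "mac"}, sort_keys=True)
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

def make_message(payload: dict, key: bytes = KEY, now: float = None) -> dict:
    # A fresh random nonce and a timestamp travel with the payload; the MAC
    # binds all three, so none can be altered or re-stamped without the key.
    msg = {"payload": payload, "nonce": os.urandom(16).hex(),
           "ts": int(time.time() if now is None else now)}
    msg["mac"] = _mac(key, msg)
    return msg

class Receiver:
    def __init__(self, key: bytes = KEY, window: int = 30):
        self.key, self.window, self.seen = key, window, {}

    def accept(self, msg: dict, now: float = None) -> bool:
        now = time.time() if now is None else now
        if not hmac.compare_digest(msg.get("mac", ""), _mac(self.key, msg)):
            return False          # forged or tampered with
        if abs(now - msg["ts"]) > self.window:
            return False          # delayed beyond the window (or clock skew)
        # Drop nonces that are now too old to be replayed anyway, so the
        # cache stays bounded.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}
        if msg["nonce"] in self.seen:
            return False          # replay: this nonce was already consumed
        self.seen[msg["nonce"]] = msg["ts"]
        return True

if __name__ == "__main__":
    rx = Receiver()
    m = make_message({"action": "transfer", "amount": 100})
    print(rx.accept(m))   # True: fresh
    print(rx.accept(m))   # False: the same capture, replayed
```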

References

  1. Top 10 Web Application Security Vulnerabilities. Penn Computing.
  2. OWASP Top 10 2013 A1: Injection Flaws. OWASP.
  3. SQL Injection. Microsoft.
  4. Shewmaker, J. (2006). Analyzing DLL Injection. Bluenotch.
  5. Tutorial 24: Windows Hooks. Iczelion’s Win32 Assembly Homepage.
  6. Rowhani, N. (2003). DLL Injection and Function Interception Tutorial. CodeProject.
  7. Kuster, R. (2003). Three Ways to Inject Your Code into Another Process. CodeProject.
  8. Alonso, J.M.; Bordon, R.; Beltran, M.; Guzman, A. (1 Nov 2008). LDAP Injection Techniques. 2008 11th IEEE Singapore International Conference on Communication Systems.
  9. XML Injection. The Web Application Security Consortium.
  10. Santos, O.; Taylor, R.; Mlodziannowski, J. CompTIA Security+ SY0-601 Cert Guide. Pearson IT Certification.
  11. What Is a Race Condition? Veracode.
  12. Error Handling Flaws – Information and How to Fix Tutorial. Veracode.
  13. El Abbadi, R.; Jamouli, H. (25 Jan 2021). Takagi-Sugeno Fuzzy Control for a Nonlinear Networked System Exposed to a Replay Attack. Mathematical Problems in Engineering. Hindawi.
  14. Malladi, S.; Alves-Foss, J.; Heckendorn, R. On Preventing Replay Attacks on Security Protocols.
  15. Improper Input Handling. Application Security Terminology.