Application Attacks | CompTIA Security+ SY0-601 | 1.3b

In this video you will learn about application attacks such as: integer overflow, request forgeries, application programming (API) attacks, resource exhaustion, memory leaks, Secure Socket Layer (SSL) stripping, driver manipulation, and pass the hash.

Integer Overflow

Integer overflow, also known as wraparound, occurs when an arithmetic operation outputs a numeric value that falls outside allocated memory space or overflows the range of the given value of the integer.  Mostly in all programming languages, integer values are allocated limited bits of storage.  For example, a 16-bit integer value could possibly store an unsigned integer ranging from 0 to 65,535, or a signed integer ranging from -32,768 to 32,767.  So during an arithmetic operation, if the results require more than the allocated space (like 65,535 + 1), the compiler may completely ignore the error that is caused or simply abort the program.[1]

A way to visualize an integer overflow is to think of a car that has a six digit analog odometer that reads 999,999 miles.  Now visualize somebody driving the car 1 extra mile to reach mile 1 million on the odometer.  Being that the analog odometer can only display 6 digits, exactly what’s going to happen when mile 1 million is reached?  What’s going to happen is that the odometer is going to reset all the way back to 000,000 as if this was a brand new car fresh off the assembly line.  The only problem is, this is not a brand new car.  This is a car that has 1 million miles logged on it, but it just can’t physically display 1 million miles on the analog odometer.  As this example relates to computer programming, in theory, after the car reaches mile 1 million, the car would then open itself up to all types of problems with it’s engine & overall performance which would be further proof that just because the analog odometer says 000,000, it’s still not a brand new car fresh off of the factory floor.  That’s the basic concept.

As this directly relates to programming, most compilers will ignore the overflow & store unexpected outputs or errors.  This would result in various attacks such as a buffer overflow, which is the most common attack and leads to executing malicious programs or privilege escalation.[1]

Cross-Site Request Forgery (CSRF or XSRF)

A cross-site request forgery attack is a cyber attack that tricks a user into accidentally using their credentials to invoke a state changing activity, such as transferring funds from their account, changing their email address and password, or some other undesired action.  While the potential impact against a regular user is substantial, a successful cross-site request forgery attack against an administrative account can compromise an entire server, potentially resulting in a complete takeover of a web application, API, or other service.[2]

Server-Side Request Forgery (SSRF)

A server-side request forgery is an attack where a bad actor can abuse the functionality on the server to read or update internal resources.  The attacker can supply or modify a URL which the code running on the server will read or submit data to, and by carefully selecting the URLs, the attacker may be able to read server configurations such as AWS metadata, connect to internal services like http enabled databases or perform post requests towards internal services which are not intended to be exposed.[3]

Application Programming Interface (API) Attacks

An API is a connection between computers or between computer programs.  It is a type of software interface, offering a service to other pieces of software.[4]  In contrast to a user interface, which connects a computer to a person, an API connects computers or pieces of software to each other.  It is not intended to be used directly by a person (the end user) other than a computer programmer who is incorporating it into software.  An API attack is an abusive or manipulative usage or attempted usage of an API which is commonly used to breach data or manipulate a commerce solution such as:  broken access control, DDoS attacks, SQL injections, man-in-the-middle attacks, excessive data exposure, improper assets management, unencrypted communications, & broken user authentication.[5]  Here are some recommended best practices for securing APIs:[6]

  • Secure API services to only provide HTTPS endpoints with a strong version of TLS.
  • Validate parameters in the application & sanitize incoming data from API clients.
  • Explicitly scan for common attack signatures; injection attacks often betray themselves by following common patterns.
  • Use strong authentication & authorization standards.
  • Use reputable & standard libraries to create the APIs.
  • Segment API implementation & API security into distinct tiers; doing so frees up the API developer to focus completely on the application domain.
  • Identify what data should be publicly available & what is sensitive information.
  • If possible, have a security expert do the API code verification.
  • Make internal API documentation mandatory.
  • Avoid discussing company API development (or any other application development) on public forums.

Resource Exhaustion

Resource exhaustion attacks are computer security exploits that crash, hang, or otherwise interfere with the targeted program or system.  They are a form of denial-of-service (DoS) attack but are different from distributed denial-of-service (DDoS) attacks, which involve a network host such as a web server with requests from many locations.[7]  Resource exhaustion attacks generally exploit a software bug or design deficiency.  In software with manual memory management (most commonly written in C or C++), memory leaks are a very common bug exploited for resource exhaustion.

Memory Leak

A memory leak is a type of resource leak that occurs when a computer program incorrectly manages memory allocations in a way that memory which is no longer needed is not released.[8]  A memory leak may also happen when an object is stored in memory but cannot be accessed by running the code.[9]  A memory leak has symptoms similar to a number of other problems & generally can only be diagnosed by a programmer with access to the program’s source code.  A memory leak reduces the performance of the computer by reducing the amount of available memory.  Eventually, in the worst case, too much of the available memory may become allocated & all or part of the system or device stops working correctly, the application fails, or the system slows down due to thrashing.  Memory leaks may not be serious or even detectable by normal means.  In modern operating systems, normal memory used by an application is released when the application terminates.  This means that a memory leak in a program that only runs for a short time may not be noticed and is rarely serious.

Secure Sockets Layer (SSL) Stripping

SSL stripping is another form of a MITM attack.  When it comes to HTTPS traffic between a client and a server, a hacker can’t break into the legitimate HTTPS traffic even if they manage to intercept & relay the communications.  When it comes to SSL stripping, the attackers downgrade the communications between the client and server into an unencrypted format to be able to stage a MITM attack.  When a victim wants to connect to a server, the attacker intercepts the request & creates an independent, legitimate connection to the server through HTTPS protocol.  When the attacker receives the server’s response, they relay it to the victim in an unencrypted format, posing as the server.  The victim, thinking that they are communicating with the legitimate party will continue to send information to the attacker, who will then relay it to the server in HTTPS.  A way to check to see if you’ve been victimized by SSL stripping is to check the browser address bar to see if you are connected through the unencrypted HTTP protocol.  An effective way to prevent SSL stripping is to install the HTTPS Everywhere browser extension which will enforce HTTPS communication wherever possible and prevent an uninvited party from downgrading your communication to HTTP.[10]

Driver Manipulation

Driver manipulation is when an attacker reaches down into device drivers to manipulate them in ways that undermine security.[11]  Two types of driver manipulation you need to be concerned with for the CompTIA Security+ Sy0-601 certification are:[12]

  • Shimming:  additional code that can be run instead of the original driver.  When an application attempts to call an older driver, the OS intercepts the call & redirects it to run the shim code instead.
  • Refactoring:  the process of rewriting the internal processing of the code, without changing its external behavior.  It is usually done to correct problems related to software design.

Pass the Hash

Pass the hash is a hacking technique that allows an attacker to authenticate to a remote server or service by using the underlying hash of a user’s password, instead of requiring the associated plaintext password as is normally the case.  It replaces the need for stealing the plaintext password with merely stealing the hash and using that to authenticate with.  After an attacker obtains valid username and password hash values, they are then able to use that information to authenticate to a remote server or service using a LAN manager (LM) or New Technology LM (NTLM) authentication without the need to brute-force the hashes to obtain the cleartext password.  The attack exploits an implementation weakness in the authentication protocol, where password hashes remain static from session to session until the password is changed.

References

  1. Luqman, M. (2021, Jan 10). Integer Overflow Attack and Prevention. Secure Coding.
  2. What is cross-site request forgery? Cloudflare.
  3. Server Side Request Forgery. OWASP.
  4. Reddy, M. (2011). API Design for C++. Elsevier Science.
  5. What is an API Attack. API Mike.
  6. Santos, O.; Taylor, R.; Mlodziannowski, J. CompTIA Security+ SY0-601 Cert Guide. Pearson IT Certification.
  7. Lindqvist, U. & Jonsson, E. (1997). How to Systematically Classify Security Intrusions. Proceedings. 1997 IEEE Symposium and Privacy.
  8. Crockfor, D. (2012). JScript Memory Leaks.
  9. How Can I Create a Memory Leak with Java. Stack Overflow.
  10. SSL Stripping. Secret Double Octopus.
  11. Driver Manipulation. LinkedIn.
  12. Gibson, D. Advanced Attacks and Countermeasures. Get Certified Get Ahead.