Security.NET
Chapter 1
How Do Attacks Occur?
Stages of attack, with examples of attacker actions:
1. Footprint: runs a port scan on the firewall
2. Penetration: exploits an unpatched Web server
3. Elevation of privilege: creates an account with administrator rights
4. Exploit: uploads unlicensed software to the Web server
5. Cover-up: erases the audit trail of the exploit
Vulnerability Examples
Vulnerabilities, with examples of each:
Weak passwords: employees use blank or default passwords
Unpatched software: patches are not updated; security hotfixes are not applied
Misconfigured software: services have more privileges than required; services run as the Local System account
Social engineering: a help desk administrator resets a password without verifying the identity of the caller
Weak security on Internet connections: unused services and ports are not secured; firewalls are used improperly
Unencrypted data transfer: authentication packets are sent in clear text; important data is sent over the Internet in clear text
Buffer overrun: a trusted process runs untrusted code
STRIDE Model
• Spoofing identity
• Tampering
• Repudiability
• Information disclosure
• Denial of Service
• Elevation of Privilege
Spoofing Identity
• Attacker impersonates a valid system user or resource to gain access to the system
• Example:
– Spoofing a server identity to gain access to passwords and other system data
Tampering with Data (Integrity)
• Malicious modification of system or user data, with or without detection
• Data tampering can occur on:
– Database objects, through SQL injection attacks
– Application objects, such as application configuration information and HTML files
– Communications and interactions
Repudiability
• Users can deny performing an action without administrators having any way to prove otherwise:
– A service that is attacked through an anonymous request
– A system where audit logging is not enabled
– An attacker that tampers with or deletes logged data
– An attacker that spoofs another user to exploit the system
• Enable logging to avoid repudiability threats
Information Disclosure
• Compromised private or business-critical information through the exposure of that information to individuals who are not supposed to see it:
– Encryption keys
– Business plans
– Credit card information
Denial of Service
• Denying service to valid users:
– Overloading a server with spurious requests
– Causing a process to consume CPU, memory, and bandwidth
– Using viruses and worms that consume hard disk space on a Web server
Elevation of Privilege
• Unprivileged user gains privileged access, thereby gaining sufficient access to compromise or destroy the entire system
– Can be undetected
– Can become part of the trusted system
• Example:
– A buffer overrun attack that causes injected code to run at an elevated privilege, giving the malicious code access to unauthorized pieces of the system
Enabling Logging
• Maintain a log of activities that are performed on the system by the users and Web applications:
– Windows logs
– IIS logs
– SQL Server logs
– Custom logs
User Input
• URLs
– Request individual resources of a Web application
• GET data
– Parameters and values that a client passes to a Web application to satisfy a GET request
• POST data
– Parameters and values that a client passes to a Web application to satisfy a POST request
• Cookies
– Store data on the client computer
• HTTP headers
– Provide numerous HTTP request header values to describe the client environment to the server
Why Validate User Input?
• User input can be used to attack a Web application to:
– Reveal implementation details
– Create malicious data
– Execute malicious script
– Access restricted resources
• To avoid a user input attack:
– Do not accept user input without validating it
– Define valid input and write code to accept only data within a valid range
Types of User Input Validation
• Client-side validation
– Executes validation code, in a script, within the user's browser
– Minimizes server round-trips for data validation
• Server-side validation
– Executes data validation code on the server
– Validation errors need to be sent back to the client, resulting in more server round-trips
• ASP.NET validation controls
– Support both client-side and server-side validation
URL Format Attacks
• ::$DATA format
– Returned the script source instead of the HTML response
• Dotless IP addresses
– Previously considered part of the intranet
– http://031713501415
• Parent paths
– Can access files outside a virtual directory
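The dotless address on the slide, decoded the way a browser reads it, as an added example that is not part of the course: a zone or allow-list decision has to be made on the canonical form of the host, not on the raw string. `dottedQuad`, `canonicalHost`, `isAllowed` and the allow-list in the comments are this example's own.

```javascript
// Added example (not from the course slides). A browser treats a host made of a
// single number, such as the slide's "031713501415", as one 32-bit address, and
// a leading "0" makes it octal. A string compare against an allow-list of dotted
// addresses would therefore give the wrong answer; canonicalise first.

// Parse one numeric component: "0x" prefix is hex, leading "0" is octal,
// otherwise decimal. Returns null for anything that is not a plain number.
function parseComponent(s) {
  if (/^0[xX][0-9a-fA-F]+$/.test(s)) return parseInt(s.slice(2), 16);
  if (/^0[0-7]*$/.test(s)) return parseInt(s, 8);
  if (/^[1-9][0-9]*$/.test(s)) return parseInt(s, 10);
  return null;
}

// Return the dotted-quad form of a numeric host, or null if the host is a name.
// One to four components are accepted; the last component fills the remaining
// bytes, so "207.46.33549" and "3475931917" both denote 207.46.131.13.
function dottedQuad(host) {
  const parts = host.split('.');
  if (parts.length > 4 || parts.some(p => p === '')) return null;
  const values = parts.map(parseComponent);
  if (values.some(v => v === null || !Number.isSafeInteger(v))) return null;
  const head = values.slice(0, -1);
  const last = values[values.length - 1];
  const lastBytes = 4 - head.length;
  if (head.some(v => v > 255) || last >= 2 ** (8 * lastBytes)) return null;
  let n = 0;
  for (const v of head) n = n * 256 + v;
  n = n * 2 ** (8 * lastBytes) + last;
  return [n >>> 24, (n >>> 16) & 255, (n >>> 8) & 255, n & 255].join('.');
}

// Canonical key for a host: dotted quad for numeric hosts, lower-cased name otherwise.
function canonicalHost(host) {
  return dottedQuad(host) || host.toLowerCase();
}

// Allow-list check on canonical forms, so every spelling of one address gets
// the same answer. A plain string comparison would report "031713501415" as
// not listed even when 207.46.131.13 is on the (constructed) list.
function isAllowed(host, allowList) {
  const canon = canonicalHost(host);
  return allowList.some(entry => canonicalHost(entry) === canon);
}
```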
HTTP Cookie Attacks
• Two types of cookies: persistent and session
• Persistent cookies can be edited with Notepad.exe
– C:\Documents and Settings\username\Cookies
• All cookies can be edited in client-side script
– document.cookie in JavaScript
• Do not store sensitive data in a cookie
– Instead store a lookup key
• Encrypt cookie data if necessary
HTTP Header Attacks
• Do not trust the header values sent by the client
– Header values can be set maliciously
• Do not trust header values for important decisions
– Example: invoicing based on the Referer header value
Form Data Attacks
• Form values
– The GET method includes the field values in the URL
– The POST method includes the field values in the body of the request
• Form fields
– All form fields and field names are visible in the page source
– Hidden fields are not secure
• Validate field values and field names
• Validate field value type and length
• Use forms for the minimum required data
Script Command Injection Attacks
• XSS (cross-site scripting)
• Used with a trusted Web application
• Embed script in text controls
Example (ASP)
<html>
<body>
<form action="a.asp" method="post">
<input name="t1">
<input type="submit">
</form>
</body>
</html>
ASP File
<html>
<body>
<% response.write "you entered:" & request("t1") %>
</body>
</html>
• Enter <script>alert('hello');</script> in the t1 field
ASP.NET
• ASP.NET request validation responds to the script input with an error message
• But if you write: <%00script>alert('hello');</script>
• To disable the check, in the page directive:
<%@ Page validateRequest="false" %>
• Or in web.config:
<system.web>
<pages validateRequest="false" />
</system.web>
Trusted code
<SCRIPT>
// Deletes d:\a.txt on the client through the Scripting.FileSystemObject ActiveX
// object; the browser's zone settings decide whether a page may script it
var fso = new ActiveXObject('Scripting.FileSystemObject');
var e = fso.GetFile('d:\\a.txt');
e.Delete();
</SCRIPT>
If the site is added to Trusted Sites, it works
Prevent XSS
• Validate user input
• Use:
– Server.HtmlEncode(str);
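The two defences on the slide written out in JavaScript, as an added example that is not the course's code: `validateText` is the input check and `htmlEncode` stands in for Server.HtmlEncode, applied to the ASP line `response.write "you entered:" & request("t1")` from the earlier slide; all function names are this example's own.

```javascript
// Added example (not from the course slides): validate on input, encode on
// output. Encoding is what stops <script>alert('hello');</script> from running;
// validation narrows what the field accepts in the first place.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five characters that let text break out of an HTML text node or
// attribute value. Applied on output, every time, whatever validation did.
function htmlEncode(str) {
  return String(str).replace(/[&<>"']/g, ch => HTML_ESCAPES[ch]);
}

// Allow-list validation for the t1 field: a non-empty string of bounded length
// with no control characters. The NUL byte that the slide's <%00script> variant
// relies on is rejected outright rather than cleaned up.
function validateText(str, maxLen = 100) {
  if (typeof str !== 'string' || str.length === 0 || str.length > maxLen) return false;
  return !/[\u0000-\u001F\u007F]/.test(str);
}

// The slide's ASP line, reproduced as-is: the input is echoed raw.
function renderUnsafe(t1) {
  return 'you entered:' + t1;
}

// Hardened version: reject invalid input with a generic message (never echo the
// data that failed), encode everything else before it reaches the page.
function renderSafe(t1) {
  if (!validateText(t1)) return 'you entered: (invalid input)';
  return 'you entered:' + htmlEncode(t1);
}
```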
ASP.NET Validation Controls
• Five Web server controls used for validating user input:
– RequiredFieldValidator
– RegularExpressionValidator
– CompareValidator
– CustomValidator
– RangeValidator
Regular Expressions
using System;
using System.Text.RegularExpressions;

// Strip everything that is not a word character ("\W" matches non-word characters)
string test = "Words only &%";
Regex nonWord = new Regex("\\W+");
string replaced = nonWord.Replace(test, "");   // "Wordsonly"

// Find every run of four digits and print where each one starts
string test1 = "Looking for 1256 in here";
Regex fourDigits = new Regex("\\d{4}");
MatchCollection matches = fourDigits.Matches(test1);
foreach (Match match in matches)
    Console.WriteLine(match.Index);   // 12
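A server-side validator in the spirit of the five validation controls and of the Form Data slide's advice to validate field names, types and lengths, as an added example in plain JavaScript rather than ASP.NET (client-side checks can be skipped by a client that posts directly, so the server-side check is the one that counts). The form fields, the rules, the constructed request bodies and the `validateForm` name are this example's own.

```javascript
// Added example (not from the course slides): one rule constructor per
// validation control, applied server-side to a parsed form body.

// Rule constructors, named after the corresponding ASP.NET validation control.
// Each returns a function (value, wholeBody) -> null on success or an error tag.
const required = () => (v) => (v !== undefined && v !== '' ? null : 'required');
const regularExpression = (re) => (v) => (typeof v === 'string' && re.test(v) ? null : 'format');
const range = (min, max) => (v) => {
  const n = Number(v);
  return Number.isInteger(n) && n >= min && n <= max ? null : 'range';
};
const compare = (other) => (v, all) => (typeof v === 'string' && v === all[other] ? null : 'mismatch');
const custom = (fn) => (v, all) => (fn(v, all) ? null : 'custom');

// Rules for a constructed order form. Regexes are anchored allow-lists: the
// slide's "\W+" finds non-word characters, so "^\w{1,20}$" admits word
// characters only, and "^\d{4}$" admits exactly four digits.
const RULES = {
  name: [required(), regularExpression(/^\w{1,20}$/)],
  year: [required(), regularExpression(/^\d{4}$/), range(1900, 2100)],
  qty: [required(), range(1, 99)],
  qtyConfirm: [required(), compare('qty')],
  note: [custom((v) => v === undefined || (typeof v === 'string' && v.length <= 200))],
};

// Validate a parsed form body. Returns { ok, errors } where errors maps a field
// name to the first failing rule. Field names are checked too: a client can post
// any name it likes, hidden fields included, so unknown names are rejected.
function validateForm(body) {
  const errors = {};
  for (const field of Object.keys(body)) {
    if (!(field in RULES)) errors[field] = 'unexpected field';
  }
  for (const [field, rules] of Object.entries(RULES)) {
    const value = body[field];
    for (const rule of rules) {
      const err = rule(value, body);
      if (err) { errors[field] = err; break; }
    }
  }
  return { ok: Object.keys(errors).length === 0, errors };
}
```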
Providing Feedback to Users
• During normal conditions:
– Verification messages
– Success messages
– Explanatory messages
• During error conditions:
– Keep detailed error information hidden: error codes, error messages, system information, call stacks
– Return a general error message and log the error details
– Never return the data that generated the error
Obscuring Error Details from Users
• In the Web.config file:
<customErrors mode="On" defaultRedirect="GenericError.aspx"/>