/// Security Alerts
Combining data protection technology innovation with staff awareness. Understand the risk before it becomes an issue.
Combining data protection technology innovation with staff awareness. Understand the risk before it becomes an issue.
ritical IT infrastructures around the world have, for some time, been the target of cyber attacks for criminal, political or other purposes. Regardless of their motivation, hostile actors have potential access to various tools and techniques that could be used to engage in malicious activity directed against the computer-related components of the critical infrastructure. Bluezone goes to the great extent of protecting your critical cyber assets, where any of your sensitive data elements are secured at the edge of their entry into your organization’s network. The ultimate cyber security always implies a combination of data protection technology innovation and personnel awareness of possible types of digital attacks, data breach techniques and system vulnerabilities.
Abuse of Functionality is an attack technique that uses a website’s own features and functionality to attack itself or others. Abuse of Functionality can be described as the abuse of an application’s intended functionality to perform an undesirable outcome. These attacks have varied results such as consuming resources, circumventing access controls, or leaking information. The potential and level of abuse will vary from website to website and application to application. Abuse of Functionality attacks are often a combination of other attack types and/or utilize other attack vectors.
Some examples of Abuse of Functionality are:
A Brute Force attack is a method to determine an unknown value by using an automated process to try a large number of possible values. The attack takes advantage of the fact that the entropy of the values is smaller than perceived. For example, while an 8 character alphanumeric password can have 2.8 trillion possible values, many people will select their passwords from a much smaller subset consisting of common words and terms.
Some examples of Brute Force attacks are:
A Buffer Overflow is a flaw that occurs when more data is written to a block of memory, or buffer, than the buffer is allocated to hold. Exploiting a buffer overflow allows an attacker to modify portions of the target process’ address space. This ability can be used for a number of purposes, including process execution control, process crash and internal variable modification. This is accomplished by identifying a function pointer in memory that can be modified, directly or indirectly, using the overflow. When such a pointer is used by the program to direct program execution through a jump or call instruction, the attacker-supplied instruction location will be used, thereby allowing process control.
The two main types of Buffer Overflow are:
Content Spoofing is an attack technique that allows an attacker to inject a malicious payload that is later misrepresented as legitimate content of a web application. This technique is often combined with Masquerading, where an attacking network device impersonates a valid device to remain undetected and pose as legitimate endpoint.
The main types of Content Spoofing are:
Credential/Session Prediction is a method of hijacking or impersonating a website user. Deducing or guessing the unique value that identifies a particular session or user accomplishes the attack. Also known as Session Hijacking, the consequences could allow attackers the ability to issue website requests with the compromised user’s privileges.
For example, if an attacker can determine the algorithm used to generate the session ID, an attack can be mounted as follows:
There are three types of Cross-site Scripting attacks:
A Cross-site Request Forgery (CSRF) is an attack that involves forcing a victim to send an HTTP request to a target destination without their knowledge or intent in order to perform an action as the victim. The underlying cause is application functionality using predictable URL/form actions in a repeatable way. The nature of the attack is that CSRF exploits the trust that a website has for a user. By contrast, Cross-site Scripting (XSS) exploits the trust that a user has for a website. Like XSS, CSRF attacks are not necessarily cross-site, but they can be. Cross-site Request Forgery is also known as one-click attack, session riding, confused deputy, and sea surf.
Cross-site Request Forgery attacks are effective in a number of situations, including:
Denial of Service (DoS) is an attack technique with the intent of preventing a website from serving normal user activity. DoS attacks, which are easily normally applied to the network layer, are also possible at the application layer. These malicious attacks can succeed by starving a system of critical resources, vulnerability exploit, or abuse of functionality. Many times DoS attacks will attempt to consume all of a website’s available system resources such as: CPU, memory, disk space etc. When any one of these critical resources reach full utilization, the website will normally be inaccessible.
Some examples of Denial of Service attack are:
The most common methodology for attackers is to first footprint the target’s web presence and enumerate as much information as possible. With this information, the attacker may develop an accurate attack scenario, which will effectively exploit a vulnerability in the software type/version being utilized by the target host. Multi-tier fingerprinting is similar to TCP/IP Fingerprinting (or Snooping with a network scanner) except that it is focused on the application layer of the OSI model.
Some examples of the Fingerprinting techniques exist for the following categories:
Format String attacks alter the flow of an application by using string formatting library features to access other memory space. Vulnerabilities occur when user-supplied data are used directly as formatting string input for certain C/C++ functions (e.g. fprintf, printf, sprintf, setproctitle, syslog) or other system output methods.
If an attacker passes a format string consisting of escaped format characters, they may:
HTTP Request Smuggling is an attack technique that abuses the discrepancy in parsing of non RFC compliant HTTP requests between two HTTP devices (typically a frontend proxy or HTTP-enabled firewall and a backend web server) to smuggle a request to the second device “through” the first device. This technique enables the attacker to send one set of requests to the second device while the first device sees a different set of requests. In turn, this facilitates several possible exploitations, such as partial cache poisoning, bypassing firewall protection and XSS.
HTTP Request Splitting is an attack that enables forcing the browser to send arbitrary HTTP requests, inflicting XSS and poisoning the browser’s cache. The essence of the attack is the ability of the attacker, once the victim (browser) is forced to load the attacker’s malicious HTML page, to manipulate one of the browser’s functions to send two HTTP requests instead of one. For this attack to work, the browser must use a forward HTTP proxy (not all of them “support” this attack), or the attack must be carried out against a host located on the same IP (from the browser’s perspective) with the attacker machine.
Two HTTP Request Splitting methods have been exploited to date:
HTTP response smuggling is a technique to “smuggle” two HTTP responses from a server to a client, through an intermediary HTTP device that expects (or allows) a single response from the server. One use for this technique is to enhance the basic HTTP response splitting technique in order to evade anti- HTTP response splitting measures. In this case, the intermediary is the anti-HTTP response splitting mechanism between the web server and the proxy server (or web browser). Another use case is to spoof responses received by the browser. In this case a malicious website serves the browser a page that the browser will interpret as originating from a different (target) domain. HTTP response smuggling can be used to achieve this when the browser uses a proxy server to access both sites.
In the HTTP Response Splitting attack, there are always at least three parties involved: web server (which has a security hole), target (such as proxy server or browser) and attacker machine. The essence of HTTP Response Splitting is the attacker’s ability to send a single HTTP request that forces the web server to form an output stream, which is then interpreted by the target as two HTTP responses instead of one response, in the normal case. The first response may be partially controlled by the attacker, but this is less important. What is material is that the attacker completely controls the form of the second response from the HTTP status line to the last byte of the HTTP response body. Once this is possible, the attacker realizes the attack by sending two requests through the target. The first one invokes two responses from the web server, and the second request would typically be to some “innocent” resource on the web server. However, the second request would be matched, to the second HTTP response, which is fully controlled by the attacker.
With HTTP Response Splitting, it is possible to mount various kinds of attacks:
An Integer Overflow is the condition that occurs when the result of an arithmetic operation, such as multiplication or addition, exceeds the maximum size of the integer type used to store it. When an integer overflow occurs, the interpreted value will appear to have “wrapped around” the maximum value and started again at the minimum value.
Integer Overflow is related to other conditions that occur when manipulating integers:
Mail Command Injection is an attack technique used to exploit mail servers and webmail applications that construct IMAP/SMTP statements from user-supplied input that is not properly sanitized. Depending on the type of statement taken advantage by the attacker, we meet two types of injections: IMAP and SMTP Injection.
An IMAP/SMTP Injection may make it possible to access a mail server which you previously had no access to before-hand. In some cases, these internal systems do not have the same level of infrastructure security hardening applied to them as most front-end web servers. Hence, attackers may find that the mail server yields better results in terms of exploitation. On the other hand, this technique allows to evade possible restrictions that could exist at application level (CAPTCHA, maximum number of requests, etc.).
LDAP Injection is an attack technique used to exploit websites that construct LDAP statements from user-supplied input. Lightweight Directory Access Protocol (LDAP) is an open-standard protocol for both querying and manipulating X.500 directory services. The LDAP protocol runs over Internet transport protocols, such as TCP. web applications may use user-supplied input to create custom LDAP statements for dynamic page requests.
When a web application fails to properly sanitize user-supplied input, it is possible for an attacker to alter the construction of an LDAP statement. When an attacker is able to modify an LDAP statement, the process will run with the same permissions as the component that executed the command.
Null Byte Injection is an active exploitation technique used to bypass sanity checking filters in web infrastructure by adding URL-encoded null byte characters (i.e. %00, or 0x00 in hex) to the user-supplied data. This injection process can alter the intended logic of the application and allow malicious adversary to get unauthorized access to the system files.
The scope of a null byte attack starts where web applications interact with active C routines and external APIs from the underlying OS. Thus, allowing an attacker to manipulate web resources by reading or writing files based on the application’s user privileges. In C/C++, a null byte represents the string termination point or delimiter character which means to stop processing the string immediately. Bytes following the delimiter will be ignored. If the string loses its null character, the length of a string becomes unknown until memory pointer happens to meet next zero byte. This unintended ramification can cause introduce vulnerabilities within the system or application scope.
OS Commanding is an attack technique used for unauthorized execution of operating system commands. OS Commanding is the direct result of mixing trusted code and untrusted data. This attack is possible when an application accepts untrusted input to build operating system commands in an insecure manner involving improper data sanitization, and/or improper calling of external programs.
In OS Commanding, executed commands by an attacker will run with the same privileges of the component that executed the command, (e.g. database server, web application server, web server, wrapper, application). Since the commands are executed under the privileges of the executing component an attacker can leverage this to gain access or damage parts that are otherwise unreachable (e.g. the OS directories and files).
The Path Traversal attack technique allows an attacker access to files, directories, and commands that potentially reside outside the web document root directory. An attacker may manipulate a URL in such a way that the website will execute or reveal the contents of arbitrary files anywhere on the web server. Any device that exposes an HTTP-based interface is potentially vulnerable to Path Traversal.
Most websites restrict user access to a specific portion of the file-system, typically called the “web document root” or “CGI root” directory. These directories contain the files intended for user access and the executable necessary to drive web application functionality. To access files or execute commands anywhere on the file-system, Path Traversal attacks will utilize the ability of special-characters sequences.
Predictable Resource Location is an attack technique used to uncover hidden website content and functionality. By making educated guesses via brute forcing an attacker can guess file and directory names not intended for public viewing. Brute forcing filenames is easy because files/paths often have common naming convention and reside in standard locations. These can include temporary files, backup files, logs, administrative site sections, configuration files, demo applications, and sample files. These files may disclose sensitive information about the website, web application internals, database information, passwords, machine names, and file paths to other sensitive areas.
Remote File Include (RFI) is an attack technique used to exploit “dynamic file include” mechanisms in web applications. When web applications take user input (URL, parameter value, etc.) and pass them into file include commands, the web application might be tricked into including remote files with malicious code.
An attacker can use Remote File Include for:
The WS-Routing is a protocol for exchanging SOAP messages from an initial message sender to an ultimate receiver, typically via a set of intermediaries. The WS-Routing protocol is implemented as a SOAP extension, and is embedded in the SOAP Header. WS-Routing is often used to provide a way to direct XML traffic through complex environments and transactions by allowing interim way stations in the XML path to assign routing instructions to an XML document.
Routing Detours are a type of “Man in the Middle” attack where Intermediaries can be injected or “hijacked” to route sensitive messages to an outside location. Routing information (either in the HTTP header or in WS-Routing header) can be modified en route and traces of the routing can be removed from the header and message such that the receiving application none the wiser that a routing detour has occurred.
Session Fixation is an attack technique that forces a user’s session ID to an explicit value. Depending on the functionality of the target website, a number of techniques can be utilized to “fix” the session ID value. These techniques range from Cross-site Scripting exploits to peppering the website with previously made HTTP requests. After a user’s session ID has been fixed, the attacker will wait for that user to login. Once the user does so, the attacker uses the predefined session ID value to assume the same online identity.
Generally speaking there are two types of session management systems when it comes to ID values. The first type is “permissive” systems that allow web browsers to specify any ID. The second type is “strict” systems that only accept server-side-generated values. With permissive systems, arbitrary session IDs are maintained without contact with the website. Strict systems require the attacker to maintain the “trap-session”, with periodic website contact, preventing inactivity timeouts.
XML SOAP arrays are a common target for malicious abuse. SOAP arrays are defined as having a type of “SOAP-ENC:Array” or a type derived there from. SOAP arrays have one or more dimensions (rank) whose members are distinguished by ordinal position. An array value is represented as a series of elements reflecting the array, with members appearing in ascending ordinal sequence. For multi-dimensional arrays the dimension on the right side varies most rapidly. Each member element is named as an independent element.
A web-service that expects an array can be the target of a XML DoS attack by forcing the SOAP server to build a huge array in the machine’s memory, thus inflicting a DoS condition on the machine due to the memory pre-allocation.
Server-side Include (SSI) Injection is a server-side exploit technique that allows an attacker to send code into a web application, which will later be executed locally by the web server. SSI Injection exploits a web application’s failure to sanitize user-supplied data before they are inserted into a server-side interpreted HTML file. Before serving an HTML web page, a web server may parse and execute Server-side Include statements before providing it to the client. In some cases (e.g. message boards, guest books, or content management systems), a web application will insert user-supplied data into the source of a page.
Structured Query Language (SQL) Injection is an attack technique used to exploit applications that construct SQL statements from user-supplied input. When successful, the attacker is able to change the logic of SQL statements executed against the database.
SQL Injection includes the following methods:
URL Redirectors represent common functionality employed by websites to forward an incoming request to an alternate resource. This can be done for a variety of reasons and is often done to allow resources to be moved within the directory structure and to avoid breaking functionality for users that request the resource at its previous location. URL redirectors do not necessarily represent a direct security vulnerability but can be abused by attackers trying to social engineer victims into believing that they are navigating to a site other than the true destination.
URL redirectors may also be used to implement load balancing, leveraging abbreviated URLs or recording outgoing links. It is this last implementation which is often used in phishing attacks. When URL redirect functionality is identified on a website, phishers will take advantage of it to fool unsuspecting users into believing that they are navigating to the well known origin site as opposed to the external, attacker-controlled site.
XPath Injection is an attack technique used to exploit applications that construct XPath (XML Path Language) queries from user-supplied input to query or navigate XML documents. It can be used directly by an application to query an XML document, as part of a larger operation such as applying an XSLT transformation to an XML document, or applying an XQuery to an XML document. The syntax of XPath bears some resemblance to an SQL query, and it is possible to form SQL-like queries on an XML document using XPath.
XML Attribute Blowup is a Denial of Service attack against XML parsers. The attacker provides a malicious XML document, which vulnerable XML parsers process in a very inefficient manner, leading to excessive CPU load. The essence of the attack is to include many attributes in the same XML node. Vulnerable XML parsers manage the attributes in an inefficient manner (e.g. in a data container for which insertion of a new attribute has O(n) runtime), resulting in a non-linear (in this example, O(n²)) overall runtime, leading to a denial of service condition via CPU exhaustion.
XML External Entities (XXE) attack takes advantage of a feature of XML to build documents dynamically at the time of processing. An XML message can either provide data explicitly or by pointing to an URI where the data exists. In the attack technique, external entities may replace the entity value with malicious data, alternate referrals or may compromise the security of the data the server/XML application has access to.
The XML Entity Expansion attack exploits a capability in XML Document Type Definition (DTD) that allows the creation of custom macros, called entities, that can be used throughout a document. By recursively defining a set of custom entities at the top of a document, an attacker can overwhelm parsers that attempt to completely resolve the entities by forcing them to iterate almost indefinitely on these recursive definitions. The malicious XML message is used to force recursive entity expansion (or other repeated processing) that completely uses up available server resources.
XML Injection is an attack technique used to manipulate or compromise the logic of an XML application or service. The injection of unintended XML content and/or structures into an XML message can alter the intend logic of the application. Further, XML Injection can cause the insertion of malicious content into the resulting message/document.
XQuery Injection is a variant of the classic SQL injection attack against the XML Query Language. XQuery Injection uses improperly validated data that is passed to XQuery commands. This, in turn, will execute commands on behalf of the attacker that the XQuery routines have access to. XQuery injection can be used to enumerate elements on the victim’s environment, inject commands to the local host, or execute queries to remote files and data sources. Like SQL injection attacks, the attacker tunnels through the application entry point to target the resource access layer.
Application Misconfiguration attacks exploit configuration weaknesses found in web applications. Many applications come with unnecessary and unsafe features, such as debug and QA features, enabled by default. These features may provide a means for a hacker to bypass authentication methods and gain access to sensitive information, perhaps with elevated privileges.
Likewise, default installations may include well-known usernames and passwords, hard-coded backdoor accounts, special access mechanisms, and incorrect permissions set for files accessible through web servers. Default samples may be accessible in production environments. Application-based configuration files that are not properly locked down may reveal clear text connection strings to the database, and default settings in configuration files may not have been set with security in mind.
Automatic directory listing/indexing is a web server function that lists all of the files within a requested directory if the normal base file (such as index.html or default.htm) is not present. When a user requests the main page of a website, they normally type in a URL using the domain name (with optional sub-directory path) and excluding a specific file. The web server processes this request and searches the document root directory for the default file name and sends this page to the client. If this page is not present, the web server will dynamically issue a directory listing and send the output to the client. Essentially, this is equivalent to issuing an “ls” (Unix) or “dir” (Windows) command within this directory and showing the results in HTML form.
When a web server reveals a directory’s contents, the listing could contain information not intended for public viewing. Often web administrators rely on “security through obscurity” assuming that if there are no hyperlinks to these documents, they will not be found, or no one will look for them. The assumption is incorrect. Today’s vulnerability scanners can dynamically include additional directories/files in their scan based upon initial probes.
Improper Filesystem Permissions are a threat to the confidentiality, integrity and availability of a web application. The problem arises when incorrect filesystem permissions are set on files, folders, and symbolic links. When improper permissions are set, an attacker may be able to access restricted files or directories and modify or delete their contents. For example, if an anonymous user account has write permission to a file, then an attacker may be able to modify the contents of the file influencing the web application in undesirable ways. An attacker may also exploit improper symlinks to escalate their privileges and/or access unauthorized files, e.g. a symlink pointing to a directory outside of the web root.
Improper Input Handling is one of the most common weaknesses identified across applications today. Poorly handled input is a leading cause behind critical vulnerabilities that exist in systems and applications.
Generally, the term input handing is used to describe functions like validation, sanitization, filtering, encoding and/or decoding of input data. Applications receive input from various sources including human users, software agents (browsers), and network/peripheral devices to name a few. In the case of web applications, input can be transferred in various formats (name value pairs, JSON, SOAP, etc.) and obtained via URL query strings, POST data, HTTP headers, Cookies, etc. Non-web application input can be obtained via application variables, environment variables, the registry, configuration files, etc. Regardless of the data format or source/location of the input, all input should be considered untrusted and potentially malicious.
Improper Output Handling refers to how an application generates outgoing data. If an application has improper output handling, the output data may be consumed leading to vulnerabilities and actions never intended by the application developer. In many cases, this unintended interpretation is classified as one or more forms of critical vulnerabilities.
Information Leakage is an application weakness where an application reveals sensitive data, such as technical details of the web application, environment, or user-specific data. Sensitive data may be used by an attacker to exploit the target web application, its hosting network, or its users. Therefore, leakage of sensitive data should be limited or prevented whenever possible.
Information Leakage, in its most common form, is the result of the following conditions:
Insecure Indexing is a threat to the data confidentiality of the website. Indexing web-site contents via a process that has access to files which are not supposed to be publicly accessible has the potential of leaking information about the existence of such files, and about their content. In the process of indexing, such information is collected and stored by the indexing process, which can later be retrieved by a determined attacker, typically through a series of queries to the search engine. The attacker does not thwart the security model of the search engine. As such, this attack is subtle and very hard to detect and foil.
Insufficient Anti-automation occurs when a web application permits an attacker to automate a process that was originally designed to be performed only in a manual fashion, i.e. by a human web user.
Web application functionality that is often a target for automation attacks may include:
Insufficient Authentication occurs when a website permits an attacker to access sensitive content or functionality without having to properly authenticate. Web-based administration tools are a good example of websites providing access to sensitive functionality. Depending on the specific online resource, these web applications should not be directly accessible without requiring the user to properly verify their identity.
To get around setting up authentication, some resources are protected by “hiding” the specific location and not linking the location into the main website or other public places. However, important to understand that even though a resource is unknown to an attacker, it still remains accessible directly through a specific URL. The specific URL could be discovered through a Brute Force probing for common file and directory locations, error messages, referrer logs, or documentation such as help files.
Insufficient Authorization results when an application does not perform adequate authorization checks to ensure that the user is performing a function or accessing data in a manner consistent with the security policy. Authorization procedures should enforce what a user, service or application is permitted to do. When a user is authenticated to a website, it does not necessarily mean that the user should have full access to all content.
There are following two primary cases of Insufficient Authorization in applications:
Insufficient Password Recovery is when a website permits an attacker to illegally obtain, change or recover another user’s password. Conventional website authentication methods require users to select and remember a password or passphrase. The user should be the only person that knows the password and it must be remembered precisely. As time passes, a user’s ability to remember a password fades. The matter is further complicated when the average user visits 20 sites requiring them to supply a password.
Examples of automated password recovery processes include requiring the user to answer a “secret question” defined as part of the user registration process. This question can either be selected from a list of canned questions or supplied by the user. Another mechanism in use is having the user provide a “hint” during registration that will help the user remember his password. Other mechanisms require the user to provide several pieces of personal data such as their social security number, home address, zip code etc. to validate their identity. After the user has proven who they are, the recovery system will display or e-mail them a new password.
There are two main types of processes that require validation:
Session expiration is comprised of two timeout types: inactivity and absolute. An absolute timeout is defined by the total amount of time a session can be valid without re-authentication and an inactivity timeout is the amount of idle time allowed before the session is invalidated. The lack of proper session expiration may increase the likelihood of success of certain attacks.
Insufficient Transport Layer Protection allows communication to be exposed to untrusted third-parties, providing an attack vector to compromise a web application and/or steal sensitive information. Websites typically use Transport Layer Security / Secure Sockets Layer (TLS/SSL) to provide encryption at the transport layer. However, unless the website is configured to use TLS/SSL and configured to use TLS/SSL properly, the website may be vulnerable to traffic interception and modification.
Insufficient Transport Layer Protection is primarily the result of the following conditions:
Server Misconfiguration attacks exploit configuration weaknesses found in web servers and application servers. Many servers come with unnecessary default and sample files, including applications, configuration files, scripts, and web pages. They may also have unnecessary services enabled, such as content management and remote administration functionality. Debugging functions may be enabled or administrative functions may be accessible to anonymous users. These features may allow a hacker bypass authentication methods and gain access to sensitive data, perhaps with elevated privileges.
Servers may include well-known default accounts and passwords. Failure to fully lock down or harden the server may leave improperly set file and directory permissions. Misconfigured TLS/SSL certificates and encryption settings, the use of default certificates, and improper authentication implementation with external systems may compromise the confidentiality of information and lead to unintentional or malicious disclosure.
Professional associations such as Institute of Electrical and Electronics Engineers (IEEE) and Web Application Security Consortium (WASC), as well as online information security communities including Open Web Application Security Project (OWASP) foundation, have created extensive threat classifications to summarize and clarify various type of cyber attacks, as an important step towards implementation of IT security.