In applications, particularly web applications, access to functionality is
mitigated by the authorization framework, whose job it is to map ACLs to
elements of the application's functionality; particularly URL's for web
apps. In the case that the application deployer failed to specify an ACL for
a particular element, an attacker may be able to access it with impunity. An
attacker with the ability to access functionality not properly constrained
by ACLs can obtain sensitive information and possibly compromise the entire
application. Such an attacker can access resources that must be available
only to users at a higher privilege level, can access management sections of
the application or can run queries for data that he is otherwise not
supposed to.
Attack Execution Flow
Explore
Survey:
The attacker surveys the target application,
possibly as a valid and authenticated user
Attack Step Techniques
ID
Attack Step Technique Description
Environments
1
Spidering web sites for all available
links
env-Web
2
Brute force guessing of resource
names
env-All
3
Brute force guessing of user names /
credentials
env-All
4
Brute force guessing of function names /
actions
env-All
Indicators
ID
type
Indicator Description
Environments
1
Positive
ACLs or other access control mechanisms are
present in the software
env-Web
env-ClientServer
2
Positive
User IDs or other credentials are present in
the software
env-Web
env-ClientServer
3
Positive
Operating modes with different privileges
are present in the software
env-ClientServer env-Local
env-Embedded
Identify
Functionality:
At each step, the attacker notes the resource or
functionality access mechanism invoked upon
performing specific actions
Attack Step Techniques
ID
Attack Step Technique Description
Environments
1
Use the web inventory of all forms and
inputs and apply attack data to those
inputs.
env-Web
2
Use a packet sniffer to capture and record
network traffic
env-CommProtocol
3
Execute the software in a debugger and
record API calls into the operating system or
important libraries. This might occur in an
environment other than a production environment,
in order to find weaknesses that can be exploited
in a production environment.
env-Local env-Embedded
Outcomes
ID
type
Outcome Description
1
Success
The attacker produces a list of
functionality or data that can be accessed through
the system.
Experiment
Iterate over access
capabilities:
Possibly as a valid user, the attacker then tries
to access each of the noted access mechanisms
directly in order to perform functions not
constrained by the ACLs.
Attack Step Techniques
ID
Attack Step Technique Description
Environments
1
Fuzzing of API parameters (URL parameters,
OS API parameters, protocol parameters)
env-Web env-Local env-Embedded
env-ClientServer
Indicators
ID
type
Indicator Description
Environments
1
Negative
Attempts to create a catalog of access
mechanisms and data have failed.
env-All
Outcomes
ID
type
Outcome Description
1
Success
Functionality is accessible to
unauthorized users.
Attack Prerequisites
The application must be navigable in a manner that associates elements
(subsections) of the application with ACLs.
The various resources, or individual URLs, must be somehow discoverable by
the attacker
The deployer must have forgotten to associate an ACL or has associated an
inappropriately permissive ACL with a particular navigable resource.
Typical Likelihood of Exploit
Likelihood: Very High
Methods of Attack
Analysis
Brute Force
Examples-Instances
Description
Implementing the Model-View-Controller (MVC) within Java EE's Servlet
paradigm using a "Single front controller" pattern that demands that
brokered HTTP requests be authenticated before hand-offs to other Action
Servlets.
If no security-constraint is placed on those Action Servlets, such
that positively no one can access them, the front controller can be
subverted.
Attacker Skills or Knowledge Required
Skill or Knowledge Level: Low
In order to discover unrestricted resources, the attacker does not
need special tools or skills. He only has to observe the resources or
access mechanisms invoked as each action is performed and then try and
access those access mechanisms directly.
Resources Required
No special resources are required for the exploit of this pattern.
Probing Techniques
In the case of web applications, use of a spider or other crawling
software can allow an attacker to search for accessible pages not beholden
to a security constraint.
More generally, noting the target resource accessed upon performing
specific actions drives an understanding of the resources accessible from
the current context.
Solutions and Mitigations
In a J2EE setting, deployers can associate a role that is impossible for
the authenticator to grant users, such as "NoAccess", with all Servlets to
which access is guarded by a limited number of servlets visible to, and
accessible by, the user.
Having done so, any direct access to those protected Servlets will be
prohibited by the web container.
In a more general setting, the deployer must mark every resource besides
the ones supposed to be exposed to the user as accessible by a role
impossible for the user to assume. The default security setting must be to
deny access and then grant access only to those resources intended by
business logic.
All resources must be constrained to be inaccessible by default followed
by selectively allowing access to resources as dictated by application and
business logic
In addition to a central controller, every resource must also restrict,
wherever possible, incoming accesses as dictated by the relevant ACL.
Related Security Principles
Failing Securely
Least Privilege
Reluctance To Trust
Complete Mediation
Related Guidelines
Use Authorization Mechanisms Correctly
Design Configuration Subsystems Correctly and Distribute Safe Default
Configurations
Purposes
Penetration
CIA Impact
Confidentiality Impact: High
Integrity Impact: Medium
Availability Impact: Low
Technical Context
Architectural Paradigms
All
Frameworks
All
Platforms
All
Languages
All
Content History
Submissions
Submitter
Organization
Date
Comments
John Steven
Cigital, Inc
2007-02-10
Initial core pattern content
Modifications
Modifier
Organization
Date
Comments
Chiradeep B. Chhaya
Cigital, Inc
2007-02-23
Fleshed out pattern with extra
content
Richard Struse
VOXEM, Inc
2007-03-26
Review and feedback leading to changes in Attack
Execution Flow, Attack Prerequisites, Examples and
Solutions
Sean Barnum
Cigital, Inc
2007-04-13
Modified pattern content according to review and
feedback
An attack of this type exploits a system's configuration that allows an
attacker to either directly access an executable file, for example through
shell access; or in a possible worst case allows an attacker to upload a
file and then execute it. Web servers, ftp servers, and message oriented
middleware systems which have many integration points are particularly
vulnerable, because both the programmers and the administrators must be in
synch regarding the interfaces and the correct privileges for each
interface.
Attack Prerequisites
System's configuration must allow an attacker to directly access
executable files or upload files to execute. This means that any access
control system that is supposed to mediate communications between the
subkect and the object is set incorrectly or assumes a benign
environment.
Typical Likelihood of Exploit
Likelihood: High
Methods of Attack
Modification of Resources
API Abuse
Examples-Instances
Description
Consider a directory on a web server with the following
permissions
drwxrwxrwx 5 admin public 170 Nov 17 01:08 webroot
This could allow an attacker to both execute and upload and execute
programs' on the web server. This one vulnerability can be exploited by
a threat to probe the system and identify additional vulnerabilities to
exploit.
Attacker Skills or Knowledge Required
Skill or Knowledge Level: Low
To identify and execute against an overprivileged system
interface
Resources Required
Ability to communicate synchronously or asynchronously with server that
publishes an overprivileged directory, program, or interface. Optionally,
ability to capture output directly through synchronous communication or other
method such as FTP.
Solutions and Mitigations
Design: Enforce principle of least privilege
Design: Run server interfaces with a non-root account and/or utilize
chroot jails or other configuration techniques to constrain privileges even
if attacker gains some limited access to commands.
Implementation: Perform testing such as pentesting and vulnerability
scanning to identify directories, programs, and interfaces that grant direct
access to executables.
Attack Motivation-Consequences
Run Arbitrary Code
Data Modification
Information Leakage
Privilege Escalation
Injection Vector
Payload delivered through standard communication protocols.
Payload
Command(s) executed directly on host
Activation Zone
Client machine and client network
Payload Activation Impact
Enables attacker to execute server side code with any commands that the
program owner has privileges to.
This attack relies on the use of HTTP Cookies to store credentials, state
information and other critical data on client systems.
The first form of this attack involves accessing HTTP Cookies to mine for
potentially sensitive data contained therein.
The second form of this attack involves intercepting this data as it is
transmitted from client to server. This intercepted information is then used
by the attacker to impersonate the remote user/session.
The third form is when the cookie's content is modified by the attacker
before it is sent back to the server. Here the attacker seeks to convince
the target server to operate on this falsified information.
Attack Execution Flow
Explore
Obtain copy of cookie:
The attacker first needs to obtain a copy of the
cookie. The attacker may be a legitimate end user
wanting to escalate privilege, or could be somebody
sniffing on a network to get a copy of HTTP
cookies.
Attack Step Techniques
ID
Attack Step Technique Description
Environments
1
Obtain cookie from local filesystem (e.g.
C:\Documents and Settings\*\Cookies and
C:\Documents and Settings\*\Application
Data\Mozilla\Firefox\Profiles\*\cookies.txt in
Windows)
env-Web
2
Sniff cookie using a network sniffer such as
Wireshark
env-Web
3
Obtain cookie from local memory or
filesystem using a utility such as the Firefox
Cookie Manager or AnEC Cookie Editor.
env-Web
4
Steal cookie via a cross-site scripting
attack.
env-Web
5
Guess cookie contents if it contains
predictable information.
env-Web
Indicators
ID
type
Indicator Description
Environments
1
Positive
Cookies used in web application.
env-Web
2
Negative
Cookies not used in web application.
env-Web
Outcomes
ID
type
Outcome Description
1
Success
Cookie captured by
attacker.
2
Failure
Cookie cannot be captured by
attacker.
Security Controls
ID
type
Security Control Description
1
Preventative
To prevent network
sniffing, cookies should be transmitted over HTTPS
and not plain HTTP. To enforce this on the client
side, the "secure" flag should be set on cookies
(javax.servlet.http.Cookie.setSecure() in Java,
secure flag in setcookie() function in php,
etc.).
Experiment
Obtain sensitive information from
cookie:
The attacker may be able to get sensitive
information from the cookie. The web application
developers may have assumed that cookies are not
accessible by end users, and thus, may have put
potentially sensitive information in them.
Attack Step Techniques
ID
Attack Step Technique Description
Environments
1
If cookie shows any signs of being encoded
using a standard scheme such as base64, decode
it.
env-Web
2
Analyze the cookie's contents to determine
whether it contains any sensitive
information.
env-Web
Indicators
ID
type
Indicator Description
Environments
1
Negative
Cookie only contains a random session ID
(e.g. ASPSESSIONID, JSESSIONID, etc.)
env-Web
2
Positive
Cookie contains sensitive information (e.g.
"ACCTNO=0234234", or "DBIP=0xaf112a22" -- database
server's IP address).
env-Web
3
Inconclusive
Cookie's contents cannot be
deciphered.
env-Web
Outcomes
ID
type
Outcome Description
1
Success
Cookie contains sensitive
information that developer did not intent the end
user to see.
2
Failure
Cookie does not contain any
sensitive information.
Security Controls
ID
type
Security Control Description
3
Preventative
Do not store sensitive
information in cookies unless they are encrypted
such that only the server can decrypt
them.
Modify cookie to subvert security
controls.:
The attacker may be able to modify or replace
cookies to bypass security controls in the
application.
Attack Step Techniques
ID
Attack Step Technique Description
Environments
1
Modify logical parts of cookie and send it
back to server to observe the effects.
env-Web
2
Modify numeric parts of cookie
arithmetically and send it back to server to
observe the effects.
env-Web
3
Modify cookie bitwise and send it back to
server to observe the effects.
env-Web
4
Replace cookie with an older legitimate
cookie and send it back to server to observe the
effects. This technique would be helpful in cases
where the cookie contains a "points balance" for a
given user where the points have some value. The
user may spend his points and then replace his
cookie with an older one to restore his
balance.
env-Web
Outcomes
ID
type
Outcome Description
1
Success
Subversion of security controls
on server
2
Failure
Cookie reset by
server
Security Controls
ID
type
Security Control Description
1
Detective
Web server logs
contain many messages indicating that invalid
cookies were received from
client.
2
Preventative
Cookies should not
contain any information that the user is not
allowed to modify, unless that information is
never expected to change. In the latter case, the
integrity of the cookie should be protected using
a digital signature or a message authentication
code.
Attack Prerequisites
Target server software must be a HTTP daemon that relies on
cookies.
Typical Likelihood of Exploit
Likelihood: High
Methods of Attack
Modification of Resources
API Abuse
Protocol Manipulation
Time and State
Examples-Instances
Description
There are two main attack vectors for exploiting poorly protected
session variables like cookies. One is the local machine itself which
can be exploited directly at the physical level or indirectly through
XSS and phising. In addition, the man in the middle attack relies on a
network sniffer, proxy, or other intermediary to intercept the subject's
credentials and use them to impersonate the digital subject on the host.
The issue is that once the credentials are intercepted, impersonation is
trivial for the attacker to accomplish if no other protection mechanisms
are in place.
Attacker Skills or Knowledge Required
Skill or Knowledge Level: Low
To overwrite session cookie data, and submit targeted attacks via
HTTP
High: Exploiting a remote buffer overflow generated by attack
Resources Required
Ability to send HTTP request containing cookie to server
Solutions and Mitigations
Design: Use input validation for cookies
Design: Generate and validate MAC for cookies
Implementation: Use SSL/TLS to protect cookie in transit
Implementation: Ensure the web server implements all relevant security
patches, many exploitable buffer overflows are fixed in patches issued for
the software.
Attack Motivation-Consequences
Information Leakage
Data Modification
Privilege Escalation
Injection Vector
HTTP cookie
Payload
Malicious input delivered through cookie in HTTP Request.
Activation Zone
Client software, such as a browser and its component libraries, or an
intermediary
Payload Activation Impact
1. Enables attacker to leverage state stored in cookie
2. Enables attacker a vector to attack web server and platform
An attacker is able to disguise one action for another and therefore trick
a user into initiating one type of action when they intend to initiate a
different action. For example, a user might be led to believe that clicking
a button will submit a query, but in fact it downloads software. Attackers
may perform this attack through social means, such as by simply convincing a
victim to perform the action or relying on a user's natural inclination to
do so, or through technical means, such as a clickjacking attack where a
user sees one interface but is actually interacting with a second,
invisible, interface.
Attack Prerequisites
The victim must be convinced into performing the decoy action.
Resources Required
The attacker must have enough control over a user's interface to present them
with a decoy action as well as the actual malicious action. Simple versions of
this attack can be performed using web pages requiring only that the attacker be
able to host (or control) content that the user visits.
This attack against older telephone switches and trunks has been around
for decades. The signal is sent by the attacker to impersonate a supervisor
signal. This has the effect of rerouting or usurping command of the line and
call. While the US infrastructure proper may not contain widespread
vulnerabilities to this type of attack, many companies are connected
globally through call centers and business process outsourcing. These
international systems may be operated in countries which have not upgraded
telco infrastructure and so are vulnerable to Blue boxing.
Blue boxing is a result of failure on the part of the system to enforce
strong authentication for administrative functions. While the infrastructure
is different than standard current applications like web applications, there
are hisotrical lessons to be learned to upgrade the access control for
administrative functions.
Attack Prerequisites
System must use weak authentication mechanisms for administrative
functions.
Typical Likelihood of Exploit
Likelihood: Medium
Methods of Attack
Injection
Protocol Manipulation
Examples-Instances
Description
Attacker identifies a vulnerable CCITT-5 phone line, and sends a
combination tone to the switch in order to request administrative
access. Based on tone and timing parameters the request is verified for
access to the switch. Once the attacker has gained control of the switch
launching calls, routing calls, and a whole host of opportunities are
available.
Attacker Skills or Knowledge Required
Skill or Knowledge Level: Low
Given a vulnerable phone system, the attacker's technical vector
relies on attacks that are well documented in cracker 'zines and have
been around for decades.
Resources Required
CCITT-5 or other vulnerable lines, with the ability to send tones such as
combined 2,400 Hz and 2,600 Hz tones to the switch
Solutions and Mitigations
Implementation: Upgrade phone lines. Note this may be prohibitively
expensive
Use strong access control such as two factor access control for
adminsitrative access to the switch
Attack Motivation-Consequences
Denial of Service
Privilege Escalation
Injection Vector
Payload delivered through standard communication protocols.
An attacker manipulates the processing of Application Programming
Interface (API) resulting in the API's function having an adverse impact
upon the security of the system or application implementing the API. This
can allow the attacker to execute functionality not intended by the API
implementation, possibly compromising the system or application which
integrates the API. API Abuse can take on a number of forms. For example,
the API may trust that the calling function properly validates its data and
thus it may be manipulated by supplying metacharacters or alternate
encodings as input, resulting in any number of injection flaws, including
SQL injection, cross-site scripting, or command execution. Another example
could be API methods that should be disabled in a production application but
were not, thus exposing dangerous functionality within a production
environment.
Attack Prerequisites
The target system must expose API functionality in a manner that can be
discovered and manipulated by an attacker. This may require reverse
engineering the API syntax or decrypting/de-obfuscating client-server
exchanges.
Resources Required
The requirements vary depending upon the nature of the API. For
application-layer APIs related to the processing of the HTTP protocol, one or
more of the following may be needed: a MITM (Man-In-The-Middle) proxy, a web
browser, or a programming/scripting language.
An attacker changes the behavior or state of a targeted application
through injecting data or command syntax through the targets use of
non-validated and non-filtered arguments of exposed services or
methods.
Attack Execution Flow
Explore
Discovery of potential injection
vectors:
Using an automated tool or manual discovery, the
attacker identifies services or methods with
arguments that could potentially be used as
injection vectors (OS, API, SQL procedures,
etc.).
Attack Step Techniques
ID
Attack Step Technique Description
Environments
1
Manually cover the application and record
the possible places where arguments could be
passed into external systems.
env-All
2
Use a spider, for web applications, to
create a list of URLs and associated
inputs.
env-All
Indicators
ID
type
Indicator Description
Environments
1
Positive
Arguments are used by the application in
exposed services or methods
env-All
2
Inconclusive
No parameters appear to be used.
env-All
3
Negative
Application does not use any inputs.
env-All
Outcomes
ID
type
Outcome Description
1
Success
A list of parameters, arguments
to modify is identified.
2
Success
A list of URLs, with their
corresponding parameters (POST, GET, COOKIE, etc.)
is created by the attacker.
Security Controls
ID
type
Security Control Description
1
Detective
Monitor velocity of
page fetching in web logs. Humans who view a page
and select a link from it will click far slower
and far less regularly than tools. Tools make
requests very quickly and the requests are
typically spaced apart regularly (e.g. 0.8 seconds
between them).
2
Detective
Create links on some
pages that are visually hidden from web browsers.
Using IFRAMES, images, or other HTML techniques,
the links can be hidden from web browsing humans,
but visible to spiders and programs. A request for
the page, then, becomes a good predictor of an
automated tool probing the
application.
3
Preventative
Use CAPTCHA to prevent
the use of the application by an automated
tool.
4
Preventative
Actively monitor the
application and either deny or redirect requests
from origins that appear to be
automated.
Experiment
1. Attempt variations on argument
content:
Possibly using an automated tool, the attacker
will perform injection variations of the
arguments.
Attack Step Techniques
ID
Attack Step Technique Description
Environments
1
Use a very large list of probe strings in
order to detect if there is a positive result,
and, what type of system has been targeted (if
obscure).
env-All
2
Use a proxy tool to record results, error
messages and/or log if accessible.
env-All
Indicators
ID
type
Indicator Description
Environments
1
Positive
The application behaves like the injection
has been a success.
env-All
2
Inconclusive
No result appears.
env-All
Outcomes
ID
type
Outcome Description
1
Failure
It is possible to monitor the
application and to see that the argument has been
validated.
Security Controls
ID
type
Security Control Description
1
Preventative
Actively monitor
malicious inputs.
2
Detective
Monitor the services
and/or methods uses of the
arguments.
Exploit
Abuse of the
application:
The attacker injects specific syntax into a
particular argument in order to generate a specific
malicious effect in the targeted application.
Attack Step Techniques
ID
Attack Step Technique Description
Environments
1
Manually inject specific payload into
targeted argument.
env-All
Outcomes
ID
type
Outcome Description
1
Success
The attacker observes desired
effect.
Security Controls
ID
type
Security Control Description
2
Preventative
Actively monitor
malicious inputs.
3
Detective
Monitor the services
and/or methods uses of the
arguments.
Attack Prerequisites
Target software fails to strip all user-supplied input of any content that
could cause the shell to perform unexpected actions.
Software must allow for unvalidated or unfiltered input to be executed on
operating system shell, and, optionally, the system configuration must allow
for output to be sent back to client.
Typical Likelihood of Exploit
Likelihood: High
Methods of Attack
Injection
Examples-Instances
Description
A recent example instance of argument injection occurred against Java
Web Start technology, which eases the client side deployment for Java
programs. The JNLP files that are used to describe the properties for
the program. The client side Java runtime used the arguments in the
property setting to define execution parameters, but if the attacker
appends commands to an otherwise legitimate property file, then these
commands are sent to the client command shell.
The attacker has to identify injection vector, identify the operating
system-specific commands, and optionally collect the output.
Resources Required
Ability to communicate synchronously or asynchronously with server.
Optionally, ability to capture output directly through synchronous communication
or other method such as FTP.
Solutions and Mitigations
Design: Do not program input values directly on command shell, instead
treat user input as guilty until proven innocent. Build a function that
takes user input and converts it to applications specific types and values,
stripping or filtering out all unauthorized commands and characters in the
process.
Design: Limit program privileges, so if metacharcters or other methods
circumvent program input validation routines and shell access is attained
then it is not running under a privileged account. chroot jails create a
sandbox for the application to execute in, making it more difficult for an
attacker to elevate privilege even in the case that a compromise has
occurred.
Implementation: Implement an audit log that is written to a separate host,
in the event of a compromise the audit log may be able to provide evidence
and details of the compromise.
Attack Motivation-Consequences
Privilege Escalation
Data Modification
Information Leakage
Injection Vector
Malicious input delivered through standard input, the attacker inserts
additional arguments on the application's standard interface
Payload
Varies with instantiation of attack pattern. Malicious payload either pass
commands through valid paramters or supply metacharacters that cause unexpected
termination that redirects to shell
Activation Zone
Client machine and client network (e..g Intranet)
Payload Activation Impact
Enables attacker to execute server side code with any commands that the
program owner has privileges to, this is particularly problematic when the
sprogram is run as a system or privileged account.
An attacker exploits a data structure shared between multiple applications
or an application pool to affect application behavior. Data may be shared
between multiple applications or between multiple threads of a single
application. Data sharing is usually accomplished through mutual access to a
single memory location. If an attacker can manipulate this shared data
(usually by co-opting one of the applications or threads) the other
applications or threads using the shared data will often continue to trust
the validity of the compromised shared data and use it in their
calculations. This can result in invalid trust assumptions, corruption of
additional data through the normal operations of the other users of the
shared data, or even cause a crash or compromise of the sharing
applications.
Attack Prerequisites
The target applications (or target application threads) must share data
between themselves.
The attacker must be able to manipulate some piece of the shared data
either directly or indirectly and the other users of the data must accept
the changed data as valid.
Resources Required
The attacker must be able to change the shared data. Usually this requires
that the attacker be able to compromise one of the sharing applications or
threads in order to manipulated the shared data.
An attacker obtains unauthorized access to an application, service or
device either through knowledge of the inherent weaknesses of an
authentication mechanism, or by exploiting a flaw in the authentication
scheme's implementation. In such an attack an authentication mechanism is
functioning but a carefully controlled sequence of events causes the
mechanism to grant access to the attacker. This attack may exploit
assumptions made by the target's authentication procedures, such as
assumptions regarding trust relationships or assumptions regarding the
generation of secret values. This attack differs from Authentication Bypass
attacks in that Authentication Abuse allows the attacker to be certified as
a valid user through illegitimate means, while Authentication Bypass allows
the user to access protected material without ever being certified as an
authenticated user. This attack does not rely on prior sessions established
by successfully authenticating users, as relied upon for the "Exploitation
of Session Variables, Resource IDs and other Trusted Credentials" attack
patterns.
Attack Prerequisites
An authentication mechanism or subsystem implementing some form of
authentication such as passwords, digest authentication, security
certificates, etc. which is flawed in some way.
Resources Required
A client application, command-line access to a binary, or scripting language
capable of interacting with the authentication mechanism.
An attacker gains access to application, service, or device with the
privileges of an authorized or privileged user by evading or circumventing
an authentication mechanism. The attacker is therefore able to access
protected data without authentication ever having taken place. This refers
to an attacker gaining access equivalent to an authenticated user without
ever going through an authentication procedure. This is usually the result
of the attacker using an unexpected access procedure that does not go
through the proper checkpoints where authentication should occur. For
example, a web site might assume that all users will click through a given
link in order to get to secure material and simply authenticate everyone
that clicks the link. However, an attacker might be able to reach secured
web content by explicitly entering the path to the content rather than
clicking through the authentication link, thereby avoiding the check
entirely. This attack pattern differs from other uthentication attacks in
that attacks of this pattern avoid authentication entirely, rather than
faking authentication by exploiting flaws or by stealing credentials from
legitimate users.
Attack Prerequisites
An authentication mechanism or subsystem impmenting some form of
authentication such as passwords, digest authentication, security
certificates, etc.
Resources Required
A client application, such as a web browser, or a scripting language capable
of interacting with the target.
Blind SQL Injection results from an insufficient mitigation for SQL
Injection. Although suppressing database error messages are considered best
practice, the suppression alone is not sufficient to prevent SQL Injection.
Blind SQL Injection is a form of SQL Injection that overcomes the lack of
error messages. Without the error messages that facilitate SQL Injection,
the attacker constructs input strings that probe the target through simple
Boolean SQL expressions. The attacker can determine if the syntax and
structure of the injection was successful based on whether the query was
executed or not. Applied iteratively, the attacker determines how and where
the target is vulnerable to SQL Injection.
For example, an attacker may try entering something like "username' AND
1=1; --" in an input field. If the result is the same as when the attacker
entered "username" in the field, then the attacker knows that the
application is vulnerable to SQL Injection. The attacker can then ask yes/no
questions from the database server to extract information from it. For
example, the attacker can extract table names from a database using the
following types of queries:
"username' AND ascii(lower(substring((SELECT TOP 1 name FROM
sysobjects WHERE xtype='U'), 1, 1))) > 108".
If the above query executes properly, then the attacker knows that the
first character in a table name in the database is a letter between m
and z. If it doesn't, then the attacker knows that the character must be
between a and l (assuming of course that table names only contain
alphabetic characters). By performing a binary search on all character
positions, the attacker can determine all table names in the database.
Subsequently, the attacker may execute an actual attack and send
something like:
"username'; DROP TABLE trades; --
Attack Execution Flow
Explore
Hypothesize SQL queries in
application:
Generated hypotheses regarding the SQL queries in
an application. For example, the attacker may
hypothesize that his input is passed directly into a
query that looks like:
"SELECT * FROM orders WHERE ordernum =
_____"
or
"SELECT * FROM orders WHERE ordernum IN
(_____)"
or
"SELECT * FROM orders WHERE ordernum in
(_____) ORDER BY _____"
Of course, there are many other
possibilities.
Attack Step Techniques
ID
Attack Step Technique Description
Environments
1
Research types of SQL queries and determine
which ones could be used at various places in an
application.
env-All
Determine how to inject information into
the queries:
Determine how to inject information into the
queries from the previous step such that the
injection does not impact their logic. For example,
the following are possible injections for those
queries:
"5' OR 1=1; --"
and
"5) OR 1=1; --"
and
"ordernum DESC; --"
Attack Step Techniques
ID
Attack Step Technique Description
Environments
1
Add clauses to the SQL queries such that the
query logic does not change.
env-All
2
Add delays to the SQL queries in case server
does not provide clear error messages (e.g.
WAITFOR DELAY '0:0:10' in SQL Server or
BENCHMARK(1000000000,MD5(1) in MySQL). If these
can be injected into the queries, then the length
of time that the server takes to respond reveals
whether the query is injectable or not.
env-All
Outcomes
ID
type
Outcome Description
1
Success
At least one way to complete a
hypothesized SQL query that would violate the
application developer's
assumptions.
Experiment
Determine user-controllable input
susceptible to injection:
Determine the user-controllable input susceptible
to injection. For each user-controllable input that
the attacker suspects is vulnerable to SQL
injection, attempt to inject the values determined
in the previous step. If an error does not occur,
then the attacker knows that the SQL injection was
successful.
Attack Step Techniques
ID
Attack Step Technique Description
Environments
1
Use web browser to inject input through text
fields or through HTTP GET parameters.
env-Web
2
Use a web application debugging tool such as
Tamper Data, TamperIE, WebScarab,etc. to modify
HTTP POST parameters, hidden fields, non-freeform
fields, etc.
env-Web
3
Use network-level packet injection tools
such as netcat to inject input
At least one user-controllable
input susceptible to injection
found.
2
Failure
No user-controllable input
susceptible to injection
found.
Security Controls
ID
type
Security Control Description
1
Detective
Unusual queries such
as the ones described in the previous step, in
application logs. Log files may contain unusual
messages such as "User bob' OR 1=1; -- logged in".
Operators should be alerted when such SQL commands
appear in the logs.
2
Preventative
Input validation of
user-controlled data before including it in a SQL
query
3
Preventative
Use APIs that help
mitigate SQL injection (such as PreparedStatement
in Java)
Determine database
type:
Determines the type of the database, such as MS
SQL Server or Oracle or MySQL, using logical
conditions as part of the injected queries
Attack Step Techniques
ID
Attack Step Technique Description
Environments
1
Try injecting a string containing
char(0x31)=char(0x31) (this evaluates to 1=1 in
SQL Server only)
Inject other database-specific commands into
input fields susceptible to SQL Injection. The
attacker can determine the type of database that
is running by checking whether the query executed
successfully or not (i.e. wheter the attacker
received a normal response from the server or
not).
Desired information about
database schema extracted.
2
Failure
Desired information about
database schema could not be
extracted.
Security Controls
ID
type
Security Control Description
1
Detective
Large number of
unusual queries in database
logs.
Exploit SQL Injection
vulnerability:
Use the information obtained in the previous steps
to successfully inject the database in order to
bypass checks or modify, add, retrieve or delete
data from the database
Attack Step Techniques
ID
Attack Step Technique Description
Environments
1
Use information about how to inject commands
into SQL queries as well as information about the
database schema to execute attacks such as
dropping tables, inserting records, etc.
Attacker achieves goal of
unauthorized system access, denial of service,
etc.
2
Failure
Attacker cannot exploit the
information gathered by blind SQL
Injection
Attack Prerequisites
SQL queries used by the application to store, retrieve or modify
data.
User-controllable input that is not properly validated by the application
as part of SQL queries.
Typical Likelihood of Exploit
Likelihood: High
Methods of Attack
Injection
Analysis
Examples-Instances
Description
In the PHP application TimeSheet 1.1, an attacker can successfully
retrieve username and password hashes from the database using Blind SQL
Injection. If the attacker is aware of the local path structure, the
attacker can also remotely execute arbitrary code and write the output
of the injected queries to the local path. Blind SQL Injection is
possible since the application does not properly sanitize the
$_POST['username'] variable in the login.php file.
Related Vulnerabilities
CVE-2006-4705
Attacker Skills or Knowledge Required
Skill or Knowledge Level: Medium
Determining the database type and version, as well as the right number
and type of parameters to the query being injected in the absence of
error messages requires greater skill than reverse-engineering database
error messages.
Resources Required
None
Probing Techniques
In order to determine the right syntax for the query to inject, the
attacker tries to determine the right number of parameters to the query and
their types. This is achieved by formulating conditions that result in a
true/false answer from the database. If the logical condition is true, the
database will execute the rest of the query. If not, a custom error page or
a default page is returned. Another approach is to ask such true/false
questions of the database and note the response times to a query with a
logically true condition and one with a false condition.
Indicators-Warnings of Attack
The only indicators of successful Blind SQL Injection are the application
or database logs that show similar queries with slightly differing logical
conditions that increase in complexity over time. However, this requires
extensive logging as well as knowledge of the queries that can be used to
perform such injection and return meaningful information from the
database.
Solutions and Mitigations
Security by Obscurity is not a solution to preventing SQL Injection.
Rather than suppress error messages and exceptions, the application must
handle them gracefully, returning either a custom error page or redirecting
the user to a default page, without revealing any information about the
database or the application internals.
Strong input validation - All user-controllable input must be validated
and filtered for illegal characters as well as SQL content. Keywords such as
UNION, SELECT or INSERT must be filtered in addition to characters such as a
single-quote(') or SQL-comments (--) based on the context in which they
appear.
Attack Motivation-Consequences
Data Modification
Information Leakage
Run Arbitrary Code
Injection Vector
User-controllable input to the application
Payload
SQL statements intended to bypass checks or retrieve information about the
database
Activation Zone
Back-end database
Payload Activation Impact
The injected SQL statements are such that they result in a true/false query to
the database. If the database evaluates a statement to be logically true, it
responds with the requested data. If the condition is evaluated to be logically
false, an error is returned. The attacker modifies the boolean condition each
time to gain information from the database.
Custom error pages must be used to handle exceptions such that they do not
reveal any information about the architecture of the application or the
database.
Special characters in user-controllable input must be escaped before use
by the application.
Employ application-level safeguards to filter data and handle exceptions
gracefully.
Related Security Principles
Reluctance to Trust
Failing Securely
Defense in Depth
Related Guidelines
Never Use Input as Part of a Directive to any Internal Component
Handle All Errors Safely
Purposes
Penetration
CIA Impact
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
Technical Context
Architectural Paradigms
All
Frameworks
All
Platforms
All
Languages
All
References
CWE - Input Validation
CWE - Improper Error Handling
Content History
Submissions
Submitter
Date
Comments
Chiradeep B Chhaya
2007-02-22
Third Draft - Revised to schema
v1.4
Modifications
Modifier
Organization
Date
Comments
Malik Hamro
Cigital, Inc
2007-02-27
Reformat to new schema and
review
Sean Barnum
Cigital, Inc
2007-03-05
Review and revise
Richard Struse
VOXEM, Inc
2007-03-26
Review and feedback leading to changes in Description,
Attack Prerequisites and Related Attack Patterns
Sean Barnum
Cigital, Inc
2007-04-13
Modified pattern content according to review and
feedback
An application typically makes calls to functions that are a part of
libraries external to the application. These libraries may be part of the
operating system or they may be third party libraries. It is possible that
the application does not handle situations properly where access to these
libraries has been blocked. Depending on the error handling within the
application, blocked access to libraries may leave the system in an insecure
state that could be leveraged by an attacker.
Attack Execution Flow
Determine what external libraries the application
accesses.
Block access to the external libraries accessed by
the application.
Monitor the behavior of the system to see if it
goes into an insecure/inconsistent state.
If the system does go into an
insecure/inconsistent state, leverage that to obtain
information about the system functionality or data,
elevate access control, etc. The rest of this attack
will depend on the context and the desired
goal.
Attack Prerequisites
An application requires access to external libraries.
An attacker has the priviliges to block application access to external
libraries.
Typical Likelihood of Exploit
Likelihood: Medium
Methods of Attack
API Abuse
Modification of Resources
Examples-Instances
Description
A web-based system uses a third party cryptographic random number
generation library that derives entropy from machine's hardware. This
library is used in generation of user session ids used by the
applicatoin. If the library is inaccessible, the application instead
uses a software based weak pseudo random number generation library. An
attacker of the system blocks access of the application to the third
party cryptographic random number generation library (by renaming it).
The application in turn uses the weak pseudo random number generation
library to generate session ids that are predictable. An attacker then
leverages this weakness to guess a session id of another user to perform
a horizontal elevation of privilege escalation and gain access to
another user's account.
Attacker Skills or Knowledge Required
Skill or Knowledge Level: Low
Solutions and Mitigations
Ensure that application handles situations where access to APIs in
external libraries is not available securely. If the application cannot
continue its execution safely it should fail in a consistent and secure
fashion.
In this attack, some asset (information, functionality, identity, etc.) is
protected by a finite secret value. The attacker attempts to gain access to
this asset by using trial-and-error to exhaustively explore all the possible
secret values in the hope of finding the secret (or a value that is
functionally equivalent) that will unlock the asset. Examples of secrets can
include, but are not limited to, passwords, encryption keys, database lookup
keys, and initial values to one-way functions.
The key factor in this attack is the attacker's ability to explore the
possible secret space rapidly. This, in turn, is a function of the size of
the secret space and the computational power the attacker is able to bring
to bear on the problem. If the attacker has modest resources and the secret
space is large, the challenge facing the attacker is intractable. While the
defender cannot control the resources available to an attacker, they can
control the size of the secret space. Creating a large secret space involves
selecting one's secret from as large a field of equally likely alternative
secrets as possible and ensuring that an attacker is unable to reduce the
size of this field using available clues or cryptoanalysis. Doing this is
more difficult than it sounds since elimination of patterns (which, in turn,
would provide an attacker clues that would help them reduce the space of
potential secrets) is difficult to do using deterministic machines, such as
computers. Assuming a finite secret space, a brute force attack will
eventually succeed. The defender must rely on making sure that the time and
resources necessary to do so will exceed the value of the information. For
example, a secret space that will likely take hundreds of years to explore
is likely safe from raw-brute force attacks.
Attack Execution Flow
Explore
Determine secret testing
procedure:
Determine how a potential guess of the secret may
be tested. This may be accomplished by comparing
some manipulation of the secret to a known value,
use of the secret to manipulate some known set of
data and determining if the result displays specific
characteristics (for example, turning cryptotext
into plaintext), or by submitting the secret to some
external authority and having the external authority
respond as to whether the value was the correct
secret. Ideally, the attacker will want to determine
the correctness of their guess independently since
involvement of an external authority is usually
slower and can provide an indication to the defender
that a brute-force attack is being attempted.
Attack Step Techniques
ID
Attack Step Technique Description
Environments
1
Determine if there is a way to parallelize
the attack. Most brute force attacks can take
advantage of parallel techniques by dividing the
search space among available resources, thus
dividing the average time to success by the number
of resources available. If there is a single choke
point, such as a need to check answers with an
external authority, the attacker's position is
significantly degraded.
env-All
Reduce search space:
Find ways to reduce the secret space. The smaller
the attacker can make the space they need to search
for the secret value, the greater their chances for
success. There are a great many ways in which the
search space may be reduced.
Attack Step Techniques
ID
Attack Step Technique Description
Environments
1
If possible, determine how the secret was
selected. If the secret was determined
algorithmically (such as by a random number
generator) the algorithm may have patterns or
dependencies that reduce the size of the secret
space. If the secret was created by a human,
behavioral factors may, if not completely reduce
the space, make some types of secrets more likely
than others. (For example, humans may use the same
secrets in multiple places or use secrets that
look or sound familiar for ease of recall.)
env-All
2
If the secret was chosen algorithmically,
cryptoanalysis can be applied to the algorithm to
discover patterns in this algorithm. (This is true
even if the secret is not used in cryptography.)
Periodicity, the need for seed values, or
weaknesses in the generator all can result in a
significantly smaller secret space.
env-All
3
If the secret was chosen by a person, social
engineering and simple espionage can indicate
patterns in their secret selection. If old secrets
can be learned (and a target may feel they have
little need to protect a secret that has been
replaced) hints as to their selection preferences
can be gleaned. These can include character
substitutions a target employs, patterns in
sources (dates, famous phrases, music lyrics,
family members, etc.). Once these patterns have
been determined, the initial efforts of a
brute-force attack can focus on these
areas.
env-All
4
Some algorithmic techniques for secret
selection may leave indicators that can be tested
for relatively easily and which could then be used
to eliminate large areas of the search space for
consideration. For example, it may be possible to
determine that a secret does or does not start
with a given character after a relatively small
number of tests. Alternatively, it might be
possible to discover the length of the secret
relatively easily. These discoveries would
significantly reduce the search space, thus
increasing speed with which the attacker discovers
the secret.
env-All
Expand victory
conditions:
It is sometimes possible to expand victory
conditions. For example, the attacker might not need
to know the exact secret but simply needs a value
that produces the same result using a one-way
function. While doing this does not reduce the size
of the search space, the presence of multiple
victory conditions does reduce the likely amount of
time that the attacker will need to explore the
space before finding a workable value.
Exploit
Gather information so attack can be
performed independently.:
If possible, gather the necessary information so a
successful search can be determined without
consultation of an external authority. This can be
accomplished by capturing cryptotext (if the goal is
decoding the text) or the encrypted password
dictionary (if the goal is learning
passwords).
Attack Prerequisites
The attacker must be able to determine when they have successfully
guessed the secret. As such, one-time pads are immune to this type of attack
since there is no way to determine when a guess is correct.
Methods of Attack
Brute Force
Attacker Skills or Knowledge Required
Skill or Knowledge Level: Low
The attack simply requires basic scripting ability to automate the
exploration of the search space. More sophisticated attackers may be
able to use more advanced methods to reduce the search space and
increase the speed with which the secret is located.
Resources Required
Ultimately, the speed with which an attacker discovers a secret is directly
proportional to the computational resources the attacker has at their disposal.
This attack method is resource expensive: having large amounts of computational
power do not guarantee timely success, but having only minimal resources makes
the problem intractable against all but the weakest secret selection
procedures.
Indicators-Warnings of Attack
Repeated submissions of incorrect secret values may indicate a brute force
attack. For example, repeated bad passwords when accessing user accounts or
repeated queries to databases using non-existent keys.
Attempts to download files protected by secrets (usually using encryption)
may be a precursor to an offline attack to break the file's encryption and
read its contents. This is especially significant if the file itself
contains other secret values, such as password files.
If the attacker is able to perform the checking offline then there will
likely be no indication that an attack is ongoing.
Obfuscation Techniques
The attack is impossible to detect if the attacker can test for successful
discovery of the secret value independently, without needing to consult an
external authority.
If an external authority must be consulted, the attacker can attempt to
space out their guesses to avoid a large number of failed guesses in a short
period of time, but doing so slows the attack to the point of making it
unworkable against all but the most trivial secret spaces. As such, if an
external authority must be consulted the attacked is unlikely to be able to
keep the attack secret.
Solutions and Mitigations
Select a provably large secret space for selection of the secret. Provably
large means that the procedure by which the secret is selected does not have
artifacts that significantly reduce the size of the total secret
space.
Do not provide the means for an attacker to determine success
independently. This forces the attacker to check their guesses against an
external authority, which can slow the attack and warn the defender. This
mitigation may not be possible if testing material must appear externally,
such as with a transmitted cryptotext.
Protect sensitive data, even when the data is encrypted. If an attacker
can gain access to encrypted data, they can mount a brute-force attack
independently. The defender will not be aware of this attack or be able to
do anything about it and at that point it is purely a function of the
attacker's available resources as to how long it takes them to learn the
secret.
Monitor activity logs for suspicious activity. An attacker that must use
an external authority to check their brute-force guesses is easy to detect,
but only if that external authority is monitoring activity and detects the
abnormally large number of failed guesses.
Related Guidelines
Do not assume secrets will protect sensitive data in the long-term
An attacker manipulates a data buffer to change the execution flow of a
process to a sequence of events the attacker controls. Data buffers in
software applications provide a storage-space for external input. Buffer
attacks provide input the buffer cannot correctly handle. Buffer attacks are
distinguished in that it is the buffer space itself that is the target of
the attack rather than any code responsible for interpreting the content of
the buffer. In virtually all buffer attacks the content that is placed in
the buffer by the user is immaterial. Instead, most buffer attacks involve
providing more input than the buffer can store, resulting in the overwriting
of other program memory or even the program stack with user supplied
input.
Attack Prerequisites
The target must accept input provided by the attacker and store it in a
buffer.
Resources Required
The attacker must posess a programmatic means for supplying data to a buffer,
such as a compiled C or scripted exploit in perl. Network buffer overflows rely
on connectivity of a protocol to deliver the payload.
This attack targets libraries or shared code modules which are vulnerable
to buffer overflow attacks. An attacker who has access to an API may try to
embed malicious code in the API function call and exploit a buffer overflow
vulnerability in the function's implementation. All clients that make use of
the code library thus become vulnerable by association. This has a very
broad effect on security across a system, usually affecting more than one
software process.
Attack Execution Flow
An attacker can call an API exposed by the target
host.
On the probing stage, the attacker injects
malicious code using the API call and observes the
results. The attacker's goal is to uncover a buffer
overflow vulnerability.
The attacker finds a buffer overflow
vulnerability, crafts malicious code and injects it
through an API call. The attacker can at worst
execute remote code on the target host.
Attack Prerequisites
The target host exposes an API to the user.
One or more API functions exposed by the target host has a buffer overflow
vulnerability.
Typical Likelihood of Exploit
Likelihood: High
Methods of Attack
API Abuse
Injection
Examples-Instances
Description
A buffer overflow in the FreeBSD utility setlocale (found in the libc
module) puts many programs at risk all at once.
Description
A buffer overflow in the Xt library of the X windowing system allows
local users to execute commands with root privileges.
Attacker Skills or Knowledge Required
Skill or Knowledge Level: Low
An attacker can simply overflow a buffer by inserting a long string
into an attacker-modifiable injection vector. The result can be a
DoS.
High : Exploiting a buffer overflow to inject malicious code into the
stack of a software system or even the heap can require a higher skill
level.
Solutions and Mitigations
Use a language or compiler that performs automatic bounds checking.
Use secure functions not vulnerable to buffer overflow.
If you have to use dangerous functions, make sure that you do boundary
checking.
Compiler-based canary mechanisms such as StackGuard, ProPolice and the
Microsoft Visual Studio /GS flag. Unless this provides automatic bounds
checking, it is not a complete solution.
Use OS-level preventative functionality. Not a complete solution.
Attack Motivation-Consequences
Denial of Service
Run Arbitrary Code
Information Leakage
Data Modification
Injection Vector
The user supplied data.
Payload
The buffer overrun by the attacker.
Activation Zone
When the function returns control to the main program, it jumps to the return
address portion of the stack frame. Unfortunately that return address may have
been overwritten by the overflowed buffer and the address may contain a call to
a privileged command or to a malicious code.
This attack targets command-line utilities available in a number of
shells. An attacker can leverage a vulnerability found in a command-line
utility to escalate privilege to root.
Attack Execution Flow
Attacker identifies command utilities exposed by
the target host.
On the probing stage, the attacker interacts with
the command utility and observes the results of its
input. The attacker's goal is to uncover a buffer
oveflow in the command utility. For instance the
attacker may find that input data are not properly
validated.
The attacker finds a buffer overflow vulnerability
in the command utility and tries to exploit it. He
crafts malicious code and injects it using the
command utility. The attacker can at worst execute
remote code on the target host.
Attack Prerequisites
The target host exposes a command-line utility to the user.
The command-line utility exposed by the target host has a buffer overflow
vulnerability that can be exploited.
Typical Likelihood of Exploit
Likelihood: High
Methods of Attack
Injection
API Abuse
Examples-Instances
Description
A buffer overflow in the HPUX passwd command allows local users to
gain root privileges via a command-line option.
A buffer overflow in Solaris's getopt command (found in libc)
allows local users to gain root privileges via a long
argv[0].
Attacker Skills or Knowledge Required
Skill or Knowledge Level: Low
An attacker can simply overflow a buffer by inserting a long string
into an attacker-modifiable injection vector. The result can be a
DoS.
High : Exploiting a buffer overflow to inject malicious code into the
stack of a software system or even the heap can require a higher skill
level.
Probing Techniques
The attacker can probe for services available on the target host. Many
services may expose a command utility. For instance Telnet is a service
which can be invoked through a command shell.
Solutions and Mitigations
Carefully review the service's implementation before making it available
to user. For instance you can use manual or automated code review to uncover
vulnerabilities such as buffer overflow.
Use a language or compiler that performs automatic bounds checking.
Use an abstraction library to abstract away risky APIs. Not a complete
solution.
Compiler-based canary mechanisms such as StackGuard, ProPolice and the
Microsoft Visual Studio /GS flag. Unless this provides automatic bounds
checking, it is not a complete solution.
Operational: Use OS-level preventative functionality. Not a complete
solution.
Apply the latest patches to your user exposed services. This may not be a
complete solution, specially against zero day attack.
Do not unnecessarily expose services.
Attack Motivation-Consequences
Privilege Escalation
Run Arbitrary Code
Data Modification
Denial of Service
Information Leakage
Injection Vector
The user supplied data.
Payload
The buffer overrun by the attacker.
Activation Zone
When the function returns control to the main program, it jumps to the return
address portion of the stack frame. Unfortunately that return address may have
been overwritten by the overflowed buffer and the address may contain a call to
a privileged command or to a malicious code.
This attack pattern involves causing a buffer overflow through
manipulation of environment variables. Once the attacker finds that they can
modify an environment variable, they may try to overflow associated buffers.
This attack leverages implicit trust often placed in environment
variables.
Attack Execution Flow
The attacker tries to find an environment variable
which can be overwritten for instance by gathering
information about the target host (error pages,
software's version number, etc.).
The attacker manipulates the environment variable
to contain excessive-length content to cause a
buffer overflow.
The attacker potentially leverages the buffer
overflow to inject maliciously crafted code in an
attempt to execute privileged command on the target
environment.
Attack Prerequisites
The application uses environment variables.
An environment variable exposed to the user is vulnerable to a buffer
overflow.
The vulnerable environment variable uses untrusted data.
Tainted data used in the environment variables is not properly validated.
For instance boundary checking is not done before copying the input data to
a buffer.
Typical Likelihood of Exploit
Likelihood: High
Methods of Attack
Injection
Examples-Instances
Description
A buffer overflow in sccw allows local users to gain root access via
the $HOME environmental variable.
Related Vulnerabilities
CVE-1999-0906
Description
A buffer overflow in the rlogin program involves its consumption of
the TERM environmental variable.
Related Vulnerabilities
CVE-1999-0046
Attacker Skills or Knowledge Required
Skill or Knowledge Level: Low
An attacker can simply overflow a buffer by inserting a long string
into an attacker-modifiable injection vector. The result can be a
DoS.
High : Exploiting a buffer overflow to inject malicious code into the
stack of a software system or even the heap can require a higher skill
level.
Probing Techniques
While interacting with a system an attacker would typically investigate
for environment variables that can be overwritten. The more a user knows
about a system the more likely she will find a vulnerable environment
variable.
On a web environment, the attacker can read the client side code and
search for environment variables that can be overwritten.
There are tools such as Sharefuzz (http://sharefuzz.sourceforge.net/)
which is an environment variable fuzzer for Unix that support loading a
shared library. Attackers can use such tools to uncover a buffer overflow in
an environment variable.
Indicators-Warnings of Attack
If the application does bound checking, it should fail when the data
source is larger than the size of the destination buffer. If the
application's code is well written, that failure should triger an
alert.
Solutions and Mitigations
Do not expose environment variable to the user.
Do not use untrusted data in your environment variables.
Use a language or compiler that performs automatic bounds checking
There are tools such as Sharefuzz (http://sharefuzz.sourceforge.net/)
which is an environment variable fuzzer for Unixes that support loading a
shared library. You can use Sharefuzz to determine if you are exposing an
environment variable vulnerable to buffer overflow.
Attack Motivation-Consequences
Denial of Service
Run Arbitrary Code
Information Leakage
Data Modification
Privilege Escalation
Injection Vector
The user modifiable environment variable.
Payload
User supplied data potentially containing malicious code.
Activation Zone
When the subroutine which uses the environment variable returns control to the
main program, it jumps to the return address portion of the stack frame.
Unfortunately that return address may have been overwritten by the overflowed
buffer and the address may contain a call to a privileged command or to a
malicious code.
In this attack, the target software is given input that the attacker knows
will be modified and expanded in size during processing. This attack relies
on the target software failing to anticipate that the expanded data may
exceed some internal limit, thereby creating a buffer overflow.
Attack Execution Flow
Consider parts of the program where user supplied
data may be expanded by the program. Use a
disassembler and other reverse engineering tools to
guide the search.
Find a place where a buffer overflow occurs due to
the fact that the new expanded size of the string is
not correctly accounted for by the program. This may
happen perhaps when the string is copied to another
buffer that is big enough to hold the original, but
not the expanded string. This may create an
opportunity for planting the payload and redirecting
program execution to the shellcode.
Write the buffer overflow exploit. To be
exploitable, the "spill over" amount (e.g. the
difference between the expanded string length and
the original string length before it was expanded)
needs to be sufficient to allow the overflow of the
stack return pointer (in the case of a stack
overflow), without causing a stack corruption that
would crash the program before it gets to execute
the shellcode. Heap overflow will be more difficult
and will require the attacker to get more lucky, by
perhaps getting a chance to overwrite some of the
accounting information stored as part of using
malloc().
Attack Prerequisites
The program expands one of the parameters passed to a function with input
controlled by the user, but a later function making use of the expanded
parameter erroneously considers the original, not the expanded size of the
parameter.
The expanded parameter is used in the context where buffer overflow may
becomes possible due to the incorrect understanding of the parameter size
(i.e. thinking that it is smaller than it really is).
Typical Likelihood of Exploit
Likelihood: Medium
Methods of Attack
Injection
Examples-Instances
Description
Attack Example: FTP glob()
The glob() function in FTP servers has been susceptible to attack as a
result of incorrect resizing. This is an ftpd glob() Expansion LIST Heap
Overflow Vulnerability. ftp daemon contains a heap-based buffer overflow
condition. The overflow occurs when the LIST command is issued with an
argument that expands into an oversized string after being processed by
glob().
This buffer overflow occurs in memory that is dynamically allocated.
It may be possible for attackers to exploit this vulnerability and
execute arbitrary code on the affected host.
To exploit this, the attacker must be able to create directories on
the target host.
The glob() function is used to expand short-hand notation into
complete file names. By sending to the FTP server a request containing a
tilde (~) and other wildcard characters in the pathname string, a remote
attacker can overflow a buffer and execute arbitrary code on the FTP
server to gain root privileges. Once the request is processed, the
glob() function expands the user input, which could exceed the expected
length. In order to exploit this vulnerability, the attacker must be
able to create directories on the FTP server.
From G. Hoglund and G. McGraw. Exploiting Software: How to Break Code.
Addison-Wesley, February 2004.
Related Vulnerabilities
CVE-2001-0249
Description
Buffer overflow in the glob implementation in libc in NetBSD-current
before 20050914, and NetBSD 2.* and 3.* before 20061203, as used by the
FTP daemon, allows remote authenticated users to execute arbitrary code
via a long pathname that results from path expansion.
The limit computation of an internal buffer was done incorrectly. The
size of the buffer in byte was used as element count, even though the
elements of the buffer are 2 bytes long. Long expanded path names would
therefore overflow the buffer.
Related Vulnerabilities
CVE-2006-6652
Attacker Skills or Knowledge Required
Skill or Knowledge Level: High
Finding this particular buffer overflow may not be trivial. Also,
stack and especially heap based buffer overflows require a lot of
knowledge if the intended goal is aribtrary code execution. Not only
that the attacker needs to write the shell code to accomplish his or her
goals, but the attacker also needs to find a way to get the program
execution to jump to the planted shellcode. There also needs to be
sufficient room for the payload. So not every buffer overflow will be
exploitable, even by a skilled attacker.
Resources Required
Access to the program source or binary. If the program is only available in
binary then a disassembler and other reverse engineering tools will be
helpful.
Solutions and Mitigations
Ensure that when parameter expansion happens in the code that the
assumptions used to determine the resulting size of the parameter are
accurate and that the new size of the parameter is visible to the whole
system
This type of attack leverages the use of symbolic links to cause buffer
overflows. An attacker can try to create or manipulate a symbolic link file
such that its contents result in out of bounds data. When the target
software processes the symbolic link file, it could potentially overflow
internal buffers with insufficient bounds checking.
Attack Execution Flow
The attacker creates or modifies a symbolic link
pointing to a resources (e.g., file, directory). The
content of the symbolic link file includes
out-of-bounds (e.g. excessive length) data.
The target host consumes the data pointed to by
the symbolic link file. The target host may either
intentionally expect to read a symbolic link or it
may be fooled by the replacement of the original
resource and read the attacker's symbolic
link.
While consuming the data, the target host does not
check for buffer boundary which can lead to a buffer
overflow. If the content of the data is controlled
by the attacker, this is an avenue for remote code
execution.
Attack Prerequisites
The attacker can create symbolic link on the target host.
The target host does not perform correct boundary checking while consuming
data from a ressources.
Typical Likelihood of Exploit
Likelihood: High
Methods of Attack
Injection
Modification of Resources
Examples-Instances
Description
The EFTP server has a buffer overflow that can be exploited if an
attacker uploads a .lnk (link) file that contains more than 1,744 bytes.
This is a classic example of an indirect buffer overflow. First the
attacker uploads some content (the link file) and then the attacker
causes the client consuming the data to be exploited. In this example,
the ls command is exploited to compromise the server software.
Attacker Skills or Knowledge Required
Skill or Knowledge Level: Low
An attacker can simply overflow a buffer by inserting a long string
into an attacker-modifiable injection vector. The result can be a
DoS.
Skill or Knowledge Level: High
Exploiting a buffer overflow to inject malicious code into the stack
of a software system or even the heap can require a higher skill
level.
Probing Techniques
The attacker will look for temporary files in the world readable
directories. Those temporary files are often created and read by the
system.
The attacker will look for Symbolic link or link target file that she can
overide.
Indicators-Warnings of Attack
An attacker creating or modifying Symbolic links is a potential signal of
attack in progress.
An attacker deleting temporary files can also be a sign that the attacker
is trying to replace legitimate resources with malicious ones.
Solutions and Mitigations
Pay attention to the fact that the ressource you read from can be a
replaced by a Symbolic link. You can do a Symlink check before reading the
file and decide that this is not a legitimate way of accessing the
resource.
Because Symlink can be modified by an attacker, make sure that the ones
you read are located in protected directories.
Pay attention to the resource pointed to by your symlink links (See attack
pattern named "Forced Symlink race"), they can be replaced by malicious
resources.
Always check the size of the input data before copying to a buffer.
Use a language or compiler that performs automatic bounds checking.
Use an abstraction library to abstract away risky APIs. Not a complete
solution.
Compiler-based canary mechanisms such as StackGuard, ProPolice and the
Microsoft Visual Studio /GS flag. Unless this provides automatic bounds
checking, it is not a complete solution.
Use OS-level preventative functionality. Not a complete solution.
Attack Motivation-Consequences
Denial of Service
Run Arbitrary Code
Information Leakage
Data Modification
Injection Vector
The resource pointed to by the Symbolic link (e.g., file, directory,
etc.)
Payload
The buffer overrun by the attacker.
Activation Zone
When the function returns control to the main program, it jumps to the return
address portion of the stack frame. Unfortunately that return address may have
been overwritten by the overflowed buffer and the address may contain a call to
a privileged command or to a malicious code.
Some web applications require users to submit information through an
ordered sequence of web forms. This is often done if there is a very large
amount of information being collected or if information on earlier forms is
used to pre-populate fields or determine which additional information the
application needs to collect. An attacker who knows the names of the various
forms in the sequence may be able to explicitly type in the name of a later
form and navigate to it without first going through the previous forms. This
can result in incomplete collection of information, incorrect assumptions
about the information submitted by the attacker, or other problems that can
impair the functioning of the application.
Attack Prerequisites
The target must collect information from the user in a series of forms
where each form has its own URL that the attacker can anticipate and the
application must fail to detect attempts to access intermediate forms
without first filling out the previous forms.
Resources Required
No special resources are required for this attack.
An attacker exploits the functionality of cache technologies to cause
specific data to be cached that aids the attackers objectives. This
describes any attack whereby an attacker places incorrect or harmful
material in cache . The targeted cache can be an application's cache (e.g. a
web browser cache) or a public cache (e.g. a DNS or ARP cache). Until the
cache is refreshed, most applications or clients will treat the corrupted
cache value as valid. This can lead to a wide range of exploits including
redirecting web browsers towards sites that install malware and repeatedly
incorrect calculations based on the incorrect value.
Attack Prerequisites
The attacker must be able to modify the value stored in a cache to match a
desired value.
The targeted application must not be able to detect the illicit
modification of the cache and must trust the cache value in its
calculations.
Resources Required
No special resources are required beyond the ability to modify the targeted
cache.
An attack of this type exploits a Web server's decision to take action
based on filename or file extension. Because different file types are
handled by different server processes, misclassification may force the Web
server to take unexpected action, or expected actions in an unexpected
sequence. This may cause the server to exhaust resources, supply debug or
system data to the attacker, or bind an attacker to a remote process.
This type of vulnerability has been found in many widely used servers
including IIS, Lotus Domino, and Orion. The attacker's job in this case is
straightforward, standard communication protocols and methods are used and
are generally appended with malicious information at the tail end of an
otherwise legitimate request. The attack payload varies, but it could be
special characters like a period or simply appending a tag that has a
special meaning for operations on the server side like .jsp for a java
application server. The essence of this attack is that the attacker deceives
the server into executing functionality based on the name of the request,
i.e. login.jsp, not the contents.
Attack Execution Flow
Explore
Footprint file input
vectors:
Manually or using an automated tool, an attacker
searches for all input locations where a user has
control over the filenames or MIME types of files
submitted to the web server.
Attack Step Techniques
ID
Attack Step Technique Description
Environments
1
Attacker manually crawls application to
identify file inputs
env-Web
2
Attacker uses an automated tool to crawl
application identify file inputs
env-Web
3
Attacker manually assesses strength of
access control protecting native application files
from user control
env-Web
4
Attacker explores potential for submitting
files directly to the web server via independently
constructed HTTP Requests
env-Web
Indicators
ID
type
Indicator Description
Environments
1
Positive
Application submits files under user control
to the web server
env-Web
2
Negative
Application does not submit files under user
control to the web server
env-Web
3
Negative
Application strictly protects all native
application files from user control
env-Web
Outcomes
ID
type
Outcome Description
1
Success
User-controllable files are
identified
Experiment
File misclassification
shotgunning:
An attacker makes changes to file extensions and
MIME types typically processed by web servers and
looks for abnormal behavior.
Attack Step Techniques
ID
Attack Step Technique Description
Environments
1
Attacker submits files with switched
extensions (e.g. .php on a .jsp file) to web
server.
env-Web
2
Attacker adds extra characters (e.g. adding
an extra . after the file extension) to filenames
of files submitted to web server.
env-Web
Indicators
ID
type
Indicator Description
Environments
1
Positive
The web server uses the wrong handler to
execute the file, as expected by the
attacker.
env-Web
2
Inconclusive
No result from the web server.
env-Web
3
Negative
The web server ignore the manipulation and
process the request has it should have
been.
env-Web
Outcomes
ID
type
Outcome Description
1
Success
Web server exhibits unexpected
behavior.
Security Controls
ID
type
Security Control Description
2
Detective
Monitor web server
logs for excessive file processing
errors
3
Preventative
Always validate that
file content structure matches implicitly or
explicitly declared file type as first step of
processing.
File misclassification
sniping:
Understanding how certain file types are processed
by web servers, an attacker crafts varying file
payloads and modifies their file extension or MIME
type to be that of the targeted type to see if the
web server is vulnerable to misclassification of
that type.
Attack Step Techniques
ID
Attack Step Technique Description
Environments
1
Craft a malicious file payload, modify file
extension to the targeted file type and submit it
to the web server.
env-Web
2
Craft a malicious file payload, modify its
associated MIME type to the targeted file type and
submit it to the web server.
env-Web
Indicators
ID
type
Indicator Description
Environments
1
Positive
The web server uses the wrong handler to
execute the file, as expected by the
attacker.
env-Web
2
Inconclusive
No result from the web server.
env-Web
3
Negative
The web server ignore the manipulation and
process the request has it should have
been.
env-Web
Outcomes
ID
type
Outcome Description
1
Success
Attacker's payload is acted on
by web server.
2
Failure
The attacker cannot get the web
server to misclassify a
file.
Security Controls
ID
type
Security Control Description
1
Detective
Monitor web server
logs for excessive file processing
errors
2
Preventative
Always validate that
file content structure matches implicitly or
explicitly declared file type as first step of
processing.
Exploit
Disclose information:
The attacker, by manipulating a file extension or
MIME type is able to make the web server return raw
information (not executed).
Attack Step Techniques
ID
Attack Step Technique Description
Environments
1
Manipulate the file names that are
explicitly sent to the server.
env-Web
2
Manipulate the MIME sent in order to confuse
the web server.
env-Web
Outcomes
ID
type
Outcome Description
1
Success
The attacker gets the
information from the server
Security Controls
ID
type
Security Control Description
1
Preventative
Always validate that
file content structure matches implicitly or
explicitly declared file type as first step of
processing.
Attack Prerequisites
Web server software must rely on file name or file extension for
processing.
Typical Likelihood of Exploit
Likelihood: Medium
Methods of Attack
Injection
Modification of Resources
Examples-Instances
Description
J2EE application servers are supposed to execute Java Server Pages
(JSP). There have been disclosure issues relating to Orion Application
Server, where an attacker that appends either a period (.) or space
characters to the end of a legitimate Http request, then the server
displays the full source code in the attacker's web browser.
http://victim.site/login.jsp.
Since remote data and directory access may be accessed directly from
the JSP, this is a potentially very serious issue.
To use misclassification to force the Web server to disclose
configuration information, source, or binary data
Resources Required
Ability to execute HTTP request to Web server
Solutions and Mitigations
Implementation: Server routines should be determined by content not
determined by filename or file extension.
Attack Motivation-Consequences
Information Leakage
Privilege Escalation
Injection Vector
Malicious input delivered through standard Web application calls, e.g. HTTP
Request.
Payload
Varies with instantiation of attack pattern. Malicious payload may alter or
append filename or extension to communicate with processes in unexpected
order.
Activation Zone
Client machine and client network
Payload Activation Impact
Enables attacker to force web server to disclose configuration, source, and
data
An attacker spoofs a checksum message for the purpose of making a payload
appear to have a valid corresponding checksum. Checksums are used to verify
message integrity. They consist of some value based on the value of the
message they are protecting. Hash codes are a common checksum mechanism.
Both the sender and recipient are able to compute the checksum based on the
contents of the message. If the message contents change between the sender
and recipient, the sender and recipient will compute different checksum
values. Since the sender's checksum value is transmitted with the message,
the recipient would know that a modification occurred. In checksum spoofing
an attacker modifies the message body and then modifies the corresponding
checksum so that the recipient's checksum calculation will match the
checksum (created by the attacker) in the message. This would prevent the
recipient from realizing that a change occurred.
Attack Prerequisites
The attacker must be able to intercept a message from the sender (keeping
the recipient from getting it), modify it, and send the modified message to
the recipient.
The sender and recipient must use a checksum to protect the integrity of
their message and transmit this checksum in a manner where the attacker can
intercept and modify it.
The checksum value must be computable using information known to the
attacker. A cryptographic checksum, which uses a key known only to the
sender and recipient, would thwart this attack.
Resources Required
The attacker must be able to intercept and modify messages between the sender
and recipient.
Attackers aware that more data is being fed into a multicast or public
information distribution means can 'select' information bound only for
another client, even if the distribution means itself forces users to
authenticate in order to connect initally.
Doing so allows the attacker to gain access to possibly privileged
information, possibly perpetrate other attacks through the distribution
means by impersonation.
If the channel/message being manipulated is an input rather than output
mechanism for the system, (such as a command bus), this style of attack
could change its identifier from a less privileged to more so privileged
channel or command.
Attack Execution Flow
Determine the nature of messages being transported
as well as the identifiers to be used as part of the
attack
If required, authenticate to the distribution
channel
If any particular client's information is
available through the transport means simply by
selecting a particular identifier, an attacker can
simply provide that particular identifier.
Attackers with client access connecting to output
channels could change their channel identifier and
see someone else's (perhaps more privileged)
data.
Attack Prerequisites
Information and client-sensitive (and client-specific) data must be
present through a distribution channel available to all users.
Distribution means must code (through channel, message identifiers, or
convention) message destination in a manner visible within the distribution
means itself (such as a control channel) or in the messages
themselves.
Typical Likelihood of Exploit
Likelihood: Very High
Examples-Instances
Description
A certain B2B interface on a large application codes for messages
passed over a MQSeries queue, on a single "Partners" channel. Messages
on that channel code for their client destination based on a partner_ID
field, held by each message. That field is a simple integer. Attackers
having access to that channel, perhaps a particularly nosey partner, can
simply choose to store messages of another parnter's ID and read them as
they desire. Note that authentication does not prevent a partner from
leveraging this attack on other partners. It simply disallows Attackers
without partner status from conducting this attack.
Attacker Skills or Knowledge Required
Skill or Knowledge Level: Low
All the attacker needs to discover is the format of the messages on
the channel/distribution means and the particular identifier used within
the messages.
Resources Required
The Attacker needs the ability to control source code or application
configuration responsible for selecting which message/channel id is absorbed
from the public distribution means.
Probing Techniques
Assisted protocol analysis: because the protocol under attack is a public
channel, or one in which the attacker likely has authorized access to, they
need simply to decode the aspect of channel or message interpretation that
codes for message identifiers.
Probing is as simple as changing this value and watching its
effect.
Solutions and Mitigations
Associate some ACL (in the form of a token) with an authenticated user
which they provide middleware. The middleware uses this token as part of its
channel/message selection for that client, or part of a discerning
authorization decision for privileged channels/messages.
The purpose is to architect the system in a way that associates proper
authentication/authorization with each channel/message.
Rearchitect system input/output channels as appropriate to distribute
self-protecting data. That is, encrypt (or otherwise protect)
channels/messages so that only authorized readers can see them.
Use Authentication Mechanisms, Where Appropriate, Correctly
Use Authorization Mechanisms Correctly: this refers to Ambiguity of
authentication. Many authorization systems use ambiguous symbols (i.e.,
principal names) to identify principals allowing circumvention of
authorization by using a different, though equivalent, principal name. For
example, there are many implementations for restricting remote host access
to local services that may allow many proper—but apparently different—names
for unique hosts (e.g., fully qualified domain names, shortened names,
CNAMEs, IPv4 addresses, IPv6 addresses).
Purposes
Penetration
CIA Impact
Confidentiality Impact: Medium
Integrity Impact: Low
Availability Impact: Low
Technical Context
Architectural Paradigms
Client-Server
n-Tier
SOA
Frameworks
All
Platforms
All
Languages
All
Content History
Submissions
Submitter
Organization
Date
Comments
John Steven
Cigital, Inc
2007-02-10
Initial core pattern content
Modifications
Modifier
Organization
Date
Comments
Chiradeep B. Chhaya
Cigital, Inc
2007-02-23
Fleshed out pattern with extra
content
Richard Struse
VOXEM, Inc
2007-03-26
Review and feedback leading to changes in Description
and Related Attack Patterns
Sean Barnum
Cigital, Inc
2007-04-13
Modified pattern content according to review and
feedback
In a clickjacking attack the victim is tricked into unknowingly initiating
some action in one system while interacting with the UI from seemingly
completely different system. While being logged in to some target system,
the victim visits the attacker's malicious site which displays a UI that the
victim wishes to interact with. In reality, the clickjacked page has a
transparent layer above the visible UI with action controls that the
attacker wishes the victim to execute. The victim clicks on buttons or other
UI elements they see on the page which actually triggers the action controls
in the transparent overlaying layer. Depending on what that action control
is, the attacker may have just tricked the victim into executing some
potentially privileged (and most certainly undesired) functionality in the
target system to which the victim is authenticated. The basic problem here
is that there is a dichotomy between what the victim thinks he's clicking on
versus what he or she is actually clicking on.
Attack Execution Flow
Experiment
Craft a clickjacking
page:
The attacker utilizes web page layering techniques
to try to craft a malicious clickjacking page
Attack Step Techniques
ID
Attack Step Technique Description
Environments
1
The attacker leveraged iFrame overlay
capabilities to craft a malicious clickjacking
page
env-Web
2
The attacker leveraged Flash file overlay
capabilities to craft a malicious clickjacking
page
env-Web
3
The attacker leveraged Silverlight overlay
capabilities to craft a malicious clickjacking
page
env-Web
4
The attacker leveraged cross-frame scripting
to craft a malicious clickjacking page
env-Web
Indicators
ID
type
Indicator Description
Environments
1
Positive
Overlay capabilities are enabled in the
browser
env-Web
Outcomes
ID
type
Outcome Description
1
Success
A page is created that performs
unseen actions when the user interacts with the
visible UI
Security Controls
ID
type
Security Control Description
1
Preventative
Disable overlay
functionality in the browser. This can have
obvious impact on the utility of the browser with
some sites and web
applications.
Exploit
Attacker lures victim to clickjacking
page:
Attacker utilizes some form of temptation,
misdirection or coercion to lure the victim to
loading and interacting with the clickjacking pagen
a way that increases the chances that the victim
will click in the right areas.
Attack Step Techniques
ID
Attack Step Technique Description
Environments
1
Lure the victim to the malicious site by
sending the victim an e-mail with a URL to the
site.
env-Web
2
Lure the victim to the malicious site by
manipulating URLs on a site trusted by the
victim.
env-Web
3
Lure the victim to the malicious site
through a cross-site scripting attack.
env-Web
Outcomes
ID
type
Outcome Description
1
Success
The victim loads the
clickjacking page.
Trick victim into interacting with the
clickjacking page in the desired
manner:
The attacker tricks the victim into clicking on
the areas of the UI which contain the hidden action
controls and thereby interacts with the target
system maliciously with the victim's level of
privilege.
Attack Step Techniques
ID
Attack Step Technique Description
Environments
1
Hide action controls over very commonly used
functionality.
env-Web
2
Hide action controls over very
psychologically tempting content.
env-Web
Attack Prerequisites
The victim is communicating with the target application via a web based UI
and not a thick client
The victim's browser security policies allow at least one of the following
JavaScript, Flash, iFrames, ActiveX, or CSS.
The victim uses a modern browser that supports UI elements like clickable
buttons (i.e. not using an old text only browser)
The victim has an active session with the target system.
The target system's interaction window is open in the victim's browser and
supports the ability for initiating sensitive actions on behalf of the user
in the target system
Typical Likelihood of Exploit
Likelihood: Medium
Methods of Attack
Spoofing
Social Engineering
Examples-Instances
Description
A victim has an authenticated session with a site that provides an
electronic payment service to transfer funds between subscribing
members. At the same time, the victim receives an e-mail that appears to
come from an online publication to which he or she subscribes with links
to today's news articles. The victim clicks on one of these links and is
taken to a page with the news story. There is a screen with an
advertisement that appears on top of the news article with the 'skip
this ad' button. Eager to read the news article, the user clicks on this
button. Nothing happens. The user clicks on the button one more time and
still nothing happens.
In reality, the victim activated a hidden action control located in a
transparent layer above the 'skip this ad' button. The ad screen
blocking the news article made it likely that the victim would click on
the 'skip this ad' button. Clicking on the button, actually initiated
the transfer of $1000 from the victim's account with an electronic
payment service to an attacker's account. Clicking on the 'skip this ad'
button the second time (after nothing seemingly happened the first time)
confirmed the transfer of funds to the elctronic payment service.
Attacker Skills or Knowledge Required
Skill or Knowledge Level: High
Crafting the proper malicious site and luring the victim to this site
are not trivial tasks.
Resources Required
Low: A computer connected to the internet.
Solutions and Mitigations
If using the Firefox browser, use the NoScript plug-in that will help
forbid iFrames.
Turn off JavaScript, Flash and disable CSS.
When maintaining an authenticated session with a privileged target system,
do not use the same browser to navigate to unfamiliar sites to perform other
activities. Finish working with the target system and logout first before
proceeding to other tasks.
Enforce maximum security restrictions in the browser: JavaScript disabled,
Flash disabled, CSS disabled, iFrames forbidden
Related Security Principles
Shed elevated privileges as soon as possible (i.e. log out of the target
application once finished with it and before doing other things in the
browser)
This attack utilizes the frequent client-server roundtrips in Ajax
conversation to scan a system. While Ajax does not open up new
vulnerabilities per se, it does optimize them from an attacker point of
view. In many XSS attacks the attacker must get a "hole in one" and
successfully exploit the vulnerability on the victim side the first time,
once the client is redirected the attacker has many chances to engage in
follow on probes, but their is only one first chance. In a widely used web
application this is not a major problem because 1 in a 1,000 is good enough
in a widely used application.
A common first step for an attacker is to footprint the environment to
understand what attacks will work. Since footprinting relies on enumeration,
the conversational pattern of rapid, multiple requests and responses that
are typical in Ajax applications enable an attacker to look for many
vulnerabilities, well known ports, network locations and so on.
Attack Prerequisites
The user must allow Javscript to execute in their browser
Typical Likelihood of Exploit
Likelihood: High
Methods of Attack
Protocol Manipulation
Injection
Brute Force
Examples-Instances
Description
Footprinting can be executed over almost any protocol including HTTP,
TCP, UDP, and ICMP, with the general goal of gaining further information
about a host environment to launch further attacks. By appending a
malicious script to an otherwise normal looking URL, the attacker can
probe the sysem for banners, vulnerabilities, filenames, available
services, and in short anything the host process has access to. The
results of the probe are either used to execute additional javascript
(for example, if the attacker's footprint script identifies a
vulnerability in a firewall permission, then the client side script
executes a javascript to change client firewall settings, or an attacker
may simply echo the results of the scan back out to a remote host for
targeting future attacks).
Attacker Skills or Knowledge Required
Skill or Knowledge Level: Medium
To land and launch a script on victim's machine with appropriate
footprinting logic for enumerating services and vulnerabilities in
Javascript
Solutions and Mitigations
Design: Use browser technologies that do not allow client side
scripting.
Design: Utilize strict type, character, and encoding enforcement
Implementation: Ensure all content that is delivered to client is
sanitized against an acceptable content specification.
Implementation: Perform input validation for all remote content.
Implementation: Perform output validation for all remote content.
Implementation: Disable scripting languages such as Javascript in
browser
Implementation: Patching software. There are many attack vectors for XSS
on the client side and the server side. Many vulnerabilities are fixed in
service packs for browser, web servers, and plug in technologies, staying
current on patch release that deal with XSS countermeasures mitigates
this.
Attack Motivation-Consequences
Information Leakage
Injection Vector
Payload delivered through standard communication protocols, such as Ajax
application.
Payload
Command(s) executed directly on host
Activation Zone
Client machine and client network
Payload Activation Impact
Enables attacker to execute probes against client system.
This type of attack exploits a buffer overflow vulnerability in targeted
client software through injection of malicious content from a custom-built
hostile service.
Attack Execution Flow
The attacker creates a custom hostile
service
The attacker acquires information about the kind
of client attaching to her hostile service to
determine if it contains an exploitable buffer
overflow vulnerability.
The attacker intentionally feeds malicious data to
the client to exploit the buffer overflow
vulnerability that she has uncovered.
The attacker leverages the exploit to execute
arbitrary code or to cause a denial of
service.
View Data
