In applications, particularly web applications, access to functionality is
mitigated by the authorization framework, whose job it is to map ACLs to
elements of the application's functionality; particularly URL's for web
apps. In the case that the application deployer failed to specify an ACL for
a particular element, an attacker may be able to access it with impunity. An
attacker with the ability to access functionality not properly constrained
by ACLs can obtain sensitive information and possibly compromise the entire
application. Such an attacker can access resources that must be available
only to users at a higher privilege level, can access management sections of
the application or can run queries for data that he is otherwise not
supposed to.
Attack Execution Flow
Explore
Survey:
The attacker surveys the target application,
possibly as a valid and authenticated user
Attack Step Techniques
ID
Attack Step Technique Description
Environments
1
Spidering web sites for all available
links
env-Web
2
Brute force guessing of resource
names
env-All
3
Brute force guessing of user names /
credentials
env-All
4
Brute force guessing of function names /
actions
env-All
Indicators
ID
Type
Indicator Description
Environments
1
Positive
ACLs or other access control mechanisms are
present in the software
env-Web
env-ClientServer
2
Positive
User IDs or other credentials are present in
the software
env-Web
env-ClientServer
3
Positive
Operating modes with different privileges
are present in the software
env-ClientServer env-Local
env-Embedded
Identify
Functionality:
At each step, the attacker notes the resource or
functionality access mechanism invoked upon
performing specific actions
Attack Step Techniques
ID
Attack Step Technique Description
Environments
1
Use the web inventory of all forms and
inputs and apply attack data to those
inputs.
env-Web
2
Use a packet sniffer to capture and record
network traffic
env-CommProtocol
3
Execute the software in a debugger and
record API calls into the operating system or
important libraries. This might occur in an
environment other than a production environment,
in order to find weaknesses that can be exploited
in a production environment.
env-Local env-Embedded
Outcomes
ID
Type
Outcome Description
1
Success
The attacker produces a list of
functionality or data that can be accessed through
the system.
Experiment
Iterate over access
capabilities:
Possibly as a valid user, the attacker then tries
to access each of the noted access mechanisms
directly in order to perform functions not
constrained by the ACLs.
Attack Step Techniques
ID
Attack Step Technique Description
Environments
1
Fuzzing of API parameters (URL parameters,
OS API parameters, protocol parameters)
env-Web env-Local env-Embedded
env-ClientServer
Indicators
ID
Type
Indicator Description
Environments
1
Negative
Attempts to create a catalog of access
mechanisms and data have failed.
env-All
Outcomes
ID
Type
Outcome Description
1
Success
Functionality is accessible to
unauthorized users.
Attack Prerequisites
The application must be navigable in a manner that associates elements
(subsections) of the application with ACLs.
The various resources, or individual URLs, must be somehow discoverable by
the attacker
The deployer must have forgotten to associate an ACL or has associated an
inappropriately permissive ACL with a particular navigable resource.
Typical Likelihood of Exploit
Likelihood: Very High
Methods of Attack
Analysis
Brute Force
Examples-Instances
Description
Implementing the Model-View-Controller (MVC) within Java EE's Servlet
paradigm using a "Single front controller" pattern that demands that
brokered HTTP requests be authenticated before hand-offs to other Action
Servlets.
If no security-constraint is placed on those Action Servlets, such
that positively no one can access them, the front controller can be
subverted.
Attacker Skills or Knowledge Required
Skill or Knowledge Level: Low
In order to discover unrestricted resources, the attacker does not
need special tools or skills. He only has to observe the resources or
access mechanisms invoked as each action is performed and then try and
access those access mechanisms directly.
Resources Required
No special resources are required for the exploit of this pattern.
Probing Techniques
Description
In the case of web applications, use of a spider or other crawling
software can allow an attacker to search for accessible pages not
beholden to a security constraint.
Description
More generally, noting the target resource accessed upon performing
specific actions drives an understanding of the resources accessible
from the current context.
Solutions and Mitigations
In a J2EE setting, deployers can associate a role that is impossible for
the authenticator to grant users, such as "NoAccess", with all Servlets to
which access is guarded by a limited number of servlets visible to, and
accessible by, the user.
Having done so, any direct access to those protected Servlets will be
prohibited by the web container.
In a more general setting, the deployer must mark every resource besides
the ones supposed to be exposed to the user as accessible by a role
impossible for the user to assume. The default security setting must be to
deny access and then grant access only to those resources intended by
business logic.
All resources must be constrained to be inaccessible by default followed
by selectively allowing access to resources as dictated by application and
business logic
In addition to a central controller, every resource must also restrict,
wherever possible, incoming accesses as dictated by the relevant ACL.
Related Security Principles
Failing Securely
Least Privilege
Reluctance To Trust
Complete Mediation
Related Guidelines
Use Authorization Mechanisms Correctly
Design Configuration Subsystems Correctly and Distribute Safe Default
Configurations
Purposes
Penetration
CIA Impact
Confidentiality Impact: High
Integrity Impact: Medium
Availability Impact: Low
Technical Context
Architectural Paradigms
All
Frameworks
All
Platforms
All
Languages
All
Content History
Submissions
Submitter
Organization
Date
Comments
John Steven
Cigital, Inc
2007-02-10
Initial core pattern content
Modifications
Modifier
Organization
Date
Comments
Chiradeep B. Chhaya
Cigital, Inc
2007-02-23
Fleshed out pattern with extra
content
Richard Struse
VOXEM, Inc
2007-03-26
Review and feedback leading to changes in Attack
Execution Flow, Attack Prerequisites, Examples and
Solutions
Sean Barnum
Cigital, Inc
2007-04-13
Modified pattern content according to review and
feedback
An attack of this type exploits a system's configuration that allows an
attacker to either directly access an executable file, for example through
shell access; or in a possible worst case allows an attacker to upload a
file and then execute it. Web servers, ftp servers, and message oriented
middleware systems which have many integration points are particularly
vulnerable, because both the programmers and the administrators must be in
synch regarding the interfaces and the correct privileges for each
interface.
Attack Prerequisites
System's configuration must allow an attacker to directly access
executable files or upload files to execute. This means that any access
control system that is supposed to mediate communications between the
subkect and the object is set incorrectly or assumes a benign
environment.
Typical Likelihood of Exploit
Likelihood: High
Methods of Attack
Modification of Resources
API Abuse
Examples-Instances
Description
Consider a directory on a web server with the following
permissions
drwxrwxrwx 5 admin public 170 Nov 17 01:08 webroot
This could allow an attacker to both execute and upload and execute
programs' on the web server. This one vulnerability can be exploited by
a threat to probe the system and identify additional vulnerabilities to
exploit.
Attacker Skills or Knowledge Required
Skill or Knowledge Level: Low
To identify and execute against an overprivileged system
interface
Resources Required
Ability to communicate synchronously or asynchronously with server that
publishes an overprivileged directory, program, or interface. Optionally,
ability to capture output directly through synchronous communication or other
method such as FTP.
Solutions and Mitigations
Design: Enforce principle of least privilege
Design: Run server interfaces with a non-root account and/or utilize
chroot jails or other configuration techniques to constrain privileges even
if attacker gains some limited access to commands.
Implementation: Perform testing such as pentesting and vulnerability
scanning to identify directories, programs, and interfaces that grant direct
access to executables.
Attack Motivation-Consequences
Scope
Technical Impact
Note
Confidentiality
Integrity
Availability
Execute unauthorized code or
commands
Integrity
Modify application
data
Confidentiality
Read application
data
Confidentiality
Access_Control
Authorization
Gain privileges / assume
identity
Injection Vector
Payload delivered through standard communication protocols.
Payload
Command(s) executed directly on host
Activation Zone
Client machine and client network
Payload Activation Impact
Description
Enables attacker to execute server side code with any commands that the
program owner has privileges to.
This attack relies on the use of HTTP Cookies to store credentials, state
information and other critical data on client systems.
The first form of this attack involves accessing HTTP Cookies to mine for
potentially sensitive data contained therein.
The second form of this attack involves intercepting this data as it is
transmitted from client to server. This intercepted information is then used
by the attacker to impersonate the remote user/session.
The third form is when the cookie's content is modified by the attacker
before it is sent back to the server. Here the attacker seeks to convince
the target server to operate on this falsified information.
Attack Execution Flow
Explore
Obtain copy of cookie:
The attacker first needs to obtain a copy of the
cookie. The attacker may be a legitimate end user
wanting to escalate privilege, or could be somebody
sniffing on a network to get a copy of HTTP
cookies.
Attack Step Techniques
ID
Attack Step Technique Description
Environments
1
Obtain cookie from local filesystem (e.g.
C:\Documents and Settings\*\Cookies and
C:\Documents and Settings\*\Application
Data\Mozilla\Firefox\Profiles\*\cookies.txt in
Windows)
env-Web
2
Sniff cookie using a network sniffer such as
Wireshark
env-Web
3
Obtain cookie from local memory or
filesystem using a utility such as the Firefox
Cookie Manager or AnEC Cookie Editor.
env-Web
4
Steal cookie via a cross-site scripting
attack.
env-Web
5
Guess cookie contents if it contains
predictable information.
env-Web
Indicators
ID
Type
Indicator Description
Environments
1
Positive
Cookies used in web application.
env-Web
2
Negative
Cookies not used in web application.
env-Web
Outcomes
ID
Type
Outcome Description
1
Success
Cookie captured by
attacker.
2
Failure
Cookie cannot be captured by
attacker.
Security Controls
ID
Type
Security Control Description
1
Preventative
To prevent network
sniffing, cookies should be transmitted over HTTPS
and not plain HTTP. To enforce this on the client
side, the "secure" flag should be set on cookies
(javax.servlet.http.Cookie.setSecure() in Java,
secure flag in setcookie() function in php,
etc.).
Experiment
Obtain sensitive information from
cookie:
The attacker may be able to get sensitive
information from the cookie. The web application
developers may have assumed that cookies are not
accessible by end users, and thus, may have put
potentially sensitive information in them.
Attack Step Techniques
ID
Attack Step Technique Description
Environments
1
If cookie shows any signs of being encoded
using a standard scheme such as base64, decode
it.
env-Web
2
Analyze the cookie's contents to determine
whether it contains any sensitive
information.
env-Web
Indicators
ID
Type
Indicator Description
Environments
1
Negative
Cookie only contains a random session ID
(e.g. ASPSESSIONID, JSESSIONID, etc.)
env-Web
2
Positive
Cookie contains sensitive information (e.g.
"ACCTNO=0234234", or "DBIP=0xaf112a22" -- database
server's IP address).
env-Web
3
Inconclusive
Cookie's contents cannot be
deciphered.
env-Web
Outcomes
ID
Type
Outcome Description
1
Success
Cookie contains sensitive
information that developer did not intent the end
user to see.
2
Failure
Cookie does not contain any
sensitive information.
Security Controls
ID
Type
Security Control Description
3
Preventative
Do not store sensitive
information in cookies unless they are encrypted
such that only the server can decrypt
them.
Modify cookie to subvert security
controls.:
The attacker may be able to modify or replace
cookies to bypass security controls in the
application.
Attack Step Techniques
ID
Attack Step Technique Description
Environments
1
Modify logical parts of cookie and send it
back to server to observe the effects.
env-Web
2
Modify numeric parts of cookie
arithmetically and send it back to server to
observe the effects.
env-Web
3
Modify cookie bitwise and send it back to
server to observe the effects.
env-Web
4
Replace cookie with an older legitimate
cookie and send it back to server to observe the
effects. This technique would be helpful in cases
where the cookie contains a "points balance" for a
given user where the points have some value. The
user may spend his points and then replace his
cookie with an older one to restore his
balance.
env-Web
Outcomes
ID
Type
Outcome Description
1
Success
Subversion of security controls
on server
2
Failure
Cookie reset by
server
Security Controls
ID
Type
Security Control Description
1
Detective
Web server logs
contain many messages indicating that invalid
cookies were received from
client.
2
Preventative
Cookies should not
contain any information that the user is not
allowed to modify, unless that information is
never expected to change. In the latter case, the
integrity of the cookie should be protected using
a digital signature or a message authentication
code.
Attack Prerequisites
Target server software must be a HTTP daemon that relies on
cookies.
Typical Likelihood of Exploit
Likelihood: High
Methods of Attack
Modification of Resources
API Abuse
Protocol Manipulation
Time and State
Examples-Instances
Description
There are two main attack vectors for exploiting poorly protected
session variables like cookies. One is the local machine itself which
can be exploited directly at the physical level or indirectly through
XSS and phising. In addition, the man in the middle attack relies on a
network sniffer, proxy, or other intermediary to intercept the subject's
credentials and use them to impersonate the digital subject on the host.
The issue is that once the credentials are intercepted, impersonation is
trivial for the attacker to accomplish if no other protection mechanisms
are in place.
Attacker Skills or Knowledge Required
Skill or Knowledge Level: Low
To overwrite session cookie data, and submit targeted attacks via
HTTP
High: Exploiting a remote buffer overflow generated by attack
Resources Required
Ability to send HTTP request containing cookie to server
Solutions and Mitigations
Design: Use input validation for cookies
Design: Generate and validate MAC for cookies
Implementation: Use SSL/TLS to protect cookie in transit
Implementation: Ensure the web server implements all relevant security
patches, many exploitable buffer overflows are fixed in patches issued for
the software.
Attack Motivation-Consequences
Scope
Technical Impact
Note
Confidentiality
Read application
data
Integrity
Modify application
data
Confidentiality
Access_Control
Authorization
Gain privileges / assume
identity
Injection Vector
HTTP cookie
Payload
Malicious input delivered through cookie in HTTP Request.
Activation Zone
Client software, such as a browser and its component libraries, or an
intermediary
Payload Activation Impact
Description
1. Enables attacker to leverage state stored in cookie
2. Enables attacker a vector to attack web server and platform
An attacker is able to disguise one action for another and therefore trick
a user into initiating one type of action when they intend to initiate a
different action. For example, a user might be led to believe that clicking
a button will submit a query, but in fact it downloads software. Attackers
may perform this attack through social means, such as by simply convincing a
victim to perform the action or relying on a user's natural inclination to
do so, or through technical means, such as a clickjacking attack where a
user sees one interface but is actually interacting with a second,
invisible, interface.
Attack Prerequisites
The victim must be convinced into performing the decoy action.
Resources Required
The attacker must have enough control over a user's interface to present them
with a decoy action as well as the actual malicious action. Simple versions of
this attack can be performed using web pages requiring only that the attacker be
able to host (or control) content that the user visits.
An attacker engages in activity to detect the operating system or firmware
version of a remote target by interrogating a device, server, or platform
with a probe designed to solicit behavior that will reveal information about
the operating systems or firmware in the environment. Operating System
detection is possible because implementations of common protocols (Such as
IP or TCP) differ in distinct ways. While the implementation differences are
not sufficient to 'break' compatibility with the protocol the differences
are detectable because the target will respond in unique ways to specific
probing activity that breaks the semantic or logical rules of packet
construction for a protocol. Different operating systems will have a unique
response to the anomalous input, providing the basis to fingerprint the OS
behavior. This type of OS fingerprinting can distinguish between operating
system types and versions.
Target Attack Surface
Target Attack Surface Description
Targeted OSI Layers:
Network Layer
Target Attack Surface Localities
Server-side
Target Attack Surface Types:
Host
Target Functional Services
Target Functional Service 1: None
Protocol 1: Any
Related Protocol: Internet Protocol
Relationship Type
Uses Protocol
Related Protocol: User Datagram Protocol
Relationship Type
Uses Protocol
Related Protocol: lnternet Control Messaging Protocol
Relationship Type
Uses Protocol
Related Protocol: Transmission Control Protocol
Relationship Type
Uses Protocol
Attack Prerequisites
The ability to send and receive packets from a remote target, or the
ability to passively monitor network communications.
Resources Required
Any type of active probing that involves non-standard packet headers requires
the use of raw sockets, which is not available on particular operating systems
(Microsoft Windows XP SP 2, for example). Raw socket manipulation on unix/linux
requires root privileges. Installing a listener on the network requires access
to at least one host, and the privileges to interface with the network interface
card.
Stuart McClure,
Joel Scambray and George Kurtz.
"Hacking Exposed: Network Security Secrets &
Solutions". 6th Edition. McGraw Hill, ISBN: 978-0-07-161374-3. 2009.
This attack against older telephone switches and trunks has been around
for decades. The signal is sent by the attacker to impersonate a supervisor
signal. This has the effect of rerouting or usurping command of the line and
call. While the US infrastructure proper may not contain widespread
vulnerabilities to this type of attack, many companies are connected
globally through call centers and business process outsourcing. These
international systems may be operated in countries which have not upgraded
telco infrastructure and so are vulnerable to Blue boxing.
Blue boxing is a result of failure on the part of the system to enforce
strong authentication for administrative functions. While the infrastructure
is different than standard current applications like web applications, there
are hisotrical lessons to be learned to upgrade the access control for
administrative functions.
Attack Prerequisites
System must use weak authentication mechanisms for administrative
functions.
Typical Likelihood of Exploit
Likelihood: Medium
Methods of Attack
Injection
Protocol Manipulation
Examples-Instances
Description
Attacker identifies a vulnerable CCITT-5 phone line, and sends a
combination tone to the switch in order to request administrative
access. Based on tone and timing parameters the request is verified for
access to the switch. Once the attacker has gained control of the switch
launching calls, routing calls, and a whole host of opportunities are
available.
Attacker Skills or Knowledge Required
Skill or Knowledge Level: Low
Given a vulnerable phone system, the attacker's technical vector
relies on attacks that are well documented in cracker 'zines and have
been around for decades.
Resources Required
CCITT-5 or other vulnerable lines, with the ability to send tones such as
combined 2,400 Hz and 2,600 Hz tones to the switch
Solutions and Mitigations
Implementation: Upgrade phone lines. Note this may be prohibitively
expensive
Use strong access control such as two factor access control for
adminsitrative access to the switch
Attack Motivation-Consequences
Scope
Technical Impact
Note
Availability
DoS: resource consumption
(other)
Confidentiality
Access_Control
Authorization
Gain privileges / assume
identity
Injection Vector
Payload delivered through standard communication protocols.
An attacker performs an analysis of a target system, protocol, message, or
application in order to overcome protections on the target or as a precursor
to other attacks. Analysis can involve dissection of an application,
analysis of message patterns, formal analysis of protocols, or other
methods. The outcome of these attacks can be disclosure of sensitive
information, or disclosure of security configuration that leads to further
attacks targeted to discovered weaknesses.
Attack Prerequisites
Any entity that can be observed by an attacker could potentially be
vulnerable to an analysis attack.
Resources Required
Most analysis attacks require tools in order to collect information about the
target. For example, scanning suites and packet sniffers might be used to
analyze a web service or protocol. Moreover, following collection of
information, some attacks require additional tools in order to process the
discovered data. Cryptanalysis applications are one example of such tools.
Finally, some of these attacks require a high level of sophistication on the
part of an attacker in order to extract useful results from collected
information.
Solutions and Mitigations
Implementation: When possible, minimize the information a system displays
about itself, including minimizing unnecessary information in error messages
and other descriptive messages.
Design: Utilize techniques to minimize covert information. For example,
intentionally throttling network throughput can hide an entities true
throughput potential.
An attacker manipulates the processing of Application Programming
Interface (API) resulting in the API's function having an adverse impact
upon the security of the system or application implementing the API. This
can allow the attacker to execute functionality not intended by the API
implementation, possibly compromising the system or application which
integrates the API. API Abuse can take on a number of forms. For example,
the API may trust that the calling function properly validates its data and
thus it may be manipulated by supplying metacharacters or alternate
encodings as input, resulting in any number of injection flaws, including
SQL injection, cross-site scripting, or command execution. Another example
could be API methods that should be disabled in a production application but
were not, thus exposing dangerous functionality within a production
environment.
Attack Prerequisites
The target system must expose API functionality in a manner that can be
discovered and manipulated by an attacker. This may require reverse
engineering the API syntax or decrypting/de-obfuscating client-server
exchanges.
Resources Required
The requirements vary depending upon the nature of the API. For
application-layer APIs related to the processing of the HTTP protocol, one or
more of the following may be needed: a MITM (Man-In-The-Middle) proxy, a web
browser, or a programming/scripting language.
An attacker manipulates either egress or ingress data from a client within
an application framework in order to change the destination and/or content
of buttons displayed to a user within API messages. Performing this attack
allows the attacker to manipulate content in such a way as to produce
messages or content that looks authentic but contains buttons that point to
an attacker controlled destination. For example, an in-game event occurs and
the attacker traps the result, which turns out to be a form that will be
populated to their primary profile. The attacker, using a MITM proxy,
observes the following data:
By altering the destination of "Claim_Link" to point to the attackers
server an unwitting victim can be enticed to click the link. Another example
would be for the attacker to rewrite the button destinations for an event so
that clicking "Yes" or "No" causes the user to load the attackers code.
Target Attack Surface
Target Attack Surface Description
Targeted OSI Layers:
Application Layer
Target Attack Surface Localities
Server-side
Target Attack Surface Types:
Host
Target Functional Services
Target Functional Service 1: None
Protocol 1: HTTP
Related Protocol: Internet Protocol
Relationship Type
Uses Protocol
Related Protocol: Transmission Control Protocol
Relationship Type
Uses Protocol
Attack Prerequisites
Targeted software is utilizing application framework APIs
Resources Required
A software program that allows a user to man-in-the-middle communications
between the client and server, such as a man-in-the-middle proxy.
An attacker manipulates either egress or ingress data from a client within
an application framework in order to change the content of messages.
Performing this attack can allow the attacker to gain unauthorized
privileges within the application, or conduct attacks such as phishing,
deceptive strategies to spread malware, or traditional web-application
attacks. The techniques require use of specialized software that allow the
attacker to man-in-the-middle communications between the web browser and the
remote system. Despite the use of MITM software, the attack is actually
directed at the server, as the client is one node in a series of content
brokers that pass information along to the application framework.
Additionally, it is not true "Man-in-the-Middle" attack at the network
layer, but an application-layer attack the root cause of which is the master
applications trust in the integrity of code supplied by the client.
Target Attack Surface
Target Attack Surface Description
Targeted OSI Layers:
Application Layer
Target Attack Surface Localities
Server-side
Target Attack Surface Types:
Host
Target Functional Services
Target Functional Service 1: None
Protocol 1: HTTP
Related Protocol: Internet Protocol
Relationship Type
Uses Protocol
Related Protocol: Transmission Control Protocol
Relationship Type
Uses Protocol
Attack Prerequisites
Targeted software is utilizing application framework APIs
Resources Required
A software program that allows a user to man-in-the-middle communications
between the client and server, such as a man-in-the-middle proxy.
In a Session Fixation attack, the attacker provides a credential and
coerces a user into using that credential when authenticating with the
server. If the format of credentials is anything but trivial, the
attacker would need to forge a valid-looking credential first.
An attacker manipulates either egress or ingress data from a client within
an application framework in order to change the destination and/or content
of links/buttons displayed to a user within API messages. Performing this
attack allows the attacker to manipulate content in such a way as to produce
messages or content that looks authentic but contains links/buttons that
point to an attacker controlled destination. Some applications make
navigation remapping more difficult to detect because the actual HREF values
of images, profile elements, and links/buttons are masked. One example would
be to place an image in a user's photogallery that when clicked upon
redirected the user to an off-site location. Also, traditional web
vulnerabilities (such as CSRF) can be constructed with remapped buttons or
links. In some cases navigation remapping can be used for Phishing attacks
or even means to artificially boost the page view, user site reputation, or
click-fraud.
Target Attack Surface
Target Attack Surface Description
Targeted OSI Layers:
Transport Layer
Target Attack Surface Localities
Server-side
Target Attack Surface Types:
Host
Target Functional Services
Target Functional Service 1: None
Protocol 1: HTTP
Related Protocol: Internet Protocol
Relationship Type
Uses Protocol
Related Protocol: Transmission Control Protocol
Relationship Type
Uses Protocol
Attack Prerequisites
Targeted software is utilizing application framework APIs
Resources Required
A software program that allows a user to man-in-the-middle communications
between the client and server, such as a man-in-the-middle proxy.
An attacker changes the behavior or state of a targeted application
through injecting data or command syntax through the targets use of
non-validated and non-filtered arguments of exposed services or
methods.
Attack Execution Flow
Explore
Discovery of potential injection
vectors:
Using an automated tool or manual discovery, the
attacker identifies services or methods with
arguments that could potentially be used as
injection vectors (OS, API, SQL procedures,
etc.).
Attack Step Techniques
ID
Attack Step Technique Description
Environments
1
Manually cover the application and record
the possible places where arguments could be
passed into external systems.
env-All
2
Use a spider, for web applications, to
create a list of URLs and associated
inputs.
env-All
Indicators
ID
Type
Indicator Description
Environments
1
Positive
Arguments are used by the application in
exposed services or methods
env-All
2
Inconclusive
No parameters appear to be used.
env-All
3
Negative
Application does not use any inputs.
env-All
Outcomes
ID
Type
Outcome Description
1
Success
A list of parameters, arguments
to modify is identified.
2
Success
A list of URLs, with their
corresponding parameters (POST, GET, COOKIE, etc.)
is created by the attacker.
Security Controls
ID
Type
Security Control Description
1
Detective
Monitor velocity of
page fetching in web logs. Humans who view a page
and select a link from it will click far slower
and far less regularly than tools. Tools make
requests very quickly and the requests are
typically spaced apart regularly (e.g. 0.8 seconds
between them).
2
Detective
Create links on some
pages that are visually hidden from web browsers.
Using IFRAMES, images, or other HTML techniques,
the links can be hidden from web browsing humans,
but visible to spiders and programs. A request for
the page, then, becomes a good predictor of an
automated tool probing the
application.
3
Preventative
Use CAPTCHA to prevent
the use of the application by an automated
tool.
4
Preventative
Actively monitor the
application and either deny or redirect requests
from origins that appear to be
automated.
Experiment
1. Attempt variations on argument
content:
Possibly using an automated tool, the attacker
will perform injection variations of the
arguments.
Attack Step Techniques
ID
Attack Step Technique Description
Environments
1
Use a very large list of probe strings in
order to detect if there is a positive result,
and, what type of system has been targeted (if
obscure).
env-All
2
Use a proxy tool to record results, error
messages and/or log if accessible.
env-All
Indicators
ID
Type
Indicator Description
Environments
1
Positive
The application behaves like the injection
has been a success.
env-All
2
Inconclusive
No result appears.
env-All
Outcomes
ID
Type
Outcome Description
1
Failure
It is possible to monitor the
application and to see that the argument has been
validated.
Security Controls
ID
Type
Security Control Description
1
Preventative
Actively monitor
malicious inputs.
2
Detective
Monitor the services
and/or methods uses of the
arguments.
Exploit
Abuse of the
application:
The attacker injects specific syntax into a
particular argument in order to generate a specific
malicious effect in the targeted application.
Attack Step Techniques
ID
Attack Step Technique Description
Environments
1
Manually inject specific payload into
targeted argument.
env-All
Outcomes
ID
Type
Outcome Description
1
Success
The attacker observes desired
effect.
Security Controls
ID
Type
Security Control Description
2
Preventative
Actively monitor
malicious inputs.
3
Detective
Monitor the services
and/or methods uses of the
arguments.
Attack Prerequisites
Target software fails to strip all user-supplied input of any content that
could cause the shell to perform unexpected actions.
Software must allow for unvalidated or unfiltered input to be executed on
operating system shell, and, optionally, the system configuration must allow
for output to be sent back to client.
Typical Likelihood of Exploit
Likelihood: High
Methods of Attack
Injection
Examples-Instances
Description
A recent example instance of argument injection occurred against Java
Web Start technology, which eases the client side deployment for Java
programs. The JNLP files that are used to describe the properties for
the program. The client side Java runtime used the arguments in the
property setting to define execution parameters, but if the attacker
appends commands to an otherwise legitimate property file, then these
commands are sent to the client command shell.
The attacker has to identify injection vector, identify the operating
system-specific commands, and optionally collect the output.
Resources Required
Ability to communicate synchronously or asynchronously with server.
Optionally, ability to capture output directly through synchronous communication
or other method such as FTP.
Solutions and Mitigations
Design: Do not program input values directly on command shell, instead
treat user input as guilty until proven innocent. Build a function that
takes user input and converts it to applications specific types and values,
stripping or filtering out all unauthorized commands and characters in the
process.
Design: Limit program privileges, so if metacharcters or other methods
circumvent program input validation routines and shell access is attained
then it is not running under a privileged account. chroot jails create a
sandbox for the application to execute in, making it more difficult for an
attacker to elevate privilege even in the case that a compromise has
occurred.
Implementation: Implement an audit log that is written to a separate host,
in the event of a compromise the audit log may be able to provide evidence
and details of the compromise.
Attack Motivation-Consequences
Scope
Technical Impact
Note
Confidentiality
Access_Control
Authorization
Gain privileges / assume
identity
Integrity
Modify application
data
Confidentiality
Read application
data
Injection Vector
Malicious input delivered through standard input, the attacker inserts
additional arguments on the application's standard interface
Payload
Varies with instantiation of attack pattern. Malicious payload either pass
commands through valid paramters or supply metacharacters that cause unexpected
termination that redirects to shell
Activation Zone
Client machine and client network (e..g Intranet)
Payload Activation Impact
Description
Enables attacker to execute server side code with any commands that the
program owner has privileges to, this is particularly problematic when the
sprogram is run as a system or privileged account.
An attacker exploits a data structure shared between multiple applications
or an application pool to affect application behavior. Data may be shared
between multiple applications or between multiple threads of a single
application. Data sharing is usually accomplished through mutual access to a
single memory location. If an attacker can manipulate this shared data
(usually by co-opting one of the applications or threads) the other
applications or threads using the shared data will often continue to trust
the validity of the compromised shared data and use it in their
calculations. This can result in invalid trust assumptions, corruption of
additional data through the normal operations of the other users of the
shared data, or even cause a crash or compromise of the sharing
applications.
Attack Prerequisites
The target applications (or target application threads) must share data
between themselves.
The attacker must be able to manipulate some piece of the shared data
either directly or indirectly and the other users of the data must accept
the changed data as valid.
Resources Required
The attacker must be able to change the shared data. Usually this requires
that the attacker be able to compromise one of the sharing applications or
threads in order to manipulated the shared data.
An attacker obtains unauthorized access to an application, service or
device either through knowledge of the inherent weaknesses of an
authentication mechanism, or by exploiting a flaw in the authentication
scheme's implementation. In such an attack an authentication mechanism is
functioning but a carefully controlled sequence of events causes the
mechanism to grant access to the attacker. This attack may exploit
assumptions made by the target's authentication procedures, such as
assumptions regarding trust relationships or assumptions regarding the
generation of secret values. This attack differs from Authentication Bypass
attacks in that Authentication Abuse allows the attacker to be certified as
a valid user through illegitimate means, while Authentication Bypass allows
the user to access protected material without ever being certified as an
authenticated user. This attack does not rely on prior sessions established
by successfully authenticating users, as relied upon for the "Exploitation
of Session Variables, Resource IDs and other Trusted Credentials" attack
patterns.
Attack Prerequisites
An authentication mechanism or subsystem implementing some form of
authentication such as passwords, digest authentication, security
certificates, etc. which is flawed in some way.
Resources Required
A client application, command-line access to a binary, or scripting language
capable of interacting with the authentication mechanism.
An attacker gains access to application, service, or device with the
privileges of an authorized or privileged user by evading or circumventing
an authentication mechanism. The attacker is therefore able to access
protected data without authentication ever having taken place. This refers
to an attacker gaining access equivalent to an authenticated user without
ever going through an authentication procedure. This is usually the result
of the attacker using an unexpected access procedure that does not go
through the proper checkpoints where authentication should occur. For
example, a web site might assume that all users will click through a given
link in order to get to secure material and simply authenticate everyone
that clicks the link. However, an attacker might be able to reach secured
web content by explicitly entering the path to the content rather than
clicking through the authentication link, thereby avoiding the check
entirely. This attack pattern differs from other uthentication attacks in
that attacks of this pattern avoid authentication entirely, rather than
faking authentication by exploiting flaws or by stealing credentials from
legitimate users.
Attack Prerequisites
An authentication mechanism or subsystem impmenting some form of
authentication such as passwords, digest authentication, security
certificates, etc.
Resources Required
A client application, such as a web browser, or a scripting language capable
of interacting with the target.
Blind SQL Injection results from an insufficient mitigation for SQL
Injection. Although suppressing database error messages are considered best
practice, the suppression alone is not sufficient to prevent SQL Injection.
Blind SQL Injection is a form of SQL Injection that overcomes the lack of
error messages. Without the error messages that facilitate SQL Injection,
the attacker constructs input strings that probe the target through simple
Boolean SQL expressions. The attacker can determine if the syntax and
structure of the injection was successful based on whether the query was
executed or not. Applied iteratively, the attacker determines how and where
the target is vulnerable to SQL Injection.
For example, an attacker may try entering something like "username' AND
1=1; --" in an input field. If the result is the same as when the attacker
entered "username" in the field, then the attacker knows that the
application is vulnerable to SQL Injection. The attacker can then ask yes/no
questions from the database server to extract information from it. For
example, the attacker can extract table names from a database using the
following types of queries:
"username' AND ascii(lower(substring((SELECT TOP 1 name FROM
sysobjects WHERE xtype='U'), 1, 1))) > 108".
If the above query executes properly, then the attacker knows that the
first character in a table name in the database is a letter between m
and z. If it doesn't, then the attacker knows that the character must be
between a and l (assuming of course that table names only contain
alphabetic characters). By performing a binary search on all character
positions, the attacker can determine all table names in the database.
Subsequently, the attacker may execute an actual attack and send
something like:
"username'; DROP TABLE trades; --
Attack Execution Flow
Explore
Hypothesize SQL queries in
application:
Generated hypotheses regarding the SQL queries in
an application. For example, the attacker may
hypothesize that his input is passed directly into a
query that looks like:
"SELECT * FROM orders WHERE ordernum =
_____"
or
"SELECT * FROM orders WHERE ordernum IN
(_____)"
or
"SELECT * FROM orders WHERE ordernum in
(_____) ORDER BY _____"
Of course, there are many other
possibilities.
Attack Step Techniques
ID
Attack Step Technique Description
Environments
1
Research types of SQL queries and determine
which ones could be used at various places in an
application.
env-All
Determine how to inject information into
the queries:
Determine how to inject information into the
queries from the previous step such that the
injection does not impact their logic. For example,
the following are possible injections for those
queries:
"5' OR 1=1; --"
and
"5) OR 1=1; --"
and
"ordernum DESC; --"
Attack Step Techniques
ID
Attack Step Technique Description
Environments
1
Add clauses to the SQL queries such that the
query logic does not change.
env-All
2
Add delays to the SQL queries in case server
does not provide clear error messages (e.g.
WAITFOR DELAY '0:0:10' in SQL Server or
BENCHMARK(1000000000,MD5(1) in MySQL). If these
can be injected into the queries, then the length
of time that the server takes to respond reveals
whether the query is injectable or not.
env-All
Outcomes
ID
Type
Outcome Description
1
Success
At least one way to complete a
hypothesized SQL query that would violate the
application developer's
assumptions.
Experiment
Determine user-controllable input
susceptible to injection:
Determine the user-controllable input susceptible
to injection. For each user-controllable input that
the attacker suspects is vulnerable to SQL
injection, attempt to inject the values determined
in the previous step. If an error does not occur,
then the attacker knows that the SQL injection was
successful.
Attack Step Techniques
ID
Attack Step Technique Description
Environments
1
Use web browser to inject input through text
fields or through HTTP GET parameters.
env-Web
2
Use a web application debugging tool such as
Tamper Data, TamperIE, WebScarab,etc. to modify
HTTP POST parameters, hidden fields, non-freeform
fields, etc.
env-Web
3
Use network-level packet injection tools
such as netcat to inject input
At least one user-controllable
input susceptible to injection
found.
2
Failure
No user-controllable input
susceptible to injection
found.
Security Controls
ID
Type
Security Control Description
1
Detective
Unusual queries such
as the ones described in the previous step, in
application logs. Log files may contain unusual
messages such as "User bob' OR 1=1; -- logged in".
Operators should be alerted when such SQL commands
appear in the logs.
2
Preventative
Input validation of
user-controlled data before including it in a SQL
query
3
Preventative
Use APIs that help
mitigate SQL injection (such as PreparedStatement
in Java)
Determine database
type:
Determines the type of the database, such as MS
SQL Server or Oracle or MySQL, using logical
conditions as part of the injected queries
Attack Step Techniques
ID
Attack Step Technique Description
Environments
1
Try injecting a string containing
char(0x31)=char(0x31) (this evaluates to 1=1 in
SQL Server only)
Inject other database-specific commands into
input fields susceptible to SQL Injection. The
attacker can determine the type of database that
is running by checking whether the query executed
successfully or not (i.e. wheter the attacker
received a normal response from the server or
not).
Desired information about
database schema extracted.
2
Failure
Desired information about
database schema could not be
extracted.
Security Controls
ID
Type
Security Control Description
1
Detective
Large number of
unusual queries in database
logs.
Exploit SQL Injection
vulnerability:
Use the information obtained in the previous steps
to successfully inject the database in order to
bypass checks or modify, add, retrieve or delete
data from the database
Attack Step Techniques
ID
Attack Step Technique Description
Environments
1
Use information about how to inject commands
into SQL queries as well as information about the
database schema to execute attacks such as
dropping tables, inserting records, etc.
Attacker achieves goal of
unauthorized system access, denial of service,
etc.
2
Failure
Attacker cannot exploit the
information gathered by blind SQL
Injection
Attack Prerequisites
SQL queries used by the application to store, retrieve or modify
data.
User-controllable input that is not properly validated by the application
as part of SQL queries.
Typical Likelihood of Exploit
Likelihood: High
Methods of Attack
Injection
Analysis
Examples-Instances
Description
In the PHP application TimeSheet 1.1, an attacker can successfully
retrieve username and password hashes from the database using Blind SQL
Injection. If the attacker is aware of the local path structure, the
attacker can also remotely execute arbitrary code and write the output
of the injected queries to the local path. Blind SQL Injection is
possible since the application does not properly sanitize the
$_POST['username'] variable in the login.php file.
Related Vulnerabilities
CVE-2006-4705
Attacker Skills or Knowledge Required
Skill or Knowledge Level: Medium
Determining the database type and version, as well as the right number
and type of parameters to the query being injected in the absence of
error messages requires greater skill than reverse-engineering database
error messages.
Resources Required
None
Probing Techniques
Description
In order to determine the right syntax for the query to inject, the
attacker tries to determine the right number of parameters to the query
and their types. This is achieved by formulating conditions that result
in a true/false answer from the database. If the logical condition is
true, the database will execute the rest of the query. If not, a custom
error page or a default page is returned. Another approach is to ask
such true/false questions of the database and note the response times to
a query with a logically true condition and one with a false
condition.
Indicators-Warnings of Attack
Description
The only indicators of successful Blind SQL Injection are the
application or database logs that show similar queries with slightly
differing logical conditions that increase in complexity over time.
However, this requires extensive logging as well as knowledge of the
queries that can be used to perform such injection and return meaningful
information from the database.
Solutions and Mitigations
Security by Obscurity is not a solution to preventing SQL Injection.
Rather than suppress error messages and exceptions, the application must
handle them gracefully, returning either a custom error page or redirecting
the user to a default page, without revealing any information about the
database or the application internals.
Strong input validation - All user-controllable input must be validated
and filtered for illegal characters as well as SQL content. Keywords such as
UNION, SELECT or INSERT must be filtered in addition to characters such as a
single-quote(') or SQL-comments (--) based on the context in which they
appear.
Attack Motivation-Consequences
Scope
Technical Impact
Note
Integrity
Modify application
data
Confidentiality
Read application
data
Confidentiality
Integrity
Availability
Execute unauthorized code or
commands
Injection Vector
User-controllable input to the application
Payload
SQL statements intended to bypass checks or retrieve information about the
database
Activation Zone
Back-end database
Payload Activation Impact
Description
The injected SQL statements are such that they result in a true/false
query to the database. If the database evaluates a statement to be logically
true, it responds with the requested data. If the condition is evaluated to
be logically false, an error is returned. The attacker modifies the boolean
condition each time to gain information from the database.
Custom error pages must be used to handle exceptions such that they do not
reveal any information about the architecture of the application or the
database.
Special characters in user-controllable input must be escaped before use
by the application.
Employ application-level safeguards to filter data and handle exceptions
gracefully.
Related Security Principles
Reluctance to Trust
Failing Securely
Defense in Depth
Related Guidelines
Never Use Input as Part of a Directive to any Internal Component
Handle All Errors Safely
Purposes
Penetration
CIA Impact
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
Technical Context
Architectural Paradigms
All
Frameworks
All
Platforms
All
Languages
All
References
CWE - Input Validation
CWE - Improper Error Handling
Content History
Submissions
Submitter
Date
Comments
Chiradeep B Chhaya
2007-02-22
Third Draft - Revised to schema
v1.4
Modifications
Modifier
Organization
Date
Comments
Malik Hamro
Cigital, Inc
2007-02-27
Reformat to new schema and
review
Sean Barnum
Cigital, Inc
2007-03-05
Review and revise
Richard Struse
VOXEM, Inc
2007-03-26
Review and feedback leading to changes in Description,
Attack Prerequisites and Related Attack Patterns
Sean Barnum
Cigital, Inc
2007-04-13
Modified pattern content according to review and
feedback
An application typically makes calls to functions that are a part of
libraries external to the application. These libraries may be part of the
operating system or they may be third party libraries. It is possible that
the application does not handle situations properly where access to these
libraries has been blocked. Depending on the error handling within the
application, blocked access to libraries may leave the system in an insecure
state that could be leveraged by an attacker.
Attack Execution Flow
Determine what external libraries the application
accesses.
Block access to the external libraries accessed by
the application.
Monitor the behavior of the system to see if it
goes into an insecure/inconsistent state.
If the system does go into an
insecure/inconsistent state, leverage that to obtain
information about the system functionality or data,
elevate access control, etc. The rest of this attack
will depend on the context and the desired
goal.
Attack Prerequisites
An application requires access to external libraries.
An attacker has the priviliges to block application access to external
libraries.
Typical Likelihood of Exploit
Likelihood: Medium
Methods of Attack
API Abuse
Modification of Resources
Examples-Instances
Description
A web-based system uses a third party cryptographic random number
generation library that derives entropy from machine's hardware. This
library is used in generation of user session ids used by the
applicatoin. If the library is inaccessible, the application instead
uses a software based weak pseudo random number generation library. An
attacker of the system blocks access of the application to the third
party cryptographic random number generation library (by renaming it).
The application in turn uses the weak pseudo random number generation
library to generate session ids that are predictable. An attacker then
leverages this weakness to guess a session id of another user to perform
a horizontal elevation of privilege escalation and gain access to
another user's account.
Attacker Skills or Knowledge Required
Skill or Knowledge Level: Low
Solutions and Mitigations
Ensure that application handles situations where access to APIs in
external libraries is not available securely. If the application cannot
continue its execution safely it should fail in a consistent and secure
fashion.
An attacker carefully crafts small snippets of Java Script to efficiently
detect the type of browser the potential victim is using. Having this
knowledge allows an attacker to target the victim with attacks that
specifically exploit known or zero day weaknesses in the type and version of
the browser used by the victim.
The following code snippets can be used to detect various
browsers:
//Firefox 2/3
FF=/a/[-1]=='a'
//Firefox 3
FF3=(function x(){})[-5]=='x'
//Firefox 2
FF2=(function x(){})[-6]=='x'
//IE
IE='\v'=='v'
//Safari
Saf=/a/.__proto__=='//'
//Chrome
Chr=/source/.test((/a/.toString+''))
//Opera
Op=/^function \(/.test([].sort)
Attack Prerequisites
Victim's browser visits a website that contains contains attacker's Java
Script
Java Script is not disabled in the victim's browser
In this attack, some asset (information, functionality, identity, etc.) is
protected by a finite secret value. The attacker attempts to gain access to
this asset by using trial-and-error to exhaustively explore all the possible
secret values in the hope of finding the secret (or a value that is
functionally equivalent) that will unlock the asset. Examples of secrets can
include, but are not limited to, passwords, encryption keys, database lookup
keys, and initial values to one-way functions.
The key factor in this attack is the attacker's ability to explore the
possible secret space rapidly. This, in turn, is a function of the size of
the secret space and the computational power the attacker is able to bring
to bear on the problem. If the attacker has modest resources and the secret
space is large, the challenge facing the attacker is intractable. While the
defender cannot control the resources available to an attacker, they can
control the size of the secret space. Creating a large secret space involves
selecting one's secret from as large a field of equally likely alternative
secrets as possible and ensuring that an attacker is unable to reduce the
size of this field using available clues or cryptoanalysis. Doing this is
more difficult than it sounds since elimination of patterns (which, in turn,
would provide an attacker clues that would help them reduce the space of
potential secrets) is difficult to do using deterministic machines, such as
computers. Assuming a finite secret space, a brute force attack will
eventually succeed. The defender must rely on making sure that the time and
resources necessary to do so will exceed the value of the information. For
example, a secret space that will likely take hundreds of years to explore
is likely safe from raw-brute force attacks.
Attack Execution Flow
Explore
Determine secret testing
procedure:
Determine how a potential guess of the secret may
be tested. This may be accomplished by comparing
some manipulation of the secret to a known value,
use of the secret to manipulate some known set of
data and determining if the result displays specific
characteristics (for example, turning cryptotext
into plaintext), or by submitting the secret to some
external authority and having the external authority
respond as to whether the value was the correct
secret. Ideally, the attacker will want to determine
the correctness of their guess independently since
involvement of an external authority is usually
slower and can provide an indication to the defender
that a brute-force attack is being attempted.
Attack Step Techniques
ID
Attack Step Technique Description
Environments
1
Determine if there is a way to parallelize
the attack. Most brute force attacks can take
advantage of parallel techniques by dividing the
search space among available resources, thus
dividing the average time to success by the number
of resources available. If there is a single choke
point, such as a need to check answers with an
external authority, the attacker's position is
significantly degraded.
env-All
Reduce search space:
Find ways to reduce the secret space. The smaller
the attacker can make the space they need to search
for the secret value, the greater their chances for
success. There are a great many ways in which the
search space may be reduced.
Attack Step Techniques
ID
Attack Step Technique Description
Environments
1
If possible, determine how the secret was
selected. If the secret was determined
algorithmically (such as by a random number
generator) the algorithm may have patterns or
dependencies that reduce the size of the secret
space. If the secret was created by a human,
behavioral factors may, if not completely reduce
the space, make some types of secrets more likely
than others. (For example, humans may use the same
secrets in multiple places or use secrets that
look or sound familiar for ease of recall.)
env-All
2
If the secret was chosen algorithmically,
cryptoanalysis can be applied to the algorithm to
discover patterns in this algorithm. (This is true
even if the secret is not used in cryptography.)
Periodicity, the need for seed values, or
weaknesses in the generator all can result in a
significantly smaller secret space.
env-All
3
If the secret was chosen by a person, social
engineering and simple espionage can indicate
patterns in their secret selection. If old secrets
can be learned (and a target may feel they have
little need to protect a secret that has been
replaced) hints as to their selection preferences
can be gleaned. These can include character
substitutions a target employs, patterns in
sources (dates, famous phrases, music lyrics,
family members, etc.). Once these patterns have
been determined, the initial efforts of a
brute-force attack can focus on these
areas.
env-All
4
Some algorithmic techniques for secret
selection may leave indicators that can be tested
for relatively easily and which could then be used
to eliminate large areas of the search space for
consideration. For example, it may be possible to
determine that a secret does or does not start
with a given character after a relatively small
number of tests. Alternatively, it might be
possible to discover the length of the secret
relatively easily. These discoveries would
significantly reduce the search space, thus
increasing speed with which the attacker discovers
the secret.
env-All
Expand victory
conditions:
It is sometimes possible to expand victory
conditions. For example, the attacker might not need
to know the exact secret but simply needs a value
that produces the same result using a one-way
function. While doing this does not reduce the size
of the search space, the presence of multiple
victory conditions does reduce the likely amount of
time that the attacker will need to explore the
space before finding a workable value.
Exploit
Gather information so attack can be
performed independently.:
If possible, gather the necessary information so a
successful search can be determined without
consultation of an external authority. This can be
accomplished by capturing cryptotext (if the goal is
decoding the text) or the encrypted password
dictionary (if the goal is learning
passwords).
Attack Prerequisites
The attacker must be able to determine when they have successfully
guessed the secret. As such, one-time pads are immune to this type of attack
since there is no way to determine when a guess is correct.
Methods of Attack
Brute Force
Attacker Skills or Knowledge Required
Skill or Knowledge Level: Low
The attack simply requires basic scripting ability to automate the
exploration of the search space. More sophisticated attackers may be
able to use more advanced methods to reduce the search space and
increase the speed with which the secret is located.
Resources Required
Ultimately, the speed with which an attacker discovers a secret is directly
proportional to the computational resources the attacker has at their disposal.
This attack method is resource expensive: having large amounts of computational
power do not guarantee timely success, but having only minimal resources makes
the problem intractable against all but the weakest secret selection
procedures.
Indicators-Warnings of Attack
Description
Repeated submissions of incorrect secret values may indicate a brute
force attack. For example, repeated bad passwords when accessing user
accounts or repeated queries to databases using non-existent
keys.
Description
Attempts to download files protected by secrets (usually using
encryption) may be a precursor to an offline attack to break the file's
encryption and read its contents. This is especially significant if the
file itself contains other secret values, such as password files.
Description
If the attacker is able to perform the checking offline then there
will likely be no indication that an attack is ongoing.
Obfuscation Techniques
Description
The attack is impossible to detect if the attacker can test for
successful discovery of the secret value independently, without needing
to consult an external authority.
Description
If an external authority must be consulted, the attacker can attempt
to space out their guesses to avoid a large number of failed guesses in
a short period of time, but doing so slows the attack to the point of
making it unworkable against all but the most trivial secret spaces. As
such, if an external authority must be consulted the attacked is
unlikely to be able to keep the attack secret.
Solutions and Mitigations
Select a provably large secret space for selection of the secret. Provably
large means that the procedure by which the secret is selected does not have
artifacts that significantly reduce the size of the total secret
space.
Do not provide the means for an attacker to determine success
independently. This forces the attacker to check their guesses against an
external authority, which can slow the attack and warn the defender. This
mitigation may not be possible if testing material must appear externally,
such as with a transmitted cryptotext.
Protect sensitive data, even when the data is encrypted. If an attacker
can gain access to encrypted data, they can mount a brute-force attack
independently. The defender will not be aware of this attack or be able to
do anything about it and at that point it is purely a function of the
attacker's available resources as to how long it takes them to learn the
secret.
Monitor activity logs for suspicious activity. An attacker that must use
an external authority to check their brute-force guesses is easy to detect,
but only if that external authority is monitoring activity and detects the
abnormally large number of failed guesses.
Related Guidelines
Do not assume secrets will protect sensitive data in the long-term
An attacker manipulates a data buffer to change the execution flow of a
process to a sequence of events the attacker controls. Data buffers in
software applications provide a storage-space for external input. Buffer
attacks provide input the buffer cannot correctly handle. Buffer attacks are
distinguished in that it is the buffer space itself that is the target of
the attack rather than any code responsible for interpreting the content of
the buffer. In virtually all buffer attacks the content that is placed in
the buffer by the user is immaterial. Instead, most buffer attacks involve
providing more input than the buffer can store, resulting in the overwriting
of other program memory or even the program stack with user supplied
input.
Attack Prerequisites
The target must accept input provided by the attacker and store it in a
buffer.
Resources Required
The attacker must posess a programmatic means for supplying data to a buffer,
such as a compiled C or scripted exploit in perl. Network buffer overflows rely
on connectivity of a protocol to deliver the payload.
This attack targets libraries or shared code modules which are vulnerable
to buffer overflow attacks. An attacker who has access to an API may try to
embed malicious code in the API function call and exploit a buffer overflow
vulnerability in the function's implementation. All clients that make use of
the code library thus become vulnerable by association. This has a very
broad effect on security across a system, usually affecting more than one
software process.
Attack Execution Flow
An attacker can call an API exposed by the target
host.
On the probing stage, the attacker injects
malicious code using the API call and observes the
results. The attacker's goal is to uncover a buffer
overflow vulnerability.
The attacker finds a buffer overflow
vulnerability, crafts malicious code and injects it
through an API call. The attacker can at worst
execute remote code on the target host.
Attack Prerequisites
The target host exposes an API to the user.
One or more API functions exposed by the target host has a buffer overflow
vulnerability.
Typical Likelihood of Exploit
Likelihood: High
Methods of Attack
API Abuse
Injection
Examples-Instances
Description
A buffer overflow in the FreeBSD utility setlocale (found in the libc
module) puts many programs at risk all at once.
Description
A buffer overflow in the Xt library of the X windowing system allows
local users to execute commands with root privileges.
Attacker Skills or Knowledge Required
Skill or Knowledge Level: Low
An attacker can simply overflow a buffer by inserting a long string
into an attacker-modifiable injection vector. The result can be a
DoS.
High : Exploiting a buffer overflow to inject malicious code into the
stack of a software system or even the heap can require a higher skill
level.
Solutions and Mitigations
Use a language or compiler that performs automatic bounds checking.
Use secure functions not vulnerable to buffer overflow.
If you have to use dangerous functions, make sure that you do boundary
checking.
Compiler-based canary mechanisms such as StackGuard, ProPolice and the
Microsoft Visual Studio /GS flag. Unless this provides automatic bounds
checking, it is not a complete solution.
Use OS-level preventative functionality. Not a complete solution.
Attack Motivation-Consequences
Scope
Technical Impact
Note
Availability
DoS: crash / exit /
restart
Confidentiality
Integrity
Availability
Execute unauthorized code or
commands
Confidentiality
Read memory
Integrity
Modify memory
Injection Vector
The user supplied data.
Payload
The buffer overrun by the attacker.
Activation Zone
When the function returns control to the main program, it jumps to the return
address portion of the stack frame. Unfortunately that return address may have
been overwritten by the overflowed buffer and the address may contain a call to
a privileged command or to a malicious code.
This attack targets command-line utilities available in a number of
shells. An attacker can leverage a vulnerability found in a command-line
utility to escalate privilege to root.
Attack Execution Flow
Attacker identifies command utilities exposed by
the target host.
On the probing stage, the attacker interacts with
the command utility and observes the results of its
input. The attacker's goal is to uncover a buffer
oveflow in the command utility. For instance the
attacker may find that input data are not properly
validated.
The attacker finds a buffer overflow vulnerability
in the command utility and tries to exploit it. He
crafts malicious code and injects it using the
command utility. The attacker can at worst execute
remote code on the target host.
Attack Prerequisites
The target host exposes a command-line utility to the user.
The command-line utility exposed by the target host has a buffer overflow
vulnerability that can be exploited.
Typical Likelihood of Exploit
Likelihood: High
Methods of Attack
Injection
API Abuse
Examples-Instances
Description
A buffer overflow in the HPUX passwd command allows local users to
gain root privileges via a command-line option.
A buffer overflow in Solaris's getopt command (found in libc)
allows local users to gain root privileges via a long
argv[0].
Attacker Skills or Knowledge Required
Skill or Knowledge Level: Low
An attacker can simply overflow a buffer by inserting a long string
into an attacker-modifiable injection vector. The result can be a
DoS.
High : Exploiting a buffer overflow to inject malicious code into the
stack of a software system or even the heap can require a higher skill
level.
Probing Techniques
Description
The attacker can probe for services available on the target host. Many
services may expose a command utility. For instance Telnet is a service
which can be invoked through a command shell.
Solutions and Mitigations
Carefully review the service's implementation before making it available
to user. For instance you can use manual or automated code review to uncover
vulnerabilities such as buffer overflow.
Use a language or compiler that performs automatic bounds checking.
Use an abstraction library to abstract away risky APIs. Not a complete
solution.
Compiler-based canary mechanisms such as StackGuard, ProPolice and the
Microsoft Visual Studio /GS flag. Unless this provides automatic bounds
checking, it is not a complete solution.
Operational: Use OS-level preventative functionality. Not a complete
solution.
Apply the latest patches to your user exposed services. This may not be a
complete solution, specially against zero day attack.
Do not unnecessarily expose services.
Attack Motivation-Consequences
Scope
Technical Impact
Note
Confidentiality
Access_Control
Authorization
Gain privileges / assume
identity
Confidentiality
Integrity
Availability
Execute unauthorized code or
commands
Integrity
Modify memory
Availability
DoS: crash / exit /
restart
Confidentiality
Read memory
Injection Vector
The user supplied data.
Payload
The buffer overrun by the attacker.
Activation Zone
When the function returns control to the main program, it jumps to the return
address portion of the stack frame. Unfortunately that return address may have
been overwritten by the overflowed buffer and the address may contain a call to
a privileged command or to a malicious code.
This attack pattern involves causing a buffer overflow through
manipulation of environment variables. Once the attacker finds that they can
modify an environment variable, they may try to overflow associated buffers.
This attack leverages implicit trust often placed in environment
variables.
Attack Execution Flow
The attacker tries to find an environment variable
which can be overwritten for instance by gathering
information about the target host (error pages,
software's version number, etc.).
The attacker manipulates the environment variable
to contain excessive-length content to cause a
buffer overflow.
The attacker potentially leverages the buffer
overflow to inject maliciously crafted code in an
attempt to execute privileged command on the target
environment.
Attack Prerequisites
The application uses environment variables.
An environment variable exposed to the user is vulnerable to a buffer
overflow.
The vulnerable environment variable uses untrusted data.
Tainted data used in the environment variables is not properly validated.
For instance boundary checking is not done before copying the input data to
a buffer.
Typical Likelihood of Exploit
Likelihood: High
Methods of Attack
Injection
Examples-Instances
Description
A buffer overflow in sccw allows local users to gain root access via
the $HOME environmental variable.
Related Vulnerabilities
CVE-1999-0906
Description
A buffer overflow in the rlogin program involves its consumption of
the TERM environmental variable.
Related Vulnerabilities
CVE-1999-0046
Attacker Skills or Knowledge Required
Skill or Knowledge Level: Low
An attacker can simply overflow a buffer by inserting a long string
into an attacker-modifiable injection vector. The result can be a
DoS.
High : Exploiting a buffer overflow to inject malicious code into the
stack of a software system or even the heap can require a higher skill
level.
Probing Techniques
Description
While interacting with a system an attacker would typically
investigate for environment variables that can be overwritten. The more
a user knows about a system the more likely she will find a vulnerable
environment variable.
Description
On a web environment, the attacker can read the client side code and
search for environment variables that can be overwritten.
Description
There are tools such as Sharefuzz (http://sharefuzz.sourceforge.net/)
which is an environment variable fuzzer for Unix that support loading a
shared library. Attackers can use such tools to uncover a buffer
overflow in an environment variable.
Indicators-Warnings of Attack
Description
If the application does bound checking, it should fail when the data
source is larger than the size of the destination buffer. If the
application's code is well written, that failure should triger an
alert.
Solutions and Mitigations
Do not expose environment variable to the user.
Do not use untrusted data in your environment variables.
Use a language or compiler that performs automatic bounds checking
There are tools such as Sharefuzz (http://sharefuzz.sourceforge.net/)
which is an environment variable fuzzer for Unixes that support loading a
shared library. You can use Sharefuzz to determine if you are exposing an
environment variable vulnerable to buffer overflow.
Attack Motivation-Consequences
Scope
Technical Impact
Note
Availability
DoS: crash / exit /
restart
Confidentiality
Integrity
Availability
Execute unauthorized code or
commands
Confidentiality
Read memory
Integrity
Modify memory
Confidentiality
Access_Control
Authorization
Gain privileges / assume
identity
Injection Vector
The user modifiable environment variable.
Payload
User supplied data potentially containing malicious code.
Activation Zone
When the subroutine which uses the environment variable returns control to the
main program, it jumps to the return address portion of the stack frame.
Unfortunately that return address may have been overwritten by the overflowed
buffer and the address may contain a call to a privileged command or to a
malicious code.
In this attack, the target software is given input that the attacker knows
will be modified and expanded in size during processing. This attack relies
on the target software failing to anticipate that the expanded data may
exceed some internal limit, thereby creating a buffer overflow.
Attack Execution Flow
Consider parts of the program where user supplied
data may be expanded by the program. Use a
disassembler and other reverse engineering tools to
guide the search.
Find a place where a buffer overflow occurs due to
the fact that the new expanded size of the string is
not correctly accounted for by the program. This may
happen perhaps when the string is copied to another
buffer that is big enough to hold the original, but
not the expanded string. This may create an
opportunity for planting the payload and redirecting
program execution to the shellcode.
Write the buffer overflow exploit. To be
exploitable, the "spill over" amount (e.g. the
difference between the expanded string length and
the original string length before it was expanded)
needs to be sufficient to allow the overflow of the
stack return pointer (in the case of a stack
overflow), without causing a stack corruption that
would crash the program before it gets to execute
the shellcode. Heap overflow will be more difficult
and will require the attacker to get more lucky, by
perhaps getting a chance to overwrite some of the
accounting information stored as part of using
malloc().
Attack Prerequisites
The program expands one of the parameters passed to a function with input
controlled by the user, but a later function making use of the expanded
parameter erroneously considers the original, not the expanded size of the
parameter.
The expanded parameter is used in the context where buffer overflow may
becomes possible due to the incorrect understanding of the parameter size
(i.e. thinking that it is smaller than it really is).
Typical Likelihood of Exploit
Likelihood: Medium
Methods of Attack
Injection
Examples-Instances
Description
Attack Example: FTP glob()
The glob() function in FTP servers has been susceptible to attack as a
result of incorrect resizing. This is an ftpd glob() Expansion LIST Heap
Overflow Vulnerability. ftp daemon contains a heap-based buffer overflow
condition. The overflow occurs when the LIST command is issued with an
argument that expands into an oversized string after being processed by
glob().
This buffer overflow occurs in memory that is dynamically allocated.
It may be possible for attackers to exploit this vulnerability and
execute arbitrary code on the affected host.
To exploit this, the attacker must be able to create directories on
the target host.
The glob() function is used to expand short-hand notation into
complete file names. By sending to the FTP server a request containing a
tilde (~) and other wildcard characters in the pathname string, a remote
attacker can overflow a buffer and execute arbitrary code on the FTP
server to gain root privileges. Once the request is processed, the
glob() function expands the user input, which could exceed the expected
length. In order to exploit this vulnerability, the attacker must be
able to create directories on the FTP server.
From G. Hoglund and G. McGraw. Exploiting Software: How to Break Code.
Addison-Wesley, February 2004.
Related Vulnerabilities
CVE-2001-0249
Description
Buffer overflow in the glob implementation in libc in NetBSD-current
before 20050914, and NetBSD 2.* and 3.* before 20061203, as used by the
FTP daemon, allows remote authenticated users to execute arbitrary code
via a long pathname that results from path expansion.
The limit computation of an internal buffer was done incorrectly. The
size of the buffer in byte was used as element count, even though the
elements of the buffer are 2 bytes long. Long expanded path names would
therefore overflow the buffer.
Related Vulnerabilities
CVE-2006-6652
Attacker Skills or Knowledge Required
Skill or Knowledge Level: High
Finding this particular buffer overflow may not be trivial. Also,
stack and especially heap based buffer overflows require a lot of
knowledge if the intended goal is aribtrary code execution. Not only
that the attacker needs to write the shell code to accomplish his or her
goals, but the attacker also needs to find a way to get the program
execution to jump to the planted shellcode. There also needs to be
sufficient room for the payload. So not every buffer overflow will be
exploitable, even by a skilled attacker.
Resources Required
Access to the program source or binary. If the program is only available in
binary then a disassembler and other reverse engineering tools will be
helpful.
Solutions and Mitigations
Ensure that when parameter expansion happens in the code that the
assumptions used to determine the resulting size of the parameter are
accurate and that the new size of the parameter is visible to the whole
system
This type of attack leverages the use of symbolic links to cause buffer
overflows. An attacker can try to create or manipulate a symbolic link file
such that its contents result in out of bounds data. When the target
software processes the symbolic link file, it could potentially overflow
internal buffers with insufficient bounds checking.
Attack Execution Flow
The attacker creates or modifies a symbolic link
pointing to a resources (e.g., file, directory). The
content of the symbolic link file includes
out-of-bounds (e.g. excessive length) data.
The target host consumes the data pointed to by
the symbolic link file. The target host may either
intentionally expect to read a symbolic link or it
may be fooled by the replacement of the original
resource and read the attacker's symbolic
link.
While consuming the data, the target host does not
check for buffer boundary which can lead to a buffer
overflow. If the content of the data is controlled
by the attacker, this is an avenue for remote code
execution.
Attack Prerequisites
The attacker can create symbolic link on the target host.
The target host does not perform correct boundary checking while consuming
data from a ressources.
Typical Likelihood of Exploit
Likelihood: High
Methods of Attack
Injection
Modification of Resources
Examples-Instances
Description
The EFTP server has a buffer overflow that can be exploited if an
attacker uploads a .lnk (link) file that contains more than 1,744 bytes.
This is a classic example of an indirect buffer overflow. First the
attacker uploads some content (the link file) and then the attacker
causes the client consuming the data to be exploited. In this example,
the ls command is exploited to compromise the server software.
Attacker Skills or Knowledge Required
Skill or Knowledge Level: Low
An attacker can simply overflow a buffer by inserting a long string
into an attacker-modifiable injection vector. The result can be a
DoS.
Skill or Knowledge Level: High
Exploiting a buffer overflow to inject malicious code into the stack
of a software system or even the heap can require a higher skill
level.
Probing Techniques
Description
The attacker will look for temporary files in the world readable
directories. Those temporary files are often created and read by the
system.
Description
The attacker will look for Symbolic link or link target file that she
can overide.
Indicators-Warnings of Attack
Description
An attacker creating or modifying Symbolic links is a potential signal
of attack in progress.
Description
An attacker deleting temporary files can also be a sign that the
attacker is trying to replace legitimate resources with malicious
ones.
Solutions and Mitigations
Pay attention to the fact that the ressource you read from can be a
replaced by a Symbolic link. You can do a Symlink check before reading the
file and decide that this is not a legitimate way of accessing the
resource.
Because Symlink can be modified by an attacker, make sure that the ones
you read are located in protected directories.
Pay attention to the resource pointed to by your symlink links (See attack
pattern named "Forced Symlink race"), they can be replaced by malicious
resources.
Always check the size of the input data before copying to a buffer.
Use a language or compiler that performs automatic bounds checking.
Use an abstraction library to abstract away risky APIs. Not a complete
solution.
Compiler-based canary mechanisms such as StackGuard, ProPolice and the
Microsoft Visual Studio /GS flag. Unless this provides automatic bounds
checking, it is not a complete solution.
Use OS-level preventative functionality. Not a complete solution.
Attack Motivation-Consequences
Scope
Technical Impact
Note
Availability
DoS: crash / exit /
restart
Confidentiality
Integrity
Availability
Execute unauthorized code or
commands
Confidentiality
Read memory
Integrity
Modify memory
Injection Vector
The resource pointed to by the Symbolic link (e.g., file, directory,
etc.)
Payload
The buffer overrun by the attacker.
Activation Zone
When the function returns control to the main program, it jumps to the return
address portion of the stack frame. Unfortunately that return address may have
been overwritten by the overflowed buffer and the address may contain a call to
a privileged command or to a malicious code.
An attacker exploits a weakness in ATA security on a drive to gain access
to the information the drive contains without supplying the proper
credentials. ATA Security is often employed to protect hard disk information
from unauthorized access. The mechanism requires the user to type in a
password before the BIOS is allowed access to drive contents. Some
implementations of ATA security will accept the ATA command to update the
password without the user having authenticated with the BIOS. This occurs
because the security mechanism assumes the user has first authenticated via
the BIOS prior to sending commands to the drive. Various methods exist for
exploiting this flaw, the most common being installing the ATA protected
drive into a system lacking ATA security features (a.k.a. hot swapping).
Once the drive is installed into the new system the BIOS can be used to
reset the drive password.
Attack Prerequisites
Access to the system containing the ATA Drive so that the drive can be
physically removed from the system.
Stuart McClure,
Joel Scambray and George Kurtz.
"Hacking Exposed: Network Security Secrets &
Solutions". 6th Edition. McGraw Hill, ISBN: 978-0-07-161374-3. 2009.
An attacker bypasses the security of a card-based system by using
techniques such as cloning access cards or using brute-force techniques.
Card-based systems are widespread throughout business, government, and
supply-chain management. Attacks against card-based systems vary widely
based on the attackers goals, but commonly include unauthorized reproduction
of cards, brute-force creation of valid card-values, and attacks against
systems which read or process card data. Due to the inherent weaknesses of
card and badge security, high security environments will rarely rely upon
the card or badge alone as a security mechanism. Common card based systems
are used for financial transactions, user identification, and access
control. Cloning attacks involve making an unauthorized copy of a user's
card while brute-force attacks involve creating new cards with valid values.
Denial of service attacks against card-based systems involve rendering the
reader, or the card itself, to become disabled. Such attacks may be useful
in a fail-closed system for keeping authorized users out of a location while
a crime is in progress, whereas fail-open systems may grant access, or an
alarm my fail to trigger, if an attacker disables or damages the card
authentication device.
Stuart McClure,
Joel Scambray and George Kurtz.
"Hacking Exposed: Network Security Secrets &
Solutions". 6th Edition. McGraw Hill, ISBN: 978-0-07-161374-3. 2009.
An attacker exploits security assumptions to bypass electronic locks or
other forms of access controls. Most attacks against electronic access
controls follow similar methods but utilize different tools. Some electronic
locks utilize magnetic strip cards, others employ RFID tags embedded within
a card or badge, or may involve more sophisticated protections such as
voice-print, thumb-print, or retinal biometrics. Magnetic Strip and RFID
technologies are the most widespread because they are cost effective to
deploy and more easily integrated with other electronic security measures.
These technologies share common weaknesses that an attacker can exploit to
gain access to a facility protected by the mechanisms via copying legitimate
cards or badges, or generating new cards using reverse-engineered
algorithms.
Stuart McClure,
Joel Scambray and George Kurtz.
"Hacking Exposed: Network Security Secrets &
Solutions". 6th Edition. McGraw Hill, ISBN: 978-0-07-161374-3. 2009.
Some web applications require users to submit information through an
ordered sequence of web forms. This is often done if there is a very large
amount of information being collected or if information on earlier forms is
used to pre-populate fields or determine which additional information the
application needs to collect. An attacker who knows the names of the various
forms in the sequence may be able to explicitly type in the name of a later
form and navigate to it without first going through the previous forms. This
can result in incomplete collection of information, incorrect assumptions
about the information submitted by the attacker, or other problems that can
impair the functioning of the application.
Attack Prerequisites
The target must collect information from the user in a series of forms
where each form has its own URL that the attacker can anticipate and the
application must fail to detect attempts to access intermediate forms
without first filling out the previous forms.
Resources Required
No special resources are required for this attack.
An attacker uses techniques and methods to bypass physical security
mesures of a building or facility. Physical locks may range from traditional
lock and key mechanisms, cable locks used to secure laptops or servers,
locks on server cases, or other such devices. Techniques such as lock
bumping, lock forcing via snap guns, or lock picking can be employed to
bypass those locks and gain access to the facilities or devices they
protect, although stealth, evidence of tampering, and the integrity of the
lock following an attack, are considerations that may determine the method
employed. Physical locks are limited by the complexity of the locking
mechanism. While some locks may offer protections such as shock resistant
foam to prevent bumping or lock forcing methods, many commonly employed
locks offer no such countermeasures.
Stuart McClure,
Joel Scambray and George Kurtz.
"Hacking Exposed: Network Security Secrets &
Solutions". 6th Edition. McGraw Hill, ISBN: 978-0-07-161374-3. 2009.
Facilities often used layered models for physical security such as
traditional locks, Electronic-based card entry systems, coupled with
physical alarms. Hardware security mechanisms range from the use of computer
case and cable locks as well as RFID tags for tracking computer assets. This
layered approach makes it difficult for random physical security breaches to
go unnoticed, but is less effective at stopping deliberate and carefully
planned break-ins. Avoiding detection begins with evading building security
and surveillance and methods for bypassing the electronic or physical locks
which secure entry points.
Stuart McClure,
Joel Scambray and George Kurtz.
"Hacking Exposed: Network Security Secrets &
Solutions". 6th Edition. McGraw Hill, ISBN: 978-0-07-161374-3. 2009.
An attacker exploits the functionality of cache technologies to cause
specific data to be cached that aids the attackers’ objectives. This
describes any attack whereby an attacker places incorrect or harmful
material in cache. The targeted cache can be an application's cache (e.g. a
web browser cache) or a public cache (e.g. a DNS or ARP cache). Until the
cache is refreshed, most applications or clients will treat the corrupted
cache value as valid. This can lead to a wide range of exploits including
redirecting web browsers towards sites that install malware and repeatedly
incorrect calculations based on the incorrect value.
Attack Execution Flow
Explore
Identify and explore
caches:
Use tools to sniff traffic and scan a network in
order to locate application's cache (e.g. a web
browser cache) or a public cache (e.g. a DNS or ARP
cache) that may have vulnerabilities. Look for
poisoning point in cache table entries.
Attack Step Techniques
ID
Attack Step Technique Description
Environments
1
Run tools that check available entries in
the cache.
env-All
Indicators
ID
Type
Indicator Description
Environments
1
Positive
Entries do not exist in the cache.
env-All
2
Positive
Applications or servers are not updated to
new versions.
env-All
3
Negative
Entries exist in the cache.
env-Web
Outcomes
ID
Type
Outcome Description
1
Success
A list of server’s information.
No target entry found in the
cache.
2
Success
A list of browser’s
information. No target entry found in the
cache.
3
Failure
The results show target entries
in the cache.
Security Controls
ID
Type
Security Control Description
1
Detective
Monitor network scans
and examine system logs. The scans may be from
unknown local IP or MAC
address.
Experiment
Cause specific data to be
cached:
An attacker sends bogus request to the target, and
then floods responses that trick a cache to remember
malicious responses, which are wrong answers of
queries.
Attack Step Techniques
ID
Attack Step Technique Description
Environments
1
Intercept or modify a query, or send a bogus
query with known credentials (such as transaction
ID).
env-Web
Indicators
ID
Type
Indicator Description
Environments
1
Positive
Request that the attacker intercepts
includes transaction ID.
env-All
2
Positive
The attacker successfully sends response
before authorized server.
env-All
3
Inconclusive
Transaction ID has been randomized.
env-Web env-CommProtocol
env-ClientServer
4
Inconclusive
The application or server cache has recorded
correct table entry. In this case, the attacker
needs to figure out a way to overwrite table
entries to succeed
env-All
5
Inconclusive
The attacker fails to send responses before
authorized responses. In this case, the attacker
needs to figure out a way to overwrite table
entries to succeed
env-All
Outcomes
ID
Type
Outcome Description
1
Success
Any request of the targeted
form results in the seeded
response.
2
Failure
Any request of the targeted
form results in the correct response and not the
seeded response.
Security Controls
ID
Type
Security Control Description
1
Detective
Monitor log file and
see a large number of responses sent from the same
host. This host may be manipulated by attacker.
Exploit
Redirect users to malicious
website::
As the attacker succeeds in exploiting the
vulnerability, he is able to manipulate and
interpose malicious response data to targeted victim
queries.
Attack Step Techniques
ID
Attack Step Technique Description
Environments
1
Intercept or modify a query, or send a bogus
query with known credentials (such as transaction
ID).
env-Web
2
Man-in-the-Middle intercepts secure
communication between two parties.
env-Web
Outcomes
ID
Type
Outcome Description
1
Success
Any request of the targeted
form results in the seeded
response.
2
Failure
Any request of the targeted
form results in the correct response and not the
seeded response.
Security Controls
ID
Type
Security Control Description
1
Preventative
Be less trusting of
the information passed to them by other parties,
and ignoring any records passed back which are not
directly relevant to the
query.
Attack Prerequisites
The attacker must be able to modify the value stored in a cache to match a
desired value.
The targeted application must not be able to detect the illicit
modification of the cache and must trust the cache value in its
calculations.
Typical Likelihood of Exploit
Likelihood: High
Methods of Attack
Injection
Examples-Instances
Description
In this example, an attacker sends request to a local DNS server to
look up www.example .com. The associated IP address of www.example.com
is 1.3.5.7.
Local DNS usually caches IP addresses and do not go to remote DNS
every time. Since the local record is not found, DNS server tries to
connect to remote DNS for queries. However, before the remote DNS
returns the right IP address 1.3.5.7, the attacker floods local DNS with
crafted responses with IP address 2.4.6.8. The result is that 2.4.6.8 is
stored in DNS cache. Meanwhile, 2.4.6.8 is associated with a malicious
website www.maliciousexampsle.com
When users connect to www.example.com, the local DNS will direct it
to www.maliciousexample.com, this works as part of a Pharming attack.
Attacker Skills or Knowledge Required
Skill or Knowledge Level: Medium
To overwrite/modify targeted cache
Solutions and Mitigations
Configuration: Disable client side caching.
Implementation: Listens for query replies on a network, and sends a
notification via email when an entry changes.
The attacker may submit a malicious signed code from another language to
obtain access to privileges that were not intentionally exposed by the
sandbox, thus escaping the sandbox. For instance, Java code cannot perform
unsafe operations, such as modifying arbitrary memory locations, due to
restrictions placed on it by the Byte code Verifier and the JVM. If allowed,
Java code can call directly into native C code, which may perform unsafe
operations, such as call system calls and modify arbitrary memory locations
on their behave. To provide isolation, Java does not grant untrusted code
with unmediated access to native C code. Instead, the sandboxed code is
typically allowed to call some subset of the pre-existing native code that
is part of standard libraries.
Attack Execution Flow
Explore
Probing:
The attacker probes the target application to see
whether calling signed code from another language is
allowed within a sandbox.
Attack Step Techniques
ID
Attack Step Technique Description
Environments
1
The attacker probes the target application
to see whether calling signed code from another
language is allowed within a sandbox.
env-All
Indicators
ID
Type
Indicator Description
Environments
1
Positive
The target application allows calling signed
code from another language within a
sandbox.
env-All
Outcomes
ID
Type
Outcome Description
1
Success
The attacker knows that the
target application is calling signed code from
another language within a
sandbox.
Analysis:
The attacker analyzes the target application to
get a list of cross code weaknesses in the standard
libraries of the sandbox.
Attack Step Techniques
ID
Attack Step Technique Description
Environments
1
The attacker analyzes the target application
to get a list of cross code weaknesses in the
standard libraries of the sandbox.
env-All
Indicators
ID
Type
Indicator Description
Environments
1
Positive
The standard library of the sandbox has some
cross code security weaknesses.
env-All
Outcomes
ID
Type
Outcome Description
1
Success
The attacker gets a list of
cross code security weaknesses in the standard
libraries.
Security Controls
ID
Type
Security Control Description
1
Preventative
Sanitize the code of
the standard libraries to make sure there is no
security weaknesses in them.
2
Preventative
If possible, use
obfuscation and other techniques to prevent
reverse engineering the libraries.
Experiment
Verify the exploitable security
weaknesses:
The attacker tries to craft malicious signed code
from another language allowed by the sandbox to
verify the security weaknesses of the standard
libraries found in the Explore phase.
Attack Step Techniques
ID
Attack Step Technique Description
Environments
1
The attacker tries to explore the security
weaknesses by calling malicious signed code from
another language allowed by the sandbox.
env-Web
Outcomes
ID
Type
Outcome Description
1
Success
The attacker identifies a list
exploitable security weaknesses in the standard
libraries.
Security Controls
ID
Type
Security Control Description
1
Preventative
Sanitize the code of
the standard libraries to make sure there are no
security weaknesses in
them.
Exploit
Exploit the security weaknesses in the
standard libraries:
The attacker calls signed malicious code from
another language to exploit the security weaknesses
in the standard libraries verified in the Experiment
phase. The attacker will be able to obtain access to
privileges that were not intentionally exposed by
the sandbox, thus escaping the sandbox.
Attack Step Techniques
ID
Attack Step Technique Description
Environments
1
The attacker calls signed malicious code
from another language to exploit the security
weaknesses in the standard libraries.
env-All
Outcomes
ID
Type
Outcome Description
1
Success
The attacker escapes the
sandbox to obtain access to privileges that were
not intentionally exposed by the
sandbox.
Security Controls
ID
Type
Security Control Description
1
Preventative
Sanitize the code of
the standard libraries to make sure there is no
security weaknesses in
them.
Attack Prerequisites
A framework-based language that supports code signing and sandbox (such
as Java, .Net, JavaScript, and Flash) Deployed code that has been signed by
its authoring vendor, or a partner
Typical Likelihood of Exploit
Likelihood: Low
Methods of Attack
Analysis
API Abuse
Examples-Instances
Description
Exploit: Java/ByteVerify.C is a detection of malicious code that
attempts to exploit a vulnerability in the Microsoft Virtual Machine
(VM). The VM enables Java programs to run on Windows platforms. The
Microsoft Java VM is included in most versions of Windows and Internet
Explorer. In some versions of the Microsoft VM, a vulnerability exists
because of a flaw in the way the ByteCode Verifier checks code when it
is initially being loaded by the Microsoft VM. The ByteCode Verifier is
a low level process in the Microsoft VM that is responsible for checking
the validity of code - or byte code - as it is initially being loaded
into the Microsoft VM. Exploit:Java/ByteVerify.C attempts to download a
file named "msits.exe", located in the same virtual directory as the
Java applet, into the Windows system folder, and with a random file
name. It then tries to execute this specific file. This flaw enables
attackers to execute arbitrary code on a user's machine such as writing,
downloading and executing additional malware. This vulnerability is
addressed by update MS03-011, released in 2003.
Attacker Skills or Knowledge Required
Skill or Knowledge Level: High
The attacker must have a good knowledge of the platform specific
mechanisms of signing and verifying code. Most code signing and
verification schemes are based on use of cryptography, the attacker
needs to have an understand of these cryptographic operations in good
detail.
Resources Required
No special resource is required.
Solutions and Mitigations
Assurance: Sanitize the code of the standard libraries to make sure there
is no security weaknesses in them.
Design: Use obfuscation and other techniques to prevent reverse
engineering the standard libraries.
Assurance: Use static analysis tool to do code review and dynamic tool to
do penetration test on the standard library.
Configuration: Get latest updates for the computer.
J. Cappos, A. Dadgar, J. Rasley, J. Samuel, I. Beschastnikh,
C. Barsan, A. Krishnamurthy, T. Anderson.
"Retaining Sandbox Containment Despite Bugs in Privileged
Memory-Safe Code". The 17th ACM Conference on Computer and Communications
Security (CCS '10). 2010.
An attack of this type exploits a Web server's decision to take action
based on filename or file extension. Because different file types are
handled by different server processes, misclassification may force the Web
server to take unexpected action, or expected actions in an unexpected
sequence. This may cause the server to exhaust resources, supply debug or
system data to the attacker, or bind an attacker to a remote process.
This type of vulnerability has been found in many widely used servers
including IIS, Lotus Domino, and Orion. The attacker's job in this case is
straightforward, standard communication protocols and methods are used and
are generally appended with malicious information at the tail end of an
otherwise legitimate request. The attack payload varies, but it could be
special characters like a period or simply appending a tag that has a
special meaning for operations on the server side like .jsp for a java
application server. The essence of this attack is that the attacker deceives
the server into executing functionality based on the name of the request,
i.e. login.jsp, not the contents.
Attack Execution Flow
Explore
Footprint file input
vectors:
Manually or using an automated tool, an attacker
searches for all input locations where a user has
control over the filenames or MIME types of files
submitted to the web server.
Attack Step Techniques
ID
Attack Step Technique Description
Environments
1
Attacker manually crawls application to
identify file inputs
env-Web
2
Attacker uses an automated tool to crawl
application identify file inputs
env-Web
3
Attacker manually assesses strength of
access control protecting native application files
from user control
env-Web
4
Attacker explores potential for submitting
files directly to the web server via independently
constructed HTTP Requests
env-Web
Indicators
ID
Type
Indicator Description
Environments
1
Positive
Application submits files under user control
to the web server
env-Web
2
Negative
Application does not submit files under user
control to the web server
env-Web
3
Negative
Application strictly protects all native
application files from user control
env-Web
Outcomes
ID
Type
Outcome Description
1
Success
User-controllable files are
identified
Experiment
File misclassification
shotgunning:
An attacker makes changes to file extensions and
MIME types typically processed by web servers and
looks for abnormal behavior.
Attack Step Techniques
ID
Attack Step Technique Description
Environments
1
Attacker submits files with switched
extensions (e.g. .php on a .jsp file) to web
server.
env-Web
2
Attacker adds extra characters (e.g. adding
an extra . after the file extension) to filenames
of files submitted to web server.
env-Web
Indicators
ID
Type
Indicator Description
Environments
1
Positive
The web server uses the wrong handler to
execute the file, as expected by the
attacker.
env-Web
2
Inconclusive
No result from the web server.
env-Web
3
Negative
The web server ignore the manipulation and
process the request has it should have
been.
env-Web
Outcomes
ID
Type
Outcome Description
1
Success
Web server exhibits unexpected
behavior.
Security Controls
ID
Type
Security Control Description
2
Detective
Monitor web server
logs for excessive file processing
errors
3
Preventative
Always validate that
file content structure matches implicitly or
explicitly declared file type as first step of
processing.
File misclassification
sniping:
Understanding how certain file types are processed
by web servers, an attacker crafts varying file
payloads and modifies their file extension or MIME
type to be that of the targeted type to see if the
web server is vulnerable to misclassification of
that type.
Attack Step Techniques
ID
Attack Step Technique Description
Environments
1
Craft a malicious file payload, modify file
extension to the targeted file type and submit it
to the web server.
env-Web
2
Craft a malicious file payload, modify its
associated MIME type to the targeted file type and
submit it to the web server.
env-Web
Indicators
ID
Type
Indicator Description
Environments
1
Positive
The web server uses the wrong handler to
execute the file, as expected by the
attacker.
env-Web
2
Inconclusive
No result from the web server.
env-Web
3
Negative
The web server ignore the manipulation and
process the request has it should have
been.
env-Web
Outcomes
ID
Type
Outcome Description
1
Success
Attacker's payload is acted on
by web server.
2
Failure
The attacker cannot get the web
server to misclassify a
file.
Security Controls
ID
Type
Security Control Description
1
Detective
Monitor web server
logs for excessive file processing
errors
2
Preventative
Always validate that
file content structure matches implicitly or
explicitly declared file type as first step of
processing.
Exploit
Disclose information:
The attacker, by manipulating a file extension or
MIME type is able to make the web server return raw
information (not executed).
Attack Step Techniques
ID
Attack Step Technique Description
Environments
1
Manipulate the file names that are
explicitly sent to the server.
env-Web
2
Manipulate the MIME sent in order to confuse
the web server.
env-Web
Outcomes
ID
Type
Outcome Description
1
Success
The attacker gets the
information from the server
Security Controls
ID
Type
Security Control Description
1
Preventative
Always validate that
file content structure matches implicitly or
explicitly declared file type as first step of
processing.
Attack Prerequisites
Web server software must rely on file name or file extension for
processing.
Typical Likelihood of Exploit
Likelihood: Medium
Methods of Attack
Injection
Modification of Resources
Examples-Instances
Description
J2EE application servers are supposed to execute Java Server Pages
(JSP). There have been disclosure issues relating to Orion Application
Server, where an attacker that appends either a period (.) or space
characters to the end of a legitimate Http request, then the server
displays the full source code in the attacker's web browser.
http://victim.site/login.jsp.
Since remote data and directory access may be accessed directly from
the JSP, this is a potentially very serious issue.
To use misclassification to force the Web server to disclose
configuration information, source, or binary data
Resources Required
Ability to execute HTTP request to Web server
Solutions and Mitigations
Implementation: Server routines should be determined by content not
determined by filename or file extension.
Attack Motivation-Consequences
Scope
Technical Impact
Note
Confidentiality
Read memory
Read application
data
Confidentiality
Access_Control
Authorization
Gain privileges / assume
identity
Injection Vector
Malicious input delivered through standard Web application calls, e.g. HTTP
Request.
Payload
Varies with instantiation of attack pattern. Malicious payload may alter or
append filename or extension to communicate with processes in unexpected
order.
Activation Zone
Client machine and client network
Payload Activation Impact
Description
Enables attacker to force web server to disclose configuration, source,
and data
An attacker spoofs a checksum message for the purpose of making a payload
appear to have a valid corresponding checksum. Checksums are used to verify
message integrity. They consist of some value based on the value of the
message they are protecting. Hash codes are a common checksum mechanism.
Both the sender and recipient are able to compute the checksum based on the
contents of the message. If the message contents change between the sender
and recipient, the sender and recipient will compute different checksum
values. Since the sender's checksum value is transmitted with the message,
the recipient would know that a modification occurred. In checksum spoofing
an attacker modifies the message body and then modifies the corresponding
checksum so that the recipient's checksum calculation will match the
checksum (created by the attacker) in the message. This would prevent the
recipient from realizing that a change occurred.
Attack Prerequisites
The attacker must be able to intercept a message from the sender (keeping
the recipient from getting it), modify it, and send the modified message to
the recipient.
The sender and recipient must use a checksum to protect the integrity of
their message and transmit this checksum in a manner where the attacker can
intercept and modify it.
The checksum value must be computable using information known to the
attacker. A cryptographic checksum, which uses a key known only to the
sender and recipient, would thwart this attack.
Resources Required
The attacker must be able to intercept and modify messages between the sender
and recipient.
Attackers aware that more data is being fed into a multicast or public
information distribution means can 'select' information bound only for
another client, even if the distribution means itself forces users to
authenticate in order to connect initally.
Doing so allows the attacker to gain access to possibly privileged
information, possibly perpetrate other attacks through the distribution
means by impersonation.
If the channel/message being manipulated is an input rather than output
mechanism for the system, (such as a command bus), this style of attack
could change its identifier from a less privileged to more so privileged
channel or command.
Attack Execution Flow
Determine the nature of messages being transported
as well as the identifiers to be used as part of the
attack
If required, authenticate to the distribution
channel
If any particular client's information is
available through the transport means simply by
selecting a particular identifier, an attacker can
simply provide that particular identifier.
Attackers with client access connecting to output
channels could change their channel identifier and
see someone else's (perhaps more privileged)
data.
Attack Prerequisites
Information and client-sensitive (and client-specific) data must be
present through a distribution channel available to all users.
Distribution means must code (through channel, message identifiers, or
convention) message destination in a manner visible within the distribution
means itself (such as a control channel) or in the messages
themselves.
Typical Likelihood of Exploit
Likelihood: Very High
Examples-Instances
Description
A certain B2B interface on a large application codes for messages
passed over a MQSeries queue, on a single "Partners" channel. Messages
on that channel code for their client destination based on a partner_ID
field, held by each message. That field is a simple integer. Attackers
having access to that channel, perhaps a particularly nosey partner, can
simply choose to store messages of another parnter's ID and read them as
they desire. Note that authentication does not prevent a partner from
leveraging this attack on other partners. It simply disallows Attackers
without partner status from conducting this attack.
Attacker Skills or Knowledge Required
Skill or Knowledge Level: Low
All the attacker needs to discover is the format of the messages on
the channel/distribution means and the particular identifier used within
the messages.
Resources Required
The Attacker needs the ability to control source code or application
configuration responsible for selecting which message/channel id is absorbed
from the public distribution means.
Probing Techniques
Description
Assisted protocol analysis: because the protocol under attack is a
public channel, or one in which the attacker likely has authorized
access to, they need simply to decode the aspect of channel or message
interpretation that codes for message identifiers.
Probing is as simple as changing this value and watching its
effect.
Solutions and Mitigations
Associate some ACL (in the form of a token) with an authenticated user
which they provide middleware. The middleware uses this token as part of its
channel/message selection for that client, or part of a discerning
authorization decision for privileged channels/messages.
The purpose is to architect the system in a way that associates proper
authentication/authorization with each channel/message.
Rearchitect system input/output channels as appropriate to distribute
self-protecting data. That is, encrypt (or otherwise protect)
channels/messages so that only authorized readers can see them.
Use Authentication Mechanisms, Where Appropriate, Correctly
Use Authorization Mechanisms Correctly: this refers to Ambiguity of
authentication. Many authorization systems use ambiguous symbols (i.e.,
principal names) to identify principals allowing circumvention of
authorization by using a different, though equivalent, principal name. For
example, there are many implementations for restricting remote host access
to local services that may allow many proper—but apparently different—names
for unique hosts (e.g., fully qualified domain names, shortened names,
CNAMEs, IPv4 addresses, IPv6 addresses).
Purposes
Penetration
CIA Impact
Confidentiality Impact: Medium
Integrity Impact: Low
Availability Impact: Low
Technical Context
Architectural Paradigms
Client-Server
n-Tier
SOA
Frameworks
All
Platforms
All
Languages
All
Content History
Submissions
Submitter
Organization
Date
Comments
John Steven
Cigital, Inc
2007-02-10
Initial core pattern content
Modifications
Modifier
Organization
Date
Comments
Chiradeep B. Chhaya
Cigital, Inc
2007-02-23
Fleshed out pattern with extra
content
Richard Struse
VOXEM, Inc
2007-03-26
Review and feedback leading to changes in Description
and Related Attack Patterns
Sean Barnum
Cigital, Inc
2007-04-13
Modified pattern content according to review and
feedback
In a clickjacking attack the victim is tricked into unknowingly initiating
some action in one system while interacting with the UI from seemingly
completely different system. While being logged in to some target system,
the victim visits the attacker's malicious site which displays a UI that the
victim wishes to interact with. In reality, the clickjacked page has a
transparent layer above the visible UI with action controls that the
attacker wishes the victim to execute. The victim clicks on buttons or other
UI elements they see on the page which actually triggers the action controls
in the transparent overlaying layer. Depending on what that action control
is, the attacker may have just tricked the victim into executing some
potentially privileged (and most certainly undesired) functionality in the
target system to which the victim is authenticated. The basic problem here
is that there is a dichotomy between what the victim thinks he's clicking on
versus what he or she is actually clicking on.
Attack Execution Flow
Experiment
Craft a clickjacking
page:
The attacker utilizes web page layering techniques
to try to craft a malicious clickjacking page
Attack Step Techniques
ID
Attack Step Technique Description
Environments
1
The attacker leveraged iFrame overlay
capabilities to craft a malicious clickjacking
page
env-Web
2
The attacker leveraged Flash file overlay
capabilities to craft a malicious clickjacking
page
env-Web
3
The attacker leveraged Silverlight overlay
capabilities to craft a malicious clickjacking
page
env-Web
4
The attacker leveraged cross-frame scripting
to craft a malicious clickjacking page
env-Web
Indicators
ID
Type
Indicator Description
Environments
1
Positive
Overlay capabilities are enabled in the
browser
env-Web
Outcomes
ID
Type
Outcome Description
1
Success
A page is created that performs
unseen actions when the user interacts with the
visible UI
Security Controls
ID
Type
Security Control Description
1
Preventative
Disable overlay
functionality in the browser. This can have
obvious impact on the utility of the browser with
some sites and web
applications.
Exploit
Attacker lures victim to clickjacking
page:
Attacker utilizes some form of temptation,
misdirection or coercion to lure the victim to
loading and interacting with the clickjacking pagen
a way that increases the chances that the victim
will click in the right areas.
Attack Step Techniques
ID
Attack Step Technique Description
Environments
1
Lure the victim to the malicious site by
sending the victim an e-mail with a URL to the
site.
env-Web
2
Lure the victim to the malicious site by
manipulating URLs on a site trusted by the
victim.
env-Web
3
Lure the victim to the malicious site
through a cross-site scripting attack.
env-Web
Outcomes
ID
Type
Outcome Description
1
Success
The victim loads the
clickjacking page.
Trick victim into interacting with the
clickjacking page in the desired
manner:
The attacker tricks the victim into clicking on
the areas of the UI which contain the hidden action
controls and thereby interacts with the target
system maliciously with the victim's level of
privilege.
Attack Step Techniques
ID
Attack Step Technique Description
Environments
1
Hide action controls over very commonly used
functionality.
env-Web
2
Hide action controls over very
psychologically tempting content.
env-Web
Attack Prerequisites
The victim is communicating with the target application via a web based UI
and not a thick client
The victim's browser security policies allow at least one of the following
JavaScript, Flash, iFrames, ActiveX, or CSS.
The victim uses a modern browser that supports UI elements like clickable
buttons (i.e. not using an old text only browser)
The victim has an active session with the target system.
The target system's interaction window is open in the victim's browser and
supports the ability for initiating sensitive actions on behalf of the user
in the target system
Typical Likelihood of Exploit
Likelihood: Medium
Methods of Attack
Spoofing
Social Engineering
Examples-Instances
Description
A victim has an authenticated session with a site that provides an
electronic payment service to transfer funds between subscribing
members. At the same time, the victim receives an e-mail that appears to
come from an online publication to which he or she subscribes with links
to today's news articles. The victim clicks on one of these links and is
taken to a page with the news story. There is a screen with an
advertisement that appears on top of the news article with the 'skip
this ad' button. Eager to read the news article, the user clicks on this
button. Nothing happens. The user clicks on the button one more time and
still nothing happens.
In reality, the victim activated a hidden action control located in a
transparent layer above the 'skip this ad' button. The ad screen
blocking the news article made it likely that the victim would click on
the 'skip this ad' button. Clicking on the button, actually initiated
the transfer of $1000 from the victim's account with an electronic
payment service to an attacker's account. Clicking on the 'skip this ad'
button the second time (after nothing seemingly happened the first time)
confirmed the transfer of funds to the elctronic payment service.
Attacker Skills or Knowledge Required
Skill or Knowledge Level: High
Crafting the proper malicious site and luring the victim to this site
are not trivial tasks.
Resources Required
Low: A computer connected to the internet.
Solutions and Mitigations
If using the Firefox browser, use the NoScript plug-in that will help
forbid iFrames.
Turn off JavaScript, Flash and disable CSS.
When maintaining an authenticated session with a privileged target system,
do not use the same browser to navigate to unfamiliar sites to perform other
activities. Finish working with the target system and logout first before
proceeding to other tasks.
Enforce maximum security restrictions in the browser: JavaScript disabled,
Flash disabled, CSS disabled, iFrames forbidden
Related Security Principles
Shed elevated privileges as soon as possible (i.e. log out of the target
application once finished with it and before doing other things in the
browser)
This attack utilizes the frequent client-server roundtrips in Ajax
conversation to scan a system. While Ajax does not open up new
vulnerabilities per se, it does optimize them from an attacker point of
view. In many XSS attacks the attacker must get a "hole in one" and
successfully exploit the vulnerability on the victim side the first time,
once the client is redirected the attacker has many chances to engage in
follow on probes, but their is only one first chance. In a widely used web
application this is not a major problem because 1 in a 1,000 is good enough
in a widely used application.
A common first step for an attacker is to footprint the environment to
understand what attacks will work. Since footprinting relies on enumeration,
the conversational pattern of rapid, multiple requests and responses that
are typical in Ajax applications enable an attacker to look for many
vulnerabilities, well known ports, network locations and so on.
Attack Prerequisites
The user must allow Javscript to execute in their browser
Typical Likelihood of Exploit
Likelihood: High
Methods of Attack
Protocol Manipulation
Injection
Brute Force
Examples-Instances
Description
Footprinting can be executed over almost any protocol including HTTP,
TCP, UDP, and ICMP, with the general goal of gaining further information
about a host environment to launch further attacks. By appending a
malicious script to an otherwise normal looking URL, the attacker can
probe the sysem for banners, vulnerabilities, filenames, available
services, and in short anything the host process has access to. The
results of the probe are either used to execute additional javascript
(for example, if the attacker's footprint script identifies a
vulnerability in a firewall permission, then the client side script
executes a javascript to change client firewall settings, or an attacker
may simply echo the results of the scan back out to a remote host for
targeting future attacks).
Attacker Skills or Knowledge Required
Skill or Knowledge Level: Medium
To land and launch a script on victim's machine with appropriate
footprinting logic for enumerating services and vulnerabilities in
Javascript
Solutions and Mitigations
Design: Use browser technologies that do not allow client side
scripting.
Design: Utilize strict type, character, and encoding enforcement
Implementation: Ensure all content that is delivered to client is
sanitized against an acceptable content specification.
Implementation: Perform input validation for all remote content.
Implementation: Perform output validation for all remote content.
Implementation: Disable scripting languages such as Javascript in
browser
Implementation: Patching software. There are many attack vectors for XSS
on the client side and the server side. Many vulnerabilities are fixed in
service packs for browser, web servers, and plug in technologies, staying
current on patch release that deal with XSS countermeasures mitigates
this.
Attack Motivation-Consequences
Scope
Technical Impact
Note
Confidentiality
Read application
data
Injection Vector
Payload delivered through standard communication protocols, such as Ajax
application.
Payload
Command(s) executed directly on host
Activation Zone
Client machine and client network
Payload Activation Impact
Description
Enables attacker to execute probes against client system.
An attacker takes advantage of weaknesses in the protocol by which a
client and server are communicating to perform unexpected actions.
Communication protocols are necessary to transfer messages between client
and server applications. Moreover, different protocols may be used for
different types of interactions. For example, an authentication protocol
might be used to establish the identities of the server and client while a
separate messaging protocol might be used to exchange data. If there is a
weakness in a protocol used by the client and server, an attacker might take
advantage of this to perform various types of attacks. For example, if the
attacker is able to manipulate an authentication protocol, the attacker may
be able spoof other clients or servers. If the attacker is able to
manipulate a messaging protocol, the may be able to read sensitive
information or modify message contents. This attack is often made easier by
the fact that many clients and servers support multiple protocols to perform
similar roles. For example, a server might support several different
authentication protocols in order to support a wide range of clients,
including legacy clients. Some of the older protocols may have
vulnerabilities that allow an attacker to manipulate client-server
interactions.
Attack Prerequisites
The client and/or server must utilize a protocol that has a weakness
allowing attacker manipulation of the interaction.
Resources Required
The attacker must be able to identify the weakness in the utilized protocol
and exploit it. This may require a sniffing tool as well as packet creation
abilities. The attacker will be aided if they can force the client and/or server
to utilize a specific protocol known to contain exploitable weaknesses.
This type of attack exploits a buffer overflow vulnerability in targeted
client software through injection of malicious content from a custom-built
hostile service.
Attack Execution Flow
The attacker creates a custom hostile
service
The attacker acquires information about the kind
of client attaching to her hostile service to
determine if it contains an exploitable buffer
overflow vulnerability.
The attacker intentionally feeds malicious data to
the client to exploit the buffer overflow
vulnerability that she has uncovered.
The attacker leverages the exploit to execute
arbitrary code or to cause a denial of
service.
Attack Prerequisites
The targeted client software communicates with an external server.
The targeted client software has a buffer oveflow vulnerability.
Typical Likelihood of Exploit
Likelihood: Medium
Methods of Attack
API Abuse
Injection
Examples-Instances
Description
Authors often use <EMBED> tags in HTML documents. For
example
If an attacker supplies an overly long path in the SRC= directive, the
mshtml.dll component will suffer a buffer overflow. This is a standard
example of content in a Web page being directed to exploit a faulty
module in the system. There are potentially thousands of different ways
data can propagate into a given system, thus these kinds of attacks will
continue to be found in the wild.
Attacker Skills or Knowledge Required
Skill or Knowledge Level: Low
To achieve a denial of service, an attacker can simply overflow a
buffer by inserting a long string into an attacker-modifiable injection
vector.
High : Exploiting a buffer overflow to inject malicious code into the
stack of a software system or even the heap requires a more in-depth
knowledge and higher skill level.
Probing Techniques
Description
The server may look like a valid server, but in reality it may be a
hostile server aimed at fooling the client software. For instance the
server can use honey pots and get the client to download malicious
code.
Description
Once engaged with the client, the hostile server may attempt to scan
the client's host for open ports and potential vulnerabilities in the
client software.
Description
The hostile server may also attempt to install and run malicious code
on the client software. That malicious code can be used to scan the
client software for buffer overflow.
Indicators-Warnings of Attack
Description
An example of indicator is when the client software crashes after
executing code downloaded from a hostile server.
Solutions and Mitigations
The client software should not install untrusted code from a non
authenticated server.
The client software should have the latest patches and should be audited
for vulnerabilities before being used to communicate with potentially
hostile servers.
Perform input validation for length of buffer inputs.
Use a language or compiler that performs automatic bounds checking.
Use an abstraction library to abstract away risky APIs. Not a complete
solution.
Compiler-based canary mechanisms such as StackGuard, ProPolice and the
Microsoft Visual Studio /GS flag. Unless this provides automatic bounds
checking, it is not a complete solution.
Ensure all buffer uses are consistently bounds-checked.
Use OS-level preventative functionality. Not a complete solution.
Attack Motivation-Consequences
Scope
Technical Impact
Note
Confidentiality
Read memory
Integrity
Modify memory
Availability
DoS: resource consumption
(memory)
Confidentiality
Integrity
Availability
Execute unauthorized code or
commands
Payload
Attacker-supplied data potentially containing malicious code.
Activation Zone
When the function returns control to the main program, it jumps to the return
address portion of the stack frame. Unfortunately that return address may have
been overwritten by the overflowed buffer and the address may contain a call to
a privileged command or to malicious code.
Payload Activation Impact
Description
The most common are remote code execution or denial of service.
An attacker duplicates the data on a Magnetic strip card (i.e. 'swipe
card' or ‘magstripe’) to gain unauthorized access to a physical location or
a person's private information. Magstripe cards encode data on a band of
iron-based magnetic particles arrayed in a stripe along a rectangular card.
Most magstripe card data formats conform to ISO standards 7810, 7811, 7813,
8583, and 4909. The primary advantage of magstripe technology is ease of
enconding and portability, but this also renders magnetic strip cards
susceptible to unauthorized duplication. If magstripe cards are used for
access control, all an attacker need do is obtain a valid card long enough
to make a copy of the card and then return the card to its location (i.e. a
co-worker’s desk). Magstripe reader/writers are widely available as well as
software for analyzing data encoded on the cards. By swiping a valid card,
it becomes trivial to make any number of duplicates that function as the
original.
Stuart McClure,
Joel Scambray and George Kurtz.
"Hacking Exposed: Network Security Secrets &
Solutions". 6th Edition. McGraw Hill, ISBN: 978-0-07-161374-3. 2009.
An attacker analyzes data returned by an RFID chip and uses this
information to duplicate a RFID signal that responds identically to the
target chip. In some cases RFID chips are used for building access control,
employee identification, or as markers on products being delivered along a
supply chain. Some organizations also embed RFID tags inside computer assets
to trigger alarms if they are removed from particular rooms, zones, or
buildings. Similar to Magnetic strip cards, RFID cards are susceptible to
duplication (cloning) and reuse. RFID (Radio Frequency Identification) are
passive devices which consist of an integrated circuit for processing RF
signals and an antenna. RFID devices are passive in that they lack an on
on-board power source. The majority of RFID chips operate on either the
13.56 MHz or 135 KHz frequency. The chip is powered when a signal is
received by the antenna on the chip, powering the chip long enough to send a
reply messge. An attacker is able to capture and analyze RFID data by either
stimulating the chip to respond or being proximate to the chip when it sends
a response to a remote transmitter. This allows the attacker to duplicate
the signal and conduct attacks such as gaining unauthorized access to a
building or impersonating a user’s identification.
Stuart McClure,
Joel Scambray and George Kurtz.
"Hacking Exposed: Network Security Secrets &
Solutions". 6th Edition. McGraw Hill, ISBN: 978-0-07-161374-3. 2009.
An attacker exploits a weakness in input validation on the target to force
arbitrary code to be retrieved from a remote location and executed. This
differs from script injection in that script injection involves the direct
inclusion of scripting code while code inclusion involves the addition or
replacement of a reference to a code file, which is subsequently loaded by
the target and used as part of the code of some application. One example of
this sort of attack is PHP file include attacks where the parameter of an
include() function is set by a variable that an attacker is able to control.
The result is that arbitrary code could be loaded into the PHP application
and executed.
Attack Prerequisites
The target application must include external code/libraries that are
executed when the application runs and the attacker must be able to
influence the specific files that get included.
The victim must run the targeted application, possibly using the crafted
parameters that the attacker uses to identify the code to include.
Resources Required
The attacker may need to be able to host code modules if they wish their own
code files to be included.
An attack of this type exploits a programs' vulnerabilities that allows an
attacker's commands to be concatenated onto a legitimate command with the
intent of targeting other resources such as the file system or database. The
system that uses a filter or a blacklist input validation, as opposed to
whitelist validation is vulnerable to an attacker who predicts delimiters
(or combinations of delimiters) not present in the filter or blacklist. As
with other injection attacks, the attacker uses the command delimiter
payload as an entry point to tunnel through the application and activate
additional attacks through SQL queries, shell commands, network scanning,
and so on.
Attack Execution Flow
Explore
Assess Target Runtime
Environment:
In situations where the runtime environment is not
implicitly known, the attacker makes connections to
the target system and tries to determine the
system's runtime environment. Knowing the
environment is vital to choosing the correct
delimiters.
Attack Step Techniques
ID
Attack Step Technique Description
Environments
1
Port mapping using network connection-based
software (e.g., nmap, nessus, etc.)
Operating environment
(operating system, language, and/or middleware) is
correctly identified.
2
Inconclusive
Multiple candidate operating
environments are suggested.
Security Controls
ID
Type
Security Control Description
1
Preventative
Provide misleading
information on TCIP/IP fingerprints (some
operating systems can be configured to send
signatures that match other operating
systems).
2
Preventative
Provide misleading
information at the server level (e.g., Apache,
IIS, WebLogic, etc.) to announce a different
server software.
3
Detective
Some fingerprinting
techniques can be detected by operating systems or
by network IDS systems because they leave the
network connection half-open, or they do not
belong to a valid, open
connection.
Survey the
Application:
The attacker surveys the target application,
possibly as a valid and authenticated user
Attack Step Techniques
ID
Attack Step Technique Description
Environments
-1
Spidering web sites for all available
links
env-Web
-1
Inventory all application inputs
env-All
Indicators
ID
Type
Indicator Description
Environments
-1
Positive
Attacker develops a list of valid
inputs
env-Web
env-ClientServer
Outcomes
ID
Type
Outcome Description
0
Success
The attacker develops a list of
likely command delimiters.
Security Controls
ID
Type
Security Control Description
0
Detective
Monitor velocity of
page fetching in web logs. Humans who view a page
and select a link from it will click far slower
and far less regularly than tools. Tools make
requests very quickly and the requests are
typically spaced apart regularly (e.g. 0.8 seconds
between them).
0
Detective
Create links on some
pages that are visually hidden from web browsers.
Using IFRAMES, images, or other HTML techniques,
the links can be hidden from web browsing humans,
but visible to spiders and programs. A request for
the page, then, becomes a good predictor of an
automated tool probing the
application.
0
Preventative
Actively monitor the
application and either deny or redirect requests
from origins that appear to be
automated.
0
Detective
Monitor velocity of
feature activations (non-web software). Humans who
activate features (click buttons, request actions,
invoke APIs, etc.) will do so far slower and far
less regularly than tools. Tools make requests
very quickly and the requests are typically spaced
apart regularly (e.g. 0.8 seconds between
them).
Experiment
Attempt delimiters in
inputs:
The attacker systematically attempts variations of
delimiters on known inputs, observing the
application's response each time.
Inject command delimiters using web test
frameworks (proxies, TamperData, custom programs,
etc.)
env-Web
3
Enter command delimiters directly in input
fields.
env-Embedded env-Local
env-ClientServer
Indicators
ID
Type
Indicator Description
Environments
1
Positive
Attack step 2 is successful.
env-All
Outcomes
ID
Type
Outcome Description
1
Success
One or more command delimiters
for the platform provokes an unexpected response
from the software, which can be varied by the
attacker based on the input.
Exploit
Use malicious command
delimiters:
The attacker uses combinations of payload and
carefully placed command delimiters to attack the
software.
Outcomes
ID
Type
Outcome Description
1
Success
The software performs as
expected by the attacker.
Security Controls
ID
Type
Security Control Description
1
Detective
Attack Prerequisites
Software's input validation or filtering must not detect and block
presence of additional malicious command.
Typical Likelihood of Exploit
Likelihood: High
Methods of Attack
Injection
Examples-Instances
Description
By appending special characters, such as a semicolon or other commands
that are executed by the target process, the attacker is able to execute
a wide variety of malicious commands in the target process space,
utilizing the target's inherited permissions, against any resource the
host has access to. The possibilities are vast including injection
attacks against RDBMS (SQL Injection), directory servers (LDAP
Injection), XML documents (XPath and XQuery Injection), and command line
shells. In many injection attacks, the results are converted back to
strings and displayed to the client process such as a web browser
without tripping any security alarms, so the network firewall does not
log any out of the ordinary behavior.
LDAP servers house critical identity assets such as user, profile,
password, and group information that is used to authenticate and
authorize users. An attacker that can query the directory at will and
execute custom commands against the directory server is literally
working with the keys to the kingdom in many enterprises. When user,
organizational units, and other directory objects are queried by
building the query string directly from user input with no validation,
or other conversion, then the attacker has the ability to use any LDAP
commands to query, filter, list, and crawl against the LDAP server
directly in the same manner as SQL injection gives the ability to the
attacker to run SQL commands on the database.
Attacker Skills or Knowledge Required
Skill or Knowledge Level: Medium
The attacker has to identify injection vector, identify the specific
commands, and optionally collect the output, i.e. from an interactive
session.
Resources Required
Ability to communicate synchronously or asynchronously with server.
Optionally, ability to capture output directly through synchronous communication
or other method such as FTP.
Solutions and Mitigations
Design: Perform whitelist validation against a positive specification for
command length, type, and parameters.
Design: Limit program privileges, so if commands circumvent program input
validation or filter routines then commands do not running under a
privileged account
Implementation: Perform input validation for all remote content.
Implementation: Use type conversions such as JDBC prepared
statements.
Attack Motivation-Consequences
Scope
Technical Impact
Note
Confidentiality
Integrity
Availability
Execute unauthorized code or
commands
Confidentiality
Read application
data
Injection Vector
Malicious input delivered through appending delimiters to standard input
Payload
Command(s) appended to valid parameters to enable attacker to execute commands
on host
Activation Zone
Client machine and client network
Payload Activation Impact
Description
Enables attacker to execute server side code with any commands that the
program owner has privileges to.
An attacker uses standard SQL injection methods to inject data into the
command line for execution. This could be done directly through misuse of
directives such as MSSQL_xp_cmdshell or indirectly through injection of data
into the database that would be interpreted as shell commands. Sometime
later, an unscrupulous backend application (or could be part of the
functionality of the same application) fetches the injected data stored in
the database and uses this data as command line arguments without performing
proper validation. The malicious data escapes that data plane by spawning
new commands to be executed on the host.
Attack Execution Flow
Explore
Probe for SQL Injection
vulernability:
The attacker injects SQL syntax into
user-controllable data inputs to search unfiltered
execution of the SQL syntax in a query.
At least one user-controllable
input susceptible to injection
found.
2
Failure
No user-controllable input
susceptible to injection
found.
Security Controls
ID
Type
Security Control Description
1
Detective
Search for and alert
on unexpected SQL keywords in application logs
(e.g. SELECT, DROP,
etc.).
2
Preventative
Input validation of
user-controlled data before including it in a SQL
query
3
Preventative
Use parameterized
queries (e.g. PreparedStatement in Java, and
Command.Parameters.Add() to set query parameters
in .NET)
Exploit
Achieve arbitrary command execution
through SQL Injection with the MSSQL_xp_cmdshell
directive:
The attacker leverages a SQL Injection attack to
inject shell code to be executed by leveraging the
xp_cmdshell directive.
Outcomes
ID
Type
Outcome Description
1
Success
Attacker's injected code is
executed.
Security Controls
ID
Type
Security Control Description
1
Preventative
Disable xp_cmdshell
stored procedure on the
database.
2
Detective
Search for and alert
on unexpected SQL keywords in application logs
(e.g. SELECT, DROP,
etc.).
3
Preventative
Input validation of
user-controlled data before including it in a SQL
query
4
Preventative
Use parameterized
queries (e.g. PreparedStatement in Java, and
Command.Parameters.Add() to set query parameters
in .NET)
Inject malicious data in the
database:
Leverage SQL injection to inject data in the
database that could later be used to achieve command
injection if ever used as a command line
argument
Security Controls
ID
Type
Security Control Description
1
Detective
Search for and alert
on unexpected SQL keywords in application logs
(e.g. SELECT, DROP,
etc.).
2
Preventative
Input validation of
user-controlled data before including it in a SQL
query
3
Preventative
Use parameterized
queries (e.g. PreparedStatement in Java, and
Command.Parameters.Add() to set query parameters
in .NET)
Trigger command line execution with
injected arguments:
The attacker causes execution of command line
functionality which leverages previously injected
database content as arguments.
Outcomes
ID
Type
Outcome Description
1
Success
Attacker's injected code is
executed.
Attack Prerequisites
The application does not properly validate data before storing in the
database
Backend application implicitly trusts the data stored in the
database
Malicious data is used on the backend as a command line argument
Typical Likelihood of Exploit
Likelihood: Low
Methods of Attack
Analysis
Injection
Examples-Instances
Description
SQL injection vulnerability in Cacti 0.8.6i and earlier, when
register_argc_argv is enabled, allows remote attackers to execute
arbitrary SQL commands via the (1) second or (2) third arguments to
cmd.php. NOTE: this issue can be leveraged to execute arbitrary commands
since the SQL query results are later used in the polling_items array
and popen function (CVE-2006-6799).
The attacker most likely has to be familiar with the internal
functionality of the system to launch this attack. Without that
knowledge, there are not many feedback mechanisms to give an attacker
the indication of how to perform command injection or whether the attack
is succeeding.
Resources Required
No specialized resources are required
Solutions and Mitigations
Disable MSSQL xp_cmdshell directive on the database
Properly validate the data (syntactically and semantically) before writing
it to the database.
Do not implicitly trust the data stored in the database. Re-validate it
prior to usage to make sure that it is safe to use in a given context (e.g.
as a command line argument).
An attacker exploits well known locations for resources for the purposes
of undermining the security of the target. In many, if not most, systems,
files and resources are organized in the same tree structure. This can be
useful for attackers because they often know where to look for resources or
files that are necessary for attacks. Even when the precise location of a
targeted resource may know be known, naming conventions may indicate a small
area of the target machine's file tree where the resources are typically
located. For example, configuration files are normally stored in the /etc
director on Unix systems. Attackers can take advantage of this to commit
other types of attacks.
Attack Prerequisites
The targeted applications must either expect files to be located at a
specific location or, if the location of the files can be configured by the
user, the user either failed to move the files from the default location or
placed them in a conventional location for files of the given type.
Resources Required
No special resources are required for most variants of this attack. In some
cases, the attacker need not even have direct access to the locations on the
target computer where the targeted resources reside.
An attacker manipulates files or settings external to a target application
which affect the behavior of that application. For example, many
applications use external configuration files and libraries - modification
of these entities or otherwise affecting the application's ability to use
them would constitute a configuration/environment manipulation
attack.
Attack Prerequisites
The target application must consult external files or configuration
controls to control its execution. All but the very simplest applications
meet this requirement.
Resources Required
The attacker must have the access necessary to affect the files or other
environment items the targeted application uses for its operations.
An attacker modifies content to make it contain something other than what
the original content producer intended while keeping the apparent source of
the content unchanged. The term content spoofing is most often used to
describe modification of web pages hosted by a target to display the
attacker's content instead of the owner's content. However, any content can
be spoofed, including the content of email messages, file transfers, or the
content of other network communication protocols. Content can be modified at
the source (e.g. modifying the source file for a web page) or in transit
(e.g. intercepting and modifying a message between the sender and
recipient). Usually, the attacker will attempt to hide the fact that the
content has been modified, but in some cases, such as with web site
defacement, this is not necessary. Content Spoofing can lead to malware
exposure, financial fraud if the content governs financial transactions,
privacy violations, and other results.
Attack Prerequisites
The target must provide content but fail to adequately protect it against
modification.
Resources Required
No special resources are required by the client for most forms of the attack.
If the content is to be modified in transit, the attacker must be able to
intercept the targeted messages. In some variants, the targeted content is
altered so that all or some of it is redirected towards content published by the
attacker (for example, images and frames in the target's web site might be
modified to be loaded from a source controlled by the attacker). In these cases,
the attacker must be able to host the replacement content.
An attacker manipulates either egress or ingress data from a client within
an application framework in order to change the content of messages.
Performing this attack allows the attacker to manipulate content in such a
way as to produce messages or content that look authentic but may contain
deceptive links, spam-like content, or links to the attackers code. In
general, content-spoofing within an application API can be employed to stage
many different types of attacks varied based on the attacker's intent. The
techniques require use of specialized software that allow the attacker to
man-in-the-middle communications between the web browser and the remote
system.
Target Attack Surface
Target Attack Surface Description
Targeted OSI Layers:
Application Layer
Target Attack Surface Localities
Client-side
Target Attack Surface Types:
Host
Target Functional Services
Target Functional Service 1: Any
Protocol 1: HTTP
Related Protocol: Internet Protocol
Relationship Type
Uses Protocol
Related Protocol: Transmission Control Protocol
Relationship Type
Uses Protocol
Attack Prerequisites
Targeted software is utilizing application framework APIs
Resources Required
A software program that allows a user to man-in-the-middle communications
between the client and server, such as a man-in-the-middle proxy.
An attacker exploits file location algorithms in an operating system or
application by creating a file with the same name as a protected or
privileged file. The attacker could manipulate the system if the
attacker-created file is trusted by the operating system or an application
component that attempts to load the original file. Applications often load
or include external files, such as libraries or configuration files. These
files should be protected against malicious manipulation. However, if the
application only uses the name of the file when locating it, an attacker may
be able to create a file with the same name and place it in a directory that
the application will search before the directory with the legitimate file is
searched. Because the attacker's file is discovered first, it would be used
by the target application. This attack can be extremely destructive if the
referenced file is executable and/or is granted special privileges based
solely on having a particular name.
Attack Prerequisites
The target application must exclude external files. Most non-trivial
applications meet this criterion.
The target application does not verify that a located file is the one it
was looking for through means other than the name. Many applications fail to
perform checks of this type.
The directories the target application searches to find the included file
include directories writable by the attacker which are searched before the
protected directory containing the actual files. It is much less common for
applications to meet this criterion, but if an attacker can manipulate the
application's search path (possibly by controlling environmental variables)
then they can force this criterion to be met.
Resources Required
The attacker must have sufficient access to place an arbitrarily named file
somewhere early in the application's search path.
An attacker creates a client application to interface with a target
service where the client violates assumptions the service makes about
clients. Services that have designated client applications (as opposed to
services that use general client applications, such as IMAP or POP mail
servers which can interact with any IMAP or POP client) may assume that the
client will follow specific procedures. For example, servers may assume that
clients will accurately compute values (such as prices), will send correctly
structured messages, and will attempt to ensure efficient interactions with
the server. By reverse-engineering a client and creating their own version,
an attacker can take advantage of these assumptions to abuse service
functionality. For example, a purchasing service might send a unit price to
its client and expect the client to correctly compute the total cost of a
purchase. If the attacker uses a malicious client, however, the attacker
could ignore the server input and declare any total price. Likewise, an
attacker could configure the client to retain network or other server
resources for longer than legitimately necessary in order to degrade server
performance.
Even services with general clients can be susceptible to this attack if
they assume certain client behaviors. However, such services generally can
make fewer assumptions about the behavior of their clients in the first
place and, as such, are less likely to make assumptions that an attacker can
exploit.
This attack differs from most other forms of identity spoofing in that the
attacker is not attempting to impersonate a specific user or device.
Instead, the attacker attempts to impersonate a class of applications,
namely the client applications of a service. As such, the attacker is not
violating the service's trust in an identity, but its trust in expected
behavior.
Attack Prerequisites
The targeted service must make assumptions about the behavior of the
client application that interacts with it, which can be abused by an
attacker.
Resources Required
The attacker must be able to reverse engineer a client of the targeted
service. However, the attacker does not need to reverse engineer all client
functionality - they only need to recreate enough of the functionality to access
the desired server functionality.
An attacker exploits a weakness in the MD5 hash algorithm (weak collision
resistance) to generate a certificate signing request (CSR) that contains
collision blocks in the "to be signed" part. The attacker specially crafts
two different, but valid X.509 certificates that when hashed with the MD5
algorithm would yield the same value. The attacker then sends the CSR for
one of the certificates to the Certification Authority which uses the MD5
hashing algorithm. That request is completely valid and the Certificate
Authority issues an X.509 certificate to the attacker which is signed with
its private key. An attacker then takes that signed blob and inserts it into
another X.509 certificate that the attacker generated. Due to the MD5
collision, both certificates, though different, hash to the same value and
so the signed blob works just as well in the second certificate.
The net effect is that the attacker's second X.509 certificate, which the
Certification Authority has never seen, is now signed and validated by that
Certification Authority. To make the attack more interesting, the second
certificate could be not just a regular certificate, but rather itself a
signing certificate. Thus the attacker is able to start their own
Certification Authority that is anchored in its root of trust in the
legitimate Ceritifcation Authority that has signed the attacker's first
X.509 certificate. If the original Certificate Authority was accepted by
default by browsers, so will now the Certifiate Authority set up by the
attacker and of course any certificates that it signs. So the attacker is
now able to generate any SSL certificates to impersonate any web server, and
the user's browser will not issue any warning to the victim. This can be
used to compromise HTTPS communications and other types of systems where PKI
and X.509 certificates may be used (e.g., VPN, IPSec) .
Attack Prerequisites
Certification Authority is using the MD5 hash function to generate the
certificate hash to be signed
Attacker Skills or Knowledge Required
Skill or Knowledge Level: High
Understanding of how to force an MD5 hash collision in X.509
certificates
Skill or Knowledge Level: High
An attacker must be able to craft two X.509 certificates that produce
the same MD5 hash
Skill or Knowledge Level: Medium
Knowledge needed to set up a certification authority
Solutions and Mitigations
Certification Authorities need to stop using the weak collision prone MD5
hashing algorithm to hash the certificates that they are about to sign.
Instead they should be using stronger hashing functions such as SHA-256 or
SHA-512.
Alexander Sotirov,
Marc Stevens,
Jacob Appelbaum,
Arjen Lenstra,
David Molnar,
Dag Arne Osvik and Benne de Weger .
"MD5 Considered Harmful Today: Creating a Rogue CA
Certificate". http://www.phreedom.org/research/rogue-ca/. 2008-12-30.
An attacker harvests identifying information about a victim via an active
session that the victim's browser has with a social networking site. A
victim may have the social networking site open in one tab or perhaps is
simply using the "remember me" feature to keep his or her session with the
social networking site active. An attacker induces a payload to execute in
the victim's browser that transparently to the victim initiates a request to
the social networking site (e.g., via available social network site APIs) to
retrieve identifying information about a victim. While some of this
information may be public, the attacker is able to harvest this information
in context and may use it for further attacks on the user (e.g., spear
phishing).
In one example of an attack, an attacker may post a malicious posting that
contains an image with an embedded link. The link actually requests
identifying information from the social networking site. A victim who views
the malicious posting in his or her browser will have sent idenditifying
information to the attacker, as long as the victim had an active session
with the social networking site. There are many other ways in which the
attacker may get the payload to execute in the victim's browser mainly by
finding a way to hide it in some reputable site that the victim visits. The
attacker could also send the link to the victim in an e-mail and trick the
victim into clicking on the link.
This attack is basically a cross site request forgery attack with two main
differences. First, there is no action that is performed on behalf of the
user aside from harvesting information. So standard CSRF protection may not
work in this situation. Second, what is important in this attack pattern is
the nature of the data being harvested, which is identifying information
that can be obtained and used in context. This real time harvesting of
identifying information can be used as a prelude for launching real time
targetted social engineering attacks on the victim.
Attack Prerequisites
The victim has an active session with the social networking site.
Attacker Skills or Knowledge Required
Skill or Knowledge Level: High
An attacker should be able to create a payload and deliver it to the
victim's browser.
Skill or Knowledge Level: Medium
An attacker needs to know how to interact with various social
networking sites (e.g., via available APIs) to request information and
how to send the harvested data back to the attacker.
Solutions and Mitigations
Usage: Users should always explicitly log out from the social networking
sites when done using them.
Usage: Users should not open other tabs in the browser when using a social
networking site.
An attacker crafts malicious web links and distributes them (via web
pages, email, etc.), typically in a targeted manner, hoping to induce users
to click on the link and execute the malicious action against some
third-party application. If successful, the action embedded in the malicious
link will be processed and accepted by the targeted application with the
users' privilege level.
This type of attack leverages the persistence and implicit trust placed in
user session cookies by many web applications today. In such an
architecture, once the user authenticates to an application and a session
cookie is created on the user's system, all following transactions for that
session are authenticated using that cookie including potential actions
initiated by an attacker and simply "riding" the existing session
cookie.
Attack Execution Flow
Explore
Explore target
website:
The attacker first explores the target website to
determine pieces of functionality that are of
interest to him (e.g. money transfers). The attacker
will need a legitimate user account on the target
website. It would help to have two accounts.
Attack Step Techniques
ID
Attack Step Technique Description
Environments
1
Use web application debugging tool such as
WebScarab, Tamper Data or TamperIE to analyze the
information exchanged between the client and the
server
env-Web
2
Use network sniffing tool such as Wireshark
to analyze the information exchanged between the
client and the server
env-Web
3
View HTML source of web pages that contain
links or buttons that perform actions of
interest.
env-Web
Outcomes
ID
Type
Outcome Description
1
Success
Attacker identifies at least
one piece of interesting functionality that can be
executed by making a single HTTP GET or POST
request containing no session-specific
parameters.
1
Failure
Attacker cannot identify any
functionality that can be executed without sending
a session-specific parameter other than the cookie
in the HTTP request.
Experiment
Create a link that when clicked on, will
execute the interesting
functionality.:
The attacker needs to create a link that will
execute some interesting functionality such as
transfer money, change a password, etc.
Attack Step Techniques
ID
Attack Step Technique Description
Environments
1
Create a GET request containing all required
parameters (e.g.
https://www.somebank.com/members/transfer.asp?to=012345678901&amt=10000)
env-Web
2
Create a form that will submit a POST
request (e.g. <form method="POST"
action="https://www.somebank.com/members/transfer.asp"><input
type="hidden" Name="to"
value="012345678901"/><input type="hidden"
Name="amt" value="10000"/><input
type="submit"
src="clickhere.jpg"/></form>
env-Web
Indicators
ID
Type
Indicator Description
Environments
1
Positive
Success outcome in previous step.
env-Web
2
Negative
Failure outcome in previous step.
env-Web
Outcomes
ID
Type
Outcome Description
1
Success
A link that performs an
operation that the attacker desires when it is
clicked.
2
Failure
Creating a link that performs
an operation that the attacker desires when it is
clicked, is impossible, because the site has
implemented protections against
CSRF.
Security Controls
ID
Type
Security Control Description
1
Preventative
Include a unique HTTP
parameter value in forms every time they are sent
to the client. Verify that the expected value is
in the response received from the client. In this
case, the attacker will not have access to the
correct parameter value for another user, and
thus, will not be able to create forged
requests.
2
Preventative
Check HTTP referrer
for each request to ensure that it is from the
expected site. Note that if the site is vulnerable
to XSS, then the attacker will be able to bypass
this.
Exploit
Convince user to click on
link:
Finally, the attacker needs to convince a user
that is logged into the target website to click on a
link to execute the CSRF attack.
Attack Step Techniques
ID
Attack Step Technique Description
Environments
1
Execute a phishing attack and send the user
an e-mail convincing him to click on a
link.
env-Web
2
Execute a stored XSS attack on a website to
permanently embed the malicious link into the
website.
env-Web
3
Execute a stored XSS attack on a website
where a XMLHTTPRequest object will automatically
execute the attack as soon as a user visits the
page. This removes the step of convincing a user
to click on a link.
env-Web
4
Include the malicious link on the attacker's
own website where the user may have to click on
the link, or where an XMLHTTPRequest object may
automatically execute the attack when a user
visits the site.
env-Web
Indicators
ID
Type
Indicator Description
Environments
1
Positive
Success outcome in previous step.
env-Web
2
Negative
Failure outcome in previous step.
env-Web
Outcomes
ID
Type
Outcome Description
1
Success
A user executes the malicious
link crafted by the
attacker.
2
Failure
Failure outcome in previous
step.
Security Controls
ID
Type
Security Control Description
1
Detective
Monitor server logs
for referrers. If users are being tricked into
clicking CSRF links through forums or other web
postings, their web browsers will be providing
Referer headers most of the time. These can help
indicate that the actual request is
illegitimate.
2
Corrective
Deny requests and
invalidate session IDs for requests that contain
unexpected referrers. Note that this will not
protect against cases where the target website is
also vulnerable to cross site
scripting.
Typical Likelihood of Exploit
Likelihood: High
Methods of Attack
Spoofing
Analysis
Examples-Instances
Description
While a user is logged into his bank account, an attacker can send an
email with some potentially interesting content and require the user to
click on a link in the email.
The link points to or contains an attacker setup script, probably even
within an iFrame, that mimicks an actual user form submission to perform
a malicious activity, such as transferring funds from the victim's
account.
The attacker can have the script embedded in, or targeted by, the link
perform any arbitrary action as the authenticated user. When this script
is executed, the targeted application authenticates and accepts the
actions based on the victims existing session cookie.
Related Vulnerabilities
Cross-site request forgery (CSRF) vulnerability in util.pl in
@Mail WebMail 4.51 allows remote attackers to modify arbitrary
settings and perform unauthorized actions as an arbitrary user, as
demonstrated using a settings action in the SRC attribute of an IMG
element in an HTML e-mail.
Attacker Skills or Knowledge Required
Skill or Knowledge Level: Medium
The attacker needs to figure out the exact invocation of the targeted
malicious action and then craft a link that performs the said action.
Having the user click on such a link is often accomplished by sending an
email or posting such a link to a bulletin board or the likes.
Resources Required
All the attacker needs is the exact representation of requests to be made to
the application and to be able to get the malicious link across to a
victim.
Probing Techniques
Description
The attacker can observe the way the application accepts requests for
actions. If the application uses a persistent cookie, a non-random
identifier or any such static identification token that does not change
with every request, the attack is fairly straightforward to
accomplish
Obfuscation Techniques
Description
In order to obfuscate the actual URL and its contents passed to the
victim, the attacker can employ a service such as TinyURL and optionally
redirect the request to the actual malicious script
Solutions and Mitigations
Use cryptographic tokens to associate a request with a specific action.
The token can be regenerated at every request so that if a request with an
invalid token is encountered, it can be reliably discarded. The token is
considered invalid if it arrived with a request other than the action it was
supposed to be associated with.
Although less reliable, the use of the optional HTTP Referer header can
also be used to determine whether an incoming request was actually one that
the user is authorized for, in the current context.
Additionally, the user can also be prompted to confirm an action every
time an action concerning potentially sensitive data is invoked. This way,
even if the attacker manages to get the user to click on a malicious link
and request the desired action, the user has a chance to recover by denying
confirmation. This solution is also implicitly tied to using a second factor
of authentication before performing such actions.
In general, every request must be checked for the appropriate
authentication token as well as authorization in the current session
context.
Use Authentication Mechanisms, Where Appropriate, Correctly
Purposes
Exploitation
CIA Impact
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: Low
Technical Context
Architectural Paradigms
Client-Server
Frameworks
J2EE
.NET
Platforms
All
Languages
All
References
"Session Riding: A Widespread Vulnerability in Today's Web
Applications", Thomas Schreiber, SecureNet GmbH, Dec 2004.
http://www.securenet.de/papers/Session_Riding.pdf
Content History
Submissions
Submitter
Organization
Date
Chiradeep B.Chhaya
Cigital, Inc
2007-02-27
Modifications
Modifier
Organization
Date
Comments
Richard Struse
VOXEM, Inc
2007-03-26
Review and feedback leading to changes in Description
and Related Attack Patterns
Sean Barnum
Cigital, Inc
2007-04-13
Modified pattern content according to review and
feedback
An attacker may leverage a system weakness where logs are susceptible to
log injection to insert scripts into the system's logs. If these logs are
later viewed by an administrator through a thin administrative interface and
the log data is not properly HTML encoded before being written to the page,
the attacker's scripts stored in the log will be executed in the
administrative interface with potentially serious consequences. This attack
pattern is really a combination of two other attack patterns: log injection
and stored cross site scripting.
Attack Execution Flow
Explore
Probe for log injection
vulnerability:
The attacker probes all user-controllable data
inputs to the system to probe for log injection
vulnerabilities. This may be difficult (unless the
attacker has a white box view of the system) because
there may not be a feedback event to indicate to the
attacker that certain information is being
logged.
Outcomes
ID
Type
Outcome Description
1
Success
User injected input shows up in
the logs
Security Controls
ID
Type
Security Control Description
1
Preventative
Apply appropriate
input validation and filtering of
user-controllable input before writing to
logs
Probe for cross-site scripting
vulnerability:
The attacker probes all user-controllable data
inputs to the system to probe for any cross-site
scripting vulnerabilities. Cross-site scripting
vulnerabilities identified anywhere in the
application indicate an increased potential that
such vulnerabilities may exist in the log management
portions of the application.
Outcomes
ID
Type
Outcome Description
1
Success
Attacker-injected script is
executed in user's browser.
Security Controls
ID
Type
Security Control Description
1
Preventative
HTML encode all log
contents before displaying in log management
interfaces.
Experiment
Confirm
exploitability:
Create a simple script and inject it into one of
the potentially vulnerable fields. This script
should take some action which will give an attacker
an indication that the attack vector exists.
Attack Step Techniques
ID
Attack Step Technique Description
Environments
1
The idea is to receive some sort of a
feedback event that confirms that an attack is
succeeding. That is done with a simple script
prior to crafting possibly a more complex script
to launch an actual attack.
env-Web
Outcomes
ID
Type
Outcome Description
1
Success
Expected script execution
feedback event is observed.
Exploit
Inject System Logs with Malicious
Scripts:
Create a malicious script to run in the
administrator's web based interface and inject it in
the system's logs through one of the user controlled
fields that are being logged.
Attack Step Techniques
ID
Attack Step Technique Description
Environments
1
Inject the vulnerable fields by tampering
with their values to contain the malicious
scripts. Possibly trigger another event that makes
it more likely that injected logs are viewed in
the vulnerable UI as soon as possible.
env-Web
Attack Prerequisites
The system uses a web based interface
The system does not cleanse / validate user supplied data before writing
it to logs
Information from logs is displayed in a web based interface
The web based log interface does not HTML output encode the log data prior
to displaying it in the administrator console.
Typical Likelihood of Exploit
Likelihood: Medium
Methods of Attack
Injection
Examples-Instances
Description
An attacker determines that a particular system uses a web based
interface for administration. The attacker creates a new user record and
supplies a malicious script in the user name field. The script will
steal the administrator's authentication cookie and forward it to a site
controlled by the attacker. The user name field is not validated by the
system and is logged as is in the log. At some point later, an
administrator reviews the log activity in the administrative console.
When the administrator comes across the attacker's activity record, the
malicious script is executed in the context of the attacker's browser,
stealing the administrator's authentication cookie and forwarding it to
the attacker. An attacker then uses the received authentication cookie
to log in to the system as an administrator, assuming that the
administrator console can be accessed remotely.
Attacker Skills or Knowledge Required
Skill or Knowledge Level: Low
Requires to ability to write a simple scipt and try to inject it
through various user controlled fields in the system.
Resources Required
No specialized hardware is required
Probing Techniques
Description
Locate system screens for operations that are likely to be logged and
use these as starting points for injection
Solutions and Mitigations
Cleanse all user supplied data before placing it in the logs. Reject all
bad data. Ensure that the data is in the expected form.
Use proper HTML output encoding techniques to strip the log data of
potentially dangerous scripting characters before displaying it in the
administrative console
If possible, disable script execution in the administrative
interface.
Cross Site Tracing (XST) enables an attacker to steal the victim's session
cookie and possibly other authentication credentials transmitted in the
header of the HTTP request when the victim's browser communicates to
destination system's web server. The attacker first gets a malicious script
to run in the victim's browser that induces the browser to initiate an HTTP
TRACE request to the web server. If the destination web server allows HTTP
TRACE requests, it will proceed to return a response to the victim's web
browser that contains the original HTTP request in its body. The function of
HTTP TRACE, as defined by the HTTP specification, is to echo the request
that the web server receives from the client back to the client. Since the
HTTP header of the original request had the victim's session cookie in it,
that session cookie can now be picked off the HTTP TRACE response and sent
to the attacker's malicious site. XST becomes relevant when direct access to
the session cookie via the "document.cookie" object is disabled with the use
of httpOnly attribute which ensures that the cookie can be transmitted in
HTTP requests but cannot be accessed in other ways. Using SSL does not
protect against XST.
If the system with which the victim is interacting is susceptible to XSS,
an attacker can exploit that weakness directly to get his or her malicious
script to issue an HTTP TRACE request to the destination system's web
server. In the absense of an XSS weakness on the site with which the victim
is interacting, an attacker can get the script to come from the site that he
controls and get it to execute in the victim's browser (if he can trick the
victim's into visiting his malicious website or clicking on the link that he
supplies). However, in that case, due to the single origin policy protection
mechanism in the browser, the attacker's malicious script cannot directly
issue an HTTP TRACE request to the destination system's web server because
the malicious script did not originate at that domain. An attacker will then
need to find a way to exploit another weakness that would enable him or her
to get around the single origin policy protection.
Attack Execution Flow
Explore
Determine if HTTP Trace is
enabled:
Determine if HTTP Trace is enabled at the web
server with which the victim has a an active
session
Attack Step Techniques
ID
Attack Step Technique Description
Environments
1
An attacker may issue an HTTP Trace request
to the target web server and observe if the
response arrives with the original request in the
body of the response.
env-Web
Indicators
ID
Type
Indicator Description
Environments
1
Positive
HTTP Trace is enabled on the web
server
env-Web
Outcomes
ID
Type
Outcome Description
1
Success
The original request is
returned after the HTTP Trace
request.
Experiment
Identify mechanism to launch HTTP Trace
request:
The attacker attempts to force the victim to issue
an HTTP Trace request to the targeted
application.
Attack Step Techniques
ID
Attack Step Technique Description
Environments
1
The attacker probes for cross-site scripting
vulnerabilities to force the victim into issuing
an HTTP Trace request.
env-Web
Outcomes
ID
Type
Outcome Description
1
Success
Attacker's script is executed
within the browser context.
Exploit
Create a malicious script that pings the
web server with HTTP TRACE request:
Create a malicious script that will induce the
victim's browser to issue an HTTP TRACE request to
the destination system's web server. The script will
further intercept the response from the web server,
pick up sensitive information out of it, and forward
to the site controlled by the attacker.
Attack Step Techniques
ID
Attack Step Technique Description
Environments
1
The attacker's malicious script circumvents
the httpOnly cookie attribute that prevents from
hijacking the victim's session cookie directly
using document.cookie and instead leverages the
HTTP TRACE to catch this information from the
header of the HTTP request once it is echoed back
from the web server in the body of the HTTP TRACE
response.
env-Web
Execute malicious HTTP Trace launching
script:
The attacker leverages a vulnerability to force
the victim to execute the malicious HTTP Trace
launching script
Attack Prerequisites
HTTP TRACE is enabled on the web server
The destination system is susceptible to XSS or an attacker can leverage
some other weakness to bypass the single origin policy
Scripting is enabled in the client's browser
HTTP is used as the communication protocol between the server and the
client
Typical Likelihood of Exploit
Likelihood: Medium
Methods of Attack
Protocol Manipulation
Injection
Examples-Instances
Description
An attacker determines that a particular system is vulnerable to
reflected cross-site scripting (XSS) and endeavors to leverage this
weakness to steal the victim's authentication cookie. An attacker
realizes that since httpOnly attribute is set on the user's cookie, it
is not possible to steal it directly with his malicious script. Instead,
the attacker has his script use XMLHTTP ActiveX control in the victim's
IE browser to issue an HTTP TRACE to the target system's server which
has HTTP TRACE enabled. The original HTTP TRACE request contains the
session cookie and so does the echoed response. The attacker picks the
session cookie from the body of HTTP TRACE response and ships it to the
attacker. The attacker then uses the newly acquired victim's session
cookie to impersonate the victim in the target system.
Attacker Skills or Knowledge Required
Skill or Knowledge Level: Medium
Understanding of the HTTP protocol and an ability to craft a malicious
script
Resources Required
No specialized resources are needed
Probing Techniques
Description
Send HTTP TRACE requests to the destination web server to see if it
responds
Solutions and Mitigations
Administrators should disable support for HTTP TRACE at the destination's
web server. Vendors should disable TRACE by default.
Patch web browser against known security origin policy bypass
exploits.
An attacker is able to cause a victim to load content into their
web-browser that bypasses security zone controls and gain access to
increased privileges to execute scripting code or other web objects such as
unsigned ActiveX controls or applets. This is a privilege elevation attack
targeted at zone-based web-browser security. In a zone-based model, pages
belong to one of a set of zones corresponding to the level of privilege
assigned to that page. Pages in an untrusted zone would have a lesser level
of access to the system and/or be restricted in the types of executable
content it was allowed to invoke. In a cross-zone scripting attack, a page
that should be assigned to a less privileged zone is granted the privileges
of a more trusted zone. This can be accomplished by exploiting bugs in the
browser, exploiting incorrect configuration in the zone controls, through a
cross-site scripting attack that causes the attacker's content to be treated
as coming from a more trusted page, or by leveraging some piece of system
functionality that is accessible from both the trusted and less trusted
zone. This attack differs from "Restful Privilege Escalation" in that the
latter correlates to the inadequate securing of RESTful access methods (such
as HTTP DELETE) on the server, while cross-zone scripting attacks the
concept of security zones as implemented by a browser.
Attack Execution Flow
Explore
Find systems susceptible to the
attack:
Find systems that contain functionality that is
accessed from both the internet zone and the local
zone. There needs to be a way to supply input to
that functionality from the internet zone and that
original input needs to be used later on a page from
a local zone.
Attack Step Techniques
ID
Attack Step Technique Description
Environments
1
Leverage knowledge of common local zone
functionality on targeted platforms to guide
attempted injection of code through relevant
internet zone mechanisms. In some cases this may
be due to standard system configurations enabling
shared functionality between internet and local
zones. The attacker can search for indicators that
these standard configurations are in place.
env-Web
Security Controls
ID
Type
Security Control Description
1
Preventative
Ensure standard system
configurations do not enable shared functionality
between internet and local
zones
Experiment
Find the insertion point for the
payload:
The attacker first needs to find some system
functionality or possibly another weakness in the
system (e.g. susceptibility to cross site scripting)
that would provide the attacker with a mechanism to
deliver the payload (i.e.the code to be executed) to
the user. The location from which this code is
executed in the user's browser needs to be within
the local machine zone.
Attack Step Techniques
ID
Attack Step Technique Description
Environments
1
Finding weaknesses in functionality used by
both privileged and unprivileged users.
env-Web
Exploit
Craft and inject the
payload:
Develop the payload to be executed in the higher
privilged zone in the user's browser. Inject the
payload and attempt to lure the victim (if possible)
into executing the functionality which unleashes the
payload.
Attack Step Techniques
ID
Attack Step Technique Description
Environments
1
The attacker makes it as likely as possible
that the vulnerable functionality into which he
has injected the payload has a high likelihood of
being used by the victim.
env-Web
2
Leverage cross-site scripting vulnerability
to inject payload.
env-Web
Attack Prerequisites
The target must be using a zone-aware browser.
Typical Likelihood of Exploit
Likelihood: Medium
Methods of Attack
Analysis
Injection
Examples-Instances
Description
There was a cross zone scripting vulnerability discovered in Skype
that allowed one user to upload a video with a maliciously crafted title
that contains a script. Subsequently, when the victim attempts to use
the "add video to chat" feature on attacker's video, the script embedded
in the title of the video runs with local zone privileges. Skype is
using IE web controls to render internal and external HTML pages. "Add
video to chat" uses these web controls and they are running in the Local
Zone. Any user who searched for the video in Skype with the same
keywords as in the title field, would have the attacker's code executing
in their browser with local zone privileges to their host machine (e.g.
applications on the victim's host system could be executed).
Attacker Skills or Knowledge Required
Skill or Knowledge Level: Medium
Ability to craft malicious scripts or find them elsewhere and ability
to identify functionality that is running web controls in the local zone
and to find an injection vector into that functionality
Resources Required
No specialized equipment is needed
Solutions and Mitigations
Disable script execution.
Ensure that sufficient input validation is performed for any potentially
untrusted data before it is used in any privileged context or zone
Limit the flow of untrusted data into the privileged areas of the system
that run in the higher trust zone
Limit the sites that are being added to the local machine zone and
restrict the privileges of the code running in that zone to the bare
minimum
Ensure proper HTML output encoding before writing user supplied data to
the page
An attacker initiates cross domain HTTP / GET requests and times the
server responses. The timing of these responses may leak important
information on what is happening on the server. Browser's single origin
policy prevents the attacker from directly reading the server responses (in
the absense of any other weaknesses), but does not prevent the attacker from
timing the responses to requests that the attacker issued cross
domain.
For GET requests an attacker could for instance leverage the "img" tag in
conjunction with "onload() / onerror()" javascript events. For the POST
requests, an attacker could leverage the "iframe" element and leverage the
"onload()" event. There is nothing in the current browser security model
that prevents an attacker to use these methods to time responses to the
attacker's cross domain requests.
The timing for these responses leaks information. For instance, if a
victim has an active session with their online e-mail account, an attacker
could issue search requests in the victim's mailbox. While the attacker is
not able to view the responses, based on the timings of the responses, the
attacker could ask yes / no questions as to the content of victim's e-mails,
who the victim e-mailed, when, etc. This is but one example; There are other
scenarios where an attacker could infer potentially sensitive information
from cross domain requests by timing the responses while asking the right
questions that leak information.
Attack Prerequisites
Ability to issue GET / POST requests cross domain
Java Script is enabled in the victim's browser
The victim has an active session with the site from whicht the attacker
would like to receive information
The victim's site does not protect search functionality with cross site
request forgery (CSRF) protection
Attacker Skills or Knowledge Required
Skill or Knowledge Level: Low
ome knowledge of Java Script
Resources Required
Ability to issue GET / POST requests cross domain
Solutions and Mitigations
Design: The victim's site could protect all potentially sensitive
functionality (e.g. search functions) with cross site request forgery (CSRF)
protection and not perform any work on behalf of forged requests
Design: The browser's security model could be fixed to not leak timing
information for cross domain requests
An attacker is able to trick the victim into executing a Flash document
that passes commands or calls to a Flash player browser plugin, allowing the
attacker to exploit native Flash functionality in the client browser. This
attack pattern occurs where an attacker can provide a crafted link to a
Flash document (SWF file) which, when followed, will cause additional
malicious instructions to be executed. The attacker does not need to serve
or control the Flash document. The attack takes advantage of the fact that
Flash files can reference external URLs. If variables that serve as URLs
that the Flash application references can be controlled through parameters,
then by creating a link that includes values for those parameters, an
attacker can cause arbitrary content to be referenced and possibly executed
by the targeted Flash application.
Attack Execution Flow
Explore
Identification::
Using a browser or an automated tool, an attacker
records all instances of URLs (or partial URL such
as domain) passed to a flash file (SWF).
Attack Step Techniques
ID
Attack Step Technique Description
Environments
1
Use an automated tool to record the
variables passed to a flash file.
env-Web
2
Use a browser to manually explore the
website and analyze how the flash file receive
variables, e.g. JavaScript using
SetVariable/GetVariable, HTML FlashVars param tag,
etc.
env-Web
3
Use decompilers to retrieve the flash source
code and record all user-controllable variables
passed to a loadMovie* directive.
env-Web
Indicators
ID
Type
Indicator Description
Environments
1
Positive
A URL is passed as parameter to a flash file
(SWF).
env-Web
2
Inconclusive
No variable appear on the URL. Even though
none appear, the flash movie may still use them if
they are provided.
env-Web
3
Negative
Application doesn’t use variable to specify
what URL to load remote flash movies from.
env-Web
Outcomes
ID
Type
Outcome Description
1
Success
A list of flash files, with
their corresponding parameters is created by the
attacker.
Experiment
Attempt to inject a remote flash
file::
The attacker makes use of a remotely available
flash file (SWF) that generates a uniquely
identifiable output when executed inside the
targeted flash file.
Attack Step Techniques
ID
Attack Step Technique Description
Environments
1
Modify the variable of the SWF file that
contains the remote movie URL to the attacker
controlled flash file.
env-Web
Indicators
ID
Type
Indicator Description
Environments
1
Positive
The attacker’s flash movie is being executed
in the targeted movie.
env-Web
2
Inconclusive
The targeted flash movie doesn’t appear to
allow the inclusion of flash movies from untrusted
domains (specified in the crossdomain.xml or in
the flash movie itself).
env-Web
Outcomes
ID
Type
Outcome Description
1
Success
The attacker’s flash movie can
access the targeted flash movie internal
variables
2
Failure
The attacker’s flash movie
cannot access any content of the targeted flash
movie
Exploit
Access or Modify Flash Application
Variables::
As the attacker succeeds in exploiting the
vulnerability, he targets the content of the flash
application to steal variable content, password,
etc.
Attack Step Techniques
ID
Attack Step Technique Description
Environments
1
Develop malicious Flash application that is
injected through vectors identified during the
Experiment Phase and loaded by the victim
browser’s flash plugin and sends document
information to the attacker.
env-Web
2
Develop malicious Flash application that is
injected through vectors identified during the
Experiment Phase and takes commands from an
attacker's server and then causes the flash
application to execute appropriately.
env-Web
Outcomes
ID
Type
Outcome Description
1
Success
The attacker gets the user's
session identifiers or other type of
credentials
2
Success
The attacker gets the content
of the variables used in the flash
application
3
Success
The attacker causes the flash
application to be remotely
controlled
Security Controls
ID
Type
Security Control Description
1
Preventative
Apply appropriate
configuration settings for cross domain flash
applications in the crossdomain.xml
file.
2
Preventative
Apply appropriate
configuration settings for cross domain flash
applications inside the flash
application.
Execute JavaScript in victim’s
browser:
When the attacker targets the current flash
application, he can choose to inject JavaScript in
the client’s DOM and therefore execute cross-site
scripting attack.
Attack Step Techniques
ID
Attack Step Technique Description
Environments
1
Develop malicious JavaScript that is
injected from the rogue flash movie to the
targeted flash application through vectors
identified during the Experiment Phase and loaded
by the victim's browser.
env-Web
Outcomes
ID
Type
Outcome Description
1
Success
The attacker is able to execute
a DOM based cross-site scripting attack on the
victim.
Security Controls
ID
Type
Security Control Description
1
Preventative
Apply appropriate
configuration settings for cross domain flash
applications in the crossdomain.xml
file.
2
Preventative
Apply appropriate
configuration settings for cross domain flash
applications inside the flash
application.
Attack Prerequisites
The targeted Flash application must reference external URLs and the
locations thus referenced must be controllable through parameters. The Flash
application must fail to sanitize such parameters against malicious
manipulation. The victim must follow a crafted link created by the
attacker.
Typical Likelihood of Exploit
Likelihood: Medium
Methods of Attack
Injection
Examples-Instances
Description
The attacker tries to get his malicious flash movie to be executed in
the targeted flash application. The malicious file is hosted on the
attacker.com domain and the targeted flash application is hosted on
example.com The crossdomain.xml file in the root of example.com allows
all domains and no specific restriction is specified in the targeted
flash application. When the attacker injects his malicious file in the
vulnerable flash movie, the rogue flash application is able to access
internal variables and parameter of the flash movie.
View Data
