An attack of this type exploits a program's vulnerabilities in
client/server communication channel authentication and data integrity. It
leverages the implicit trust a server places in the client, or, more
importantly, in whatever the server believes is the client.
An attacker executes this type of attack by placing themselves in the
communication channel between client and server, so that they can
communicate directly with the server while the server believes it is
communicating only with a valid client.
There are numerous variations of this type of attack.
Attack Prerequisites
Server software must rely on values formatted and validated on the client
side, without repeating these checks on the server side.
Typical Likelihood of Exploit
Likelihood: High
Methods of Attack
Spoofing
Protocol Manipulation
Examples-Instances
Description
Web applications may use JavaScript to perform client-side validation,
request encoding/formatting, and other security functions, which
provides some usability benefits and eliminates some client-server
round-tripping. However, the web server cannot assume that the requests
it receives have been subject to those validations, because an attacker
can use an alternate method for crafting the HTTP request and submit
data that contains poisoned values designed to spoof a user and/or get
the web server to disclose information.
Description
Web 2.0 style applications may be particularly vulnerable because they
rely in large part on existing infrastructure that provides scalability
without the ability to govern the clients. Attackers identify
vulnerabilities that either assume the client side is responsible for
some security services (without the requisite ability to ensure these
checks are enforced) and/or stem from the lack of a hardened, default-deny
server configuration, which lets an attacker probe for weaknesses in
unexpected ways. Client-side validation, request formatting and other
services may be performed, but these are strictly usability enhancements,
not security enhancements.
Description
Many web applications use client-side scripting such as JavaScript to
enforce authentication, authorization, session state and other
variables, but at the end of the day they all make requests to the server.
These client-side checks may provide usability and performance gains,
but they provide no integrity guarantee for the HTTP request itself. It is
possible for an attacker to post variables directly to the server without
passing through any of the client-script security checks, and to customize
the request patterns to impersonate other users or probe for more information.
Description
Many message-oriented middleware systems like MQ Series rely on
information passed along with the message request for making
authorization decisions, for example which group or role the request
should be processed under. However, if the message server does not or cannot
authenticate the authorization information in the request, then the
server's policy decisions about authorization are trivial to subvert,
because the client process can simply elevate privilege by passing in
elevated group or role information which the message server accepts and
acts on.
Attacker Skills or Knowledge Required
Skill or Knowledge Level: Medium
The attacker must have fairly detailed knowledge of the syntax and
semantics of client/server communication protocols and grammars.
Resources Required
Ability to communicate synchronously or asynchronously with server
Solutions and Mitigations
Design: Ensure that client process and/or message is authenticated so that
anonymous communications and/or messages are not accepted by the
system.
Design: Do not rely on client validation or encoding for security
purposes.
Design: Utilize digital signatures to increase authentication
assurance.
Design: Utilize two factor authentication to increase authentication
assurance.
Implementation: Perform input validation for all remote content.
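The following example, added here and not part of the original catalogue entry, shows a server-side request handler that applies the mitigations above together: it authenticates each message with an HMAC tag so anonymous or tampered messages are rejected, repeats every validation the client-side script might have done, and takes the caller's role from the server-side session rather than from any role field the client supplies (the middleware elevation case described in the last instance). The shared key, the session table, the JSON field names and the transfer rules are all constructed for the example.

```python
import hashlib
import hmac
import json
import re

# Constructed shared secret for the example only; a real deployment would use
# a per-client key from a secrets store (assumption, not from the page).
SHARED_KEY = b"constructed-demo-key-do-not-use"

# Constructed server-side session table: the role is bound to the
# authenticated session and is never taken from the request body.
SESSIONS = {
    "sess-alice": {"user": "alice", "role": "user"},
    "sess-admin": {"user": "admin", "role": "admin"},
}

ACCOUNT_RE = re.compile(r"[0-9]{6,12}")


def sign_message(body: bytes, key: bytes = SHARED_KEY) -> str:
    """Client-side helper: the HMAC-SHA256 tag a legitimate client attaches."""
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def verify_signature(body: bytes, tag: str, key: bytes = SHARED_KEY) -> bool:
    """Reject anonymous or tampered messages; the comparison is constant-time."""
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag or "")


def validate_transfer(fields: dict) -> list:
    """Server-side validation that repeats every check client-side JS may do."""
    errors = []
    account = str(fields.get("account", ""))
    if not ACCOUNT_RE.fullmatch(account):
        errors.append("account must be 6-12 digits")
    amount = fields.get("amount")
    if not isinstance(amount, int) or amount <= 0 or amount > 1_000_000:
        errors.append("amount must be a positive integer <= 1000000")
    return errors


def handle_request(session_id: str, body: bytes, tag: str) -> dict:
    """Process one request in the order the mitigations above prescribe."""
    # 1. Authenticate the message itself, not just the transport.
    if not verify_signature(body, tag):
        return {"status": 401, "error": "unauthenticated message"}
    # 2. Authenticate the caller; anonymous sessions are not accepted.
    session = SESSIONS.get(session_id)
    if session is None:
        return {"status": 401, "error": "no valid session"}
    try:
        fields = json.loads(body)
    except ValueError:
        return {"status": 400, "error": "malformed body"}
    if not isinstance(fields, dict):
        return {"status": 400, "error": "body must be a JSON object"}
    # 3. Re-validate all remote content regardless of any client-side checks.
    errors = validate_transfer(fields)
    if errors:
        return {"status": 400, "error": "; ".join(errors)}
    # 4. Authorisation comes from the server-side session. Any "role" field
    #    the client placed in the body is ignored, so asserting "admin" there
    #    (the MQ-style elevation above) buys the client nothing.
    role = session["role"]
    action = fields.get("action", "transfer")
    if action == "approve" and role != "admin":
        return {"status": 403, "error": "approve requires admin role"}
    return {"status": 200, "user": session["user"], "role": role, "action": action}


def demo() -> dict:
    """Three constructed requests: a valid one, a tampered one, a spoofed role."""
    good = json.dumps({"account": "12345678", "amount": 250, "action": "transfer"}).encode()
    results = {"valid": handle_request("sess-alice", good, sign_message(good))}
    # Body altered after signing: the tag no longer matches the content.
    tampered = good.replace(b"250", b"250000")
    results["tampered"] = handle_request("sess-alice", tampered, sign_message(good))
    # Client bypasses its own script and asserts an admin role in the body.
    spoof = json.dumps({"account": "12345678", "amount": 250,
                        "action": "approve", "role": "admin"}).encode()
    results["spoofed_role"] = handle_request("sess-alice", spoof, sign_message(spoof))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The order of the checks matters: message authentication runs first so that unauthenticated input never reaches the parser or the validator, and the role used for the authorization decision is looked up from server-held state after authentication rather than read from the request.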
"Infrastructure-based footprinting involves interacting with available
network or application resources for the purpose of gathering information
about the architecture, topology, configuration, or potential
vulnerabilities and exposures of a target networking infrastructure."
Target Attack Surface
Target Attack Surface Description
Targeted OSI Layers:
Network Layer
Transport Layer
Stuart McClure, Joel Scambray, George Kurtz. "Hacking Exposed: Network
Security Secrets & Solutions". 6th Edition. McGraw Hill, ISBN:
978-0-07-161374-3. 2009.
An attacker uses deceptive methods to cause a user or an automated process
to download and install dangerous code that originates from an attacker
controlled source. There are several variations to this strategy of attack.
An attacker engages in network reconnaissance operations to gather
information about a target network or its hosts. Network Reconnaissance
techniques can range from stealthy to noisy and utilize different tools and
methods depending upon the scope of the reconnaissance. Some techniques may
target single hosts while others are used against entire network address
ranges, such as a CIDR class C or B network. In general, reconnaissance
activities fall into 5 distinct categories.
1. Host Discovery: The use of ICMP methods, as well as messages of other
protocol types, commonly UDP and TCP, to determine if a host is active
on an IP address.
2. Port Scanning: The application of various methods to determine the
status of the ports on the remote device. Each machine can have a
possible 65535 UDP and TCP ports that provide a service to network
clients. The goal of port scanning is to determine which ports on a
machine are open, as well as which ports are firewalled or
filtered.
3. Operating System Fingerprinting: The use of various probing methods to
determine idiosyncratic behaviors of a remote device that allow the
attacker to determine the operating system. Although networking
protocols are governed by standards, each operating system exhibits
unique characteristics in its implementation of these standards. By
sending malformed packets or datagrams an attacker can solicit responses
from a device that allow a highly reliable inference about its
operating system.
4. Service Enumeration: Application-layer services can run on
arbitrary ports, so an attacker must probe or interact with a remote
port in order to obtain a fingerprint or signature of the application or
protocol daemon using the port for communication.
5. Firewall Auditing: An attacker uses a number of techniques to
determine which types of data can be infiltrated or exfiltrated through
a firewall. These techniques require a responsive host protected by a
firewall so that the attacker can map out which types of protocols and
message types reach the host or hosts and generate a response.
Applied together, these activities allow an attacker to map out a target
network and its topology, as well as gather detailed device configuration
information.
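From the defender's side, the first two categories above (host discovery and port scanning) leave a characteristic footprint in firewall logs: one source touching many distinct ports on one host, or many distinct hosts, inside a short window. The following example is added here and is not part of the original entry; it parses a constructed, syslog-like firewall log format (the format, addresses, timestamps and thresholds are all assumptions made for this example) and flags sources whose recent activity matches either pattern, using a sliding time window per source.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log lines in an invented syslog-like format. The first
# block is one source probing eleven ports on one host, the middle two lines
# are ordinary traffic, and the last block is one source pinging twelve hosts.
_PORTS = [21, 22, 23, 25, 53, 80, 110, 143, 443, 445, 3389]
SAMPLE_LOG = "\n".join(
    [f"2024-01-01T10:00:{i:02d} DROP src=203.0.113.5 dst=192.0.2.10 proto=TCP dport={p}"
     for i, p in enumerate(_PORTS)]
    + ["2024-01-01T10:00:30 ACCEPT src=198.51.100.7 dst=192.0.2.10 proto=TCP dport=443",
       "2024-01-01T10:00:31 ACCEPT src=198.51.100.7 dst=192.0.2.10 proto=TCP dport=443"]
    + [f"2024-01-01T10:01:{i:02d} DROP src=203.0.113.9 dst=192.0.2.{i + 1} proto=ICMP type=8"
       for i in range(12)]
)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\S+)(?: dport=(?P<dport>\d+))?(?: type=(?P<type>\d+))?$"
)


def parse_log(text: str) -> list:
    """Turn log text into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        ev["dport"] = int(ev["dport"]) if ev["dport"] else None
        events.append(ev)
    return events


def detect_recon(events: list, window: timedelta = timedelta(seconds=60),
                 port_threshold: int = 10, host_threshold: int = 10) -> dict:
    """Return {src: {(kind, target), ...}} for sources whose activity inside
    any sliding window of `window` length looks like a port scan (many
    distinct ports on one destination) or a host sweep (many destinations).
    Thresholds are example values; tune them to the monitored network."""
    alerts = defaultdict(set)
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_src[ev["src"]].append(ev)
    for src, evs in by_src.items():
        recent = []
        for ev in evs:
            recent.append(ev)
            # Keep only events that fall inside the window ending at this event.
            recent = [r for r in recent if ev["ts"] - r["ts"] <= window]
            ports_per_dst = defaultdict(set)
            for r in recent:
                if r["dport"] is not None:
                    ports_per_dst[r["dst"]].add(r["dport"])
            for dst, ports in ports_per_dst.items():
                if len(ports) >= port_threshold:
                    alerts[src].add(("port_scan", dst))
            if len({r["dst"] for r in recent}) >= host_threshold:
                alerts[src].add(("host_sweep", None))
    return dict(alerts)


if __name__ == "__main__":
    for src, findings in detect_recon(parse_log(SAMPLE_LOG)).items():
        print(src, sorted(findings, key=str))
```

Because the window slides per source, a slow scan spread over hours stays under the thresholds; catching that requires either a longer window or correlating the same source across days, which is a tuning decision rather than a change to the logic.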
Target Attack Surface
Target Attack Surface Description
Targeted OSI Layers:
Network Layer
Target Attack Surface Localities
Server-side
Target Attack Surface Types:
Host
Target Functional Services
Target Functional Service 1: None
Protocol 1: Internet Protocol
Protocol 2: User Datagram Protocol
Protocol 3: Internet Control Message Protocol
Protocol 4: Transmission Control Protocol
Attack Prerequisites
The ability to send data to hosts on a target network segment and receive
responses.
Resources Required
Each type of reconnaissance uses specific tools and methodologies to acquire
information from the target.
Stuart McClure, Joel Scambray, George Kurtz. "Hacking Exposed: Network
Security Secrets and Solutions". 6th Edition. McGraw Hill, ISBN:
978-0-07-161374-3. 2009.
Gordon "Fyodor" Lyon. "Nmap Network Scanning: The Official Nmap Project
Guide to Network Discovery and Security Scanning". 3rd "Zero Day" Edition.
Insecure.com LLC, ISBN: 978-0-9799587-1-7. 2008.
An attacker discovers the structure, function, and composition of an
object, resource, or system by using a variety of analysis techniques to
effectively determine how the analyzed entity was constructed or operates.
The goal of reverse engineering is often to reproduce the function, or a
part of the function, of an object, that is, to "back engineer" some aspect
of its operation. Reverse engineering techniques can be
applied to mechanical objects, electronic devices or components, or to
software, although the methodology and techniques involved in each type of
analysis differ widely.
Resources Required
Access to or control of an object, resource, or system, to be analyzed. The
technical resources required to engage in reverse engineering differ in
accordance with the type of object, resource, or system being analyzed.
An attacker initiates a series of events designed to cause a user,
program, server, or device to perform actions which undermine the integrity
of software code, device data structures, or device firmware, modifying the
target so as to bring it into an insecure state.
Attacker Skills or Knowledge Required
Manual or user-assisted attacks require deceptive mechanisms to trick
the user into clicking a link or downloading and installing software.
Automated update attacks require the attacker to host a payload and then
trigger the installation of the payload code.
Resources Required
Software Integrity Attacks are usually a late stage focus of attack activity
which depends upon the success of a chain of prior events. The resources
required to perform the attack vary with respect to the overall attack strategy,
existing countermeasures which must be bypassed, and the success of early phase
attack vectors.
An attacker discovers the structure, function, and composition of a type
of computer software by using a variety of analysis techniques to
effectively determine how the software functions and operates, or if
vulnerabilities or security weakness are present within the implementation.
Reverse engineering methods, as applied to software, can utilize a wide
number of approaches and techniques.
Methodologies for software reverse engineering fall into two broad
categories, 'white box' and 'black box.' White box techniques involve
methods which can be applied to a piece of software when an executable or
some other compiled object can be directly subjected to analysis, revealing
at least a portion of its machine instructions that can be observed upon
execution. 'Black Box' methods involve interacting with the software
indirectly, in the absence of the ability to measure, instrument, or analyze
an executable object directly. Such analysis typically involves interacting
with the software at the boundaries of where the software interfaces with a
larger execution environment, such as input-output vectors, libraries, or
APIs.
Resources Required
Reverse engineering of software requires varying tools and methods depending
upon whether an executable or other compiled object is present directly for
analysis by tools capable of decompiling or monitoring its execution within an
operating environment, as in the case of white box methods. Black box methods
require at minimum the ability to interact with the functional boundaries where
the software communicates with a larger processing environment, such as
inter-process communication on a host operating system, or via networking
protocols.