Application Attacks

Below is information relating to a number of different types of attack aimed at software, web, and mobile applications.

Privilege Escalation

Often a cyber attack will involve a process containing a number of stages. An attacker may start off with a user account that has limited privileges. From here they may exploit vulnerabilities in processes that are already running to either increase privileges with the account they already have access to, or to gain access to one that has more access to enable them to perform administrative level tasks. This is known as privilege escalation.

To help guard against this type of attack, it is a good idea to limit the privileges to the minimum needed to run a process.

Cross-Site Scripting (XSS)

This is one of the most common attacks against web applications and exploits applications where input validation is weak. An attacker can include a script in their input, that is then executed as part of the normal processing of a web application. There are three different types of cross-site scripting attack, a non-persistent cross-site scripting attack, a persistent cross-site scripting attack, and a DOM-based cross-site scripting attack.

A non-persistent cross-site scripting attack is where a script is immediately executed and passed back via the web server. It is not persisted or stored anywhere.

As the name suggests, a persistent cross-site scripting attack is where a script is permanently stored on the web server, or some back-end storage, such as a database. Due to this, the script can then be used against other users who log in to the system.

Finally, a DOM-based cross-site scripting attack is where a script is executed in the browser, via the DOM, or Document Object Model, process as opposed to the web server.

Cross-site scripting attacks can be used to steal authentication details or other sensitive information, hijack sessions, deploy hostile content, change user settings, and more. To help defend against these attacks, anti-cross-site scripting libraries can be used to strip out erroneous input. Other measures include limiting the type and size of uploads.

Injections

Like cross-site scripting, injection attacks exploit applications where input validation is weak. They can take many forms and involve technologies such as Structured Query Language (SQL), Dynamic Link Libraries (DLL), Lightweight Directory Access Protocol (LDAP) and Extensible Markup Language (XML). Regardless of the technology employed, these attacks involve injecting extra code to exploit a vulnerability in an application, which usually results in gaining more access than would otherwise be allowed.

SQL injection attacks can be utilised on applications that rely on information from a database. Input from a user can be used as criteria within SQL queries to retrieve information. If the input isn't validated properly, it could be used to inject additional SQL to bring back more information than would otherwise be allowed.

Stored procedures are said to be the gold standard to guard against SQL injection. They are precompiled methods implemented within the database itself. They act as a security mechanism by isolating user input from the actual SQL statements being executed. Many programming languages also provide functionality to help guard against SQL injection.

A dynamic-link library contains code that can add functionality to a program through the inclusion of library routines linked at runtime. If an additional DLL is included in the correct directory of a program, or via the Windows registry, it can alter the way a program runs, potentially doing something undesirable, such as sharing sensitive information with an attacker.

LDAP can be used by applications to query user and other information from directory systems. Like SQL, if user input isn't validated correctly then more information may be returned than would usually be allowed.

XML injection attacks can be used to manipulate XML-based systems, which includes a lot of web-based applications. Maliciously altered XML can cause configuration changes, changes in data streams, and changes in application output.

Pointer/Object Dereference

Pointers are a concept in some programming languages. They are an area of memory that stores an address of another location in memory. An application performs a process called pointer de-referencing to access the desired item in memory. One particular scenario is where the point is empty, which causes a null pointer exception. This can cause a program to crash, with the potential of providing an attacker with useful debugging information, and, in some instances allow them to bypass security controls.

Directory Traversal

Directory traversal attacks can occur where a web server has a security misconfiguration that results in users being able to navigate the directory structure and access files that should remain secure. These are possible where a web server allows the inclusion of operators in user input, that navigate directory paths, and file system access controls don't properly restrict access.

Buffer Overflows

A buffer overflow attack occurs when an attacker manipulates a program into placing more data into an area of memory than is allocated for its use. The idea is to overwrite other information in memory with instructions that may be executed by a different process running on the system. This can result in a program crashing. Under certain circumstances, the program can execute a command by the attacker. Buffer overflows typically inherit the level of privilege of the program being exploited, which could be a security issue if that program has root or administrative level access. These attacks can be mitigated against by simply validating the length of input.

Race Conditions

Race conditions occur when the output of some function is dependent on the sequence or timing of inputs. Problems occur when the inputs do not happen in the order that was intended. Race conditions can occur in multithreaded or distributed applications, where there are multiple inputs vying to influence the output first and can in turn be used in privilege escalation and denial-of-service attacks. From an attack point of view, race conditions are also sometimes referred to as time of check/time of use (TOC/TOU) attacks.

Reference counters, kernel locks, and thread synchronisation can be used to combat race conditions. Reference counters are structures in the kernel that detail whether or not a resource is actively being used at the current moment.

Improper Error Handling

All applications encounter errors and exceptions, which need to be handled securely. This information is often recorded in log files, along with supporting information to help diagnose the cause. The alternative and incorrect method of doing this is to display the information to the user, as attackers can take advantage of this by forcing errors to find out sensitive information about the application.

Improper Input Handling

Improper input handling is a major cause of software vulnerabilities, which can lead to other attacks discussed here including, buffer overflow, cross-site scripting, cross-site request forgery and directory traversal. Care must be taken to valid input so that applications cannot be exploited.

Replay Attacks

Replay attacks attempt to recreate some form of activity that has previously occurred. If an attacker can record network packets, they can try to use these to, for example, repeat a previous set of financial transactions, or pass login security checks. There are a wide range of defences that developers can use to guard against these attacks.

Integer overflow

An integer overflow occurs where a program attempts to store a numeric integer value in a variable that is too small to hold it. The effects of this vary between programming languages, but often create major logic errors within a program. Static code analysers can be used to easily check for integer overflows, so these problems are relatively easy to detect.

Request Forgeries

A request forgery occurs where an attacker performs an action on behalf of its victim, usually without their knowledge. The attacker in effect adds information to their target's web responses.

Server-side request forgery occurs where an attacker sends requests to a domain of their choosing. It exploits the trust relationship between the server and the target, forcing a vulnerable application to perform unauthorised actions.

Cross-site request forgery (XSRF) attacks involve an attacker tricking a user into making unintended actions on a web application that they are previously authenticated on. The attacker's goal is to perform unauthorised actions, such as transferring funds or changing a password, by sending a malicious request to a web application that appears to be legitimate. Random cross-site request forgery tokens can be used in form submissions to mitigate these attacks. Limiting authentication times and cookie expiration can also be used.

Application Programming Interface (API) Attacks

An API is a set of instructions as to how to interface with a computer program so that developers can access defined interfaces in a program. Attacks on an API are usually through the manipulation of inputs to it. An API sometimes requires an enhanced level of privileges, and if they aren't monitored or moderated on the server side, it can result in data breaches, along with other security risks.

Resource Exhaustion

For applications to run as desired they require resources, such as memory, processing time, and other resources, depending on its function. A resource exhaustion attack is where an attacker aims to deplete the required resources and cause an application to slow down or cease to function all together.

Memory Leak

Memory management involves coordinating the use of memory within the programming of an application. Memory is assigned to variables and then reclaimed when it is no longer being used. This reclaiming of memory is carried out by what is known as a garbage collection routine. In programming languages such as C and C++, there is no automated garbage collection routine, it has to be explicitly initiated by the programmer, which is where memory leaks occur. If this isn't done properly it can result in a system crashing due to it running out of memory. In newer programming languages, such as Java, C#, Python and Rust, there are automated processes to manage the memory.

Secure Sockets Layer (SSL) Stripping

An SSL stripping attack is a type of man in the middle attack against all versions of SSL, along with versions of Transport Layer Security (TLS) prior to version 1.2. An attacker intercepts a connection request to a web application over HTTPS, then redirects it to the insecure version of the site over HTTP, and remains in the middle of the connection, with access to all the traffic between the victim and the web application. This attack works because the handshake process to set up a secure connection is vulnerable in all versions of SSL, as well as TLS versions prior to 1.2.

Driver Manipulation

A driver is a piece of software that acts as an intermediary between the operating system and peripheral devices, such as printers, enabling them to communicate. A driver manipulation attack involves an attacker altering the behaviour of a driver in some way to perform an unintended action.

Shimming can occur where an attacker places a layer of code between the driver and the operating system. This changes the behaviour of the driver without altering the driver itself.

Refactoring is a type of driver manipulation that doesn't stop the peripheral device from doing what is desired, but it introduces some additional behaviour.

Pass the Hash

A hash is a one-way cryptographic function that converts, a password, for example, into a fixed length alphanumeric string of characters. It is one way because the process cannot be reversed. A pass the hash attack is a hacking technique where the attacker captures a hash used as part of an authentication process, then tries to use it at a later date to gain access by injecting a copy of the hash directly into the system. This is a highly technical attack, which targets the Microsoft Windows authentication process.