SQL Injection FInal Video

AJAX Security Threats

Below are some sites listed that explain Ajax vulnerabilities and how to test for them:

• Testing for AJAX Vulnerabilities: https://www.owasp.org/index.php/Testing_for_AJAX_Vulnerabilities_(OWASP-AJ-001)                           
• Top 10 AJAX Security Holes:                                                                             http://www.net-security.org/article.php?id=956
• AJAX Vulnerabilities Could Pose Serious Risks:                                                http://www.net-security.org/article.php?id=956

Top Security Threats

This post looks at three different lists of the top security threats in software. The lists come from the Open Web Application Security Projcect (OWASP), Common Weaknesses Enumeration(CWE), and the Department of Homeland Security. Although different threats show up in different positions among the lists, each list has SQL and OS injection at the top, along with cross site scripting towards the top. SQL injections are considered the most dangerous due to the ease of the attack, as well as the high frequency of attacks that occur online. To look further into each of these lists, please visit the sites below!


Department of Homeland Security:
http://www.informationweek.com/government/security/feds-identify-top-25-software-vulnerabil/231000504

Common Weaknesses Enumeration:
http://cwe.mitre.org/top25/#Listing

Open Web Application Security Project:
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

SQL Injection

SQL injection allows attackers to inject arbitrary scripts into SQL queries. This gives the attacker the ability to read, insert new data , or alter existing data in your database. To avoid this, never build queries by string concatenation, instead use API calls. Here is the link to the official OWASP site for this topic.

Configuration Vulnerabilities

Configuration vulnerabilities can be exploited through certain default settings that come with applications. This can easily happen when an attacker has access to a copy of the same application that you are running. An example of a configuration vulnerability is when an application comes with a default username and password. Once an attacker finds those out, then he/she can pretty much do anything with your application that he/she wants. The following is an article regarding configuration vulnerabilities in ASP.NET: http://www.troyhunt.com/2012/04/67-of-aspnet-websites-have-serious.html.

Code Execution

Code execution is the ability to run arbitrary code remotely on a server. This can lead to an attacker taking control of the program or even open up a new shell on the computer. To prevent this, a developer must perform validation of user input before passing it on, and the developer needs to implement functions with least privilege rights. For another resource over code execution please follow this link.

Path Traversal

The goal of a path traversal attack is to gain access to files and directories, including application source code and critical system files, that are stored outside of the web root folder. Attackers can do this by manipulating variables that reference ../ sequences. Please visit this link to go to the OWASP page for this topic.

Cross Site Scripting Example

Cross Site Script Inclusion (XSSI)

While browsers prevent pages from one domain reading pages from a different domain, they do not prevent pages from one domain referencing resources in a different domain. This means that pictures can be rendered and scripts can be ran from other domains. The problem with this is that the included scripts do not have their own security context, rather it runs in the security context of the page that included it.

Cross-Site Request Forgery

A browser sends cookies to a site when a request is made, regardless of where the request comes from. This coupled with the fact that web servers cannot distinguish between a request made from a user or from a browser allows an attacker to potentially fool the server into performing actions the user did not intentionally perform. This is known as a cross-site request forgery (XSRF). For more information about XSRF please follow the link to the official OWASP site.

Client-State Manipulation

Users interact with applications through browsers. When the user submits information, the browser has to send a request back to the web server. Since the information being sent is controlled by the user, the web application should not trust it without validation. An example of Client-State manipulation is modifying the request in a URL to gain admin access on a website. Once an attacker has admin access, he or she would be able to alter the website or gain private information that could be seen with an admin account.

Cross-Site Scripting

Cross-site scripting (XSS) is a vulnerability that allows a hacker inject code into areas of a website that the hacker cannot control. The code injected by the hacker executes every time the page is viewed. Because of this, the hacker can possibly gain personal information of the user related to that site.

Two types of XSS attacks are reflected XSS attacks and stored XSS attacks. Reflected XSS attacks occur when the malicious script is in the actual request and the server inserts the script in the response. It affects the user whenever he or she browses to the malicious URL. Stored XSS attacks are when the hacker stores the attack in the application itself. It's triggered when the user browses to a page on the server where the attack is stored.

For more information, please follow the link to the OWASP page regarding this topic.

Asymmetric, Symmetric, and Hybrid Encryption

One form of encryption employs the use of symmetric ciphers. These use the same key for encryption and decryption. The advantage of using symmetric ciphers is that the decryption process is usually faster, but a drawback is that the key distribution can be difficult. Symmetric ciphers are either block ciphers, which operates on blocks of a fixed size, or stream ciphers, which generate a stream of pseudo-random bits called a keystream. Two concepts related to block ciphers are confusion and diffusion. Confusion refers to the methods that are used to hide relationships between the plaintext, ciphertext, and the key. Diffusion spreads the influence of the plaintext bits and the key bits over as much of the ciphertext as possible.

Source: http://msdn.microsoft.com/en-us/library/ff650720.aspx

Another form of encryption is asymmetric encryption. This form uses asymmetric ciphers, which use a public and a private key, as opposed to just one key. A message is encrypted using the public key, and can only be  decrypted using the private key that corresponds with it. The advantages with asymmetric encryption are better key distribution and there's not a need for a out-of-band communication channel to transmit the secret key. The downside to asymmetric ciphers is that they are a lot slower than symmetric ciphers.

Source: http://msdn.microsoft.com/en-us/library/ff650720.aspx

The final from of encryption is hybrid encryption. A hybrid cryptosystem uses and asymmetric cipher to exchange a randomly generated key to encrypt the communications with a symmetric cipher. This offers the speed of a symmetric cipher, while providing a secure key exchange.

Nowadays, hackers are not able to crack most ciphers that are used. In order to get to the information, an attacker can use a man-in-the-middle (MitM) attack to get around encryption. MitM attacks occur when the attacker is able to intercept information from both parties, while the parties think they are communicating with each other. The attacker is able to sniff and modify traffic between the two parties without their knowledge.

Source: http://www.computerhope.com/jargon/m/mitma.htm

Information Theory

Developed by Claude Shannon, information theory is mathematical theory that deals with the content, transmission, storage, and retrieval of information. Many concepts the relate to cryptography stem from information theory. Among these concepts are unconditional security, one-time pads, quantum key distribution, and computational security.

Unconditional security refers to a cryptographic system that cannot be broken. If somethings is unconditionally secure, then cryptanalysis would be impossible to perform and even an extensive brute force attack would not be able to determine which key is correct. The one-time pad is an example of a cryptosystem that is unconditionally secure. This system uses blocks of random data called pads. The pad has to be at least the length of the message and the data on the pad has to be truly random. When this is used, two pads are made. One pad is for the sender and the other is for the receiver. When the message is encrypted using the pad, the message is sent and that pad is destroyed to ensure it can only be used once. When the recipient receives the message, the second pad helps decipher the message and displays it for the recipient to view it.

A system being computationally secure means that the best algorithm for cracking it requires an unreasonable amount of resources and time. So technically it is possible to crack it, but it is not very feasible to attempt it. Most modern cryptosystems belong to this category and would take tens of thousands of years to crack, even with extensive computing resources. The security of cryptosystem is always measured using the current best-known algorithm.


Reference: http://dictionary.reference.com/browse/information+theory

Cryptology - Introduction

Cryptology refers to the study of cryptography, which is the process of communicating through ciphers, and cryptanalysis, which is the process of cracking those ciphers. While mainly used for war purposes in the past,  cryptology is also used today to encrypt secure and private information over a network. Hackers can use cryptology not only to gain access to an individual or organization's private data, but they can also use it to avoid detection.

Image source: http://gdp.globus.org/gt3-tutorial/multiplehtml/ch10s03.html

Countermeasures - Intrusion Detection

Intrusion detection's main goal is to catch hackers in the act by monitoring system activity. One method of intrusion detection would be employing the use of integrity verifiers. These mainly detect when critical components of the system have changed. One of the types of integrity verifiers is known as a tripwire. This digitally signs files on your system, then compares new signatures to old ones to detect change. Another method of intrusion detection is to create and make use of deception systems. These are systems that intentionally appear to be easy targets for hackers, but end up trapping and identifying them whenever an attack is attempted.

The following is an interesting look into using deception as a way of protecting information systems:

Deception for Defense of Information Systems: Analogies from Conventional Warfare

Countermeasures - VPNs

Virtual Private Networks (VPN) allow the secure transfer of data over public networks through private connections from the private host network to the remote sites. Information over VPNs is kept secure through data encryption. VPNs also require some level of authentication from the user before he or she can access the network, so this adds another level of security. Another advantage to using VPNs is the fact that they're relatively cheap to set up and they can be accessed wherever there is internet access. For more information over VPNs, please visit the section on howstuffworks.

Countermeasures - Firewalls

Firewalls are used to keep networks secure by analyzing data packets and determining whether they should be allowed or not. The following are types of firewalls:

• Packet filters - Looks at each packet and decides whether to allow it or not; Most routers already have packet filters implemented.
• Network Address Translation (NAT) - Hides entire local network behind one IP address; Makes an entire network look like a single machine.
• Proxies - Prevent you from actually connecting to the internet; Proxies never connect to the URL, but instead connect to the proxy server, and the proxy server gets the URL for you. 

image source: http://www.howstuffworks.com/firewall.htm

Countermeasures

For this next section I decided to look outside of the book for primary sources. Doing this, I came across the website, http://www.iss.net/security_center/advice/Countermeasures/default.htm, which gives basic descriptions over multiple types of countermeasures that can be applied to a system. My posts over this topic will be summaries and additional resources regarding the countermeasures mentioned on the site.

Shellcode

Below are a couple of resources listed regarding shellcode:

• http://linuxdevcenter.com/pub/a/linux/2006/05/18/how-shellcodes-work.html
• http://www.vividmachines.com/shellcode/shellcode.html

Denial of Service Attack

A Denial of Sevice (DoS) attack is used to prevent access to a service or resource. This can be done by either crashing the service or flooding the service. DoS attacks that aim to crash the service look for vulnerabilities in software, usually from specific vendors. If the service is on a server then not only will the service and operating system crash, but the server will crash as well. Because of this, many of the vulnerabilities are known and are already patched. Flooding DoS attacks aim to merely overload the service so it can't respond, rather than crashing it altogether. This is primarily done by using up the user's bandwidth so that other traffic can't get through. This can only be done if the attacker has more bandwidth than the victim.

One example of a crashing DoS attack is "The Ping of Death." The basis of this attack is to overload the data portion of an Internet Control Message Protocol (ICMP) packet. The data portion is designed to hold 2^16 bytes of data, so if someone sent an ICMP echo message that contained more than this amount of bytes, it would crash the operating system. Although this is now a known problem and systems are already patched for this vulnerability, new technologies are still sometimes affected by this.

An example of a flooding DoS attack is an Amplification attack. This form of attack is different from a typical flooding attack by not using massive amounts of bandwidth. This is done by targeting a network that has a large amount of active hosts and then send those hosts large ICMP echo request packets. These packets have a spoofed source address of the victim's system, so when these packets are sent to the hosts, they will send ICMP echo reply packets of their own back to the spoofed source address and thus flood the victim's network.

Another type of a flooding DoS attack is a distributed DoS (DDoS) attack. The first step of this attack is to find other hosts and install daemons on them. These hosts are known as bots. Then, when the attacker finds a victim, he or she will execute some kind of program that controls the bots and makes them simultaneously perform a flooding DoS attack. The multiple bots that are used greatly increases the flooding effect and also makes it more difficult to trace the source of the attack.

Below is a link that offers defenses against DDoS attacks:

http://www.securityweek.com/content/how-defend-against-ddos-attacks

Sockets

Sockets are a way to perform network communication through the OS. The two main types of sockets are stream sockets and datagram sockets. Stream sockets are used to provide two-way communication, while datagram sockets only provide one-way communication and can be unreliable. Stream sockets use Transmission Control Protocol (TCP), which ensures that the packets of data being sent along the network will arrive in sequence and without error to their destination. Datagram sockets use User Datagram Protocol (UDP), which is not actually a real connection, but only serves as a basic method to send data. Both of these protocols exist on the transport layer of the OSI model. If you would like to view how to work with sockets in C, please follow this link.

The OSI Model

The Open Systems Interconnection (OSI) model provides standards to hardware that allows it to only focus on the type of communication that is relevant to that specific type of hardware(Ex. routers). The OSI model is broken up into the following seven layers:

1. Physical Layer - This layer communicates between two points through a physical connection. It communicates using raw bit streams and is responsible for activating, maintaining, and deactivating these communications. 
2. Data-link Layer - This layer actually sends the data between the two points and provides high-level functions, like error correction and flow control. 
3. Network Layer - The network layer passes information between the lower and higher layers. It provides the addressing and routing that is necessary to pass the information.
4. Transport Layer - This layer is responsible for transferring the data between the different systems. 
5. Session Layer - The session layer establishes and maintains connections between the different network applications. 
6. Presentation Layer - This layer makes it possible for applications to understand the incoming data by presenting it in a language that the application can interpret. 
7. Application Layer - This layer keeps track of the requirements for a particular application. 

Data is transported by packets through the different layers. The data is wrapped by each layer, starting with the application layer and ending with the physical layer, which is called encapsulation. Each layer has a header, which contains the protocol information for that layer; and a body, which contains the data for that particular layer.

Original image from: http://compnetworking.about.com/library/graphics/basics_osimodel.jpg

Another Buffer Overflow Example

Format String Vulnerability

The format string vulnerability can happen when the data submitted by the user is read as a command by the program. It occurs when you use a format print statement (ex. printf()) in your code without using a parameter to check and convert the input by the user. For example, the wrong way to write a format print statement would be "printf(stringValue);" whereas the correct and more secure way would be to include a parameter in the format printf statement like so: "printf("%s", stringValue);." If an attacker was able to exploit this vulnerability, he or she would be able to execute code, read the stack, cause new behaviors that could affect the security and stability of the system, or completely crash the program and make it unavailable. For more information over the format string vulnerability, please visit the official OWASP page!

Reference: https://www.owasp.org/index.php/Format_string_attack

Buffer Overflows

Buffer overflows stem from C's inability to check whether or not a variable can fit into a specific memory space. Buffer overflow attacks are when a hacker inserts more data into a specified memory location than what that location is allocated. This can lead to the process of executing arbitrary code, which is when the hacker tricks the program into running a piece of malicious code that has been inserted into the memory. This gives power to the hacker to make the program do pretty much anything the hacker wants it to. To look at an example of a buffer overflow, please follow this link.

File Access and File Permissions

In C there are two main ways to access files. The first is through file descriptors, which use a set of low-level I/O functions. The second is through filestreams which is a higher-level way to access that is based on the lower-level functions. The file descriptors are more direct to program. A file descriptor is represented as a number that is used to reference open files. 

When a file is newly created, permissions can be set for different groups. There are three different groups that permissions can be turned on and off for: user, group, and other. The description of these groups are pretty straightforward. 'User' refers to the permissions the owner has, 'group' refers to the permissions a specified group has, and 'other' refers to the permissions everyone else has. Each user on a Unix system has a unique ID that is associated with them. This makes it possible to keep track of which permissions particular users can have. 

Memory Segmentation

A program's memory are divided up into five different segments. The text segments are where the program's assembled machine language instructions are stored. The text segment has read-only permissions. If someone  attempts to write in this segment of memory, the program will terminate. Data and bss segments both store the variables in a program. The data segment stores initialized variables while the bss segment stores unitialized variables. The heap segment is the segment of memory that the programmer can actually control. This segment allows the user to reserve or free memory as he or she sees fit. The fifth segment is the stack segment. This segment temporarily stores local variables when a particular function is called.

Basic Programming

The primary higher level language that will be focused on in the book is C. I have had previous experience with java, and I can see many similarities in the syntax of the two languages. They use the same arithmetic and comparison operators. Also, they use the same loop logic and if-else statements. One capability of C that java doesn't have are pointers. Pointers can be used as variables, but instead of actually defining a variable, pointers instead point to a particular piece of data of that variable type.

Resources Used

1. Hacking: The Art of Exploitation, 2nd Edition by Jon Erickson       (Amazon Link)
2. Google's Web Application Exploits and Defenses                         (Section Link)
3. OWASP                                                                                   (OWASP Link)

Tentative Schedule

• 1/30/2013 - Complete the Programming section of: Hacking: The Art of Exploitation
• 2/6/2013 - Complete the Exploitation section of:  Hacking: The Art of Exploitation
• 2/13/2013 - Complete the Networking section of:  Hacking: The Art of Exploitation
• 2/20/2013 - Complete the Shellcode section of:  Hacking: The Art of Exploitation
• 2/27/2013 - Complete the Countermeasures section of:  Hacking: The Art of Exploitation
• 3/6/2013 - Complete the Cryptology section of:  Hacking: The Art of Exploitation
• 3/13/2013 - Complete the Cross-Site Scripting course of Google's Web Application Exploits and Defenses 
• 3/20/2013 - Complete the Client-State Manipulation and Cross-Site Request Forgery courses of Google's Web Application Exploits and Defenses 
• 3/27/2013 - Complete the Cross-Site Script Inclusion and Path Traversal courses of Google's Web Application Exploits and Defenses 
• 4/3/2013 - Complete the Denial of Service and Code Execution courses of Google's Web Application Exploits and Defenses 
• 4/10/2013 - Complete the Configuration Vulnerabilities course of Google's Web Application Exploits and Defenses 
• 4/17/2013 - Complete the AJAX Vulnerabilities and Other Vulnerabilities courses of Google's Web Application Exploits and Defenses 
• 4/23/2013 - Create some demo videos of some of the concepts learned throughout the semester

Introduction

This semester I will be gaining familiarity with a few concepts and techniques pertaining to ethical hacking. I plan on achieving this by reading and going through exercises in "Hacking: The Art of Exploitation, 2nd Edition," by Jon Erickson. Along with this book, I will be making use of the exercises found in  Google's Code University section, Web Application Exploits and Defenses. Topics that will be covered include the learning of C, assembly language, cross-site scripting, client-state manipulation, path traversal, denial of service, altering a server's logging behavior, and redirecting network traffic.