Web attacks - threats
Client (browser) side: goal to protect users from data theft, intrusions.
Network connection: goal to protect privacy and data integrity (SSL); provide authentication of clients and servers; provide non-repudiation.
Server side: Protect data integrity and privacy, control access, maintain availability.
BROWSER - allows plugins (unsafe)
Privacy loss - cookies, web bugs, adware
Social engineering - phishing
Malware - drive-by-downloads
Privacy loss - server logs, directory traversal
Direct intrusions - password attacks, cookie reuse, exploits, social engineering
Input attacks - sql injection
Instead of performing a direct attack, lure the victim to a website (even a legitimate one). A regular site might itself be compromised by a small piece of malware, e.g. a downloader that later fetches further malware.
Enter web address --> DNS lookup (UDP port 53) --> IP address of website --> HTTP request (URI, TCP port 80) --> HTTP response (HTML).
HTTP is "very chatty": browser and server offer each other a lot of information. ==> That is why web servers are good to use as attacking machines!
Protect web servers from attacks
Protect web clients from threats carried out through browsers
Protect the network connection between client and server (at the IP layer via IPSec; at the transport layer via SSL/TLS).
2 stage attack: phishing email with link to fake website.
Can get around spam filters by:
- breaking up words;
- lots of filler text;
- text images (filters cannot read).
Floating menu to cover the real address bar;
phishing window floats in front of the legitimate site - popups don't have an address bar, so the fake URL is not visible;
Spear Phishing - highly personalised to individual high value targets - can be more successful - use of publicly available information.
SQL injection: where input is not properly filtered for escape characters (e.g. quotes), there is no strict separation between program instructions and user data.
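Added example (not from the notes): the same lookup built two ways against an in-memory SQLite table constructed here for the demo. With string concatenation, a quote inside the input is read as SQL syntax and the statement falls apart; with a parameterised query the driver sends the value separately, so the same input stays data. Table, rows and function names are made up.

```python
import sqlite3

def make_db():
    """Constructed sample table: two users, one of them with a quote in the name."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("o'brien", "staff")])
    conn.commit()
    return conn

def lookup_concat(conn, name):
    """Unsafe: the user-supplied name is spliced into the SQL text, so a quote
    in the input changes the structure of the statement instead of being data."""
    sql = "SELECT role FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_param(conn, name):
    """Safe: the value travels as a bound parameter, never as part of the SQL
    text, so instructions and data stay separated whatever the input contains."""
    return [row[0] for row in
            conn.execute("SELECT role FROM users WHERE name = ?", (name,))]

def demo(name="o'brien"):
    """Run both lookups on the same input and report what each one did."""
    conn = make_db()
    results = {"param": lookup_param(conn, name)}
    try:
        results["concat"] = lookup_concat(conn, name)
    except sqlite3.OperationalError as exc:
        # The quote in the input terminated the string literal early and the
        # rest was parsed as SQL: the classic symptom of missing separation.
        results["concat"] = "error: " + str(exc)
    return results

if __name__ == "__main__":
    print(demo())
```

The benign input "o'brien" is enough to show the defect: the concatenated version raises a syntax error because the apostrophe closed the string literal, while the parameterised version returns the row. Anything that survives as data in the second form is exactly what becomes instructions in the first.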
- Lured by malicious ads - redirect to other websites that stealthily attack computers and install malware. These sites also scan the visitor's browser for vulnerabilities.
Cross site request forgery (CSRF)
- aka session riding - tricks users of Web sites using cookies for authentication
- iframes are a popular exploit vector - one can be created at 0x0 pixels (invisible) with content drawn from a malicious server (e.g. Java content or other malicious code).
- Images could also be used to contain code that gets executed
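Added example (not from the notes) of the standard CSRF defence: a per-session random token that the browser does not attach automatically. The session store and form dictionaries are stand-ins for a real framework's session and request objects, and the function names are made up. The point it demonstrates is that a forged request rides along with the victim's cookie but cannot carry the token.

```python
import hmac
import secrets

def issue_token(session):
    """Generate a random token, remember it server-side in the session, and
    return it so the application can embed it in its own forms."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token

def check_request(session, form):
    """Accept a state-changing request only if the submitted token matches the
    one stored in the session. Constant-time comparison avoids timing leaks."""
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    if not expected or not supplied:
        return False
    return hmac.compare_digest(expected, supplied)

def demo():
    """Constructed scenario: the victim is logged in (session exists).
    A legitimate form carries the token; a forged cross-site form cannot."""
    session = {"user": "alice"}            # what the cookie identifies
    token = issue_token(session)           # rendered into the site's own form
    legit_form = {"action": "change_email", "csrf_token": token}
    forged_form = {"action": "change_email"}   # attacker never saw the token
    return {
        "legit": check_request(session, legit_form),
        "forged": check_request(session, forged_form),
    }

if __name__ == "__main__":
    print(demo())
```

The cookie is sent by the browser on every request to the site, which is what session riding abuses; the token is only present in pages the site itself served to the user, so a request assembled elsewhere fails the check.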
Cross-site scripting (XSS)
- reflected attack (aimed at browser) - malicious site B creates a script and tricks user into running it on legitimate site A
- script is passed to site A as input to a dynamically generated page
- if site A doesn't check its input, the script is reflected back to the user's browser in the generated page. As it comes from a legitimate site, the browser executes the script.
XSS is preventable by web apps checking all input data as potentially harmful.
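Added example (not from the notes) of the reflected case above: a search page that echoes its query parameter. The first renderer inserts the input as-is, so markup in the parameter becomes part of the page; the second encodes it for an HTML text context with the standard library, so the same input is displayed as text. The page template, the marker string and the function names are constructed for the demo.

```python
import html

# Constructed page template: the query is reflected into the generated HTML.
PAGE = "<html><body><h1>Results for: {q}</h1></body></html>"

def render_unchecked(q):
    """Reflects the raw parameter. Any tags in q are handed to the browser as
    markup, which is how a script injected via site B runs under site A."""
    return PAGE.format(q=q)

def render_encoded(q):
    """Treats the parameter as untrusted text: the five HTML-significant
    characters (< > & " ') are replaced by entities before insertion."""
    return PAGE.format(q=html.escape(q, quote=True))

def contains_script_tag(page_html):
    """Crude check used only by the demo: would the browser see a <script> tag?"""
    return "<script" in page_html.lower()

def demo():
    # Constructed marker input, not a real payload: it just carries a tag.
    q = "shoes<script>/* constructed marker */</script>"
    return {
        "unchecked_has_tag": contains_script_tag(render_unchecked(q)),
        "encoded_has_tag": contains_script_tag(render_encoded(q)),
        "encoded_text": html.escape(q, quote=True),
    }

if __name__ == "__main__":
    print(demo())
```

Entity encoding is the right fix for text placed between tags; values placed inside attributes, URLs or inline script need the encoding for that context, which is why the note above says to treat all input as potentially harmful rather than relying on one filter.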
- Malware can be downloaded automatically when the user visits a malicious site or a compromised legitimate site (you can go to a trusted site and still be 'attacked' if it has been compromised with an iframe).
- scripts attempt browser exploits to compromise browser security.
- installation of malware or a Trojan downloader, which triggers the download of more malware later on (keylogger, backdoor, etc.).
Search engine poisoning
- create web page with topical keywords aimed at search engine crawlers - aim to make page appear high on search results and lure people to malicious pages
A computer deliberately set up to be vulnerable, so that defenders can observe how attackers work and what they are up to.
Cookie theft - cookies store session data, user credentials (IDs, passwords) or user preferences.
They can be stolen and replayed by:
- cross site scripting
- sniffing packets
- reading cookie file
- abused by cross site request forgery (CSRF)
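Added example (not from the notes) showing how a session cookie's attributes map onto the theft and replay routes listed above. It uses the standard library's cookie serialiser to build one weak and one hardened Set-Cookie header; the cookie name, value and helper names are constructed for the demo. Note that no attribute protects a cookie file read from the local disk; that route is about host security, not cookie settings.

```python
from http.cookies import SimpleCookie

def weak_session_cookie(value):
    """Plain cookie: readable by page scripts, sent over plain HTTP, and sent
    on cross-site requests."""
    c = SimpleCookie()
    c["session"] = value
    return c.output(header="").strip()

def hardened_session_cookie(value):
    """Same cookie with the attributes that blunt each theft/replay route."""
    c = SimpleCookie()
    c["session"] = value
    m = c["session"]
    m["path"] = "/"
    # Not exposed to document.cookie: a script injected via XSS cannot read it.
    m["httponly"] = True
    # Only sent over HTTPS: sniffing the wire sees ciphertext, not the cookie.
    m["secure"] = True
    # Not attached to cross-site requests: limits CSRF / session riding.
    m["samesite"] = "Strict"
    return c.output(header="").strip()

def has_attribute(header, attribute):
    """Case-insensitive check for an attribute (e.g. 'HttpOnly') in the header."""
    return attribute.lower() in header.lower()

def compare(value="constructed-session-id"):
    """Which protections each form of the cookie carries."""
    weak, hard = weak_session_cookie(value), hardened_session_cookie(value)
    attrs = ["HttpOnly", "Secure", "SameSite=Strict"]
    return {
        "weak": {a: has_attribute(weak, a) for a in attrs},
        "hardened": {a: has_attribute(hard, a) for a in attrs},
    }

if __name__ == "__main__":
    print(weak_session_cookie("constructed-session-id"))
    print(hardened_session_cookie("constructed-session-id"))
    print(compare())
```

Each attribute addresses one route from the list: HttpOnly for theft by cross-site scripting, Secure for packet sniffing, SameSite for cross-site request forgery. They reduce exposure; they do not replace server-side session expiry and rotation, which is what limits the damage of a cookie that is stolen anyway.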