Graphic HTTP reading notes (10)

Graphic HTTP reading notes (10) Web attack technology

The HTTP protocol itself is not a security issue, so the protocol itself is hardly an attack object. Servers and clients that apply the HTTP protocol, as well as Web application resources running on the server, are the targets.

The client can tamper with the request

In a Web application, the entire contents of the HTTP request received from the browser can be changed and tampered with freely on the client.

By loading the attack code within the HTTP request message, you can initiate an attack on the Web application. Through URL query fields or forms, HTTP headers, cookies and other ways to pass the attack code, if there is a security vulnerability in the Web application, the internal information will be stolen, or by the attacker to get permission management.

Attack patterns for Web apps

There are two types of attack patterns for Web applications.

• Active attack
• Passive attack

Server-Targeted active attacks

Active attack: An attack pattern in which an attacker enters an attack code by directly accessing the Web application.

Because this pattern is directly targeted at the resources on the server, attackers need to be able to access those resources.

Representative attacks in active attack mode are SQL injection attacks and OS command injection attacks.

Passive attacks targeted at the server

Passive attack: This is the attack pattern that executes the attack code using a snare strategy. During a passive attack, the attacker does not directly attack the target Web App access.

Passive attacks the usual attack pattern:
-Step 1

攻击者诱使用户触发已设置好的陷阱，而陷阱会启动发送已嵌入攻击的HTTP请求。

• Step 2

  When the user unknowingly, the user's browser or mail client will trigger this trap.

• Step 3

  The user's browser after the call sends an HTTP request containing the attack code to the Web application that is the target of the attack and runs the attack code.

• Step 4

  After executing the attack code, a Web application with a security vulnerability could become an attacker's springboard, which could result in the theft of personal information such as cookies held by users, malicious misuse of user rights in the login state, and so on.

Representative attacks in passive attack mode are cross-site scripting attacks and cross-sites request forgery .

Security countermeasures for implementing Web applications

Security countermeasures for implementing Web applications are broadly divided into two parts

• Client Authentication
• Server-side validation
  
  • Input value Validation
  • Output value escape

Client-side validation is to identify input errors as early as possible, and input-value validation on the Web is often a preventative measure to check for compliance with business logic, or to check character encodings. Output escaping is a critical security policy that, when the output value is not fully escaped, can cause damage to the output object by triggering an attacker's incoming attack code.

Cross-site scripting attacks

Cross-site scripting attacks (Cross-site SCRIPTING,XSS) are the use of website vulnerabilities to maliciously steal information from users.

The dynamically created HTML section has the potential to hide security vulnerabilities. In this way, the attacker writes a trap, and when the user runs on his or her browser, it is accidentally attacked by a passive attacker.

Possible impact of cross-site scripting attacks

• Use false input forms to defraud users of personal information.
• Using a script to steal a user's cookie value, the victim unknowingly helps the attacker to send a malicious request.
• Displays a forged article or picture.

SQL injection attacks

SQL injection (SQL injection): refers to the database that is used by the Web app, and attacks that occur by running illegal SQL.

This security risk can lead to a great threat, and sometimes leads directly to the disclosure of personal information and confidential information.

SQL injection attacks can have the following effects.

• Illegally viewing or tampering with data in a database
• Bypass Certification
• Execute the program associated with the database server, etc.

For example:
The correct SQL statement:

select * from table_name where name=‘jack‘and age>20;

SQL Injection statement: (change just name= ' Jack ' to Name= ' jack– ', with the following statement:)

selectfromwhere name=‘jack‘--‘ age>20;

In the SQL statement, all are treated as comments, that is, the subsequent filter conditions are automatically ignored. This will have a significant impact on database additions and deletions.

OS Command injection attack

OS Command injection attacks (OS commands injection) refer to the purpose of executing an illegal operating system through a Web application to achieve an attack. There is a risk of being attacked wherever a shell function can be invoked.

You can invoke the operating system commands from the Web app through the shell. If there is an omission when invoking the shell, you can execute the inserted illegal OS command.

An OS command injection attack can send a command to the shell to start a program on the Windows or Linux operating system's command line. That is, an OS injection attack can execute various programs installed on the OS.

HTTP Header Injection Attack

HTTP Header Injection Attack (HTTP headers injection): Refers to an attacker who adds an arbitrary response header or body by inserting a newline within the response header field. belongs to passive attack mode.

HTTP header injection attacks can have the following effects:
-Set any cookie
-redirect to any URL
-Display arbitrary body (HTTP response truncation attack)

By%0d%0a (which represents a newline character in an HTTP message), in a field in the HTTP request header, such as location:xxx.../?index=1%0d%0aset-cookie:123456789.
Because%0d%0a represents a newline, this adds a header message to the HTTP request header. This allows the attacker to disguise themselves as users.

HTTP-Response truncation attack

An HTTP response truncation attack is an attack that is used in an HTTP header injection.

If we were to insert two%0d%0a%0d%0a in the header field in the response headers, we would send it by side. This will change 2 lines, as the HTTP header and the main part of the space required to separate the blank line. In this way, the subject can be forged to achieve the purpose of the attack.

With this attack, a browser that has triggered a trap will display a bogus web page, allowing the user to enter their own information to achieve the same effect as a cross-site scripting attack.

Mailbox Header Injection Attack

Mailbox Header Injection (mail header injextion): Refers to the message-sending feature in a web app that an attacker initiates by adding any illegal content to the message header to or subject.

With a Web site that has security vulnerabilities, you can send ad messages or virus messages to any email address.

%0D%0A represents newline characters in message messages. Similar to HTTP header injection and HTTP-response truncation.

eg
At the message header that sent the mail.

xxxxx%0D%0ABcc:user@example.com

It will be wrapped, append the BCC email address.

eg
If this

xxxxxx%0D%0A%0D%0ATest Message

The equivalent of 2 lines, it is possible to tamper with the message text content and send.

In the same way, it is possible to rewrite arbitrary headers such as to and subject, or to add attachments to text.

Directory traversal attacks

Directory Traversal (Directory traversal): An attack is a file directory that is not intended to be exposed, an attack that is achieved through an illegal truncation of its directory path.

This attack is also sometimes referred to as a path traversal (traversal) attack.

Detailed Directory Traversal

Remote file contains vulnerability

Remote file inclusion: Refers to a partial script content that needs to be read from another file, an attacker who uses the URL of the specified external server to act as a dependent file, so that the script can run arbitrary script attacks after it has been read.

This is mainly a security vulnerability in PHP, for PHP's include or require, this is a set, specify the external server's ur as the file name function. However, this feature is too dangerous to be disabled by default after PHP5.2.0.

Forced browsing due to a security vulnerability caused by a setup or design flaw

Forced browsing (forced browsing) refers to files that are not voluntarily disclosed, from files placed in the public directory of the Web server.

Forced browsing can have some of the following effects.

• Disclosure of personal information of customers, and other important information
• Disclosure of information content that would otherwise require access by a user
• Leaking files that are not connected to the outside world

Several forms of forced browsing:

• List of file directories

  By specifying a directory name, you can see the file name displayed in the list of files.

eg: http://www.example.com/log/

• Guess the file name and directory name

  The file name is easily inferred.

http://www.example.com/entry/entry_081202.log

• Backup files

http://www.example.com/cgi-bin/entry.cgi（原始文件）http://www.example.com/cgi-bin/entry.cgi~（备份文件）http://www.wxample.com/cgi-bin/entry.bak（备份文件）

Backup files that are automatically generated by the editing software have no execute permissions and may be displayed directly in source code.

• Files that are certified to display

  Access files (HTML files, pictures, PDFs, CSS, and other data) that would otherwise have to be certified for use on a Web page, directly through a URL.

Incorrect error message Handling

The security vulnerability of incorrect error message handling (error handing vulnerability) is that the Web app's error message contains information that is useful to the attacker.

Major error messages related to Web apps:

• Error message thrown by web App
• Error messages thrown by systems such as databases

The web app does not have to show detailed error messages on the user's browsing screen. For attackers, detailed error messages may prompt them for an attack.

Open redirection

Open Redirection (Redirect) is a feature that redirects jumps to any specified URL.

The security vulnerability associated with this feature is that if the specified redirect URL is to a malicious Web site, then the user is induced to that Web site.

eg

This is a normal request for a URL redirect jump

http://example.com/?redirect=http://tricorder.jp

However, if the attacker knows, the connection behind redirect is replaced by a set of trap Web site connections. Such as:

http://example.com/?redirect=http://hackr.jp

This will point to hackr.jp.

If the Web site is highly trusted, the open redirection feature is likely to be selected by the attacker and used as a springboard for phishing attacks.

Security vulnerabilities caused by session management negligence

Session management is a prerequisite for managing user state, but if you neglect the session management, it will result in the user's authentication status being stolen.

Session Hijacking

Session Hijack: means that an attacker gets the user's session ID by some means and illegally uses this session ID to impersonate the user for the purpose of the attack.

Here are a few ways an attacker can obtain a session ID:
-The session ID is inferred from the informal generation method
-stealing session IDs through eavesdropping or XSS attacks
-forcibly get the session ID through session fixed attack (sessions fixation)

Session pinning attack

Session fixation: Forces the user to use a directly specified session ID, which is a passive attack.

One-way session attack mode fixed session ID

Cross-site Request forgery

Cross-site request forgery (Cross-site requests forgeries,csrf) attack is a passive attack in which an attacker enforces certain status updates, such as unexpected personal information or setting information, to a user who has completed authentication by setting a good trap.

Cross-site request forgery can have the following effects:
-Update setting information with authenticated user rights, etc.
-Purchase products with authenticated user rights
-Use authenticated user rights to make comments on the message board

Other security vulnerability password cracking

Password cracking attack (Password Cracking) is to calculate the password, breakthrough authentication.

2 ways to hack passwords
-Password trial and error over the network
-Decrypt the encrypted password

Password trial and error over the network

There are 2 main ways of doing this:
-Poor lifting method
-Dictionary attack

Poor Lifting method

The exhaustive method, also known as brute Force method, is a key space for all key sets, which is carried out in a poor way.

such as: bank password, 000000-999999 in the number of each attempt to produce, you can try out the real password. (Only try 3 times, of course)

Dictionary attacks

Dictionary attack refers to the use of pre-collected candidate password (after various combinations in the dictionary), enumerate the password in the dictionary, try to pass the authentication of an attack method.

Such as: Some people like to use the birthday as the password, you can save the birthday date value, 0101-1231 saved as a dictionary, to try.

Compared with the exhaustive method, the dictionary attack requires fewer candidate passwords, and the attack takes less time, although the dictionary cannot be cracked without the correct password, but the exhaustive method must find a correct password.

The decryption of the encrypted password

When a web app saves a password, it is generally not stored directly in clear text, processed by hashing or salt (add salt). If you want to get a password, you need to decrypt it into clear text.

There are usually several ways to import plaintext from encrypted data:

• By means of exhaustive dictionary attacks and analogy
• Rainbow Table
• Get the key.
• Vulnerabilities in cryptographic algorithms

By means of exhaustive dictionary attacks and analogy

such as: Crack MD5 value. The MD5 algorithm is processed by a large number of strings, and then each match is equal.

Rainbow Table
Rainbow table: A data table consisting of plaintext passwords and their corresponding hash values, which is a pre-fabricated rainbow table that shortens the time-consuming skills in the actual cracking process, such as exhaustive method and dictionary attack.

get the key.
Get the key, crack the password.

Vulnerabilities in cryptographic algorithms
Consider an algorithmic vulnerability that attempts to decrypt by exploiting the vulnerability. (difficulty is too big to succeed)

Click Hijack

Click Jacking: Refers to the use of transparent buttons or links to make a trap, overlay on the Web page. Then convince the user not to know, click on the button to access the link. This behavior is also known as Interface Spoofing (uiredressing).

Dos attacks

Dos Attack (Denial of service attack): is an attack that keeps a running service in a stopped state. Sometimes called a service stop attack or a denial of service attack.

Two ways to attack Dos attacks:
-Centralize access requests to overload resources, and when resources are exhausted, the service is actually in a stopped state.
-Stop the service header by attacking a security vulnerability.

Among them, the centralized use of access requests for DOS attacks, simply speaking, is to send a large number of legitimate requests. It is difficult for a server to distinguish between a normal request and an attack request, making it difficult to prevent Dos attacks.

Multiple computer-initiated Dos attacks are called DDoS attacks (distributed denial of Service attack)

DDoS attacks often use the virus-infected computer as an attack pad for attackers.

Backdoor procedures

Backdoor (Backdoor): Refers to the development of hidden portals of settings, you can not follow the normal steps to use the restricted function. A backdoor can be used to make use of the previously restricted functionality.

The usual backdoor is divided into the following 3 types:
-The development phase as a backdoor for debug calls
-a backdoor that developers put into their own interests
-backdoors set by an attacker in some way

The backdoor that is implanted can be found by listening to the status of the process and communication. But the backdoor that is set in the Web application, because and normal use of the difference is not big, it is often difficult to find.

Graphic HTTP reading notes (10)