Monday, February 2, 2009

SCEA1.5 - Few Terms in Security

Man in the middle ---- Man-In-The-Middle attack is the type of attack where attackers intrude into an existing connection to intercept the exchanged data and inject false information. It involves eavesdropping on a connection, intruding into a connection, intercepting messages, and selectively modifying data.
Also known as:
Bucket-brigade attack
Fire brigade attack
Monkey-in-the-middle attack
Session hijacking
TCP hijacking
TCP session hijacking

SQL Injection: ----SQL injection attacks are attacks against websites that rely on relational databases.
In this type of site, parameters are passed to the database in the form of an SQL query. As such, if the designer does not verify the parameters passed in the SQL query, a hacker can modify the query in order to access the entire database and even to modify its content.
Some characters make it possible to string together several SQL queries or to ignore the rest of the query. By inserting this type of character in the query, a hacker can potentially execute the query of his choice.
Given the following query, waiting for a user name as a parameter:
SELECT * FROM users WHERE name="$name";
A hacker simply needs to enter a name such as "toto" OR 1=1 OR name ="titi" for the query to become as follows:
SELECT * FROM users WHERE name="toto" OR 1=1 OR name ="titi";
With the above query, the WHERE clause is always true, which means it will return records that correspond to all users.

Stored procedures
Moreover, some database management systems such as Microsoft SQL Server have stored procedures that make it possible to launch administration commands. These stored procedures are potentially dangerous in that they can make it possible for a malicious user to execute system commands that may lead to a possible intrusion.

Countermeasures
A number of rules can help you protect yourself against SQL injection attacks:
Verify the format of input data and particularly the presence of special characters
Do not display explicit error messages displaying the query or a part of the SQL query
Delete unused user accounts, and particularly default accounts
Avoid accounts without passwords
Keep the privileges of used accounts to a minimum
Delete stored procedures
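To make the query example above concrete, here is an added Python/sqlite3 example (not code from the original post) that runs the post's "toto" OR 1=1 input against a query built by string substitution and against the same query with a bound parameter. The user table is constructed for the demonstration, and the input is written with single quotes so that it matches the single-quoted literal used in the example query.

```python
import sqlite3

# Constructed sample table for the demonstration (not from the original post).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL, role TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("toto", "user")])
    return conn

def find_users_vulnerable(conn, name):
    # The query text is assembled by substituting the parameter into the SQL,
    # the same pattern as the post's SELECT ... WHERE name="$name" example.
    query = "SELECT name FROM users WHERE name='%s'" % name
    return [row[0] for row in conn.execute(query)]

def find_users_safe(conn, name):
    # A bound parameter: the driver passes the value separately from the SQL
    # text, so quotes and OR inside it are data, never syntax.
    query = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(query, (name,))]

# The post's "toto" OR 1=1 OR name="titi" input, written with single quotes so
# that it closes the single-quoted literal in the vulnerable query above.
INJECTED_NAME = "toto' OR 1=1 OR name='titi"

if __name__ == "__main__":
    db = make_db()
    print(find_users_vulnerable(db, INJECTED_NAME))  # every row comes back
    print(find_users_safe(db, INJECTED_NAME))        # no such user: []
```

The vulnerable version returns every row because the WHERE clause becomes always true; the parameterized version looks for a user literally named `toto' OR 1=1 OR name='titi` and finds none. Parameterization covers the "verify input" rule for the query itself; the remaining rules (least privilege on the database account, no verbose errors) still apply.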

Cross site scripting: ----Cross site scripting (also known as XSS) occurs when a web application gathers malicious data from a user. The data is usually gathered in the form of a hyperlink which contains malicious content within it. The user will most likely click on this link from another website, instant message, or simply just reading a web board or email message. Usually the attacker will encode the malicious portion of the link to the site in HEX (or other encoding methods) so the request is less suspicious looking to the user when clicked on. After the data is collected by the web application, it creates an output page for the user containing the malicious data that was originally sent to it, but in a manner to make it appear as valid content from the website.
Often attackers will inject JavaScript, VBScript, ActiveX, HTML, or Flash into a vulnerable application to fool a user (Read below for further details) in order to gather data from them. Everything from account hijacking, changing of user settings, cookie theft/poisoning, or false advertising is possible. New malicious uses are being found every day for XSS attacks. The post below by Brett Moore brings up a good point with regard to "Denial Of Service", and potential "auto-attacking" of hosts if a user simply reads a post on a message board.
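The defensive counterpart to the description above, as an added Python example that is not part of the original post: a request handler that decodes a percent-encoded ("HEX") parameter the way a web framework would, then either reflects it straight into the page or entity-encodes it on output. The encoded parameter value and the page template are constructed for the example.

```python
import html
from urllib.parse import unquote

def render_greeting_vulnerable(name):
    # Reflects the parameter straight into the page, so any markup in it
    # is parsed and run by the victim's browser.
    return "<p>Hello, %s</p>" % name

def render_greeting_safe(name):
    # Entity-encode on output: < > & " ' become &lt; &gt; &amp; &quot; &#x27;
    # so the browser displays the characters instead of interpreting them.
    return "<p>Hello, %s</p>" % html.escape(name, quote=True)

def handle_request(query_string_value, safe=True):
    # The server decodes the percent-encoded URL parameter before the handler
    # sees it, so the hex encoding the post mentions hides nothing from the
    # application; the encode/escape decision must be made on the decoded value.
    name = unquote(query_string_value)
    return render_greeting_safe(name) if safe else render_greeting_vulnerable(name)

# Constructed request parameter: the string <script>alert(1)</script>, percent-encoded
# as it would appear in a crafted link.
ENCODED_PARAM = "%3Cscript%3Ealert%281%29%3C%2Fscript%3E"

if __name__ == "__main__":
    print(handle_request(ENCODED_PARAM, safe=False))  # markup reaches the browser
    print(handle_request(ENCODED_PARAM, safe=True))   # shown as text, not executed
```

Output encoding has to match the context the value lands in; `html.escape` is right for element content and attribute values, while a value placed inside a script block or a URL needs that context's encoding instead.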

Distributed denial of service: ----Distributed denial-of-service attacks are ones in which the hacker plants malicious code on numerous, scattered and usually unwitting servers. Those servers, known as zombies, then flood a single IP address with packets so it is driven offline, unable to handle the volume.
A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a computer resource unavailable to its intended users. Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally consists of the concerted, malevolent efforts of a person or persons to prevent an Internet site or service from functioning efficiently or at all, temporarily or indefinitely. Perpetrators of DoS attacks typically target sites or services hosted on high-profile web servers such as banks, credit card payment gateways, and even root nameservers.

Broken authentication: ---Authentication and session management includes all aspects of handling user authentication and managing active sessions. Authentication is a critical aspect of this process, but even solid authentication mechanisms can be undermined by flawed credential management functions, including password change, forgot my password, remember my password, account update, and other related functions. Because “walk by” attacks are likely for many web applications, all account management functions should require reauthentication even if the user has a valid session id.
User authentication on the web typically involves the use of a userid and password. Stronger methods of authentication are commercially available such as software and hardware based cryptographic tokens or biometrics, but such mechanisms are cost prohibitive for most web applications. A wide array of account and session management flaws can result in the compromise of user or system administration accounts. Development teams frequently underestimate the complexity of designing an authentication and session management scheme that adequately protects credentials in all aspects of the site.
Web applications must establish sessions to keep track of the stream of requests from each user. HTTP does not provide this capability, so web applications must create it themselves. Frequently, the web application environment provides a session capability, but many developers prefer to create their own session tokens. In either case, if the session tokens are not properly protected, an attacker can hijack an active session and assume the identity of a user. Creating a scheme to create strong session tokens and protect them throughout their lifecycle has proven elusive for many developers. Unless all authentication credentials and session identifiers are protected with SSL at all times and protected against disclosure from other flaws, such as cross site scripting, an attacker can hijack a user’s session and assume their identity.

Forced browsing: ---- Forced browsing is an attack where the aim is to enumerate and access resources that are not referenced by the application, but are still accessible.
An attacker can use Brute Force techniques to search for unlinked contents in the domain directory, such as temporary directories and files, old backup and configuration files. These resources may store sensitive information about web applications and operational systems, such as source code, credentials, internal network addressing, and so on, thus being considered a valuable resource for intruders.
This attack is performed manually when the application index directories and pages are based on number generation or predictable values, or using automated tools for common files and directory names.
This attack is also known as Predictable Resource Location, File Enumeration, Directory Enumeration, and Resource Enumeration.
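From the defender's side, forced browsing leaves a recognisable trace in the access log: one client producing a run of 403/404 responses for paths the application never links to. The following added Python example (not from the original post) parses Common Log Format lines and flags clients whose miss count reaches a threshold. The log lines are constructed, using documentation IP ranges, and the threshold is an assumption to tune per site.

```python
import re
from collections import defaultdict

# Common Log Format: ip ident user [timestamp] "METHOD path PROTOCOL" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+$'
)

# Constructed sample log: one client browsing normally, one probing for
# unlinked backup and configuration files (addresses are documentation ranges).
SAMPLE_LOG = """\
203.0.113.5 - - [02/Feb/2009:10:00:01 +0000] "GET /index.jsp HTTP/1.1" 200 5120
198.51.100.7 - - [02/Feb/2009:10:00:02 +0000] "GET /backup/ HTTP/1.1" 404 312
198.51.100.7 - - [02/Feb/2009:10:00:02 +0000] "GET /web.xml.bak HTTP/1.1" 404 312
203.0.113.5 - - [02/Feb/2009:10:00:03 +0000] "GET /login.jsp HTTP/1.1" 200 2048
198.51.100.7 - - [02/Feb/2009:10:00:03 +0000] "GET /admin/ HTTP/1.1" 404 312
198.51.100.7 - - [02/Feb/2009:10:00:04 +0000] "GET /config.old HTTP/1.1" 404 312
198.51.100.7 - - [02/Feb/2009:10:00:04 +0000] "GET /tmp/ HTTP/1.1" 404 312
198.51.100.7 - - [02/Feb/2009:10:00:05 +0000] "GET /.svn/entries HTTP/1.1" 403 312
203.0.113.5 - - [02/Feb/2009:10:00:06 +0000] "GET /missing.gif HTTP/1.1" 404 312
"""

def parse_line(line):
    """Return a dict of fields for a well-formed CLF line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def find_enumerators(lines, threshold=5):
    """Map each client IP whose 403/404 count reaches the threshold to the
    paths it missed on. A production rule would also bound this by a time
    window so that a long-lived legitimate client is not flagged."""
    misses = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] in (403, 404):
            misses[rec["ip"]].append(rec["path"])
    return {ip: paths for ip, paths in misses.items() if len(paths) >= threshold}

if __name__ == "__main__":
    for ip, paths in find_enumerators(SAMPLE_LOG.splitlines()).items():
        print(ip, len(paths), "misses:", ", ".join(paths))
```

The normal client's single 404 for a missing image stays below the threshold, while the probing client is reported with the exact paths it tried, which is what an operator needs to confirm that nothing sensitive was actually reachable.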

Session hijacking: --- The term session hijacking refers to the exploitation of a valid computer session - sometimes also called a session key - to gain unauthorized access to information or services in a computer system. In particular, it is used to refer to the theft of a magic cookie used to authenticate a user to a remote server. It has particular relevance to web developers, as the HTTP cookies used to maintain a session on many web sites can be easily stolen by an attacker using an intermediary computer or with access to the saved cookies on the victim's computer.
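Both the broken authentication entry and the session hijacking entry come down to the same handful of controls: an unguessable session token, cookie attributes that keep it off the wire in clear and away from script, server-side invalidation, and reauthentication before account management functions. The following added Python example (not from the original post) implements those controls over an in-memory session store that is constructed for the demonstration; the 300-second reauthentication window is an assumption.

```python
import secrets
import time

# In-memory session store for the example: token -> session record.
SESSIONS = {}

def new_session(user, now=None):
    """Issue a session token drawn from the OS CSPRNG (256 bits). Sequential
    or timestamp-derived ids are guessable and let an attacker take over
    other users' sessions without stealing anything."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = {"user": user, "auth_at": now if now is not None else time.time()}
    return token

def session_cookie(token):
    # Secure: only sent over TLS, so an intermediary never sees the token.
    # HttpOnly: not readable from script, so an XSS flaw cannot exfiltrate it.
    return "SESSIONID=%s; Secure; HttpOnly; SameSite=Strict; Path=/" % token

def current_user(token):
    rec = SESSIONS.get(token)
    return rec["user"] if rec else None

def require_recent_auth(token, max_age=300, now=None):
    """Gate for password change, account update and similar functions: the
    session being valid is not enough, the user must have proved the password
    within max_age seconds, so a 'walk by' at an unattended browser fails."""
    rec = SESSIONS.get(token)
    if rec is None:
        return False
    now = now if now is not None else time.time()
    return now - rec["auth_at"] <= max_age

def reauthenticate(token, password_ok, now=None):
    """Refresh the authentication time after the password was re-verified
    (password_ok stands in for that check)."""
    rec = SESSIONS.get(token)
    if rec is None or not password_ok:
        return False
    rec["auth_at"] = now if now is not None else time.time()
    return True

def logout(token):
    # Invalidate on the server, so a copy of the token is useless after logout.
    SESSIONS.pop(token, None)

if __name__ == "__main__":
    t = new_session("alice")
    print("Set-Cookie:", session_cookie(t))
    print("may change password now:", require_recent_auth(t))
```

Note that nothing here stops a token that was already disclosed from being replayed during its lifetime; that is why the post insists on SSL for every request carrying the cookie and on keeping XSS out of the application.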

Insecure direct object reference: --- A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter. An attacker can manipulate direct object references to access other objects without authorization, unless an access control check is in place.
For example, in Internet Banking applications, it is common to use the account number as the primary key. Therefore, it is tempting to use the account number directly in the web interface. Even if the developers have used parameterized SQL queries to prevent SQL injection, if there is no extra check that the user is the account holder and authorized to see the account, an attacker tampering with the account number parameter can see or change all accounts.
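The banking example above, as an added Python example that is not part of the original post: the same balance lookup written three ways, first trusting the account number from the request, then with an ownership check, then with a per-user indirect reference so that the real primary key never appears in the URL or form at all. The accounts are constructed for the demonstration.

```python
# Constructed bank accounts keyed by account number, the primary key the
# post warns against exposing directly in the web interface.
ACCOUNTS = {
    "1001": {"owner": "alice", "balance": 500},
    "1002": {"owner": "bob", "balance": 75},
}

class Forbidden(Exception):
    pass

def view_balance_vulnerable(session_user, account_no):
    # Trusts the account number taken from the request: any logged-in user who
    # edits the parameter reads any account, parameterized SQL or not.
    return ACCOUNTS[account_no]["balance"]

def view_balance_checked(session_user, account_no):
    # Ownership check on every access. Missing and foreign accounts get the
    # same answer, so the response does not reveal which numbers exist.
    acct = ACCOUNTS.get(account_no)
    if acct is None or acct["owner"] != session_user:
        raise Forbidden("not your account")
    return acct["balance"]

def reference_map(session_user):
    """Indirect references: the page shows per-user positions (0, 1, ...)
    instead of account numbers, and the mapping lives only on the server."""
    mine = sorted(no for no, acct in ACCOUNTS.items() if acct["owner"] == session_user)
    return {str(i): no for i, no in enumerate(mine)}

def view_balance_indirect(session_user, ref):
    account_no = reference_map(session_user).get(ref)
    if account_no is None:
        raise Forbidden("unknown reference")
    return ACCOUNTS[account_no]["balance"]

if __name__ == "__main__":
    print("alice's own account:", view_balance_checked("alice", "1001"))
    try:
        view_balance_checked("alice", "1002")
    except Forbidden as e:
        print("alice -> 1002:", e)
    print("alice's references:", reference_map("alice"))
```

The ownership check is the essential control; the indirect map is an extra layer that also removes the temptation to guess neighbouring account numbers, at the cost of keeping a per-user mapping on the server.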

WS-Security: ---(Web Services Security) is a communications protocol providing a means for applying security to Web services. It is officially called WSS and was developed via committee in Oasis-Open.
The protocol contains specifications on how integrity and confidentiality can be enforced on Web services messaging. The WSS protocol includes details on the use of SAML and Kerberos, and certificate formats such as X.509.
WS-Security describes how to attach signatures and encryption headers to SOAP messages. In addition, it describes how to attach security tokens, including binary security tokens such as X.509 certificates and Kerberos tickets, to messages.
WS-Security incorporates security features in the header of a SOAP message, working in the application layer. Thus it ensures end-to-end security.

Principle of least privilege: --- In information security, computer science, and other fields, the principle of least privilege, also known as the principle of minimal privilege or just least privilege, requires that in a particular abstraction layer of a computing environment, every module (such as a process, a user or a program on the basis of the layer we are considering) must be able to access only such information and resources that are necessary to its legitimate purpose.[1][2]
When applied to users, the terms least user access or least-privileged user account (LUA) are also used, referring to the concept that all users at all times should run with as few privileges as possible, and also launch applications with as few privileges as possible.