Cyber Sec 05


INTRODUCTION TO CYBERSECURITY
Lecture 05
SQL Injection
• These attacks, which result from failing to validate user input, have increased in prevalence in the past several years and now often target thousands of sites at a time. One of the most common and dangerous vulnerabilities in Web applications is structured query language (SQL) injection.
• An attacker can exploit a query that embeds user input directly in SQL text by providing input that the database cannot distinguish from SQL code: instead of treating it as data, it executes it. In this case, the attacker provided the following string in place of the username variable: x'; SELECT uname,pwd FROM users; --
  The quote closes the string literal, the semicolon ends the original statement, and -- comments out whatever SQL followed the injection point.
• This attack reads sensitive information, but the same technique could just as easily modify the database using an UPDATE command or destroy it using a DROP command.
• One defence is to escape user input before embedding it in a query, and many languages provide a function for this. The best-known is PHP's mysql_real_escape_string (removed together with the mysql extension in PHP 7; prepared statements with bound parameters, which keep data and code separate, are the preferred defence). An alternative to escaping bad data is to admit only known-good data into the application (an allowlist).
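The two approaches the slide names, side by side, as an added example that is not part of the lecture: a query built by pasting the username into SQL text, and the same code guarded by an allowlist. The table and column names (users, uname, pwd) and the injection string are the slide's; the SELECT template, the allowlist rule (letters, digits, underscore, at most 32 characters) and the buffer sizes are assumptions made here.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Added example, not from the lecture. Table/column names and the injection
 * string are the slide's; the query template, the allowlist rule and the
 * 32-character limit are assumptions for illustration. */

#define SLIDE_PAYLOAD "x'; SELECT uname,pwd FROM users; --"
static char query_buf[256];

/* Vulnerable pattern: the username is pasted straight into SQL text.
 * Returns bytes written, or -1 if the query would not fit. */
int build_query_unsafe(char *out, size_t outlen, const char *username)
{
    int n = snprintf(out, outlen,
                     "SELECT * FROM users WHERE uname = '%s'", username);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/* Allowlist check ("only allow good data"): 1..32 ASCII letters, digits or
 * underscore. The quote, semicolon and '--' the injection relies on can never
 * pass, so a value that gets through needs no escaping. */
int username_is_valid(const char *username)
{
    size_t len = strlen(username);
    if (len == 0 || len > 32)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)username[i];
        if (!isalnum(c) && c != '_')
            return 0;
    }
    return 1;
}

/* Hardened pattern: validate first, refuse to build the query otherwise.
 * (With a real driver, bind the value as a parameter instead of formatting it.) */
int build_query_checked(char *out, size_t outlen, const char *username)
{
    if (!username_is_valid(username))
        return -1;
    return build_query_unsafe(out, outlen, username);
}

int main(void)
{
    build_query_unsafe(query_buf, sizeof query_buf, SLIDE_PAYLOAD);
    printf("unsafe : %s\n", query_buf);
    /* SELECT * FROM users WHERE uname = 'x'; SELECT uname,pwd FROM users; --'
       the quote closes the literal, ';' ends the statement, '--' comments out
       the trailing quote that the template appends */
    if (build_query_checked(query_buf, sizeof query_buf, SLIDE_PAYLOAD) < 0)
        printf("checked: input rejected by allowlist\n");
    return 0;
}
```

An allowlist works here because a username has a small, well-defined alphabet. For free-text fields (comments, names with apostrophes) no allowlist fits, and the only robust fix is a parameterized query, where the driver sends the value separately from the SQL text.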
DoS
• DoS is a general term for a lack of access to a service. The lack of access can occur for many reasons and at different points between the client and the server.
• To consume the available bandwidth of a target, an attacker uses a technique known as flooding: a volume of traffic that saturates the target's network links. Attackers use UDP, ICMP and TCP to inundate the target with traffic.
• A similar method of causing a DoS condition starves the resources of network devices. Overutilization of system resources such as CPU, memory, or data structures stored in memory (for example the table of half-open TCP connections) can cause system failure. A particularly effective DoS attack on network device resources is a SYN flood.
• To saturate network bandwidth or starve a system's resources, it helps for the attacker to have more resources than the target does.
• Amplification removes that requirement: the attacker uses techniques that magnify the effect of an attack beyond the capabilities of the attacker's own limited resources, e.g. a DNS amplification attack, in which small queries carrying a spoofed source address elicit much larger responses that are delivered to the victim.
• Common network-level safeguards using security devices can reduce DoS attempts by filtering out spoofed or malformed traffic at edge routers and firewalls. A network device with anti-spoofing functionality such as Unicast Reverse Path Forwarding (uRPF) can reduce network DoS conditions: the device verifies the validity of a source IP address and discards the traffic if the source address is not routable or is spoofed.
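The uRPF check described above, as an added example that is not part of the lecture: strict-mode reverse-path forwarding over a toy forwarding table. The check looks up the route back to the packet's source address and forwards only if that route leaves on the interface the packet arrived on, which is what stops a spoofed internal address entering from the upstream link (and a LAN host spoofing an external address leaving). The interface numbers, prefixes and addresses are invented for illustration.

```c
#include <stdint.h>
#include <stddef.h>

/* Added example, not from the lecture: strict-mode unicast RPF over a toy
 * forwarding table. Interfaces, prefixes and addresses are invented. */

struct route {
    uint32_t prefix;   /* network address, host byte order */
    int      plen;     /* prefix length in bits */
    int      ifindex;  /* interface a packet *to* this prefix leaves on */
};

/* Constructed FIB for an edge router:
 *   if 0 = upstream link, if 1 = 192.168.10.0/24 LAN, if 2 = 10.0.0.0/8 campus */
static const struct route fib[] = {
    { 0x00000000u,  0, 0 },  /* 0.0.0.0/0 default route via upstream */
    { 0xC0A80A00u, 24, 1 },  /* 192.168.10.0/24 */
    { 0x0A000000u,  8, 2 },  /* 10.0.0.0/8 */
};

uint32_t ip4(int a, int b, int c, int d)
{
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | (uint32_t)d;
}

static uint32_t netmask(int plen)
{
    return plen == 0 ? 0u : 0xFFFFFFFFu << (32 - plen);
}

/* Longest-prefix match: egress ifindex for addr, or -1 if unroutable. */
int route_lookup(uint32_t addr)
{
    int best_if = -1, best_len = -1;
    for (size_t i = 0; i < sizeof fib / sizeof fib[0]; i++) {
        if ((addr & netmask(fib[i].plen)) == fib[i].prefix && fib[i].plen > best_len) {
            best_if = fib[i].ifindex;
            best_len = fib[i].plen;
        }
    }
    return best_if;
}

/* Strict uRPF: forward only if the best route back to the packet's source
 * address exits the interface the packet arrived on. Returns 1 = forward,
 * 0 = drop. A source with no route at all is dropped as well. */
int urpf_strict_accept(uint32_t src, int ingress_if)
{
    int back = route_lookup(src);
    return back >= 0 && back == ingress_if;
}
```

Strict mode assumes symmetric routing; on multi-homed links where the return path may legitimately differ, routers offer a loose mode that only requires the source to be routable at all, which still discards unroutable (bogon) sources but not every spoofed one.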
BRUTE FORCE/DICTIONARY ATTACKS
• A password-based authentication system is only as good as its underlying passwords. When attackers use brute-force attacks and dictionary attacks against these systems, those passwords may prove insufficient. It is common for the system to store the password component in encrypted or, more usually, hashed form; an attacker who obtains the stored form can test candidates offline without touching the authentication system at all.
• Password dictionaries, sometimes referred to as word lists, are compilations of known words and known variations on those words that users may choose as passwords. The variations include character substitutions (e.g., changing 1s to i's or l's and vice versa), words from non-native languages, and words combined into phrases.
• Dictionary attacks, like most attacks against an unknown password, can be slow when probing the authentication system one password at a time, and for any given user there is no guarantee that the dictionary contains the password: when the user selects a suitably random password, such as @fA09wR&$xZQ, a dictionary attack fails.
• To illustrate the time required to brute-force a password of sufficient complexity: given the character set abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*() (forty-six characters) and a password length of eight, the number of candidates of exactly that length is 46^8 = 20,047,612,231,936, roughly 20 trillion (2 x 10^13). Counting every length from one to eight adds only about 2% to that figure.
• If the authentication system took one-half second per password to report whether it was valid, and the password was "))))))))" (the last candidate when the set is enumerated in the order given), the attacker would need roughly 10 trillion seconds (10,023,806,115,968) to find it. That is about 317,852.8 years.
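The slide's arithmetic, carried out in code as an added example that is not part of the lecture, with two things the prose does not show: the multiplication is overflow-checked so a wrapped keyspace can never be mistaken for a real one, and the position of a specific password in an exhaustive search is computed, which is why "))))))))" is the worst case for this character set. The charset, length and 0.5 s/guess rate are the slide's; the function names and the 365-day year are assumptions made here.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Added example, not from the lecture: the slide's arithmetic done with
 * overflow-checked 64-bit integers, plus the position of a given password in
 * an exhaustive search. Charset, length and the 0.5 s/guess rate are the
 * slide's; everything else is assumed for illustration. */

#define CHARSET "abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()"

/* n^len. Returns 0 if the result does not fit in 64 bits, so a caller can
 * never mistake a wrapped value for a real keyspace size. */
uint64_t keyspace(uint64_t n, unsigned len)
{
    uint64_t r = 1;
    for (unsigned i = 0; i < len; i++) {
        if (r > UINT64_MAX / n)
            return 0;
        r *= n;
    }
    return r;
}

/* Candidates of every length from 1 to maxlen (the slide counts only length 8). */
uint64_t keyspace_upto(uint64_t n, unsigned maxlen)
{
    uint64_t total = 0;
    for (unsigned l = 1; l <= maxlen; l++)
        total += keyspace(n, l);
    return total;
}

/* 1-based position of pw when all strings of its length are tried in charset
 * order ("aaaaaaaa" first, "))))))))" last). Returns 0 if pw uses a character
 * outside the charset, i.e. the search can never find it. */
uint64_t guesses_to_find(const char *pw)
{
    uint64_t n = strlen(CHARSET), rank = 0;
    for (const char *p = pw; *p; p++) {
        const char *pos = strchr(CHARSET, *p);
        if (pos == NULL)
            return 0;
        rank = rank * n + (uint64_t)(pos - CHARSET);
    }
    return rank + 1;
}

/* Wall-clock years for a given number of guesses at a fixed cost per guess. */
double years_at_rate(uint64_t guesses, double seconds_per_guess)
{
    return (double)guesses * seconds_per_guess / (365.0 * 24 * 3600);
}

int main(void)
{
    uint64_t worst = guesses_to_find("))))))))");
    printf("46^8 = %llu candidates\n", (unsigned long long)keyspace(46, 8));
    printf("1..8 chars = %llu candidates\n", (unsigned long long)keyspace_upto(46, 8));
    printf("\"))))))))\" is guess #%llu -> %.1f years at 0.5 s/guess\n",
           (unsigned long long)worst, years_at_rate(worst, 0.5));
    return 0;
}
```

The half-second per guess is an online rate, bounded by the authentication system answering each attempt. Against a stolen hash the attacker sets the rate, and a fast unsalted hash can be tried billions of times per second, which is why the size of the keyspace matters far more than the server's response time.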
Cross-Site Scripting (XSS)
• Improper input validation can allow an attacker to execute malicious scripts in a Web page with the same level of access as the scripts the site legitimately includes. Cross-site scripting (XSS) attacks, used to read form variables and take actions on behalf of the user, are among the most common and most widely exploited classes of web vulnerability.
• Like many common vulnerabilities, XSS flaws are essentially input validation errors. For an XSS attack to occur, a website must accept input from an untrusted source, such as a Web request, and serve that input back in a Web page without encoding it.
• For example, a search engine must accept input from visitors to determine what the user is looking for. In the following example, the "query" variable is set to the value puppies: http://example.com/search?query=puppies
• Rather than a real search query, a user might enter JavaScript that causes the page to show an alert when the result page reflects it, e.g. http://example.com/search?query=><SCRIPT>alert("XSS!")</SCRIPT> (the leading > closes whatever tag the reflected value lands in).
• Using XSS, attackers can steal information from a victim's browser related to the vulnerable page. If the vulnerability exists in a banking application, the attacker's script can read account balances and other private information from the page and send them to a server the attacker controls. XSS also enables
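The reflected search page from the example above, as an added example that is not part of the lecture: the "query" value echoed verbatim, beside the same template with HTML entity encoding applied before the value is reflected. The payload is the slide's; the page template, the encoder and the buffer sizes are assumptions made here.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Added example, not from the lecture: the reflected "query" parameter
 * rendered verbatim beside the same template with HTML entity encoding. The
 * page template and buffer sizes are assumptions; the payload is the slide's. */

#define XSS_PAYLOAD "><SCRIPT>alert(\"XSS!\")</SCRIPT>"
static char page_buf[1024];

/* Encode the five characters that let untrusted text change HTML structure
 * when placed in element content. Returns the encoded length, or -1 if out
 * is too small. */
int html_escape(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    if (outlen == 0)
        return -1;
    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        char one[2] = { (char)*p, '\0' };
        const char *rep;
        switch (*p) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#x27;"; break;
        default:   rep = one;      break;
        }
        size_t rl = strlen(rep);
        if (o + rl >= outlen)
            return -1;
        memcpy(out + o, rep, rl);
        o += rl;
    }
    out[o] = '\0';
    return (int)o;
}

/* Vulnerable: the search term is echoed into the page unchanged. */
int render_unsafe(const char *query, char *page, size_t pagelen)
{
    int n = snprintf(page, pagelen, "<p>Results for: %s</p>", query);
    return (n < 0 || (size_t)n >= pagelen) ? -1 : n;
}

/* Fixed: encode for the HTML element context before reflecting. */
int render_safe(const char *query, char *page, size_t pagelen)
{
    char enc[512];
    if (html_escape(query, enc, sizeof enc) < 0)
        return -1;
    int n = snprintf(page, pagelen, "<p>Results for: %s</p>", enc);
    return (n < 0 || (size_t)n >= pagelen) ? -1 : n;
}

/* 1 if a script element from the input survived into the page. */
int page_has_script_tag(const char *page)
{
    return strstr(page, "<SCRIPT>") != NULL || strstr(page, "<script>") != NULL;
}

int main(void)
{
    render_unsafe(XSS_PAYLOAD, page_buf, sizeof page_buf);
    printf("unsafe: %s\n", page_buf);   /* the browser runs the script */
    render_safe(XSS_PAYLOAD, page_buf, sizeof page_buf);
    printf("safe  : %s\n", page_buf);   /* the browser shows it as text */
    return 0;
}
```

Entity encoding is the right fix only for this context, text inside an element. A value reflected into an attribute, a JavaScript string or a URL needs the encoding appropriate to that context, and a value that was URL-encoded in the request must be decoded before it is checked, or the check sees %3C instead of <.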
SOCIAL ENGINEERING/PHISHING/DRIVE-BY-DOWNLOADS
• Social Engineering - No matter how quickly an organization patches the latest zero-day vulnerability or how many security products it deploys, one major vulnerability remains in every system: the human being. Social engineering is the art and science of attacking the human element of a system to gain sensitive information or access to restricted areas or systems.
• Phishing - In phishing scams, an intruder masquerading as a trustworthy party in an electronic communication such as e-mail or text message lures the recipient into disclosing usernames, passwords, credit card details and other private data, typically through a Web page that imitates a legitimate service.
• Drive-by downloads - malicious content placed by attackers on a Web page, often disguised as pop-ups, that begins downloading and installing malware on the device as soon as it visits the page, without the user choosing to install anything.
Buffer Overflow
• Stack-based buffer overflows occur when a function writes more data to a stack variable than the variable can hold. The objective in exploiting a stack-based buffer overflow is to control the flow of execution and run potentially malicious code by supplying more data than the variable can hold.
• Simply filling a stack buffer with data and overwriting the return address is not enough for attackers to run arbitrary code on a victim's computer. Controlling the return address is only one part of a successful stack-based buffer overflow.
• A successful exploit lets attackers control the return address and point it at a memory location from which they can begin executing either injected instructions (shellcode) or instructions already present in the process. The result is, of course, the execution of arbitrary code on the victim's computer.
• Without exception, the root cause of a stack-based buffer overflow is the lack of bounds checking when accepting input. Buffers allocated on the stack are of finite, predetermined size, and it is up to the programmer to ensure that the function copying data into them respects that size.
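The overwrite described above, as an added example that is not part of the lecture. A stack frame is modelled as a struct so the effect of an unchecked copy can be observed deterministically and without undefined behaviour: a 4-byte field sits directly after a 16-byte buffer, the way a saved return address sits above a function's locals, and a 20-byte input written with no bounds check lands its last four bytes in that field. The buffer size, the constructed return address and the payload are assumptions made here.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Added example, not from the lecture. A stack frame is modelled as a struct
 * so the effect of an unchecked copy can be observed without undefined
 * behaviour: 'saved_ret' sits right after 'buf' just as the saved return
 * address sits above the locals in a real frame. Buffer size, the constructed
 * return address and the payload are assumptions. */

#define OVERFLOW_PAYLOAD "AAAAAAAA" "AAAAAAAA" "BBBB"  /* 16 filler bytes + 4 that land on saved_ret */
static char dst_buf[16];

struct frame {
    char     buf[16];      /* fixed-size stack buffer */
    uint32_t saved_ret;    /* stands in for the saved return address */
};

/* Vulnerable pattern: the copy length comes from the input, not from the
 * destination, so bytes 17.. overwrite saved_ret. (The clamp to sizeof f is
 * only there to keep the demonstration inside the object; a real strcpy has
 * no such limit.) Returns the value saved_ret holds after the copy. */
uint32_t copy_unchecked(const uint8_t *src, size_t len)
{
    struct frame f;
    memset(f.buf, 0, sizeof f.buf);
    f.saved_ret = 0x08048000u;            /* constructed "legitimate" return address */
    if (len > sizeof f)
        len = sizeof f;
    memcpy(&f, src, len);                 /* no check against sizeof f.buf */
    return f.saved_ret;
}

/* Fixed pattern: bound the copy by the destination and reject oversize input
 * instead of silently truncating it or spilling past the end. */
int copy_checked(const uint8_t *src, size_t len, char *dst, size_t dstlen)
{
    if (len >= dstlen)                    /* leave room for the terminator */
        return -1;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

int main(void)
{
    printf("saved_ret after 20-byte copy into 16-byte buf: 0x%08x\n",
           copy_unchecked((const uint8_t *)OVERFLOW_PAYLOAD, 20));
    printf("checked copy of the same input: %d\n",
           copy_checked((const uint8_t *)OVERFLOW_PAYLOAD, 20, dst_buf, sizeof dst_buf));
    return 0;
}
```

The 0x42424242 that comes back is the "BBBB" of the payload: the attacker now chooses where execution continues after the function returns. Modern compilers place a random canary between the locals and the saved return address and abort when it changes, which is one of the reasons the slide says that overwriting the return address alone is not enough.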
INTEGER OVERFLOW

• Resulting from insufficient input validation, integer overflows can cause high-severity vulnerabilities. Not to be confused with buffer overflows, integer errors are common and potentially severe. An integer overflow occurs when an arithmetic operation produces a result larger than the maximum value the integer type can represent, so the stored result wraps around to a small value.
• An example of an integer overflow involves an arithmetic error in the size passed to the C and C++ standard library function malloc(), which allocates a block of dynamic memory. An integer overflow can cause malloc() to allocate less memory than required.
• Consider this example code in which multiplication and malloc() are involved:

    #include <stdlib.h>
    #include <string.h>

    char *expand_string(char *string, size_t length)
    {
        char *strresult = (char *)malloc(length * 2 + 1);  /* wraps if length > SIZE_MAX / 2 */
        strcpy(strresult, string);                         /* writes past the undersized block */
        return strresult;
    }

• If an attacker controls the value of the parameter length, the multiplication can wrap to a small value: malloc() then returns a buffer far smaller than the caller assumes and the strcpy() overflows it. (The strcpy() is a second defect in its own right, since it never checks that string fits in the buffer at all.)
• In truncation errors, an integer value is truncated while being cast to a data type with fewer bits. Consider the following example:

    int i = -3;
    unsigned short int j;
    j = i;  /* j = 65533 */

• When a negative signed integer is converted to an unsigned type, the most significant bit loses its function as a sign bit. The result is that j is not set to −3 but to 65,533, the 16-bit unsigned representation of −3 (65,536 − 3).
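The slide's length*2+1 computation and its truncation example, as an added example that is not part of the lecture. The size is computed at a fixed 32-bit width so the wrap is the same on every platform (on a 64-bit size_t the same wrap needs a length above 2^63): the unchecked version returns 1 for a length of 0x80000000, the checked version refuses it, and a corrected expand_string bounds both the allocation and the copy. The 32-bit width and the helper names are assumptions made here.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not from the lecture: the slide's length*2+1 computation at
 * a fixed 32-bit width (so the wrap is the same on every platform) beside a
 * checked version, a corrected expand_string, and the slide's truncation as a
 * function. The 32-bit width and the helper names are assumptions. */

static uint32_t size_out;

/* The slide's arithmetic. For length = 0x80000000, length*2 wraps to 0 and the
 * result is 1: malloc(1) where 4 GiB + 1 bytes were meant. */
uint32_t alloc_size_unchecked(uint32_t length)
{
    return length * 2u + 1u;
}

/* Checked: refuse any length whose doubled-plus-one value is unrepresentable. */
int alloc_size_checked(uint32_t length, uint32_t *out)
{
    if (length > (UINT32_MAX - 1u) / 2u)
        return -1;
    *out = length * 2u + 1u;
    return 0;
}

/* expand_string with the size check applied and the copy bounded by it.
 * Returns NULL rather than ever handing back an undersized buffer. */
char *expand_string_checked(const char *string, uint32_t length)
{
    uint32_t size;
    if (alloc_size_checked(length, &size) != 0)
        return NULL;
    size_t slen = strlen(string);
    if (slen >= size)                      /* the slide's strcpy never checks this */
        return NULL;
    char *r = malloc(size);
    if (r != NULL)
        memcpy(r, string, slen + 1);
    return r;
}

/* 1 if expand_string_checked accepts the input and returns a faithful copy. */
int expand_roundtrip_ok(const char *string, uint32_t length)
{
    char *r = expand_string_checked(string, length);
    int ok = r != NULL && strcmp(r, string) == 0;
    free(r);
    return ok;
}

/* The slide's truncation: -3 stored into a 16-bit unsigned becomes 65533
 * (65536 - 3), the two's-complement bit pattern reinterpreted. */
uint16_t truncate_to_u16(int i)
{
    return (uint16_t)i;
}
```

The check is written as a comparison against (UINT32_MAX - 1) / 2 rather than by testing the product afterwards, because unsigned wrap is silent and signed overflow is undefined behaviour: the compiler is free to assume it never happens and delete an after-the-fact test. gcc and clang also offer __builtin_mul_overflow for the same purpose.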
FORMAT STRING VULNERABILITIES
• This section discusses vulnerabilities in printf and similar formatting functions. These vulnerabilities put the stack, a critical component of program execution, at risk of disclosure and corruption. The C function printf (print formatted output) normally prints output to the screen. Its first parameter, the format string, tells the function how to interpret the arguments that follow it.
• Normally, a compiler compares the number of arguments passed to a function against the function's declaration to catch programming mistakes; however, printf and similar variadic functions accept different numbers of arguments depending on the format string itself. Calling printf with a single parameter creates a vulnerability if a user can influence that parameter.
• The caller passes the arguments (on the stack, or in registers and then the stack) before calling printf, and printf then uses the directives in the format string (%s, %d and so on) to decide how many values to pull from the stack and how to interpret each one.
• When the user controls the format string, he or she can specify directives that pull extra data from the stack in this manner. This lets the user read the contents of memory, since the format string can name any number of arguments; the %n directive, which stores the number of bytes printed so far through a pointer taken from the stack, turns the same bug into a memory write. Compilers flag the pattern: gcc's -Wformat-security warns whenever a non-literal format string is passed with no further arguments.
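The safe and unsafe call patterns, together with a small scanner that counts the directives in a string before it is ever allowed to act as a format, as an added example that is not part of the lecture. The scanner consumes flags, width, precision and length modifiers so that "%08lx" counts as one directive and "%%" as none, and it reports %n separately because that is the directive that writes. The scanner and the policy built on it are assumptions made here.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from the lecture: the safe and unsafe call patterns and
 * a small scanner that counts conversion directives in a string before it is
 * allowed to act as a format. The scanner and its policy are assumptions. */

static int writes_out;

/* Vulnerable pattern (left as a comment: modern gcc rejects it outright under
 * -Werror=format-security):
 *
 *     void log_unsafe(const char *msg) { printf(msg); }
 *
 * With msg = "%x %x %x %x" printf pulls four words off the stack and prints
 * them; with "%n" it writes to an address taken from the stack. */

/* Fixed pattern: the format is a constant; the untrusted string is only data. */
void log_safe(const char *msg)
{
    printf("%s\n", msg);
}

/* Count conversion directives in fmt, treating "%%" as a literal percent and
 * consuming flags, width, precision and length modifiers so "%08lx" counts
 * once. *writes receives the number of %n directives. A dangling '%' at the
 * end is malformed and is counted as a directive so callers treat it as unsafe. */
int count_conversions(const char *fmt, int *writes)
{
    int n = 0;
    *writes = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')
            continue;                                    /* "%%" */
        while (*p && strchr("-+ #0", *p)) p++;           /* flags */
        while (*p && ((*p >= '0' && *p <= '9') || *p == '*')) p++;   /* width */
        if (*p == '.') {                                 /* precision */
            p++;
            while (*p && ((*p >= '0' && *p <= '9') || *p == '*')) p++;
        }
        while (*p && strchr("hlLqjzt", *p)) p++;          /* length modifiers */
        if (*p == '\0') {
            n++;                                         /* dangling '%' */
            break;
        }
        if (*p == 'n')
            (*writes)++;
        n++;
    }
    return n;
}

/* Policy: a string that did not come from the program itself may not carry
 * any directive if it is going to be used as a format. */
int format_is_safe_for_untrusted(const char *s)
{
    int w;
    return count_conversions(s, &w) == 0;
}
```

The scanner is a detection aid for code review or for logging frameworks that accept a caller-supplied format; it does not make printf(msg) safe. The fix is always the constant format with the untrusted value as an argument, and on Linux glibc also refuses %n in writable-memory format strings when compiled with _FORTIFY_SOURCE.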
SHELLCODE
• The wide availability of shellcode, injectable binary code used to perform custom tasks within another process, makes it simple for even novice attackers to create highly reliable payloads for use after exploitation. Initially, shellcode simply spawned a shell from another process; it is now used to perform a variety of custom tasks.
• Shellcode is the binary code used as the payload when exploiting a software vulnerability. The name originates from its initial purpose of spawning a shell within another process, but has since come to mean code that performs any custom task within another process.
• Linux and the other UNIX operating systems are similar in that they use system calls to let processes interact with the kernel. These system calls allow shellcode to perform tasks such as reading or writing files and binding and listening on sockets, with the same permissions as the process into which the shellcode was injected.
