Application/Service Attacks - CompTIA Security+
- Man-in-the-Middle
- Buffer Overflow
- SQL Injection
- ARP/DNS Poisoning
- Zero Day
- Hijacking Attacks
DoS (Denial of Service)
A DoS (Denial of Service) attack is an incident in which a user or organization is deprived of the services of a resource they would normally expect to have.
DoS attacks commonly target web servers and, more often than not, come from a single external user.
They are often accomplished using buffer overflows, or by using multiple servers and/or routers to overwhelm another router or host.
DDoS (Distributed Denial of Service)
In a DDoS (Distributed Denial of Service) attack, large numbers of compromised systems (zombies/bots) attack a single target in an attempt to crash it. The zombie computers are remotely controlled and updated by a command and control center.
Man-in-the-Middle
A man-in-the-middle attack is a form of active eavesdropping, or network sniffing, in which the attacker makes independent connections with the victims and relays messages between them.
In other words, network traffic is intercepted for spying, possibly accompanied by the insertion of malicious code.
Buffer Overflow
A buffer overflow is a condition where a process attempts to store more data in a memory variable (buffer) than that variable was sized to hold. Basically, it writes too much data into an application's memory and causes the application to crash.
If successful, a buffer overflow can lead to a DoS.
The most common exploit of an Internet-exposed network service or a web server is a buffer overflow.
SQL Injection
SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of SQL Server for parsing and execution.
The attacker tries to get the receiving server to pass the crafted input on to a back-end database, from which the stored data can be compromised.
Any procedure that constructs SQL statements should be reviewed for injection vulnerabilities, because SQL Server will execute every syntactically valid query it receives. The MS-SQL database port number is 1433.
An example of a SQL injection payload is ' or '1'='1
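To make that payload concrete, here is an added example (not from the original notes) that uses Python's built-in sqlite3 module in place of SQL Server; the database, table and user "alice" are constructed for the demonstration. It shows the string-concatenated login query that the payload bypasses beside a parameterized version that treats the same input as plain data.

```python
import sqlite3

# Constructed sample database standing in for the back-end SQL Server:
# one table, one user (values are made up for this example).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return db

def build_vulnerable_query(name, password):
    # The user input is pasted straight into the SQL text, so a quote in the
    # input ends the string literal and the rest is parsed as SQL syntax.
    return ("SELECT COUNT(*) FROM users WHERE name = '" + name +
            "' AND password = '" + password + "'")

def login_vulnerable(db, name, password):
    # Executes whatever syntactically valid statement the concatenation produced.
    return db.execute(build_vulnerable_query(name, password)).fetchone()[0] > 0

def login_parameterized(db, name, password):
    # Placeholders send the values separately from the statement text, so the
    # database never parses the input as SQL: a quote stays a quote.
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return db.execute(sql, (name, password)).fetchone()[0] > 0

def demo():
    db = make_db()
    payload = "' or '1'='1"   # the payload from the notes, used as the password
    return {
        # Rendered statement ends in: AND password = '' or '1'='1'  (always true)
        "rendered": build_vulnerable_query("alice", payload),
        "valid_vuln": login_vulnerable(db, "alice", "s3cret"),
        "payload_vuln": login_vulnerable(db, "alice", payload),      # True: bypass
        "valid_param": login_parameterized(db, "alice", "s3cret"),
        "payload_param": login_parameterized(db, "alice", payload),  # False
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=>", value)
```

The rendered statement is also what a code review or query log would show: a WHERE clause whose trailing `or '1'='1'` did not come from the application.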
Cross-Site Scripting (XSS) and Cross-Site Request Forgery (XSRF)
Cross-Site Scripting (XSS) attacks occur when malicious scripts are injected into benign or otherwise trusted websites.
An attacker can use XSS to send a malicious script to an unsuspecting user. The end user's browser has no way to know that the script should not be trusted, and will execute the script.
Because the browser thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site.
Cross-Site Request Forgery (XSRF) is a type of attack that occurs when a malicious web site, email, blog, instant message, or program causes a user's web browser to perform an unwanted action on a trusted site for which the user is currently authenticated.
Unlike cross-site scripting, which exploits the trust a user has for a particular site, XSRF exploits the trust that a site has in a user's browser.
XSRF involves unauthorized commands coming from a trusted user to the website. This is often done without the user's knowledge and typically employs some type of social networking site, such as a forum, to pull it off.
For example, you log into your home router's web administrative page in one tab; in another tab you click on a forum link, and as you do, your router reboots.
To prevent XSS or XSRF attacks, use input validation and restrict the use of special characters in input.
DNS Poisoning
DNS poisoning is a maliciously created or unintended situation that provides data to a Domain Name Server that did not originate from authoritative DNS sources.
For example: you are trying to connect to PayPal, but the URL changes to a different site (one that looks just like PayPal and asks for your financial information).
Either of the following can cause you to be redirected to a spoofed website:
• DNS poisoning
• Altered hosts file
ARP Poisoning
ARP is the method for finding a host's link layer (hardware) address when only its IP or some other Network Layer address is known.
ARP poisoning allows traffic to be redirected through a malicious machine by sending false hardware address updates to a victim.
Basically, the attacker convinces the victim that the attacker's machine is the default gateway for the network.
ARP poisoning is often used as the first step in launching a man-in-the-middle attack.
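As an added example on the defender's side (not part of the original notes), the detector below watches a constructed stream of observed ARP replies for the symptom described above: the MAC address bound to the default gateway's IP suddenly changing, or one MAC answering for more than one IP. The gateway address, hosts and MACs are all made-up sample values.

```python
# Constructed sample of observed ARP replies (sender IP, sender MAC) in arrival
# order. All addresses are made up for this example.
OBSERVED_REPLIES = [
    ("192.168.1.1", "00:11:22:33:44:55"),   # the real default gateway
    ("192.168.1.20", "aa:bb:cc:dd:ee:01"),  # an ordinary host
    ("192.168.1.1", "00:11:22:33:44:55"),   # gateway answers again, unchanged
    ("192.168.1.1", "DE:AD:BE:EF:00:01"),   # gateway IP now claimed by another MAC
    ("192.168.1.20", "de:ad:be:ef:00:01"),  # the same MAC also claims the host
]

def detect_arp_poisoning(replies, gateway_ip):
    """Return a list of alert strings for the given reply stream.

    Flags (1) any change of the MAC bound to an IP, with the gateway called out
    specifically, and (2) one MAC answering for more than one IP, which is what
    a machine impersonating the gateway for several victims looks like.
    """
    ip_to_mac = {}      # last MAC seen for each IP
    mac_to_ips = {}     # every IP each MAC has claimed
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()   # normalise case so DE:AD and de:ad compare equal
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            label = "gateway " if ip == gateway_ip else ""
            alerts.append(f"{label}{ip} changed from {previous} to {mac}")
        ip_to_mac[ip] = mac
        claimed = mac_to_ips.setdefault(mac, set())
        claimed.add(ip)
        if len(claimed) > 1:
            alerts.append(f"{mac} claims multiple IPs: {sorted(claimed)}")
    return alerts

if __name__ == "__main__":
    for alert in detect_arp_poisoning(OBSERVED_REPLIES, "192.168.1.1"):
        print("ALERT:", alert)
```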
Domain Hijacking
Domain hijacking is when an attacker manages to take control of somebody else's domain. This can be accomplished in a number of ways, but it generally involves getting admin access.
For example, an attacker gets admin control of example.com and forces anybody who goes to example.com to be redirected to a malicious site. This is possible because the admin has full control.
An attacker could also install malware on the hijacked site.
Zero Day
A zero-day attack or threat is a computer threat that tries to exploit application vulnerabilities that are unknown to the software developer or to anyone else.
Such vulnerabilities are also called zero-day vulnerabilities.
With a zero-day exploit, either there is no fix for the vulnerability yet, or the fix was just released and not everyone has patched their systems yet.
Clickjacking
Clickjacking is tricking a user into clicking a link other than the one they initially intended to click.
It may redirect the user to a malicious site.
URL Hijacking (Typosquatting)
URL hijacking, or typosquatting, is an attack that relies on typographical errors made by users when entering a web address in a browser.
Driver Manipulation
Driver manipulation is when an attacker manages to sneak malicious code into a "legitimate" device driver.
The user thinks they are installing a driver for a device, but the driver actually contains a malicious payload that can compromise the system.
Spoofing
Spoofing is claiming to be something you are not.
MAC spoofing is a technique for changing the factory-assigned MAC address of a network interface on a networked device in order to deceive certain security controls.
Similarly, IP spoofing, also known as IP address forgery or host file hijack, is a hijacking technique in which an attacker masquerades as a trusted host to conceal their identity, spoof a website, hijack browsers, or gain access to a network.