Attack Vectors

From sheep
Jump to navigation Jump to search

References http://java.boot.by/scea5-guide/ch08s03.html


Input Validation

  • data type
  • format
  • length
  • range
  • nulls
  • special characters e.g. [ % * | '
    • square brackets special in sql server?

Output sanitation

  • prevent special tags being output by user generated content
  • change content
  • malicious scripts
  • screen this on input?

Buffer overflow

  • typically attack on input parameters
  • may also target output sanitisation, data injection

Data Injection

  • inject malicious code along with normal user data
  • pop up windows - window injection
    • hijack pop up window from a second site
  • data passed to DB - sql injection
  • prevent with input validation
    • input, query strings, cookies - sever side validation

XSS Cross site scripting

  • links or scripts included in user generated content
  • javascript, vbscript, activex, html, flash
  • gathers data from other users
  • steel accounts, change privileges, steel information, poison content

Improper error handling

  • disclosure of errors on failure
  • information leaked can be used to generate an attack
  • display user friendly messages
    • e.g. unique reference that can be looked up in logs
  • don't display stack trace or internal details of error

Insecure data transfer/storage

  • use cryptographic techniques for sensitive data
  • prevents eves dropping
  • prevent tampering

Weak session identifiers

  • session identifiers before authorised
  • session identifier passed over insecure channels
  • failure to validate the session identifier
  • failure to expire session

Weak security tokens

  • poor passwords - guessable
  • echoing back passwords e.g. in cookie without proper encryption
  • use strong/multifactor authentication
    • digital certificates, biometrics, smart cards
  • validate passwords

Weak password exploits

  • weaknesses: guessable, captured from keystrokes, password cracking tools
  • most common security issue
  • see above - weak security tokens

Weak encryption

  • faster computers => algorithms/key lengths becoming viable to brute force attacks
  • weaknesses in algorithms discovered e.g. MD5
  • use longer key lengths - approved algorithms e.g. AES, SHA

Session theft

  • steeling/snooping/reusing/guessing sessionid/session cookie
  • invalidate session after use
  • encrypt session information
    • use secure channel SSL/TLS

Insecure configuration

  • particularly web tier
  • certificate configuraion/encryption settings
  • default/debugging accounts
  • unnecessary/insecure plugins/options
  • unnecessary ports
  • authentication configuration
  • credential management

Broken access control

  • ability to view source
  • restricted files
  • configuration data
  • penetration test

Policy failures

  • organisations policy must have all required rules
  • rules must not conflict - appropriate qualification
  • issues for design

Audit and Loggin

  • Key to non-repudiation
  • Required to diagnose/foil attacks
  • required to resolve bugs/race conditions
  • Should be secured and restricted access

DOS DDOS (distributed) denial of service

  • impact logging
  • router filtering
  • fault tolerant redundant servers
  • host name verification
  • secure pipe, intercepting web agent, intercepting validator patterns

MITM man in the middle

  • SSL/TLS IPSEC or secure pipe pattern

Multiple sign on

  • user has to log in multiple times
  • possible to exploit multiple simultaneous sessions/ loss of productivity forcing logout from each application
  • use SSO to resolve

Deployment problems

  • review and test infrastructure security policies
  • verify application policies consistent with infrastructure policies

Code quality

  • coding review
  • secure code scanning