THE ANATOMY OF A WEB ATTACK

TYPE OF ATTACKS
Security measures are necessary to protect your data that may be subject to attacks. Unfortunately, there are several types of attacks that can be used to compromise your network.

POPULAR ATTACK VECTORS
As security vulnerabilities and motivations for attacks evolve, so do the attack vectors used to compromise your network.

PROTECTING YOUR ENVIRONMENT
Whether your data lives on-premises, cloud or hybrid infrastructures, security measures are necessary to protect your data from attacks.

Protection capabilities: Intrusion Detection & Analysis / Web Application / Log Collection

PING SWEEP
Popular attack vectors: METASPLOIT / KALI LINUX / NESSUS / NMAP / NIKTO
Protecting your environment: Secure HTTP Response Headers

VULNERABILITY SCANNING
Popular attack vectors: METASPLOIT / KALI LINUX / NESSUS / NMAP / NIKTO
Protecting your environment: Limit Privileges
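Scanner and sweep traffic is noisy, which is what the "Log Collection" and "Intrusion Detection & Analysis" capabilities above are meant to catch. The following is an added example, not code from the original infographic or from Alert Logic: it parses constructed web-server access-log lines and flags a source either by a scanner signature in its User-Agent (Nikto's default UA contains "Nikto"; the other markers are assumed) or by a burst of distinct 404 paths, the signature of a tool probing for files that do not exist.

```python
import re
from collections import defaultdict

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2015:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux)"
198.51.100.9 - - [10/Mar/2015:10:00:02 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 0 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None)"
198.51.100.9 - - [10/Mar/2015:10:00:02 +0000] "GET /admin/ HTTP/1.1" 404 0 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None)"
192.0.2.5 - - [10/Mar/2015:10:00:03 +0000] "GET /old/ HTTP/1.1" 404 0 "-" "curl/7.40.0"
192.0.2.5 - - [10/Mar/2015:10:00:03 +0000] "GET /setup/ HTTP/1.1" 404 0 "-" "curl/7.40.0"
192.0.2.5 - - [10/Mar/2015:10:00:04 +0000] "GET /test/ HTTP/1.1" 404 0 "-" "curl/7.40.0"
192.0.2.5 - - [10/Mar/2015:10:00:04 +0000] "GET /manager/ HTTP/1.1" 404 0 "-" "curl/7.40.0"
203.0.113.7 - - [10/Mar/2015:10:00:05 +0000] "GET /missing.png HTTP/1.1" 404 0 "-" "Mozilla/5.0 (X11; Linux)"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

# Substrings found in the default User-Agent of common scanners ("nikto" is real; the rest are assumed markers).
SCANNER_UA_MARKERS = ("nikto", "nessus", "sqlmap")

def parse_line(line):
    """Return the log fields as a dict, or None if the line is not in the expected format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_scanners(log_text, max_404=3):
    """Return {ip: [reasons]} for sources whose traffic looks like scanning or sweeping."""
    not_found = defaultdict(set)   # ip -> distinct paths that returned 404
    flagged = defaultdict(list)    # ip -> human-readable reasons
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ua = rec["ua"].lower()
        if any(marker in ua for marker in SCANNER_UA_MARKERS):
            reasons = flagged[rec["ip"]]
            if "scanner user-agent" not in reasons:
                reasons.append("scanner user-agent")
        if rec["status"] == "404":
            not_found[rec["ip"]].add(rec["path"])
    # A single client hitting many different non-existent paths is probing, not browsing.
    for ip, paths in not_found.items():
        if len(paths) >= max_404:
            flagged[ip].append(f"{len(paths)} distinct 404 paths")
    return dict(flagged)
```

Tune `max_404` to the site's normal error rate; the legitimate client 203.0.113.7 above has one 404 and is not flagged.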

SQL INJECTION
Popular attack vectors: HAVIJ / SQLMAP / SQL NINJA / BEEF
SQLi causes the database, or the source code calling the database, to confuse the [data context] with the ANSI SQL [execution context]. A query built directly from user input:
SELECT * FROM Users WHERE Username='$username' AND Password='$password'
Protecting your environment: Test & Sanitize All User Input
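The query above splices user input into the SQL text, which is exactly how data context turns into execution context. The following added example (not from the original infographic) reproduces that query against an in-memory SQLite table and places it beside a parameterized version; a username containing an apostrophe is enough to show the difference, because the spliced version hands the quote to the SQL parser while the bound version keeps it as data.

```python
import sqlite3

def setup_db():
    # Constructed in-memory table mirroring the page's Users(Username, Password) query.
    # Plaintext passwords only so the query matches the page; real systems store hashes.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Username TEXT, Password TEXT)")
    conn.execute("INSERT INTO Users VALUES ('alice', 'correct horse')")
    return conn

def login_vulnerable(conn, username, password):
    # The page's pattern: input becomes part of the statement text, so any quote
    # in the input leaves the data context and is parsed as SQL syntax.
    query = f"SELECT * FROM Users WHERE Username='{username}' AND Password='{password}'"
    return conn.execute(query).fetchone() is not None

def login_parameterized(conn, username, password):
    # Placeholders keep the input in the data context: the driver binds the values
    # after the statement is parsed, so they can never change its structure.
    query = "SELECT * FROM Users WHERE Username=? AND Password=?"
    return conn.execute(query, (username, password)).fetchone() is not None

def input_reached_parser(conn, username, password):
    """True if the vulnerable query failed to parse, i.e. the input was read as SQL, not data."""
    try:
        login_vulnerable(conn, username, password)
    except sqlite3.OperationalError:
        return True
    return False

if __name__ == "__main__":
    db = setup_db()
    print(login_parameterized(db, "alice", "correct horse"))  # True
    print(input_reached_parser(db, "o'brien", "x"))            # True: the apostrophe broke the statement
    print(login_parameterized(db, "o'brien", "x"))             # False: same input, treated as data
```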

CROSS SITE SCRIPTING
Popular attack vectors: OWASP XENOTIX / XSSSERVER
XSS causes the browser to execute user supplied input as code. The input breaks out of the [data context] and becomes [execution context]. Sites vulnerable to XSS are exploited through features such as the search engine, login forms and comment fields. There are three different types of attack vectors: Local, Non-Persistent, and Persistent.
Protecting your environment: Developers should use tools like XSS Me to test their sites for vulnerabilities.
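Testing finds XSS after the fact; output encoding prevents it. This added example (not part of the original infographic) renders a constructed comment and a search term both raw and escaped, showing the two contexts the infographic names, element body and attribute value, and ties in the "Secure HTTP Response Headers" row above with a header set that limits what injected markup can do if an escape is ever missed. The header values are the example's own choices, not a recommendation from the page.

```python
import html

# Constructed user input: a comment containing markup, and a search term with an attribute-closing quote.
SAMPLE_COMMENT = "Nice post <script>alert(1)</script>"
SAMPLE_SEARCH = 'shoes"><b>bold</b>'

def render_comment_vulnerable(comment):
    # Raw concatenation: tags in the comment leave the data context and become page structure.
    return f'<p class="comment">{comment}</p>'

def render_comment_safe(comment):
    # html.escape converts <, >, &, " and ' to entities, so the browser displays the text
    # instead of parsing it. Element-body context.
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'

def render_search_box_safe(term):
    # Attribute context: quote=True is what stops a double quote in the input from
    # closing the value attribute and starting new markup.
    return f'<input name="q" value="{html.escape(term, quote=True)}">'

def secure_headers():
    # Defence in depth: even if one template forgets to escape, these headers restrict
    # inline script execution, MIME sniffing and framing of the response.
    return {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
        "X-Content-Type-Options": "nosniff",
        "X-Frame-Options": "DENY",
    }

if __name__ == "__main__":
    print(render_comment_vulnerable(SAMPLE_COMMENT))  # script tag survives intact
    print(render_comment_safe(SAMPLE_COMMENT))        # &lt;script&gt; ... shown as text
    print(render_search_box_safe(SAMPLE_SEARCH))      # quote becomes &quot;, attribute stays closed
```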

RFI: REMOTE FILE INCLUSION
Popular attack vectors: FIMAP / DARKJUMPER
A file include built directly from request data:
$incfile = $_REQUEST["file"]; include($incfile.".");
Protecting your environment: Never use arbitrary input data in a literal file include request

Attack (definition): An attempt to damage, disrupt, or gain unauthorized access to a computer, computer system, or electronic communications network
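The PHP snippet above lets the request choose the include path outright. The usual fix is the one the infographic states: never pass arbitrary input to an include. This added example (not from the original infographic; the page-name allowlist, directory layout and file names are assumptions) shows that rule in Python: the request may only select a name from a fixed allowlist, and a realpath check confirms the resolved file still lies under the template directory, so URLs, absolute paths and traversal sequences are all rejected before any file is opened.

```python
import os
import tempfile

# Allowlist: the only page names a request may name, mapped to files under the template directory (assumed).
ALLOWED_PAGES = {"home": "home.html", "about": "about.html"}

def include_safe(template_dir, requested):
    """Return the contents of an allowlisted template; raise ValueError for anything else."""
    # 1. The request selects a key, never a path: URLs, "../", and raw filenames all fail here.
    filename = ALLOWED_PAGES.get(requested)
    if filename is None:
        raise ValueError(f"page not allowed: {requested!r}")
    # 2. Defence in depth: verify the resolved file is still inside template_dir
    #    (guards against a misconfigured allowlist entry or symlink).
    base = os.path.realpath(template_dir)
    target = os.path.realpath(os.path.join(base, filename))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("resolved path escapes the template directory")
    with open(target, encoding="utf-8") as f:
        return f.read()

def make_template_dir():
    # Constructed fixture: a temporary directory holding the two allowed pages.
    d = tempfile.mkdtemp()
    for name in ALLOWED_PAGES.values():
        with open(os.path.join(d, name), "w", encoding="utf-8") as f:
            f.write(f"<h1>{name}</h1>")
    return d

def safe_include_rejects(template_dir, requested):
    """True if include_safe refuses the request (used to show which inputs are blocked)."""
    try:
        include_safe(template_dir, requested)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    d = make_template_dir()
    print(include_safe(d, "home"))                                  # <h1>home.html</h1>
    print(safe_include_rejects(d, "http://example.net/remote.txt"))  # True: remote URL rejected
    print(safe_include_rejects(d, "../home"))                        # True: traversal rejected
```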

OWASP TOP 10 2013

1 INJECTION
Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.

2 BROKEN AUTHENTICATION & SESSION MANAGEMENT
Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users' identities.

3 CROSS-SITE SCRIPTING (XSS)
XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim's browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.

4 INSECURE DIRECT OBJECT REFERENCES
A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.

5 SECURITY MISCONFIGURATIONS
Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. Secure settings should be defined, implemented, and maintained, as defaults are often insecure. Additionally, software should be kept up to date.

6 SENSITIVE DATA EXPOSURE
Many web applications do not properly protect sensitive data, such as credit cards, tax IDs, and credentials. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data deserves extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with the browser.

7 MISSING FUNCTION LEVEL ACCESS CONTROL
Most web applications verify function level access rights before making that functionality visible in the UI. However, applications need to perform the same access control checks on the server when each function is accessed. If requests are not verified, attackers will be able to forge requests in order to access functionality without proper authorization.

8 CROSS-SITE REQUEST FORGERY (CSRF)
A CSRF attack forces a logged-on victim's browser to send a forged HTTP request, including the victim's session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim's browser to generate requests the vulnerable application thinks are legitimate requests from the victim.

9 USING COMPONENTS WITH KNOWN VULNERABILITIES
Components, such as libraries, frameworks, and other software modules, almost always run with full privileges. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications using components with known vulnerabilities may undermine application defenses and enable a range of possible attacks and impacts.

10 UNVALIDATED REDIRECTS AND FORWARDS
Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.

WEB APP ATTACKS MADE UP 35% OF ALL BREACHES IN 2013
Reported by Verizon's 2014 Investigations Report. Breakdown of breaches by pattern:
Web app attacks: 35%
Followed by Cyber-espionage: 22%
POS intrusions: 14%
Card Skimmers: 9%
Insider Misuse: 8%
Everything else: 6%
(category label not legible in the source): 4%
Misc. Errors: 2%
Physical Theft/Loss: < 1%

© COPYRIGHT 2015 ALERT LOGIC, INC. ALL RIGHTS RESERVED. WWW.ALERTLOGIC.COM