2) Enter the URL in the Address Bar and Press Enter

Lab 3 Wednesday 3/9/2016 Page 1/6 MIS 4850 Systems Security Lab 3 Attacks | Firewalls Student Name:

Understanding Session Hijacking and XSS attacks

1) Start your Web browser 2) Enter the www.owasp.org URL In the Address bar and press Enter 3) Click the Attacks link on the left side of the main web page (Note: check under Reference) 4) Scroll down to the Pages in Category “Attacks” section 5) Scroll down to the letter S, and click on Session Hijacking attack. 6) Read the article in order to answer the following questions:

Question 1: What is a session token? (Choose all that apply). a) A key used to encrypt and decrypt messages being transmitted between a client and a server computer. b) A random number generated by the client computer and sent to the server computer during a TCP connection. c) A string of characters that the server generates and sends to the client after a successful client authentication. d) A string of characters that uniquely identify each of the many TCP connections that a network communication consists of. e) None of the above.

Question 2: Which of the following techniques can a session hijacker use in order to get the session token? (Choose all that apply). a) Using telephone social engineering to get a user reveals the session token. b) Predicting the session token based on prior knowledge about a communication taking place between a client and a server. c) Using sniffing techniques to intercept data being transmitted. d) Attacking the client using things like malicious JavaScript codes or Trojans. e) Performing a man-in-the-middle attack. f) All of the above.

Question 3: What is a cross-site scripting (XSS) attack? (Choose all that apply). a) A sort of attack that can be used to make two sites collide. b) A sort of attack that may be used to get information that could be used in a session hijacking. c) A sort of attack where the attacker sends a crafted link to the victim with a malicious JavaScript that could reveal a session token when executed. d) All of the above.

7) Scroll to the top of the page, and click the Home link in the Navigation section © Abdou Illia 08c446070f05ab869dffea3bd8c33848.doc 1 Lab 3 Wednesday 3/9/2016 Page 2/6 8) From the top-right side of the main page, click the Top Ten link 9) In the page that appears, scroll down to the Quick Download section, and click the OWASP Top 10 2013- wiki link. 10) Click the 2013 Top 10 List link 11) From the Top 10 2013 list of attacks, click A3 - Cross Site Scripting (XSS).

12) Read the article in order to answer the following questions:

Question 4. XSS attacks occur because some web applications are designed and developed in a way that input data are sent to web browsers or web servers T F without, first, being validated or escaped to prevent illegal or harmful input. Question 5. A successful XSS can lead to a hacker changing the front page of a website to something other than what was originally there, which is known as T F website defacement.

Question 6. Assessing a system’s vulnerability to XSS attacks shouldn’t include manually reviewing programs’ code and performing penetration testing. T F

Account Lockout attack 1) Scroll to the top of the page, and click the Home link in the Navigation section 2) Click the Attacks link on the left side of the main web page (Note: check under Reference) 3) Scroll down to the Pages in Category “Attack” section 4) Click on Account Lockout Attack. 5) Read the article in order to answer the following questions:

Answer the following two questions based on your understanding of that kind of attack and what you have learned in class about TCP/IP messages and how IP addresses are included in messages and requests that are exchanged between computers.

Question 7: It is possible that someone lockout your EIU email account? What do they need to in order to try to lockout the account? How can they get what they need? Explain in details.

Question 8: Is there a way for the IT staff in charge of the security of EIU network to locate the IP address of the computer used to attempt the account lockout attack? Can the IT staff pinpoint the location of the computer used? Explain in details.

Student Name:

Exhibit 1 Figure 1: Access Control List (ACL) for INGRESS Filtering at a border firewall Trusted network 60.47.3.1 60.47.3.5 Untruste Firewall d 60.47.3.2 60.47.3.9 network

1 If Source IP Address = 10.*.*.*, DENY [Private IP Address Range] 2 If Source IP Address = 172.16.*.* to 172.31.*.*, DENY [Private IP Address Range] 3 If Source IP Address = 192.168.*.*, DENY [Private IP Address Range] 4 If source IP address = 60.47.*.*, DENY [internal address range] 5 If TCP SYN=1 AND FIN=1, DENY [crafted attack packet] 6 If Destination IP Address = 60.47.3.9 AND TCP Destination Port = 80 or 443, PASS 7 If TCP SYN = 1 and ACK = 0, DENY [Attempt to open connection from the outside] 8 If TCP Destination Port = 20, DENY 9 If TCP Destination Port = 135 Through 139, DENY 10 If TCP destination port = 513, DENY [UNIX rlogin without password] 11 If UDP Destination Port = 69, DENY [Trivial FTP; no login necessary] 12 DENY ALL

The following questions are not related.

1. As the network administrator in charge of configuring the company’s firewall, you have to change the ACL in Figure 1 to add a rule that permits incoming requests to a particular computer (IP address 60.47.23.41) that hosts trivial file transfer service. (Note: the Appendix contains a list of TCP/UDP ports for common services). a. Write down the rule: _IF Dest IP Address = 60.47..23.41 AND Dest TCP port = 69, PASS b. Where should that rule be inserted? Why? _Anywhere between 5 and 7______

2. What would be the possible consequences of making the rule you created when answering Question 1 (above) the very first rule of the ACL? a. This may allow attackers spoofing internal IP addresses to succeed b. This may allow an attacker using IP spoofing with a Class A IP address in the private range to get to the corporate web server. c. This may allow an attacker using IP spoofing with a Class A IP address in the private range to get to target the DNS server. d. None of the above

The following questions do not refer to the exhibit above.

3. Create an ACL (i.e. write down the rules) for Ingress Filtering in a case where the only messages allowed are those coming from external web servers, external email servers, or external file transfer servers. (Note: the Appendix contains a list of TCP/UDP ports for common services).

IF Source TCP port = 80 or 443, PASS IF Source TCP port = 25 or 110, PASS IF Source TCP port = 20, 21 or 69, PASS DENY ALL

4. Create an ACL (i.e. write down the rules) for Egress Filtering in a case where the only messages allowed are those destined to external web servers, external email servers, or external file transfer servers. (Note: the Appendix contains a list of TCP/UDP ports for common services).

IF Destination TCP port = 80 or 443, PASS IF Destination TCP port = 25 or 110, PASS IF Destination TCP port = 20, 21 or 69, PASS DENY ALL

5. What does a firewall use to ensure that each packet is part of an established TCP (Transmission Control Protocol) session? a. a packet filter. b. a static filtering. c. a stateful filtering. d. a circuit level gateway.

6. Ingress filtering is used to filter packets... a. coming into the network from an external network b. going out of the network to an external network c. Both a. and b.

7. If a firewall is overloaded with more traffic than it can handle, what does it do with packets it cannot filter? a. It quarantines them. b. It drops them. c. It passes them without filtering. d. It passes them but copies them into the log file.

8. Static packet filter firewalls examine... a. headers (IP header, TCP header) b. application messages c. connections d. All of the above.

9. What type of firewall examines packets one at a time in isolation? a. static packet filtering firewall b. stateful packet filtering firewall c. both of the above.

10. In an ACL, I have two rules: A (to deny access to all mail servers) and B (to permit access to a particular mail server that will receive e-mail from the outside). Which rule will come first? a. A. b. B. c. It does not matter. d. Having these two rules is contradictory and should not be done.

11. Proxies are used to filter ______layer messages. a. application b. transport c. internet d. data link e. Both b. and c.

12. Which of the following are usually found in a DMZ? a. public web servers b. DNS servers c. All of the above. d. Neither a nor b

********************************************************************************************************** Appendix

Common TCP/UDP ports Port Primary Application Number Protocol 20 TCP FTP Data Traffic 21 TCP FTP Supervisory Connection. Passwords sent in the clear 22 TCP SSH (Secure Shell). Used for secure logins and file transfers (sftp) 23 TCP Telnet. Passwords sent in the clear 25 TCP Used for SMTP email transfer between email servers 53 TCP/UDP Domain Name System (DNS) 69 UDP Trivial File Transfer Protocol (TFTP). No login necessary 80 TCP Hypertext Transfer Protocol (HTTP). Used for transferring web pages b/w clients and non secure web servers. 110 TCP POP3 (Post Office Protocol Ver. 3). Used for retrieving emails b/w clients and mailservers 137-139 TCP NETBIOS service for P2P file sharing in older versions of Windows 443 TCP HTTP over SSL/TLS. Used for secured transfer of web pages b/w clients and web servers.