Web Attack Investigation on Windows-Based Servers
Each type of attack leaves its own indications. For example, in a denial of service (DoS) attack, customers are denied access to the information or services offered by the website. In such cases, customers report that the online services are unavailable because the attacker is preventing legitimate users from reaching the websites, email accounts, and other services that depend on the victim's server.
Another indication of a web attack is the redirection of a web page to an unknown website (a redirection attack, commonly observed when an exploit kit has been planted on the web application). When a user types the URL in the address bar, he or she cannot reach the requested site; instead, the server redirects the browser to some unknown site.
Unusually slow network performance and frequent rebooting of the server are also indications of a web attack, as are anomalies in the log files. Unexpected password changes and the creation of new user accounts likewise reveal attack attempts. Other indications include unusual error responses: a run of HTTP 500 (internal server error) responses to requests carrying manipulated parameters often accompanies a SQL injection attack, because malformed injected queries make the database layer fail. Messages such as "an internal server error" or "a problem processing your request" returned to clients may also point to a web attack. None of these signs is proof on its own; each should be confirmed against the web server and application logs.
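The log-based indicators above can be checked mechanically. The following Python script is an added example, not code from the original article or from any Windows or IIS tool: it parses an IIS W3C extended log, URL-decodes each request, and flags the patterns discussed here (SQL injection syntax in the query string, directory traversal sequences, known scanner user agents, and a run of HTTP 5xx responses from a single client). The log lines, IP addresses, user agents and the 5xx threshold are all constructed for the example.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote, unquote_plus

# Constructed IIS W3C extended log (not from a real server). IIS writes the
# #Fields: header once per file; every request line follows that field order,
# and spaces inside values are written as '+'.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2024-05-01 10:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2024-05-01 10:00:01 10.0.0.5 GET /index.html - 443 - 198.51.100.7 Mozilla/5.0 - 200 0 0 15
2024-05-01 10:00:02 10.0.0.5 POST /login.aspx - 443 - 198.51.100.7 Mozilla/5.0 - 302 0 0 20
2024-05-01 10:00:03 10.0.0.5 GET /products.aspx id=1 443 - 203.0.113.9 sqlmap/1.7 - 200 0 0 40
2024-05-01 10:00:04 10.0.0.5 GET /products.aspx id=1%27+OR+%271%27%3D%271 443 - 203.0.113.9 sqlmap/1.7 - 500 0 0 60
2024-05-01 10:00:05 10.0.0.5 GET /products.aspx id=1+UNION+SELECT+username,password+FROM+users-- 443 - 203.0.113.9 sqlmap/1.7 - 500 0 0 55
2024-05-01 10:00:06 10.0.0.5 GET /static/..%2f..%2fweb.config - 443 - 203.0.113.9 curl/8.0 - 404 0 2 5
2024-05-01 10:00:07 10.0.0.5 GET /about.aspx - 443 - 192.0.2.44 Mozilla/5.0 - 200 0 0 12
"""

# Patterns applied to the URL-decoded request; each maps to a threat discussed on this page.
SIGNATURES = {
    "sqli": re.compile(r"(?i)(\bunion\b.+\bselect\b|'\s*or\s*'?\w|--\s*$|;\s*(drop|exec|insert)\b)"),
    "traversal": re.compile(r"\.\.[/\\]"),
}
# Well-known scanner user agents (an assumption-free but far from complete list).
SCANNER_UA = re.compile(r"(?i)(sqlmap|nikto|acunetix|nessus)")


def parse_iis_log(text):
    """Yield one dict per request line, keyed by the names in the #Fields: header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]
            continue
        if fields is None:
            continue                      # request line before any header: cannot interpret
        values = line.split(" ")
        if len(values) != len(fields):
            continue                      # malformed line; a real tool would report it
        yield dict(zip(fields, values))


def triage(text, error_threshold=2):
    """Return {client IP: [reasons]} for every client that shows at least one indicator."""
    findings = defaultdict(list)
    errors_by_ip = Counter()
    for rec in parse_iis_log(text):
        ip = rec["c-ip"]
        query = "" if rec["cs-uri-query"] == "-" else rec["cs-uri-query"]
        # Decode before matching: attackers encode quotes, spaces and slashes.
        decoded = unquote(rec["cs-uri-stem"]) + "?" + unquote_plus(query)
        for name, pattern in SIGNATURES.items():
            if pattern.search(decoded):
                findings[ip].append(f"{name}: {rec['cs-method']} {decoded}")
        if SCANNER_UA.search(rec["cs(User-Agent)"]):
            findings[ip].append(f"scanner user agent: {rec['cs(User-Agent)']}")
        if rec["sc-status"].startswith("5"):
            errors_by_ip[ip] += 1
    # A burst of server errors from one client is the HTTP 500 indicator described above.
    for ip, count in errors_by_ip.items():
        if count >= error_threshold:
            findings[ip].append(f"{count} HTTP 5xx responses (possible injection probing)")
    return dict(findings)


if __name__ == "__main__":
    for ip, reasons in triage(SAMPLE_LOG).items():
        print(ip)
        for reason in reasons:
            print("   ", reason)
```

On a live server the same function would be pointed at the files under the IIS log directory; the decode-then-match order matters, since `%27` and `%2f` in the raw line would otherwise slip past the patterns.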
Web Application Threats – 1
Most security breaches occur in web applications rather than in the servers that host them, because applications often contain insecure code (bugs introduced by improper coding during development). As a result, web applications are exposed to many types of threats, some of which are described below:
- Buffer Overflow: A buffer overflow vulnerability occurs when a web application (or a native component it relies on) fails to bound-check writes to a buffer and allows data to be written beyond the buffer's allocated size, overwriting adjacent memory locations. Variants include stack and heap buffer overflows; format string attacks are a closely related memory-corruption flaw. The purpose of these attacks is to corrupt the execution stack or heap so that the attacker gains control of the program's execution.
- Cookie Poisoning: Cookie poisoning refers to the modification of a cookie to bypass security measures or gain unauthorized information. Because the client controls the cookie, an attacker can alter values stored in it (a user ID, a role flag, a cart total) and bypass the authentication or authorization checks that trust those values. Once attackers can forge a cookie in this way, they can act as another user, use the application for further malicious activity, or steal information from users' systems.
- Insecure Storage: Web applications generally store sensitive information, such as account records, credit card numbers, passwords or other authentication data, either in a database or on a file system. If developers make mistakes when implementing encryption, or ignore the security of some parts of the application, this sensitive information is at risk. Insecure storage of such data can allow an attacker to gain access to the web application as a legitimate user. Hence, forensic investigators need to understand how the application stores its data.
- Information Leakage: Information leakage refers to a weakness in a web application that unintentionally reveals sensitive information to an unauthorized user. Such leakage can cause great losses to a company. Hence, the company needs to employ proper content filtering mechanisms to protect all of its information sources (such as systems or other network resources) from information leakage.
- Improper Error Handling: This threat arises when a web application does not handle internal errors properly. In such cases, the site returns internal details, such as database dumps, stack traces, and error codes, to the client as part of the error page.
- Broken Account Management: This refers to vulnerable account management functions, including account update, recovery of a forgotten or lost password, password reset, and similar functions, any of which can undermine an otherwise valid authentication scheme.
- Directory Traversal: When attackers exploit directory traversal over HTTP (for example with ../ sequences or their URL-encoded forms in a path parameter), they gain access to directories they are not authorized to read. The attackers may then read files or execute commands outside the web server's root directory.
- SQL Injection: In this type of attack, the attacker supplies SQL syntax in input data that the application concatenates into a query, so that the database executes the attacker's commands. The attacker is then able to read or tamper with the data.
- Parameter/Form Tampering: This type of tampering attack manipulates the parameters exchanged between client and server in order to change application data, such as user IDs and passwords, event log entries, or the cost and quantity of products. To improve the functionality and control of the application, the system stores such information in hidden form fields, cookies or URL query strings, all of which the client can alter. An attacker typically does this from a man-in-the-middle position with an intercepting proxy; WebScarab and Paros Proxy are tools used for these attacks.
- Denial of Service (DoS): A DoS attack aims to halt the operation of a website or server by making its resources unavailable to clients. For example, a banking or email website may be unable to function for a few hours or even days, resulting in a loss of both time and money.
- Log Tampering: Web applications maintain logs to track usage patterns, such as administrator and user login activity. Attackers inject, delete or alter entries in the web application logs to hide their activity or their identity.
- Unvalidated Input: In order to bypass the security system, attackers tamper with the URL, HTTP requests, headers, hidden fields, form fields, query strings, etc. User login IDs and other related data stored in cookies become a further source of attack when the application trusts them without validation. Examples of attacks that exploit unvalidated input include SQL injection, cross-site scripting (XSS), and buffer overflows.
- Cross Site Scripting: The attacker injects malicious script into input fields whose contents the application later renders into web pages without encoding. The script then runs in other users' browsers with the privileges of the site, where it can bypass client-side security mechanisms, steal session identifiers, or even rewrite the HTML content of the page.
- Injection Flaws: The attacker injects malicious code, commands or scripts into the inputs of a flawed web application in such a way that the application (or the interpreter behind it) treats the supplied input as part of the instructions to run, which in turn allows the attacker to extract sensitive information.
- Cross Site Request Forgery: In this attack, an authenticated user is made to perform actions on the web application that the attacker has chosen. Example: the user clicks a link sent through an email or chat, and the browser, still carrying a valid session cookie, submits the attacker's request to the application.
- Broken Access Control: Here the attacker identifies a flaw in the application's access control, bypasses the authorization checks that should restrict what an authenticated user can do, and goes on to compromise the application or network.
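The SQL Injection and Improper Error Handling items above are easiest to see side by side in code. The following Python example is added here and is not code from the original article: it builds a constructed in-memory SQLite user table, then runs the same injection payloads through a login function that concatenates input into the query and through one that binds parameters and suppresses driver errors. The table contents, the user name alice and the payloads are assumptions made for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed in-memory user table for the demonstration. Passwords are stored
    in plaintext only to keep the example short; a real application stores a salted
    hash (see Insecure Storage above)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse battery staple')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string formatting, so a quote in the input is parsed as SQL.
    Any database error propagates to the caller (and, in a real app, often to the page)."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_hardened(conn, username, password):
    """Uses bound parameters: the values travel separately from the SQL text, so they
    can never change its structure. Database errors are logged, not echoed to the client."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    try:
        row = conn.execute(sql, (username, password)).fetchone()
    except sqlite3.Error as exc:
        # Improper Error Handling: keep the driver's message on the server side.
        print("server log:", exc)
        return None
    return row[0] if row else None


# Payloads of the kind an investigator finds in the query strings of web logs.
PAYLOADS = [
    ("alice' --", "anything"),          # comments out the password check
    ("x' OR '1'='1", "x' OR '1'='1"),   # tautology makes the WHERE clause always true
    ("alice'", "x"),                    # unbalanced quote: database error leaks to caller
]


def demo():
    """Run every payload through both versions; return {username payload: (vulnerable, hardened)}."""
    conn = make_db()
    results = {}
    for user, pw in PAYLOADS:
        try:
            vuln = login_vulnerable(conn, user, pw)
        except sqlite3.Error as exc:
            vuln = f"error: {exc}"      # what an unhandled error would show the client
        results[user] = (vuln, login_hardened(conn, user, pw))
    return results


if __name__ == "__main__":
    for payload, (vuln, hard) in demo().items():
        print(f"{payload!r:22} vulnerable -> {vuln!r:45} hardened -> {hard!r}")
```

The third payload is the one that produces the HTTP 500 pattern described under the attack indicators: the vulnerable version raises on the unbalanced quote, and an application that does not catch it hands the database's message, and a 500 status, to the attacker.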
Web Application Threats – 2
Discussed below are a few more types of web application threats:
- Platform Exploits: Web developers build on specific application platforms, for instance Microsoft .NET, Java technologies, IBM WebSphere, etc. These platforms may contain vulnerabilities of their own, such as misconfiguration or bugs in the platform code, which act as attack vectors against every web application hosted on them.
- Insecure Direct Object References: When developers expose references to internal implementation objects, such as files, directories, database records or keys, directly in URLs or request parameters without checking that the requester is authorized for that particular object, the result is an insecure direct object reference. For example, if a bank account number is used as the primary key in a request, an attacker who simply changes that number can retrieve another customer's account.
- Insufficient Transport Layer Protection: Developers need to enforce SSL/TLS for authentication and for every request that carries a session. Without it, attackers can capture session cookies by monitoring network traffic, and phishing, account theft, and the creation of administrator accounts may follow once the cookies are obtained.
- SSL/TLS Downgrade Attack: Browsers of the time were susceptible to protocol downgrade attacks: an active man-in-the-middle (MITM) could simulate connection failures and force the browser to abandon its attempt to negotiate TLS 1.2 and fall back to SSL 3.0. At that point a cryptographic attack on the weaker protocol becomes possible (see the POODLE attack); the attacker does, however, need MITM access. Current browsers have disabled SSL 3.0 altogether and support the TLS_FALLBACK_SCSV signalling value (RFC 7507), which lets a server detect and refuse an insecure fallback.
- Failure to Restrict URL Access: An application often protects sensitive functionality merely by not displaying the links or URLs that lead to it. Failure to Restrict URL Access refers to the vulnerability where the web application does not also enforce access control on the URL itself. An attacker bypasses the site's navigation using techniques such as forced browsing (requesting the hidden URL directly) and gains unauthorized access to specific web pages or data files containing sensitive information.
- Insecure or Improper Cryptographic Storage: Sensitive data stored in a database should be properly encrypted. However, some algorithms and modes are weak or broken, so developers should use strong, current encryption methods when building secure applications. In addition, they must store the cryptographic keys securely and separately from the data, so that an attacker who obtains the database cannot also obtain the keys and decrypt it.
- Cookie Snooping: An attacker who can capture a user's cookies, for example with a proxy on the client's network path, decodes or cracks the credentials they carry. Once the attacker recovers these plaintext credentials, he or she logs into the system as a legitimate user and gains access to unauthorized information.
- Obfuscation Application: Obfuscation is a technique attackers use to create many variants of the same malicious payload (alternative encodings, equivalent syntax, inserted noise), making it difficult for signature-based security mechanisms, such as web application firewalls and intrusion detection systems, to detect it.
- Demilitarized Zone (DMZ) Protocol Attacks: The DMZ is a semi-trusted network zone that separates the untrusted Internet from the company's trusted internal network. An attacker who compromises a DMZ system that is permitted to speak other protocols to its neighbours can pivot from it to other DMZ hosts and to internal systems. This can further lead to:
– Web application and data compromise
– Website defacement
– Access to internal systems, including backups, databases and source code
- Security Management Exploits: Some attackers target security management systems, either on the network or at the application layer, in order to modify or disable security enforcement. An attacker who exploits security management can directly modify protection policies, delete existing policies, add new policies, and modify applications, system data, and resources.
- Authentication Hijacking: All web applications rely on information such as a user ID and password to identify users. Attackers try to capture those credentials using techniques such as sniffing and social engineering. Once they obtain the credentials, they perform various malicious acts, including session hijacking, service theft, and user impersonation.
- Network Access Attacks: Attacks at the network layer, for example against the server's exposed services or by flooding its network links, can severely affect a web application down to its basic level of service. They can also give the attacker levels of access that the standard HTTP application methods alone could never grant.
- Web Services Attacks: An attacker can reach the target web application by exploiting a vulnerable web service that the application integrates with. By injecting malicious input into a web service request, the attacker is able to disclose or modify application data.
- Hidden Manipulation: Attackers targeting e-commerce websites make heavy use of this type of attack. They manipulate the hidden form fields and change the data stored in them; for example, they replace the original price with one of their choosing and complete the transaction at that price. Many online stores have faced this sort of attack, which is why prices and totals must be recomputed on the server rather than trusted from the form.
- Unvalidated Redirects and Forwards: Attackers lure victims into clicking links that appear legitimate because they point at the trusted site, but whose redirect target is attacker-controlled and never validated by the application. Such redirects can lead to malware installation or trick victims into sharing passwords or other sensitive information. Unsafe forwards within the application can bypass access control, further resulting in:
– Session fixation attacks
– Security management exploits
– Failure to restrict URL access
– Malicious file execution
- Session Fixation Attack: This attack lets the attacker hijack a valid user session. Rather than stealing a session ID after the victim has logged in, the attacker fixes the ID in advance: the victim is tricked into accessing a genuine web server with an explicit session ID value that the attacker already knows, and once the victim authenticates under that ID, the attacker presents the same ID and is treated by the server as the victim.
The steps involved are as follows:
– The attacker visits the bank website and logs in using his credentials.
– The web server sets a session ID on the attacker’s machine.
– The attacker sends an email containing a link with a fixed session ID.
– The user clicks the link and is redirected to the bank website.
– The user logs in to the server using his credentials and the fixed session ID.
– The attacker logs into the server with the same session ID and is now treated by the server as the victim, without ever learning the victim's credentials.
- CAPTCHA Attacks: Implementing a Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA) prevents automated software from performing actions that degrade the quality of service of a system, whether through abuse or through resource exhaustion. CAPTCHAs aim to ensure that the users of an application are human and thereby help prevent unauthorized access and abuse. Each CAPTCHA implementation derives its strength from how difficult it makes segmentation, image preprocessing, and classification of the challenge for software. A CAPTCHA attack is an attempt to defeat that check automatically (or by outsourcing it to humans), restoring the attacker's ability to script the protected action.
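The six session fixation steps above can be walked through against a toy server to see exactly where the defence has to sit. The following Python example is added here and is not code from the original article: `BankServer` is a constructed, in-memory stand-in for the bank's session handling, the credential table `USERS` and both user names are assumptions made for the demonstration, and `run_fixation_scenario` replays the listed steps once against the vulnerable behaviour (the server adopts any session ID a client presents and keeps it across login) and once against the usual fixes (never adopt a client-chosen ID, and issue a fresh ID on authentication).

```python
import secrets

# Constructed credential table standing in for the bank's user store.
USERS = {"victim": "v-secret", "attacker": "a-secret"}


def check_password(username, password):
    return USERS.get(username) == password


class BankServer:
    """Toy session handling: maps session ID -> authenticated username (None = not logged in).

    rotate_on_login=False reproduces the vulnerable behaviour the six steps rely on.
    rotate_on_login=True applies the two fixes: reject client-chosen IDs and rotate on login.
    """

    def __init__(self, rotate_on_login):
        self.sessions = {}
        self.rotate_on_login = rotate_on_login

    def _issue(self, username=None):
        sid = secrets.token_hex(16)          # 128 bits from the OS CSPRNG
        self.sessions[sid] = username
        return sid

    def visit(self, presented_sid=None):
        """A browser arrives, possibly carrying a session ID from a link or cookie."""
        if presented_sid in self.sessions:
            return presented_sid
        if presented_sid is not None and not self.rotate_on_login:
            self.sessions[presented_sid] = None   # vulnerable: session adoption
            return presented_sid
        return self._issue()                      # fixed: the server alone chooses IDs

    def login(self, sid, username, password):
        """Authenticate; return the session ID the browser must use from now on."""
        if sid not in self.sessions or not check_password(username, password):
            return None
        if not self.rotate_on_login:
            self.sessions[sid] = username   # binds the user to the ID the attacker fixed
            return sid
        del self.sessions[sid]              # pre-login ID is dead, whoever else knew it
        return self._issue(username)

    def whoami(self, sid):
        return self.sessions.get(sid)


def run_fixation_scenario(rotate_on_login):
    """Walk the six steps listed above; return who the server believes the attacker is at step 6."""
    bank = BankServer(rotate_on_login)
    # Steps 1-2: the attacker logs in; the server sets a session ID on the attacker's machine.
    fixed_sid = bank.login(bank.visit(), "attacker", "a-secret")
    # Steps 3-4: the attacker mails a link carrying fixed_sid; the victim clicks it.
    victim_sid = bank.visit(presented_sid=fixed_sid)
    # Step 5: the victim logs in with their own credentials under that ID.
    bank.login(victim_sid, "victim", "v-secret")
    # Step 6: the attacker presents the ID they fixed.
    return bank.whoami(fixed_sid)


if __name__ == "__main__":
    print("vulnerable server, attacker is seen as:", run_fixation_scenario(False))
    print("rotating server,   attacker is seen as:", run_fixation_scenario(True))
```

Rotation on login is the decisive fix: even if a link manages to plant an ID in the victim's browser, that ID is discarded the moment the victim authenticates, so the attacker is left holding a dead session. Refusing client-chosen IDs closes the other half of the attack for servers that would otherwise create a session for any value they are handed.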
Investigating a Web Attack (Cont’d)
Web applications have become a primary means of information exchange and management in enterprises, government agencies, and elsewhere. Because of their wide usage, they have become primary targets for attackers. Information security professionals implement security measures to detect or prevent attacks, but those controls on their own do not establish how an attack was carried out or by whom, which leaves attackers free to attempt new attacks on the target. This is where forensic investigation helps mitigate the attacks occurring on the application.
Forensic investigators examine the affected application and trace the attack signatures. This helps reduce the number of attacks targeting the application and thereby improves its security.
The steps involved in an investigation of web attacks are discussed on the accompanying slide.
Investigating Web Attacks in Windows-Based Servers (Cont’d)
Microsoft Windows-based operating systems held 89.34% of the operating system market share according to www.netmarketshare.com at the time this material was written, which means that developers may prefer Windows-based servers for deploying web applications over other operating systems. Because of this wide usage, these operating systems, and the web applications hosted on them, are a primary target for attackers, who attempt to exploit vulnerabilities either in the Windows-based server itself or in the web applications in order to gain unauthorized access to their resources.
When an attack occurs on a web application, investigators examine the server hosting the application using some of the built-in tools and applications of Windows-based machines, as shown above.
This Blog Article is posted by
Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092
Contact us – www.info-savvy.com