2/15/14

Attack types on Internet Applications.

There are many types of attacks on Internet Applications.

These include:

* Deep Hide : 'protecting' a resource by placing it at an obscure, hard-to-reach location and relying on that location staying unknown instead of on access control (security through obscurity). It is not an attack in itself, but it is a weakness that can be exploited and used as one step of a larger attack: once the location leaks (a log, a referrer, a guessable name, a directory listing) there is nothing else in the way.

Examples:

- a file deeply hidden on a web server,
- a web page deeply hidden in the site structure,
- a RESTful web service endpoint deeply hidden.

Notes:

When served by a dynamic application, such resources can be activated and exposed only as needed, for example on a signal or at a given time for a short duration. That narrows the window of exposure but is still obscurity, not access control: whoever finds the resource while it is active gets it.

* Attack on Internet Application Form : Brute Force or Dictionary Attack, i.e. trying a large number of user / password combinations in a short time (a dictionary attack draws its candidates from a list of common passwords rather than from the whole key space).

Defenses to consider:

- Smarter or not, it can be countered by restricting each user to a maximum number of login attempts per given period, or with a tool such as a CAPTCHA, which requires some confirmation that a human being, not a script, is sending the requests to the Internet Application.
- Do not forget to at least warn users about the danger of choosing an easy-to-guess password (a dictionary attack tries exactly those first).
- Further measures such as logging the source IP address of each attempt give clues when investigating where such attempts come from. SSL/TLS with client certificates, or IPsec, can tighten this further: the attacker is then either identifiable (an authenticated secure connection is established), has to pay for accounts and/or relays to hide behind, or has to fall back on much heavier and more conspicuous hacking methods.

* Account Lockout Attack : an attack that deliberately triggers the defense above, locking the victim's account (a denial of service against the legitimate user) by submitting multiple failed login attempts on their behalf.

Defenses to consider:

- An appropriate number of allowed login attempts,
- An appropriate lockout duration (a short, temporary lock rather than a permanent one),
- CAPTCHA use,
- Locking by the source IP address of the failed attempts, instead of a global account lockout (problematic because IP addresses are dynamically assigned and the same user may change address),
- Taking proxy servers and NAT into account when locking by IP address (problematic because many legitimate users can share one address, so an IP lock can block all of them).
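As an added example (my own, not code from the cited source), the following Python sketch combines the defenses from the two sections above. Failed logins are counted per account, per source IP and per (account, IP) pair in a sliding window. A burst against one account only raises a CAPTCHA requirement for that account and a temporary lock on the offending (account, IP) pair, never a global lock, so an attacker cannot lock the real user out; a source that fails across many accounts is throttled on its own. All thresholds, the sample user "alice", the addresses and the SHA-256 password hash are assumptions for the example; a real deployment would use a slow salted KDF such as bcrypt or Argon2.

```python
import hashlib
import hmac
import logging
import time
from collections import defaultdict, deque

log = logging.getLogger("login")

# Policy values are assumptions for this example; tune them per application.
WINDOW_SECONDS = 15 * 60      # sliding window in which failures are counted
ACCOUNT_CAPTCHA_AFTER = 5     # failures on one account -> require CAPTCHA (no hard lock)
PAIR_LOCK_AFTER = 10          # failures on one (account, source IP) pair -> temporary lock
SOURCE_LOCK_AFTER = 50        # failures from one source IP, any account -> temporary lock
LOCK_SECONDS = 10 * 60


def _pwhash(password):
    # Stand-in for a slow, salted KDF (bcrypt/scrypt/argon2); kept dependency-free here.
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed sample user store: username -> password hash.
USERS = {"alice": _pwhash("correct horse battery staple")}


class LoginThrottle:
    def __init__(self, clock=time.monotonic):
        self.clock = clock                  # injectable so tests can move time forward
        self.failures = defaultdict(deque)  # key -> timestamps of recent failures
        self.locks = {}                     # key -> time at which the lock expires

    def _recent(self, key, now):
        dq = self.failures[key]
        while dq and now - dq[0] > WINDOW_SECONDS:
            dq.popleft()                    # drop failures older than the window
        return len(dq)

    def _locked(self, key, now):
        expiry = self.locks.get(key)
        if expiry is None:
            return False
        if now < expiry:
            return True
        del self.locks[key]                 # lock expired: forget it
        return False

    def check(self, username, ip):
        """Decide before the password is even looked at: 'allow', 'captcha' or 'locked'."""
        now = self.clock()
        if self._locked(("ip", ip), now) or self._locked(("pair", username, ip), now):
            return "locked"
        if self._recent(("account", username), now) >= ACCOUNT_CAPTCHA_AFTER:
            return "captcha"
        return "allow"

    def record_failure(self, username, ip):
        now = self.clock()
        log.warning("failed login user=%s ip=%s", username, ip)  # keep the IP for investigation
        for key in (("account", username), ("pair", username, ip), ("ip", ip)):
            self.failures[key].append(now)
        if self._recent(("pair", username, ip), now) >= PAIR_LOCK_AFTER:
            self.locks[("pair", username, ip)] = now + LOCK_SECONDS
        if self._recent(("ip", ip), now) >= SOURCE_LOCK_AFTER:
            self.locks[("ip", ip)] = now + LOCK_SECONDS

    def record_success(self, username, ip):
        # A genuine login proves the account owner is present; reset that account's counters.
        self.failures.pop(("account", username), None)
        self.failures.pop(("pair", username, ip), None)


def attempt_login(throttle, username, password, ip, captcha_solved=False):
    """Returns 'ok', 'bad_credentials', 'captcha_required' or 'locked'."""
    decision = throttle.check(username, ip)
    if decision == "locked":
        return "locked"
    if decision == "captcha" and not captcha_solved:
        return "captcha_required"
    # Hash even for unknown users so response time does not reveal which usernames exist.
    expected = USERS.get(username, _pwhash(""))
    if username in USERS and hmac.compare_digest(expected, _pwhash(password)):
        throttle.record_success(username, ip)
        return "ok"
    throttle.record_failure(username, ip)
    return "bad_credentials"
```

The point of keying the lock on the (account, IP) pair rather than on the account is visible when an attacker on one address hammers "alice": that pair gets locked, while alice logging in from her own address only has to pass a CAPTCHA. The per-IP counter catches the reverse case of one source spraying a few passwords across many accounts, which a per-account counter alone would never notice.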

* Web Parameter Tampering : sometimes Internet Application state is (unskillfully) stored on the client, in hidden form fields, cookies or URL parameters. Such data must be treated as untrusted, because the user can modify it before sending it back.

Defenses to consider:

- Do not store Internet Application state on the client if you do not have to; keep it server-side and hand out only an opaque session identifier.
- If you must store such data on the client, protect its integrity with a keyed message authentication code (for example HMAC with a server-side secret) and verify it on every request; encrypt it as well if it is confidential. A plain cryptographic hash such as MD5 is not encryption and does not prevent tampering, because the client can simply recompute the hash over modified data, and MD5 itself is no longer collision-resistant.
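As an added example (mine, not from the source), here is client-side state protected with an HMAC, placed next to an unkeyed-MD5 variant so the difference is visible: the HMAC token cannot be forged without the server key, whereas the MD5 token can be rewritten by anyone who can recompute MD5. The server key, the token layout and the shopping-cart state are assumptions for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Server-side secret; in production load it from a secret store and never send it to the client.
# Generated at import time here purely for the example.
SERVER_KEY = secrets.token_bytes(32)


def _b64e(b):
    return base64.urlsafe_b64encode(b).decode().rstrip("=")


def _b64d(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _canonical(state):
    # Deterministic serialisation so the same state always yields the same bytes (and tag).
    return json.dumps(state, sort_keys=True, separators=(",", ":")).encode()


def seal(state, key=SERVER_KEY):
    """Serialise state and append an HMAC-SHA256 tag; the result can go in a cookie or hidden field."""
    payload = _canonical(state)
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64e(payload) + "." + _b64e(tag)


def unseal(token, key=SERVER_KEY):
    """Verify the tag in constant time; return the state, or None if anything was altered."""
    try:
        payload_b64, tag_b64 = token.split(".", 1)
        payload, tag = _b64d(payload_b64), _b64d(tag_b64)
    except (ValueError, TypeError):
        return None                         # malformed token: treat as tampered
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(payload)


# --- The weak variant: an unkeyed hash, as in "at least MD5" ---

def seal_md5(state):
    payload = _canonical(state)
    return _b64e(payload) + "." + hashlib.md5(payload).hexdigest()


def unseal_md5(token):
    payload_b64, digest = token.split(".", 1)
    payload = _b64d(payload_b64)
    if hashlib.md5(payload).hexdigest() != digest:
        return None
    return json.loads(payload)


def tamper_md5(token, **changes):
    """What the client can do to the MD5 variant: decode, edit, recompute the hash. No key needed."""
    payload_b64, _ = token.split(".", 1)
    state = json.loads(_b64d(payload_b64))
    state.update(changes)
    return seal_md5(state)
```

Two details worth keeping even when the rest is adapted: the comparison uses `hmac.compare_digest` rather than `==` so the verification time does not depend on how many leading bytes of a forged tag happen to match, and the tag is over the canonical serialisation, so there is exactly one byte string per state and the server does not accept two encodings of the same data.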

* Path & Information Disclosure : triggering an execution error in an Internet Application can reveal its directory structure, file locations, software versions or other details that can be used to prepare an attack on it.

Defenses to consider:

- Turn off detailed error reporting to the user in the production environment; log the details server-side instead and return a generic error page,
- Check border cases (empty, missing, oversized or malformed input) so that unexpected input is rejected cleanly instead of crashing into an error path.
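As an added example (mine, not from the source), the following Python wrapper shows both defenses together: a request handler that validates its border cases up front, and a wrapper that logs the full traceback server-side under a reference id while the client only ever sees a generic message. The handler, the report directory and the message text are assumptions for the example; the directory is constructed so that it does not exist, which makes the file read fail realistically with a path in the exception text.

```python
import logging
import os
import tempfile
import traceback
import uuid

log = logging.getLogger("app")

# Constructed location that does not exist, so the handler below fails realistically.
REPORT_DIR = os.path.join(tempfile.gettempdir(), "reports-" + uuid.uuid4().hex)

GENERIC_ERROR = "Something went wrong. If the problem persists, quote reference {ref}."


def report_handler(request):
    """Sample handler with a border-case check; the file read still fails if the file is missing."""
    name = request.get("report", "")
    # Border case: empty names and path separators are rejected up front, not left to the OS.
    if not name or "/" in name or "\\" in name or ".." in name:
        raise ValueError("invalid report name")
    with open(os.path.join(REPORT_DIR, name + ".pdf"), "rb") as f:
        return f.read()


def safe_handle(handler, request, debug=False):
    """Run a handler and return (status, body).

    Exception text never reaches the client in production: it carries file paths,
    SQL fragments, library versions and similar reconnaissance material. The full
    traceback goes to the server log under a reference id the user can quote instead.
    """
    try:
        return 200, handler(request)
    except Exception:
        ref = uuid.uuid4().hex[:12]
        log.error("ref=%s\n%s", ref, traceback.format_exc())
        if debug:                   # development only: the same details, sent to the browser
            return 500, traceback.format_exc()
        return 500, GENERIC_ERROR.format(ref=ref)
```

The `debug` flag is the equivalent of a framework's "display errors" switch; the check a practitioner wants is that it is driven by deployment configuration and cannot be turned on by anything in the request.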


(TODO: finish).

Source: [22].
