Identifying Different Types of Server Attacks

Different Types of Server Attacks

Identifying different types of server attacks allows you to understand how hackers target server-based applications, such as websites, in order to penetrate an organization.

Owing to their public nature and the fact that they take in data from users, web servers are exposed to several types of attacks:

  • Buffer overflow attacks
  • SQL injection attacks
  • Command injection attacks

Web Servers Explained

Although many applications make it easy to create web sites, they don’t always include security. This often results in many web sites being highly susceptible to attacks. Web servers, used to host sites for internal and external users, are often placed within a demilitarized zone (DMZ) to provide a layer of protection, as seen in the image below.

Figure: Layout of a typical secure network with a DMZ.

The two primary applications used for web servers are:

  • Apache: the most popular web server used on the Internet. It’s free and can run on Unix, Linux, and Windows systems.
  • Internet Information Services (IIS). IIS is a Microsoft web server, and it’s included free with any Windows Server product.

How Do Databases Work

A database is a structured set of data. It typically includes multiple tables, and each table holds multiple columns and rows. The endgame of most attacks is to reach information stored in databases. Applications use Structured Query Language (SQL) to communicate with databases in order to read, insert, update, and delete data. This means web sites use SQL statements to interact with a database, providing users with interactive, dynamic content.

Database Terms

  • Primary Key: As demonstrated in the diagram below, a primary key is an entry in a relational database that is unique for each record and is used to relate entities to one another.
  • Column: a column in a database table has a name and identifies the data type or attribute type allowed in the column. Columns are sometimes referred to as attributes.
  • Row: a row represents a record. Rows are sometimes called records or tuples.
  • Fields: individual elements in a database.
Figure: Sample database schema.
  • Normalization: reduction in redundant data by organizing the tables and columns to improve overall database performance. Although there are several normal forms, the first three are the most important.
    • First Normal Form criteria:
      • Each row within a table is unique and identified with a primary key. For example, the Author table has a primary key of AuthorID and each row within the table has a different and unique AuthorID, or a different primary key. Primary keys are shown in Figure 7.3 as small key icons. The primary key in the Book table is BookID. The BookAuthor has a composite primary key using two values: Book_BookID and Author_AuthorID.
      • Related data is contained in a separate table: The author information is contained in a different table. While it’s possible to create one single table to hold all the information, this creates multiple problems. First, you’d have to create several extra columns such as FirstName, LastName, and so on every time you added a book. Imagine Lisa Simpson writes five books. Each of her books in the book table would then need to include all of Lisa’s information. Entering the same information multiple times increases the chance for errors. If she moves to a new address, you need to change the address five times.
      • None of the columns include repeating groups: As an example, the Author table includes FirstName for the first name and LastName for the last name. If you combine these into a single column of name, it violates this rule. It also makes it more difficult to access only one part of the repeating group, such as the first name or the last name.
    • Second Normal Form: Only applies to tables that have a composite primary key, where two or more columns make up the full primary key. A database is in 2NF if it meets the following criteria:
      • It is in 1NF.
      • Non-primary key attributes are completely dependent on the composite primary key. If any column is dependent on only one column of the composite key, it is not in 2NF.
    • Third Normal Form: Third normal form (3NF) helps eliminate unnecessary redundancies within a database. A database is in 3NF if it meets the following criteria:
      • It is in 2NF. This implies it is also in 1NF.
      • All columns that aren’t primary keys are only dependent on the primary key. In other words, none of the columns in the table are dependent on non-primary key attributes.

Understanding SQL Queries

As SQL-based databases are a common attack vector, identifying different types of server attacks means understanding how SQL queries work, how to launch a SQL injection attack, and how to protect against SQL injection attacks.

When you enter a search term and press Enter on an SQL-based web application, the following occurs:

  • The web application creates an SQL query.
  • It sends the query to a database server.
  • It formats the results into a web page that it sends back to you.

Suppose a user selects the “Bikes” category and enters “Bianchi” on a sporting goods website. The result shows a list of bikes made by Bianchi available for sale. The query sent to the database from the web application might look like this:

SELECT * FROM Bikes WHERE Maker = 'Bianchi'

The “*” symbol functions as a wildcard and returns all columns in a table. Notice that the query includes the search term entered into the web page form and encloses the search term in single quotes. If the web site simply plugs the search term into the SELECT statement, surrounded by single quotes, it leaves the system highly susceptible to SQL injection attacks.

SQL Injection Attacks: the attacker enters additional data into the web page form to generate different SQL statements. SQL query languages use a semicolon (;) to indicate the end of the SQL line and use two dashes (--) as an ignored comment. With this knowledge, the attacker could enter different information into the web form like this:

Bianchi'; SELECT * FROM Customers;--

If the web application plugged this string of data directly into the SELECT statement surrounded by the same single quotes, it would look like this:

SELECT * FROM Bikes WHERE Maker = 'Bianchi';
SELECT * FROM Customers;
--'

This query breaks down as follows:

  • The first line retrieves data from the database, just as before. However, the semicolon signals the end of the line and the database accepts another command.
  • The next line reads all the data in the Customers table, which can give the attacker access to names, credit card data, and more.
  • The last line comments out the second single quote to prevent a SQL error.

An SQL injection attack often starts by sending improperly formatted SQL statements to the system to generate errors. If the application doesn’t include error-handling routines, these errors provide details about the type of database the application is using. Different databases format SQL statements slightly differently, but once the attacker learns the database brand, it’s a simple matter to format the SQL statements required by that brand. The attacker then follows with SQL statements to access the database, which may allow the attacker to read, modify, delete, and/or corrupt data. The defense against this is proper error handling to prevent the attacker from gaining information from these errors. Additionally, input validation and stored procedures reduce the risk of SQL injection attacks.

Many SQL injection attacks use the phrase ' or '1'='1' -- to create a true condition like this:

SELECT * FROM Customers WHERE name = '' or '1'='1' --'

This is a single SELECT statement, but the “or” clause causes it to behave as two separate SELECT statements:

SELECT * FROM Customers WHERE name = ''
SELECT * FROM Customers WHERE '1'='1'

The first clause probably doesn’t return any records because the table is unlikely to have any records with the name field empty. However, because the number 1 always equals the number 1, the WHERE clause in the second statement always equates to “True”, so the SELECT statement retrieves all records from the Customers table.

Protecting Against SQL Injection Attacks:

  • Input validation provides protection against SQL injection attacks; before using the data entered into a web form, the web application verifies that the data is valid.
  • Parameterized stored procedures: a stored procedure is a group of SQL statements that execute as a whole. It accepts data as an input called a “parameter” and functions as follows:
    • Instead of copying the user’s input directly into a SELECT statement, the input is passed to the stored procedure as a parameter.
    • The stored procedure performs data validation, but it also handles the parameter (the inputted data) differently and prevents a SQL injection attack.
    • Consider the previous example searching for a bike by a manufacturer where an attacker entered the following text:

Bianchi'; SELECT * From Customers;--

    • The web application passes this search string to a stored procedure. The stored procedure then uses the entire search string in a SELECT statement like this:

SELECT * From Bikes Where Maker = "Bianchi'; SELECT * From Customers;-- "

In this case, the text entered by the user is interpreted as harmless text rather than malicious SQL statements. It will look for bikes with a manufacturer name using all of this text: Bianchi'; SELECT * From Customers;-- Bikes don’t have names with SELECT statements embedded in them, so the query returns no results.

Depending on how well the database server is secured, SQL injection attacks may allow the attacker to access the structure of the database, all the data, and even modify data. 
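The difference between plugging the search term into the statement and passing it as a parameter, together with the input validation and error handling described above, as an added example that is not part of the original article. It uses Python's built-in sqlite3 module with a bound parameter standing in for the stored procedure's parameter; the sample rows, function names, and allow-list pattern are assumptions made for illustration.

```python
import re
import sqlite3

def make_db():
    # Constructed sample data; the Customers table name follows the article.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE Customers (name TEXT, card TEXT);
        INSERT INTO Customers VALUES ('Lisa', 'card-0001'), ('Bart', 'card-0002');
    """)
    return db

def lookup_vulnerable(db, name):
    # Weak: the input is pasted between the single quotes and parsed as SQL.
    query = "SELECT * FROM Customers WHERE name = '" + name + "'"
    return db.execute(query).fetchall()

def lookup_parameterized(db, name):
    # Hardened: the driver binds the input as data; it is never parsed as SQL.
    return db.execute("SELECT * FROM Customers WHERE name = ?", (name,)).fetchall()

# Assumed validation policy for this example: letters, spaces and hyphens only.
NAME_RE = re.compile(r"[A-Za-z][A-Za-z -]{0,39}")

def handle_lookup(db, name):
    # Validate first, bind second, and never return database error text.
    if not NAME_RE.fullmatch(name):
        return ("rejected", [])
    try:
        return ("ok", lookup_parameterized(db, name))
    except sqlite3.Error:
        return ("error", [])  # generic status; details belong in server logs

if __name__ == "__main__":
    db = make_db()
    payload = "' or '1'='1' --"  # the phrase quoted in the article
    print(lookup_vulnerable(db, payload))     # every customer row comes back
    print(lookup_parameterized(db, payload))  # no customer has that name
    print(handle_lookup(db, payload))         # stopped by validation
    print(handle_lookup(db, "Lisa"))
```

sqlite3's execute() accepts only one statement per call, so the stacked "; SELECT" form raises an error in this setup; the true-condition phrase is used here because it shows the same flaw within a single statement.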

Additional Server Attack Vectors

Attackers can inject operating system commands into an application using web page forms or text boxes; any web page that accepts input from users is a potential threat.

Directory traversal: a specific type of command injection attack that attempts to access a file by including the full directory path, or traversing the directory structure. Input validation can prevent these types of attacks.

Cross-Site Scripting (XSS): Attackers embed HTML/JavaScript code into a web site’s code that executes when the user visits the site. XSS attacks can be prevented by using input validation techniques, by avoiding any method that allows the web page to display untrusted data, and by using a security encoding library to sanitize HTML code.

Cross-Site Request Forgery (XSRF or CSRF):  An attack where an attacker tricks a user into performing an action on a web site. The attacker creates a specially crafted HTML link and the user performs the action without realizing it.  If a web site supports any action via an HTML link, an attack is possible. This includes making purchases, changing passwords, transferring money, and much more.  Defence methods include:

  • Not allowing these actions without users first logging on: The drawback to this approach is that authentication information is stored on a user’s system as either a cookie or in the web browser’s cache. Information used to log users on as soon as they visit a site can be used in an XSRF attack, allowing access to the user’s password.
  • Use dual authentication: Force the user to manually enter credentials prior to performing actions.
  • Expire cookies: Use short duration cookies, preventing automatic logon for the user.
  • Use XSRF tokens: A token is a large random number generated each time the form is displayed; the web page includes the token along with other form data when the user submits the form. The web application verifies that the token in the HTML request is the same as the token included in the web form. If the website receives a query with an incorrect token, it throws an error.
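The token check described in the last item, as an added example that is not part of the original article. The session dictionary, the csrf_token field name, and the handle_transfer handler are hypothetical stand-ins for whatever the web framework provides.

```python
import hmac
import secrets

def issue_token(session):
    # A large random value generated each time the form is displayed.
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token  # server-side copy
    return token                   # embedded in the form as a hidden field

def verify_token(session, submitted):
    # pop() makes each token valid for a single submission.
    expected = session.pop("csrf_token", None)
    if not expected or not isinstance(submitted, str):
        return False
    # Constant-time comparison of the stored and submitted tokens.
    return hmac.compare_digest(expected.encode(), submitted.encode())

def handle_transfer(session, form):
    # Hypothetical state-changing action guarded by the token check.
    if not verify_token(session, form.get("csrf_token")):
        return (403, "invalid request")
    return (200, "transfer to %s accepted" % form["to"])

if __name__ == "__main__":
    session = {}
    token = issue_token(session)
    # Legitimate submission: the form carries the token it was rendered with.
    print(handle_transfer(session, {"csrf_token": token, "to": "alice"}))
    # Forged request from another site: the browser sends the session cookie,
    # but the attacker's link cannot include the token.
    issue_token(session)
    print(handle_transfer(session, {"to": "mallory"}))
```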

Cybersecurity Frameworks

A framework is a structure used to provide a foundation for how to implement security in various systems. Frameworks generally break down into a number of categories:

  • Regulatory: based on relevant laws and regulations.
  • Non-regulatory: A non-regulatory framework is not required by any law but rather identifies common standards and best practices that organizations can follow.
  • National versus international: Some frameworks are used within a single country (and referred to as national frameworks), while others are used internationally.
  • Industry-specific: Some frameworks only apply to certain industries. 

Summary: Identifying Different Types of Server Attacks

  • Normalization is a process used to optimize databases. While there are several normal forms available, a database is considered normalized when it conforms to the first three normal forms.
  • Attackers use SQL injection attacks to pass queries to back-end databases through web servers. Many SQL injection attacks use the phrase ' or '1'='1' -- to trick the database server into providing information.
  • Cross-site scripting (XSS) attacks allow attackers to capture user information such as cookies. Input validation techniques at the server help prevent XSS attacks.
  • Cross-site request forgery (XSRF) scripting causes users to perform actions on web sites, such as making purchases, without their knowledge. In some cases, it allows an attacker to steal cookies and harvest passwords.
