Account Harvesting

Targets authentication process (when web app requests usernames and passwords).

Works against applications that behave differently under the following circumstances:

1. User types in an incorrect user ID
2. User types in a correct user ID with an incorrect password.

Brute Force Password Guessing

Session Stealing

Session IDs tie a browser session to a logged-in user.

• Today there are non-persistent session cookies.
• Older websites may have poor session tracking (e.g., stored in URL)

A malicious intruder, if they get your session ID, may be able to spoof that user and steal their session.

Tools:

• Paros Proxy
• OWASP ZAP Proxy
• WebScarab

Defenses:

• IPSec Authenticated headers to authenticate header information.
• HTTPS and E2EE to prevent eavesdropping.
• Large session ID space to prevent guessing and accidental collisions.
• Random session IDs.
• Dynamic session IDs (e.g., new ID for every page)

Cross Site Scripting XSS

Use web app to send malicious code to clients.

Two Types:

• Reflection: Injected code is immediately reflected off the server
• Stored: Injected code is stored on the server (e.g., in a forum post)

Defenses:

• Input validation
  • Use built-in methods (e.g., PHP’s htmlspecialchars, strip_tags)
• TODO

TODO I vaguely remember built-in methods being discouraged(?)

SQL Injection

Attacks agaisnt web apps with backend databases.

• This is a subset of code injection attacks.

Effective against interpretted languages (e.g., SQL, LDAP, Perl, PDP)

• Takes advantage of improperly validated user input.

When securing, look for pages that let the user submit data.

Command Injection

Take advantage of poorly sanitized input.

• e.g., passing user input into exec()

Evading Detection

Encoding