Archive for the Vulnerabilities Category

Vulnerabilities by layer

Posted August 29, 2008 at 7:04 pm in Vulnerabilities | No Comments

This is a short list of network layers, loosely following the OSI model, and the vulnerabilities and attack vectors commonly associated with each. The mapping is approximate: some entries (SYN flooding, ARP poisoning, MAC flooding) straddle adjacent layers, so treat it as a checklist rather than a strict taxonomy.

Human: Social engineering, phishing, dumpster diving, shoulder surfing, scams, caller ID spoofing, poor policies

Application: Buffer overflows, XSS, malware (viruses, worms, trojans), code exploits, application attacks

Presentation: Cleartext extraction/sniffing, NetBIOS enumeration, protocol attacks

Session: Session hijacking, SYN flooding, password attacks

Transport: Port scans, DoS attacks, service manipulation, flag manipulation

Network: IP attacks, ARP poisoning, MAC flooding, ICMP attacks, routing attacks

Data Link: Sniffing, MAC spoofing, WEP attacks

Physical: Wiretapping, interception, hardware hacks, lock picking, physical access attacks

Cross-site Scripting (XSS)

Posted August 22, 2008 at 10:32 pm in Vulnerabilities | No Comments

Cross-site Scripting (XSS) is the most frequently reported high-risk web vulnerability. In recent years XSS has surpassed buffer overflows to become the most common class of publicly reported security vulnerability.

XSS is an injection flaw in the web application layer: the application echoes untrusted input into a page without encoding it, so attacker-supplied script runs in the victim's browser (the client side) with the privileges of the vulnerable site's origin. The payload is usually JavaScript, but anything the browser will execute can be injected, including HTML, VBScript, ActiveX controls and Adobe Flash objects. The idea is to make the client-side code of a web application execute in the manner desired by the malicious user. XSS is often used in conjunction with phishing and spear-phishing attacks, since the malicious link points at a legitimate, trusted site.

Because the injected code runs in the site's own origin, the attacker's script can read sensitive page content, session cookies (unless they are marked HttpOnly), and any other object the page can reach, and it can send requests as the logged-in user. The web server itself has not been compromised; it is made to serve that victim content other than what it was meant to serve.

XSS is often overlooked as a security vulnerability. As Web 2.0 and its successors push more application logic into the browser, this must change. Reasons why XSS vulnerabilities must receive attention include:

  • Identity theft
  • Accessing sensitive or restricted information
  • Gaining free access to otherwise paid-for content
  • Spying on user’s web browsing habits
  • Altering browser functionality
  • Public defamation of an individual or corporation
  • Web application defacement
  • Denial of Service attacks


ARP Cache Poisoning

Posted August 18, 2008 at 10:51 am in Vulnerabilities | No Comments

ARP is vulnerable because it trusts everyone. There is no authentication: when a device sends an ARP Request, whichever device answers is taken to be the correct one. ARP is so trusting that even if no ARP Request was sent, a device that receives an ARP Reply will still accept it and add it to, or overwrite an entry in, its ARP table (most stacks will update an existing entry this way, and many will create a new one as well).

This is an astounding statement when you truly think about it. An attacker can send forged ARP Replies to any device on the network and that device will believe them and update its ARP table. Suddenly a few devices on the network believe that one host is another, and network chaos ensues.

ARP poisoning is the building block for two attacks and is usually discussed alongside a third: Denial of Service (map the gateway's IP to a non-existent MAC and the victim's traffic goes nowhere), Man in the Middle (tell the victim that the gateway is at the attacker's MAC and tell the gateway the same about the victim, then forward traffic between them while reading or altering it), and MAC Flooding, a related attack that overflows the switch's CAM table so it falls back to repeating every frame out of every port, rather than poisoning hosts' caches.

ARP poisoning is done from within the network perimeter, which means it is local. ARP is not routed, so the attacker has to be in the same broadcast domain (the same segment or VLAN) as the victim, either physically or by first gaining access to a device that is. If an ARP attack is noticed, immediately suspect an insider or a compromised internal host.

You may use the following Windows command:

arp /?

and the following Linux/Unix command:

man arp

for more information about local ARP command use. On both platforms, arp -a prints the current cache, which is what you would inspect for a gateway IP that has suddenly changed MAC address or for two IPs sharing one MAC.

I would suggest observing a few ARP packets with Wireshark (display filter: arp) if you’re interested in actually seeing the make-up of these packets.
