Attack Patterns from Exploiting Software

Attack patterns are extremely useful in generating valid abuse cases. Exploiting Software includes the identification and description of the 48 attack patterns and 1 fragment listed here [Hoglund and McGraw 2004]. This is an incomplete list of attack patterns, which as a catalog of knowledge is in a nascent stage. For examples and stories corresponding to these attack patterns, see Exploiting Software. Don't forget that these attack patterns are described from the point of view of the attacker.

Make the Client Invisible
Talk directly with the server, masquerading as the client. Explore the input space.

Target Programs That Write to Privileged OS Resources
Look for programs that write to system directories or registry keys.

Use a User-Supplied Configuration File to Run Commands That Elevate Privilege
Configuration files are excellent targets since they control high-privilege programs. System-wide configuration files are particularly interesting.

Make Use of Configuration File Search Paths
Try to put a malicious config file in the search path ahead of the default config file.

Direct Access to Executable Files
Run programs with privilege. Look for such programs on Web servers especially.

Embedding Scripts within Scripts
Take advantage of the hundreds of languages, compilers, and interpreters (as well as backwards compatibility constraints) to slip through filters. Forgotten nooks and crannies are most interesting.

Leverage Executable Code in Nonexecutable Files
Inject code through a seemingly innocuous route and have a process load and execute the attack.

Argument Injection
When input filtering is poor or nonexistent, spin a shell and use it.

Command Delimiters
Use off-nominal characters (like semicolons) to string commands together.

Multiple Parsers and Double Escapes
Take advantage of several parser pass-throughs with double escapes.
User-Supplied Variable Passed to Filesystem Calls
Filesystem calls are a good attack site since user input is directly consumed. Pass in parameters.

Postfix NULL Terminator
Play with NULL and its various representations to break parsing.

Postfix, Null Terminate, and Backslash
Alternate representations of NULL can be used to bypass filters.

Relative Path Traversal
Take advantage of the current working directory to play relative path games.

Client-Controlled Environment Variables
Supply environment variables before authentication.

User-Supplied Global Variables (DEBUG=1, PHP Globals, and So Forth)
PHP has bad defaults. Try them.

Session ID, Resource ID, and Blind Trust
Change IDs in midstream, or otherwise guess IDs.

Analog In-Band Switching Signals (aka "Blue Boxing")
Play specific control commands across a normal link. When command and data lines are shared, this can be huge fun.

Attack Pattern Fragment: Manipulating Terminal Devices
Use shell commands to aim things at other terminals.

Simple Script Injection
Take advantage of stored data problems to inject scripts and pollute data.

Embedding Scripts in Nonscript Elements
Put scripts into HTML tags that are less obvious.

XSS in HTTP Headers
Play with HTTP headers.

HTTP Query Strings
Inject scripts into HTTP variables.

User-Controlled Filenames
Put HTML into filenames.

Passing Local Filenames to Functions That Expect a URL
Pass local filenames to functions that expect to consume a URL.

Meta-characters in E-mail Headers
E-mail headers are often consumed by client software. Try things.

Filesystem Function Injection, Content Based
Take advantage of headers in media files (and other files) to get elsewhere in the filesystem.

Client-Side Injection, Buffer Overflow
Aim buffer overflow attacks at clients through a malicious server.

Cause Web Server Misclassification
Take advantage of filename extension silliness.

Alternate Encoding of the Leading Ghost Characters
Use multiple encoding attacks to avoid filters.
Using Slashes in Alternate Encoding
Slash characters are interesting because they are related to the filesystem. Use both kinds of slashes.

Using Escaped Slashes in Alternate Encoding
Escape slashes to escape filtering.

Unicode Encoding
Unicode breaks filters.

UTF-8 Encoding
UTF-8 breaks filters.

URL Encoding
HEX breaks filters. URLs can be represented in many ways.

Alternative IP Addresses
Use alternate encodings for IP numbers.

Slashes and URL Encoding Combined
Combine encoding attacks.

Web Logs
Escape characters are translated before being placed in a log. Build fake entries.

Overflow Binary Resource Files
Modify sound, graphics, video, or font files (with a hex editor).

Overflow Variables and Tags
Take advantage of bad tag/variable parsing.

Overflow Symbolic Links
Try links to avoid access restrictions.

MIME Conversion
Play with conversion and translation issues.

HTTP Cookies
Use cookies as an attack vector.

Filter Failure through Buffer Overflow
Make a filter fail open.

Buffer Overflow with Environment Variables
Use environment variables as an attack vector.

Buffer Overflow in an API Call
Use API calls as an attack vector. Buffer overflows in libraries are very valuable.

Buffer Overflow in Local Command-Line Utilities
Use command-line programs as attack vectors.

Parameter Expansion
Parameter expansion can lead to buffer overflow.

String Format Overflow in syslog()
The syslog function is often misused.