Information disclosure

An attacker usually observes and collects an abundance of information that the programmer left behind inadvertently or that the application discloses on its own. This kind of attack is not given as much attention because the programmer does not understand the attacker's mindset or how exactly the system will be broken. An information disclosure attack is considered very dangerous because an attacker can either use the information to exploit a vulnerability directly or use it against your application to exploit another loophole. It poses the following threats:

Disclose application files
Inspect contents and path of a file
Disclose information about a process and its allies
Information retrieval through monitoring
Inspect metadata of an assembly

COM and ActiveX attacks

ActiveX controls are activated on the computer when the user browses a website and installs particular applications, such as a media player, on the client machine. They are a way to extend browser functionality to accomplish actions that the browser cannot accomplish through HTML alone. Hence, it is recommended to test COM components and ActiveX controls so that other websites cannot use these controls in a malicious manner. Hackers have employed a number of interesting tactics to exploit ActiveX controls. The following tricks should be examined when testing ActiveX controls:

Bypass browser security settings
Server redirection
Namespace and behavior
Exception handlers
Return values

Managed code vulnerability

It is mandatory to include managed code assemblies in testing because they are always susceptible and could contain serious vulnerabilities in the form of SQL injection, buffer overflow, and XSS. Despite the latest version of the .NET Framework being available, many applications today are written using unmanaged code that runs directly on the system, which poses a huge threat because the system then has only limited protection against what happens when the application executes. An attacker usually looks for the following weaknesses in managed code assemblies in order to penetrate an application:

Look for unsafe blocks (buffer overflow attacks)
Look for PermitOnly and Deny used to sandbox code
Examine broad Asserts
Look for partially trusted callers
Examine poor exception handling
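Three of the items above can be checked directly from an assembly's metadata. The following is an added example (not code from the article): it loads an assembly and reports whether it allows partially trusted callers, which security rule set it declares, whether csc marked any module as unverifiable (the marker the compiler emits for /unsafe builds), and which methods take or return raw pointers. PermitOnly, Deny and Assert calls are method-body IL and need a decompiler or source review instead. The assembly path on the command line and the attribute names are the only assumptions.

```csharp
using System;
using System.Linq;
using System.Reflection;
using System.Security;

// Added example: metadata audit for the managed-code review items in the article.
// Assumption: the first command-line argument is the path of the assembly to audit;
// with no argument the program audits itself.
static class ManagedCodeAudit
{
    public static void Main(string[] args)
    {
        string path = args.Length > 0 ? args[0] : typeof(ManagedCodeAudit).Assembly.Location;
        Assembly asm = Assembly.LoadFrom(path);
        Console.WriteLine("Assembly: " + asm.FullName);

        // 1. Partially trusted callers: APTCA exposes every public entry point to
        //    low-trust code, so each one needs its own review.
        bool aptca = asm.IsDefined(typeof(AllowPartiallyTrustedCallersAttribute), false);
        Console.WriteLine("AllowPartiallyTrustedCallers: " + aptca);

        // 2. Security rule set: Level1 keeps the legacy LinkDemand model.
        var rules = asm.GetCustomAttribute<SecurityRulesAttribute>();
        Console.WriteLine("SecurityRules: " + (rules == null ? "(default)" : rules.RuleSet.ToString()));

        // 3. Unsafe blocks: the C# compiler stamps modules built with /unsafe as unverifiable.
        foreach (Module m in asm.GetModules())
        {
            bool unverifiable = m.IsDefined(typeof(UnverifiableCodeAttribute), false);
            Console.WriteLine("Module " + m.Name + " unverifiable (unsafe code): " + unverifiable);
        }

        // 4. Methods that handle raw pointers: the first place to look for a missing bounds check.
        foreach (Type t in SafeGetTypes(asm))
        {
            foreach (MethodInfo mi in t.GetMethods(BindingFlags.Instance | BindingFlags.Static |
                                                   BindingFlags.Public | BindingFlags.NonPublic |
                                                   BindingFlags.DeclaredOnly))
            {
                bool usesPointers = mi.ReturnType.IsPointer ||
                                    mi.GetParameters().Any(p => p.ParameterType.IsPointer);
                if (usesPointers)
                    Console.WriteLine("Pointer-typed method: " + t.FullName + "." + mi.Name);
            }
        }
    }

    // Some types may fail to load (missing dependencies); keep the ones that did.
    static Type[] SafeGetTypes(Assembly asm)
    {
        try { return asm.GetTypes(); }
        catch (ReflectionTypeLoadException e) { return e.Types.Where(t => t != null).ToArray(); }
    }
}
```

Run it against each assembly that ships with the application; an APTCA assembly with unverifiable modules and pointer-typed methods is the combination that deserves the most attention.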

HTML script injection attacks

HTML not only renders code on web pages but also assists hackers in exploiting that code. Attackers can plant a malicious script in a way that a programmer normally could not. HTML scripting attacks happen through cross-site scripting (client side) or persisted XSS (script injection). An XSS attack enables hackers to perform the following operations to access sensitive data and other information that is normally protected from exposure:

Object model access
Cookies access
Zone elevation
User data access
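The persisted (stored) XSS case reduces to one defect: an untrusted value spliced into markup without encoding. The following is an added example, not code from the article, showing the same comment renderer in its vulnerable and hardened forms, plus a crude check a tester can run over rendered output. The sample comment is constructed; WebUtility.HtmlEncode is the standard .NET encoder.

```csharp
using System;
using System.Net;
using System.Text;

// Added example: stored-XSS sink beside its hardened form.
static class CommentRenderer
{
    // Vulnerable: untrusted text is concatenated straight into HTML.
    public static string RenderUnsafe(string author, string comment)
    {
        return "<div class=\"comment\"><b>" + author + "</b>: " + comment + "</div>";
    }

    // Hardened: every untrusted value is HTML-encoded at the point of output.
    public static string RenderSafe(string author, string comment)
    {
        var sb = new StringBuilder();
        sb.Append("<div class=\"comment\"><b>")
          .Append(WebUtility.HtmlEncode(author))
          .Append("</b>: ")
          .Append(WebUtility.HtmlEncode(comment))
          .Append("</div>");
        return sb.ToString();
    }

    // Detection helper for test output: does a script element or inline handler survive unencoded?
    public static bool ContainsActiveContent(string html)
    {
        string h = html.ToLowerInvariant();
        return h.Contains("<script") || h.Contains("onerror=") || h.Contains("onload=") || h.Contains("javascript:");
    }

    public static void Main()
    {
        // Constructed sample: a stored comment carrying a script element.
        string author = "guest";
        string comment = "<script>alert(document.cookie)</script>";

        string unsafeHtml = RenderUnsafe(author, comment);
        string safeHtml = RenderSafe(author, comment);

        Console.WriteLine(unsafeHtml);
        Console.WriteLine(safeHtml);
        Console.WriteLine("unsafe render carries active content: " + ContainsActiveContent(unsafeHtml));
        Console.WriteLine("safe render carries active content:   " + ContainsActiveContent(safeHtml));
    }
}
```

The encoded output shows the comment text literally in the page (the angle brackets become &lt; and &gt;), which is exactly the behaviour a reviewer should expect to see when retesting a fixed page.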

Spoofing Attack

Targeting the application covertly on behalf of a third person while keeping one's own identity safe comes under a spoofing attack. As a result, spoofing can cause a decision made by the user to be based on fake information. Hackers fool programs into trusting incorrect information, or present information to a user through a program GUI in a misleading, deceptive way. Social engineering plays a significant role in executing a spoofing attack; it is the ability to gain private information by misleading the target. Here, the following attacks are considered spoofing:

Caller ID spoofing
URL redirection
Mail spoofing
Reformatting using control characters
IP address spoofing
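URL redirection and control-character reformatting are the two items in this list that a web application can defend against in code. The following is an added example (not from the article) of a redirect-target check: it accepts only site-relative paths and rejects the shapes that commonly slip past a naive "starts with /" test. It assumes the application only ever needs to redirect within its own site; the sample inputs are constructed.

```csharp
using System;

// Added example: validation for a user-supplied redirect target.
static class RedirectGuard
{
    public static bool IsSafeLocalRedirect(string target)
    {
        if (string.IsNullOrWhiteSpace(target)) return false;

        // Control characters (CR, LF, tab, NUL, ...) have no place in a redirect target;
        // they are the raw material for header splitting and for reformatting what the user sees.
        foreach (char c in target)
            if (char.IsControl(c)) return false;

        // Must be site-relative: exactly one leading forward slash.
        if (target[0] != '/') return false;

        // "//host/..." is protocol-relative and "/\host" is treated as "//host" by browsers.
        if (target.Length > 1 && (target[1] == '/' || target[1] == '\\')) return false;

        return true;
    }

    // Fall back to a fixed location rather than echoing a rejected target in an error page.
    public static string ResolveRedirect(string requested, string fallback)
    {
        return IsSafeLocalRedirect(requested) ? requested : fallback;
    }

    public static void Main()
    {
        // Constructed inputs: one legitimate path and several representative probes.
        string[] samples =
        {
            "/account/orders?id=7",
            "//evil.example/login",
            "/\\evil.example",
            "https://evil.example/",
            "/login\r\nSet-Cookie: x=1",
            ""
        };
        foreach (string s in samples)
        {
            string shown = s.Replace("\r", "\\r").Replace("\n", "\\n");
            Console.WriteLine("{0,-32} -> {1}", shown, ResolveRedirect(s, "/"));
        }
    }
}
```

When the application genuinely needs off-site redirects, replace the leading-slash rule with an allow-list of host names compared after parsing, not a substring match on the raw string.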

Format string attack

In the C/C++ or C# languages, format specifiers such as %d, %f and %s determine the output on the console through printf methods. So the goal of format string testing is to try to inject malicious input into the format specifiers of certain method calls.
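In C# the same class of bug appears with composite format strings ({0}, {1}) rather than printf specifiers: if user text becomes the format string, a placeholder in it pulls other arguments into the output, and a stray brace throws FormatException. The following is an added example, not code from the article, with the vulnerable and the fixed call side by side; the secret value is a constructed placeholder.

```csharp
using System;

// Added example: user-controlled composite format string beside the fixed form.
static class FormatStringDemo
{
    // Constructed stand-in for any sensitive value that happens to sit in the argument list.
    const string Secret = "db-password-placeholder";

    // Vulnerable: user text is part of the format string. "{1}" in the input exposes
    // the second argument; an unbalanced "{" makes string.Format throw.
    public static string GreetUnsafe(string userText)
    {
        return string.Format(userText + ", welcome {0}", "user", Secret);
    }

    // Fixed: the format string is a literal; user text only ever travels as an argument,
    // so braces in it are printed verbatim.
    public static string GreetSafe(string userText)
    {
        return string.Format("{0}, welcome {1}", userText, "user");
    }

    public static void Main()
    {
        // Constructed inputs a tester would send to a suspected format-string sink.
        string[] probes = { "Hello", "Hello {1}", "Hello {" };
        foreach (string p in probes)
        {
            try { Console.WriteLine("unsafe: " + GreetUnsafe(p)); }
            catch (FormatException e) { Console.WriteLine("unsafe: FormatException - " + e.Message); }
            Console.WriteLine("safe:   " + GreetSafe(p));
        }
    }
}
```

During code review, grep for string.Format, Console.WriteLine and logger calls whose first argument is not a string literal; those are the sinks this test targets.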

XML injection attack

XML is a universal data format that is understood and shared by almost all platforms. Applications use XML files as input to send data across the wire through an XML parser. The application then accesses the parsed version of the data. If the input is not parsed properly, the application will not be able to access it. Hence, the input is parsed first before being sent, but that input might expose security issues in the application consuming the XML. Here is a partial list of attacks that can happen due to a vulnerability in the XML data source file:

Directory traversal
Buffer overflow
Format string
HTML scripting
GUI spoofing
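Before any of the values in an XML document are trusted, the parser itself has to be configured so that the document cannot drive it. The following is an added example (not from the article) that parses one constructed document, which carries a DTD with nested entity declarations, with a permissive XmlReaderSettings and with a hardened one. The XmlReaderSettings properties are the standard System.Xml ones.

```csharp
using System;
using System.IO;
using System.Xml;

// Added example: weak versus hardened XmlReaderSettings for untrusted input.
static class XmlParsing
{
    // Constructed sample: an internal DTD whose entities expand tenfold at each level.
    const string SampleXml =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE order [\n" +
        "  <!ENTITY a \"aaaaaaaaaa\">\n" +
        "  <!ENTITY b \"&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;\">\n" +
        "]>\n" +
        "<order><customer>&b;</customer><qty>3</qty></order>";

    // Weak: DTDs are processed and external references are fetched by the default resolver.
    public static XmlReaderSettings WeakSettings()
    {
        return new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Parse,
            XmlResolver = new XmlUrlResolver()
        };
    }

    // Hardened: DTDs rejected outright, no resolver, and a cap on entity expansion
    // in case DTD support ever has to be re-enabled.
    public static XmlReaderSettings HardenedSettings()
    {
        return new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit,
            XmlResolver = null,
            MaxCharactersFromEntities = 1024
        };
    }

    // Returns the text of <customer>, or the parser's error message when the input is rejected.
    public static string ReadCustomer(string xml, XmlReaderSettings settings)
    {
        try
        {
            using (var reader = XmlReader.Create(new StringReader(xml), settings))
            {
                while (reader.Read())
                    if (reader.NodeType == XmlNodeType.Element && reader.Name == "customer")
                        return reader.ReadElementContentAsString();
            }
            return "(no customer element)";
        }
        catch (XmlException e)
        {
            return "rejected: " + e.Message;
        }
    }

    public static void Main()
    {
        string weak = ReadCustomer(SampleXml, WeakSettings());
        string hard = ReadCustomer(SampleXml, HardenedSettings());
        Console.WriteLine("weak:     " + weak.Length + " chars of customer text");
        Console.WriteLine("hardened: " + hard);
    }
}
```

With the weak settings the reader silently expands the entities to 100 characters; a deeper nesting turns that into a memory exhaustion problem, which is the DoS side of the list above. The hardened reader stops at the DOCTYPE. Values that survive parsing are still untrusted and need the same directory traversal, format string and HTML encoding checks as any other input.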

DoS attack

The objective of a DoS (Denial of Service) or DDoS (distributed DoS) attack is to prevent a system or user from accessing resources. It directs a huge amount of traffic toward the server, which eventually results in resources going down or out of service.

Canonicalization attacks

In a canonicalization attack, an attacker supplies data in various encoding schemes, characters, and delimiters in an attempt to cause the data to be interpreted incorrectly and to drive an application to make certain decisions based on those values.
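The defence is to reduce the input to one canonical form before making the decision. The following is an added example (not from the article) of a file-access check that decodes, normalizes and resolves a requested file name and only then tests whether it lies inside the permitted directory. The base directory and the sample inputs (plain, URL-encoded, double-encoded, mixed separators, embedded NUL) are constructed.

```csharp
using System;
using System.IO;

// Added example: canonicalize first, decide second.
static class CanonicalPath
{
    // Assumed base directory: a "public" folder under the working directory.
    public static readonly string BaseDir =
        Path.GetFullPath(Path.Combine(Directory.GetCurrentDirectory(), "public"));

    // Resolves 'requested' to a full path and requires it to stay under BaseDir.
    public static bool TryResolve(string requested, out string fullPath)
    {
        fullPath = null;
        if (string.IsNullOrEmpty(requested)) return false;

        // Decode until stable so that %252e%252e (double-encoded) also ends up as "..".
        string decoded = requested;
        for (int i = 0; i < 3; i++)
        {
            string next = Uri.UnescapeDataString(decoded);
            if (next == decoded) break;
            decoded = next;
        }

        // A NUL byte truncates the name in native APIs; reject rather than guess.
        if (decoded.IndexOf('\0') >= 0) return false;

        // Unify separators, then let the runtime collapse "." and ".." segments.
        decoded = decoded.Replace('\\', Path.DirectorySeparatorChar)
                         .Replace('/', Path.DirectorySeparatorChar);

        string candidate;
        try
        {
            candidate = Path.GetFullPath(Path.Combine(BaseDir, decoded));
        }
        catch (ArgumentException) { return false; }     // invalid path characters
        catch (NotSupportedException) { return false; } // e.g. a colon in a segment on Windows

        // Compare against the base directory plus a separator: "public2" must not match "public".
        string root = BaseDir.TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar;
        if (!candidate.StartsWith(root, StringComparison.OrdinalIgnoreCase)) return false;

        fullPath = candidate;
        return true;
    }

    public static void Main()
    {
        // Constructed requests: one legitimate, the rest variants of the same traversal attempt.
        string[] samples =
        {
            "logo.png", "img/../logo.png", "../web.config", "..%2f..%2fweb.config",
            "%252e%252e/web.config", "..\\..\\web.config", "logo.png%00.txt"
        };
        foreach (string s in samples)
        {
            string full;
            bool ok = TryResolve(s, out full);
            Console.WriteLine("{0,-28} -> {1}", s, ok ? full : "REJECTED");
        }
    }
}
```

The case-insensitive comparison matches Windows file-system semantics; on a case-sensitive file system use StringComparison.Ordinal so that two differently cased directories are not conflated.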

Buffer-Overflow Attack

A buffer overflow is caused when input is larger than the space allocated for it, so that it spills outside the allocated location into memory the program does not manage. This eventually leads to a program crash. A buffer overflow typically enables hackers to run whatever code they want in order to take control of the target computer. The overflow occurs when the program receives more data than it expects. There are many different kinds of such attacks:

Integer overflow
Stack overflow
Format string attack
Heap overrun
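In managed code the integer overflow and the unsafe-block overrun usually travel together: a wrapped size computation allocates a short buffer, and a pointer copy that trusts the caller's length writes past it. The following is an added example (not from the article) showing both defects beside their fixed forms. It assumes a project compiled with AllowUnsafeBlocks and a runtime that provides Span<T> (.NET Core 2.1 or later, or the System.Memory package); the buffer sizes are constructed.

```csharp
using System;

// Added example: integer overflow and unchecked copy beside their fixed forms.
static class BufferSafety
{
    // Vulnerable: the multiplication wraps silently in an unchecked context, so a huge
    // 'count' produces a small or negative size and therefore an undersized buffer.
    public static int RecordBytesUnchecked(int count, int recordSize)
    {
        return unchecked(count * recordSize);
    }

    // Fixed: 'checked' turns the wrap into an OverflowException the caller must handle.
    public static int RecordBytesChecked(int count, int recordSize)
    {
        return checked(count * recordSize);
    }

    // Vulnerable: the copy trusts 'length' and writes past 'dst' whenever the destination
    // is smaller. This is the unsafe block a reviewer is told to look for; it is shown
    // for comparison and is never called below.
    public static unsafe void CopyUnchecked(byte* src, byte* dst, int length)
    {
        for (int i = 0; i < length; i++) dst[i] = src[i];
    }

    // Fixed: Span<T> carries its own length, so an oversized source is rejected up front and
    // any index past the end throws instead of corrupting memory.
    public static int CopyChecked(ReadOnlySpan<byte> src, Span<byte> dst)
    {
        if (src.Length > dst.Length)
            throw new ArgumentException("input larger than destination buffer");
        src.CopyTo(dst);
        return src.Length;
    }

    public static void Main()
    {
        // Integer overflow: int.MaxValue records of 2 bytes each.
        try { Console.WriteLine("checked size: " + RecordBytesChecked(int.MaxValue, 2)); }
        catch (OverflowException) { Console.WriteLine("checked size: OverflowException (rejected)"); }
        Console.WriteLine("unchecked size: " + RecordBytesUnchecked(int.MaxValue, 2));

        // Constructed oversized input against a 16-byte destination.
        byte[] input = new byte[64];
        byte[] dest = new byte[16];
        try { CopyChecked(input, dest); }
        catch (ArgumentException e) { Console.WriteLine("copy: " + e.Message); }

        int copied = CopyChecked(new ReadOnlySpan<byte>(input, 0, 16), dest);
        Console.WriteLine("copy of first 16 bytes: " + copied + " bytes");
    }
}
```

Projects that want the checked behaviour everywhere can set CheckForOverflowUnderflow in the project file instead of wrapping individual expressions.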

Code disassembling

Hackers and penetration testers typically manipulate .NET managed assemblies through disassembling, in which the entire source code behind a DLL or EXE is retrieved in its original state. Malicious hackers can easily locate and reverse engineer the security restrictions by examining the recovered source code. Code disassembling can also be very beneficial for identifying inherent bugs in an application.

Weak permissions

Permissions limit who can access certain resources and what can be done to them. If a website or application is not protected and managed by proper permission sets in the form of ACLs, it is susceptible to attack. Securable objects are assets on a computer that a user can use, either directly or indirectly. Examples of securable objects that must be protected are:

Directories, registry and files
Network shares
Processes, Windows services, and threads
Active Directory components
COM objects
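For the first class of objects in this list, files and directories, the weak-permission check can be automated. The following is an added example (not from the article) that reads the ACL of a path and flags Allow entries granting write-class rights to broad groups. It is Windows-only (System.Security.AccessControl); the path comes from the command line and the list of "broad" groups is an assumption to adjust per environment.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

// Added example: ACL audit for a file or directory.
static class AclAudit
{
    // Assumed set of principals that should never hold write rights on application files.
    static readonly string[] BroadGroups =
        { "Everyone", "BUILTIN\\Users", "Authenticated Users", "ANONYMOUS LOGON" };

    // Rights that let a principal change content, permissions or ownership.
    static readonly FileSystemRights WriteClass =
        FileSystemRights.Write | FileSystemRights.WriteData | FileSystemRights.AppendData |
        FileSystemRights.Delete | FileSystemRights.ChangePermissions | FileSystemRights.TakeOwnership |
        FileSystemRights.Modify | FileSystemRights.FullControl;

    // Returns one line per weak entry; an empty list means no broad group has write-class access.
    public static List<string> FindWeakEntries(string path)
    {
        var weak = new List<string>();

        FileSystemSecurity security = Directory.Exists(path)
            ? (FileSystemSecurity)new DirectoryInfo(path).GetAccessControl()
            : new FileInfo(path).GetAccessControl();

        // Include inherited rules: the weak entry is usually inherited from a parent directory.
        AuthorizationRuleCollection rules = security.GetAccessRules(true, true, typeof(NTAccount));
        foreach (FileSystemAccessRule rule in rules)
        {
            if (rule.AccessControlType != AccessControlType.Allow) continue;
            if ((rule.FileSystemRights & WriteClass) == 0) continue;

            string who = rule.IdentityReference.Value;
            bool broad = Array.Exists(BroadGroups,
                g => who.EndsWith(g, StringComparison.OrdinalIgnoreCase));
            if (broad)
                weak.Add(who + ": " + rule.FileSystemRights + (rule.IsInherited ? " (inherited)" : ""));
        }
        return weak;
    }

    public static void Main(string[] args)
    {
        string path = args.Length > 0 ? args[0] : Directory.GetCurrentDirectory();
        Console.WriteLine("Auditing " + path);
        List<string> weak = FindWeakEntries(path);
        if (weak.Count == 0)
            Console.WriteLine("No broad group holds write-class rights.");
        foreach (string entry in weak)
            Console.WriteLine("WEAK  " + entry);
    }
}
```

The same pattern applies to registry keys through RegistryKey.GetAccessControl and RegistryRights, and to services through ServiceController plus the service's security descriptor.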

SQL injection attack

A SQL injection attack permits a malicious hacker to execute commands on your website through its connection to a database. The attacker's aim is to provide specially crafted data to the application so as to alter the behavior of the SQL commands the application intends to run. The attacker is more likely to succeed in such a covert operation against a website that runs with high privileges or lacks adequate safeguards in the source code, and can then manipulate the database. SQL vulnerabilities are extremely beneficial for hackers, regardless of the importance of the data in the database. The following consequences of SQL injection could be advantageous to an attacker:

Executing commands on the machine running the database
Tampering with data
Running SQL commands with elevated rights
Disclosing sensitive information
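The following is an added example (not from the article) of the same ADO.NET lookup written with string concatenation, the injectable form, and with a parameterized SqlCommand, the fixed form. The commands are built but never executed, so no database is required to see the difference; the connection string, table and column names are placeholders, and the probe input is constructed.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example: injectable query text beside a parameterized command.
static class OrderLookup
{
    // Vulnerable: user input becomes part of the SQL text, so a quote in it ends the literal
    // and whatever follows is parsed as SQL.
    public static SqlCommand BuildUnsafe(SqlConnection conn, string customerId)
    {
        string sql = "SELECT id, total FROM orders WHERE customer_id = '" + customerId + "'";
        return new SqlCommand(sql, conn);
    }

    // Fixed: the SQL text is constant; the value travels separately as a typed, length-limited
    // parameter and is never parsed as SQL.
    public static SqlCommand BuildSafe(SqlConnection conn, string customerId)
    {
        var cmd = new SqlCommand("SELECT id, total FROM orders WHERE customer_id = @customerId", conn);
        cmd.Parameters.Add("@customerId", SqlDbType.NVarChar, 64).Value = customerId;
        return cmd;
    }

    public static void Main()
    {
        // Constructed probe: the classic tautology test.
        string probe = "C123' OR '1'='1";

        using (var conn = new SqlConnection("Server=PLACEHOLDER;Database=PLACEHOLDER;Integrated Security=true"))
        {
            Console.WriteLine("unsafe text: " + BuildUnsafe(conn, probe).CommandText);

            SqlCommand safe = BuildSafe(conn, probe);
            Console.WriteLine("safe text:   " + safe.CommandText);
            Console.WriteLine("parameter:   " + safe.Parameters["@customerId"].Value);
        }
    }
}
```

The "elevated rights" item in the list is addressed outside the code: the login used in the connection string should hold only the SELECT, INSERT or UPDATE rights the application needs on the tables it uses, never db_owner or xp_cmdshell access, so that an injection that does slip through cannot reach the operating system.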

Summary

This article has described common penetration-testing scenarios for .NET Framework applications. We have discussed prominent vulnerabilities exploited by scripting, spoofing, reverse engineering, format string, buffer overflow, managed code and canonicalization attacks, as well as presented corresponding attack tools. We also gained an understanding of what kind of damage could happen when these attacks are exploited. Hence, this article will be helpful for penetration testing professionals to measure the level of security protection in an application.