Chapter 51 Β· Story

Application Attacks

Five formal security advisories from the Application Security Intelligence Unit β€” covering injection attacks, buffer overflows, privilege escalation, CSRF, and directory traversal. Each report follows the format used by real security operations teams.

CONTROLLED β€” INTERNAL DISTRIBUTION
ADVISORY ID:APPSEC-2024-001 CATEGORY:Injection Attacks β€” SQL Injection / Code Injection SEVERITY:CRITICAL AFFECTED SYSTEMS:Web applications and APIs that incorporate user input into database queries or executable code without proper sanitization

Advisory: Injection Attack Vulnerabilities in Web Applications

Executive Summary

Injection attacks represent the most persistent and widespread class of application vulnerability. They occur when an application passes unsanitized user-supplied input to an interpreter β€” a database engine, an HTML renderer, an LDAP directory, or any other backend processor β€” allowing the attacker to inject commands that the interpreter executes as legitimate instructions. This advisory covers the injection attack class broadly and SQL injection specifically, as it remains the dominant variant and the one most commonly tested on the Security+ examination.

Technical Analysis

A web application that constructs a database query by concatenating user input creates an exploitable condition. Consider a login form that builds the following query:

SELECT * FROM users WHERE username = '[input]' AND password = '[input]'

Under normal use, a user supplies their username and password. The application substitutes these values into the query string and sends it to the database. The database returns the matching user record and authentication succeeds.

An attacker supplying the following as the username field:

admin' --

causes the application to construct:

SELECT * FROM users WHERE username = 'admin' --' AND password = '...'

The double-dash (--) is the SQL comment operator. Everything after it is ignored. The password check is commented out. The query returns the admin user record and authentication succeeds β€” no password required. More advanced injections can enumerate the entire database schema, extract all rows from all tables, modify records, or in some database configurations execute operating system commands.

SQL is the most common injectable data type, but injection vulnerabilities exist across all interpreter types: HTML injection can deface pages or redirect users; LDAP injection can bypass directory authentication; XML injection can manipulate document structure or execute server-side includes.

Indicators of Compromise

IndicatorLocationSignificance
' OR '1'='1Web server access logs, form input valuesClassic SQL injection authentication bypass attempt
admin' --Authentication logs, access logsSQL comment-based authentication bypass
UNION SELECTApplication logs, WAF logsAttempt to enumerate columns and extract data via UNION-based injection
Unusual database error messages in HTTP responsesHTTP response bodiesVerbose error output reveals database schema to attacker; indicates unhandled exception from injected syntax
Abnormal query volumes from single IP or user accountDatabase query logsAutomated injection scanning tools generate high query rates

Recommended Mitigations

  • Parameterized queries (prepared statements): The primary and most effective defense. The query structure is defined with placeholders; user data is supplied separately as bound parameters. The database engine treats all bound parameters as literal data values, never as executable SQL. No matter what the user supplies, it cannot alter the query's structure.
  • Input validation: Validate that user input conforms to expected type, length, and format before passing it to any interpreter. Reject or escape input that fails validation. Treat as secondary defense β€” not a substitute for parameterized queries.
  • Least privilege database accounts: The application's database user should have only the permissions required for its function. A web application that only reads data should not have DELETE or DROP TABLE privileges. Limits the damage even if injection succeeds.
  • Web Application Firewall (WAF): Detects and blocks common injection patterns in HTTP requests. Useful as an additional layer, not a primary defense β€” sophisticated injection attacks can evade WAF rules.
CONTROLLED β€” TECHNICAL DISTRIBUTION
ADVISORY ID:APPSEC-2024-002 CATEGORY:Memory Safety β€” Buffer Overflow Vulnerability SEVERITY:CRITICAL AFFECTED SYSTEMS:Applications written in C, C++, or other languages without automatic memory bounds checking; particularly legacy and embedded systems

Advisory: Buffer Overflow Vulnerabilities β€” Discovery, Exploitation, and Mitigation

Executive Summary

Buffer overflow vulnerabilities arise when a program writes more data to a memory buffer than the buffer is sized to hold. The excess data overwrites adjacent memory regions, potentially corrupting program state or enabling the attacker to redirect execution flow. A successfully exploitable buffer overflow grants arbitrary code execution β€” the same capability class as the SMBv1 vulnerability used by WannaCry. This advisory covers the mechanics of buffer overflows, the conditions that make them exploitable, and the OS-level mitigations that reduce exploitability even when the underlying vulnerability exists.

Technical Analysis

Memory in a running application is organized into regions. A buffer is a contiguous block of memory allocated to hold a variable β€” for example, 64 bytes reserved for a username input field. Adjacent to that buffer in memory are other variables, saved register values, and return addresses used by the program's execution flow.

When an application accepts input without bounds checking β€” verifying that the input length does not exceed the buffer size β€” an attacker can supply 200 bytes to a 64-byte buffer. The first 64 bytes fill the buffer normally. The remaining 136 bytes overflow into adjacent memory, potentially overwriting the return address that the program's stack uses to determine where execution continues after a function call.

A craftable buffer overflow allows the attacker to overwrite that return address with an address of their choosing β€” typically pointing to attacker-controlled shellcode that was included in the overflow payload. When the function returns, execution jumps to the attacker's code.

This is not a simple exploit to construct. The attacker must determine the exact offset at which the return address sits in memory, the layout of surrounding variables, and the address to redirect execution to β€” all of which vary by application, OS version, and build. Crashes are common during development. A reliable, repeatable buffer overflow exploit β€” one that consistently achieves code execution without crashing the target β€” is a significant technical achievement and represents a powerful capability.

OS-Level Mitigations

MitigationMechanismWhat It Prevents
Data Execution Prevention (DEP)Marks memory regions as either executable (code) or non-executable (data). The CPU refuses to execute code in non-executable regions.Prevents shellcode injected into a data buffer from executing β€” even if the overflow redirects execution to attacker-controlled data, the CPU rejects execution of that data as code.
Address Space Layout Randomization (ASLR)Randomizes the base addresses of the stack, heap, and loaded libraries each time the application runs. Memory locations change on every execution.Prevents the attacker from hardcoding the target address to redirect execution to. An address that worked in testing will not be valid on the next run. Forces the attacker to guess or leak addresses dynamically.
Stack CanariesPlaces a known "canary" value before the return address on the stack. Before the function returns, the program checks whether the canary value has changed.Detects stack overwrites β€” if a buffer overflow has modified the canary, the program terminates before executing the corrupted return address.
Bounds Checking (developer)Application-level validation that input length does not exceed buffer size before writing to the buffer.Prevents the overflow from occurring in the first place β€” the root-cause fix.

Key Assessment Findings

  • Buffer overflow vulnerabilities that only crash the application are nuisances; those with reliable code execution capability are critical-severity issues requiring immediate remediation.
  • DEP and ASLR are defense-in-depth controls β€” they make exploitation significantly harder but are not guarantees. Advanced techniques (return-oriented programming, ASLR information leaks) can circumvent them. Patching the underlying vulnerability remains the primary remediation.
  • Many modern programming languages (Java, Python, Go, Rust) perform automatic bounds checking and are not susceptible to classic stack-based buffer overflows. Legacy C/C++ codebases remain the primary risk surface.
CONTROLLED β€” INTERNAL DISTRIBUTION
ADVISORY ID:APPSEC-2024-003 CATEGORY:Privilege Escalation β€” Vertical and Horizontal SEVERITY:CRITICAL CASE STUDY CVE:CVE-2023-29336 β€” Win32k Elevation of Privilege Vulnerability (May 2023) AFFECTED SYSTEMS:Windows Server 2008, 2008 R2, 2012, 2012 R2, 2016; Windows 10

Incident Analysis: Privilege Escalation Attacks β€” Vertical, Horizontal, and CVE-2023-29336

Incident Background

Privilege escalation is the process by which an attacker who has gained limited access to a system β€” typically as a low-privilege user β€” exploits a vulnerability, bug, or design flaw to obtain permissions beyond what their account was originally granted. It is a critical phase of most multi-stage attacks: initial access rarely provides the access level needed to accomplish the attacker's objectives. Privilege escalation bridges the gap between a foothold and full system control.

Privilege escalation was disclosed at the highest severity level (CVE-2023-29336, CVSS 7.8) in May 2023, affecting the Win32k kernel driver across multiple supported and end-of-life Windows versions. This advisory uses that CVE as a case study while covering the broader escalation attack class.

Attack Classification

TypeDirection of MovementExampleImpact
Vertical EscalationUpward β€” from lower to higher privilege levelStandard user account gains SYSTEM or Administrator privileges via CVE-2023-29336Full system control; ability to install software, modify system settings, access all files, disable security tools
Horizontal EscalationLateral β€” same privilege level, different accountUser A accesses User B's files, email, or session data without elevated privilegesUnauthorized access to another user's data and resources; often used for targeted data theft or impersonation

Case Study: CVE-2023-29336 β€” Win32k Elevation of Privilege

On May 9, 2023, Microsoft disclosed CVE-2023-29336 affecting the Win32k kernel driver β€” a core Windows component handling the graphical subsystem. The vulnerability allowed a locally authenticated attacker with standard user privileges to exploit a flaw in the driver to elevate to SYSTEM-level privileges.

SYSTEM privileges are the highest privilege level available in the Windows operating system β€” above Administrator. A process running as SYSTEM has unrestricted access to all resources, can modify any file, terminate any process, and disable security software. An attacker who escalates to SYSTEM on a Windows machine has effectively achieved complete control of that machine.

The attack pattern: an attacker first gains a low-privilege foothold (via phishing, a credential spray, or initial malware delivery), then executes a local exploit targeting CVE-2023-29336 to escalate from user-level to SYSTEM. Once at SYSTEM, they have the access needed to install persistent malware, extract credentials, and move laterally to other systems.

The vulnerability was already being actively exploited in the wild at the time of disclosure. The patch was available as part of the May 2023 Patch Tuesday release. Systems running affected Windows versions without this patch remained exploitable.

Recommended Mitigations

  • Patch immediately: Privilege escalation vulnerabilities are among the highest-priority patches. The window between disclosure and active exploitation is often days, not weeks. CVE-2023-29336 was exploited in the wild at time of disclosure.
  • Updated anti-malware with current signatures: Known privilege escalation exploits have signatures; updated endpoint protection can detect and block their execution.
  • Data Execution Prevention (DEP): Prevents code injected into non-executable memory regions from running; blocks some exploitation paths for memory-corruption-based escalation.
  • Address Space Layout Randomization (ASLR): Randomizes memory addresses at each execution, making it significantly harder for exploits to target specific kernel addresses; effective against predictable memory address assumptions in escalation exploits.
  • Principle of least privilege: Limit user accounts to the minimum required permissions. An attacker who escalates from user to admin on a standard user account has less initial access than one starting from a service account with broad rights.
CONTROLLED β€” DEVELOPER DISTRIBUTION
ADVISORY ID:APPSEC-2024-004 CATEGORY:Web Application β€” Cross-Site Request Forgery (CSRF / XSRF) SEVERITY:HIGH ALIASES:Session riding; one-click attack; XSRF; "Sea Surf" AFFECTED SYSTEMS:Web applications that rely solely on session cookies for authorization without implementing anti-CSRF token validation

Threat Assessment: Cross-Site Request Forgery β€” Exploiting the Browser's Trusted Relationship

Background: How Cross-Site Requests Work

Understanding CSRF requires first understanding that cross-site resource loading is a normal, expected browser behavior. When a user visits a website, their browser executes the page's HTML, which may instruct it to load images, scripts, videos, and other resources from entirely different servers. A page at professormesser.com may simultaneously load a video from YouTube, an image from Instagram, and a font from a CDN. All of this loads into one screen, and the user sees a unified experience. None of these secondary requests require the user to authenticate to YouTube or Instagram.

Web applications also consist of two distinct execution environments: client-side code (HTML and JavaScript running inside the user's browser, responsible for rendering the page) and server-side code (PHP, Node.js, Python, etc., running on the web server, responsible for processing requests, executing logic, and accessing databases). Server-side operations β€” transferring funds, posting content, changing settings β€” occur entirely on the server without any browser involvement in the actual execution.

CSRF exploits the combination of these two facts: cross-site requests happen automatically, and the server trusts requests that arrive with the user's valid session cookie β€” regardless of which page triggered the request.

Attack Mechanism

When a user logs into a web application, the server issues a session cookie. The browser automatically includes this cookie with every subsequent request to that domain β€” even requests triggered by code on a different page. The server sees a request with a valid session cookie and considers it authenticated.

An attacker who knows the structure of a request the banking application accepts (such as a funds transfer API endpoint) can craft a page or link that causes a victim's browser to send that request:

<img src="https://bank.example.com/transfer?to=attacker&amount=1000" style="display:none">

If the victim is currently logged into bank.example.com and visits a page containing this tag (or clicks a link containing the transfer request), their browser sends the funds transfer request to the bank. The request arrives with the victim's valid session cookie. The bank's server processes it as a legitimate authenticated request. The transfer executes. The victim sees nothing β€” the image tag loads silently in the background.

The attack can also be delivered via email hyperlinks, forum posts, or any mechanism that causes the victim's browser to make an HTTP request to the target application while the victim holds a valid session.

Attack Flow β€” Bank Transfer Scenario

StepActorAction
1AttackerIdentifies the bank's fund transfer API endpoint and constructs a malicious link or page that will trigger it
2AttackerSends the malicious link to the victim via email, social media, or an embedded link on an attacker-controlled website
3VictimWhile logged into their bank account, clicks the link; their browser automatically includes the bank's session cookie in the request
4Bank ServerReceives a funds transfer request with a valid session cookie; validates the session; executes the transfer to the attacker's account
5VictimHas no awareness the transfer occurred; may not discover it until reviewing their account statement

Recommended Mitigations

  • Anti-CSRF cryptographic tokens: The primary defense. The server generates a unique, unpredictable token for each user session (or each form). This token is embedded in every form and must be submitted with every state-changing request. The server validates the token on receipt; requests without a valid token are rejected. An attacker constructing a forged request cannot include a valid token because they cannot read the victim's session page to extract it (same-origin policy prevents cross-origin script access).
  • SameSite cookie attribute: Instructs the browser not to include the session cookie in cross-site requests. Setting SameSite=Strict or SameSite=Lax on session cookies directly breaks CSRF by ensuring cookies are only sent for same-origin requests.
  • Re-authentication for sensitive actions: Require password entry (or other factor) before executing high-impact actions like fund transfers or password changes; even with a valid session, the re-authentication step cannot be forged by a CSRF attack.
CONTROLLED β€” INFRASTRUCTURE DISTRIBUTION
ADVISORY ID:APPSEC-2024-005 CATEGORY:Web Server β€” Directory Traversal / Path Traversal SEVERITY:HIGH ALIASES:Path traversal; dot-dot-slash attack AFFECTED SYSTEMS:Web servers with misconfigured root directory restrictions; web applications with path construction vulnerabilities

Vulnerability Advisory: Directory Traversal β€” Escaping the Web Root

Vulnerability Description

A directory traversal vulnerability allows an attacker to read (and in some cases write) files on a web server that are outside the web application's intended directory scope. Web servers are normally configured with a "web root" directory β€” a specific folder from which the server serves files. Under correct operation, users can only access files within this directory hierarchy. A directory traversal vulnerability breaks this containment, allowing navigation to any part of the server's filesystem that the web server process has permission to read.

This may arise from web server misconfiguration, a vulnerability in the web server software itself, or poorly written application code that constructs file paths from user-supplied input without sanitization.

Technical Mechanism: The ../ Sequence

In all major operating systems, ../ (dot-dot-slash) is the filesystem shorthand for "move up one directory level." A sequence of multiple ../ values navigates progressively up the directory tree from the current location.

A vulnerable web application that serves files based on a URL parameter like:

https://example.com/show.asp?file=report.pdf

may be constructing a server path as:

C:\wwwroot\files\[user-supplied filename]

An attacker supplying:

https://example.com/show.asp?file=../../windows/system.ini

causes the application to construct the path:

C:\wwwroot\files\..\..\windows\system.ini β†’ C:\windows\system.ini

Each ../ moves one directory level up. With enough traversal steps, the attacker can reach any part of the filesystem accessible to the web server process.

This exact pattern appears in web server logs as one of the clearest indicators of a traversal attempt. A real log entry from such an attack:

GET /show.asp?file=../../windows/system.ini HTTP/1.1

Files Accessible via Successful Traversal

Target FileContents of Interest
/etc/passwd (Linux)User account names and UID/GID values; can reveal valid usernames for further attack
/etc/shadow (Linux)Hashed passwords β€” if readable, enables offline password cracking
C:\windows\system.iniSystem configuration; confirms traversal success; reveals OS information
Application configuration filesDatabase connection strings including credentials; API keys; encryption keys
Application source codeReveals additional vulnerabilities in application logic
Web server configuration filesVirtual host definitions; SSL certificate paths; access control rules

Indicators in Web Server Logs

  • Presence of ../ or ..\ in URL paths or query parameters β€” the clearest traversal indicator
  • URL-encoded traversal sequences: %2e%2e%2f (../), %2e%2e/, ..%2f β€” attackers encode to bypass naive filters
  • Requests for known system files (system.ini, passwd, win.ini, boot.ini) appearing in URL parameters
  • Rapid sequential requests with incremental ../ counts (attacker probing how many levels to the filesystem root)

Recommended Mitigations

  • Input validation and canonicalization: Resolve all file paths to their canonical (absolute) form before use, then verify the resulting path begins with the expected web root directory. Reject any path that resolves outside the permitted directory tree.
  • Avoid user-controlled file paths: Do not construct file system paths directly from user input. Use indirect file references (mapping user-supplied tokens to actual filenames server-side) rather than allowing users to specify path components.
  • Least privilege for web server process: Run the web server process under an account with minimal filesystem permissions β€” read-only access to the web root only. Even a successful traversal cannot read files the web server account has no permission to access.
  • Keep web server software patched: Some traversal vulnerabilities are in the web server software itself; patching closes these without requiring application changes.