
Mailing List Archive: Full Disclosure: Full-Disclosure

Info about attack trees

 

 



adegod at gmail

May 25, 2012, 1:58 AM

Post #1 of 11 (628 views)
Info about attack trees

Hello everybody, I'm new to this mailing list and to security in general.
I'm here to learn and I'm starting with a question :)

I'm looking for some information about attack tree usage in web application analysis.

For my master thesis I decided to study the usage of this formalism in order to represent attacks on web applications.
I need a lot of use cases from which to start learning common attacks which can help building a proper tree.

From where can I start?

I've already read the OWASP top 10 vulnerabilities and I'm familiar with XSS, SQLi, etc.; however, I've no clue how to combine them together in order to perform the steps needed to attack a system. I'm looking for some examples, and maybe some famous attacks, from which I can understand which steps are performed and how common vulnerabilities can be combined together. Any help is really appreciated.


-------------------
Federico.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
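
An AND/OR attack tree of the kind asked about above, as an added example that is not part of the original post or of any reply. It chains the XSS and SQLi weaknesses named in the thread, finds the lowest-effort remaining path to the goal, and ranks which single fix raises that effort most; the node names and effort scores are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Node:
    name: str
    kind: str = "LEAF"   # LEAF, OR (any child suffices), AND (every child required)
    cost: int = 0        # constructed attacker-effort score, used on leaves only
    children: list = field(default_factory=list)

def cheapest(node, mitigated=frozenset()):
    """Return (cost, leaf names) of the cheapest remaining path, or None if blocked."""
    if node.kind == "LEAF":
        return None if node.name in mitigated else (node.cost, [node.name])
    results = [cheapest(child, mitigated) for child in node.children]
    if node.kind == "AND":
        if any(r is None for r in results):
            return None  # one fixed step breaks the whole chain
        return (sum(r[0] for r in results), [n for r in results for n in r[1]])
    viable = [r for r in results if r is not None]
    return min(viable, key=lambda r: r[0]) if viable else None

def leaf_names(node):
    if node.kind == "LEAF":
        return [node.name]
    return [n for child in node.children for n in leaf_names(child)]

def rank_mitigations(root):
    """For each leaf, the cheapest remaining cost once that leaf alone is fixed."""
    ranked = []
    for name in leaf_names(root):
        result = cheapest(root, frozenset([name]))
        ranked.append((name, result[0] if result else float("inf")))
    return sorted(ranked, key=lambda item: item[1], reverse=True)

XSS = "reflected XSS"
COOKIE = "session cookie readable by script"
HASHES = "fast unsalted password hashes"
# Constructed tree: the root is the attacker's goal, leaves are individual weaknesses.
ROOT = Node("act as an administrator", "OR", children=[
    Node("hijack an admin session", "AND", children=[
        Node("run script in the admin's browser", "OR", children=[
            Node(XSS, cost=3),
            Node("stored XSS via SQLi", "AND", children=[
                Node("SQLi in a write path", cost=4),
                Node("database value rendered unencoded", cost=1)]),
        ]),
        Node(COOKIE, cost=1),
    ]),
    Node("recover the admin password", "AND", children=[
        Node("SQLi in a read path", cost=4),
        Node(HASHES, cost=5)]),
])

if __name__ == "__main__":
    print(cheapest(ROOT), rank_mitigations(ROOT)[:2])
```

Fixing only the reflected XSS leaves the SQLi-to-stored-XSS chain open at a higher cost, while removing script access to the session cookie closes the whole session-hijack branch.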


dan at pingsweep

May 25, 2012, 6:46 AM

Post #2 of 11 (586 views)
Re: Info about attack trees

You can create an XSS with a SQLi

If you can output on the page, you can inject HTML/JS with that variable




urlancomp at gmail

May 25, 2012, 9:44 AM

Post #3 of 11 (606 views)
Re: Info about attack trees

Federico,

Check this out: http://cwe.mitre.org/top25/




--
Cordialmente,

Urlan Salgado de Barros
CompTIA Security+ Certified
MSc. in Applied Informatics
Bachelor on Computer Science


thor at hammerofgod

May 25, 2012, 10:12 AM

Post #4 of 11 (606 views)
Re: Info about attack trees

Here's the best info on attack trees:
http://3.bp.blogspot.com/-P_enGjuZU0I/TxFdFfD1A5I/AAAAAAAABKs/DTzpNDG4THc/s1600/ent_isengard_small.jpg

Timothy "Thor" Mullen
www.hammerofgod.com
Thor's Microsoft Security Bible<http://www.amazon.com/Thors-Microsoft-Security-Bible-Collection/dp/1597495727>




themadichib0d at gmail

May 26, 2012, 1:32 PM

Post #5 of 11 (594 views)
Re: Info about attack trees

If you haven't guessed from the replies, there are no such thing as an attack
tree. Sure, things may be methodical, but I don't think of things as being
like a tree.

The classical method is something along the lines of perform recon,
enumerate, attack, persist/extract data. You react based upon the
information you gather, the more information you have, the clearer it is as
to what the next step ought to be.

No offense, but I don't think it'd be a good idea to make a master thesis
about the textbook methodology of a field you are not familiar with,
especially since you seem to be diving into it with multiple misconceptions
and assumptions.


coderman at gmail

May 26, 2012, 1:50 PM

Post #6 of 11 (591 views)
Re: Info about attack trees

On Sat, May 26, 2012 at 1:32 PM, Gage Bystrom <themadichib0d [at] gmail> wrote:
> If you haven't guessed from the replies, there are no such thing as an attack
> tree...
> The classical method is something along the lines of perform recon,
> enumerate, attack, persist/extract data. You react based upon the
> information you gather, the more information you have, the clearer it is as
> to what the next step ought to be.

this concept is more useful in fully automated exploit +
post-exploitation systems, where you have an arsenal of exploits of
varying stealth, reliability, applicability. the result of exploit
preference, exploit chaining, and contingency paths based on real-time
feedback results in a tree like structure following the path of least
resistance to total compromise.

you need to prepare this tree ahead of time as a human in the loop
will only slow down the process and increase the risk of counter
measures frustrating further attack.

a pedant would call them exploit graphs ;)



slash.pd at gmail

May 28, 2012, 7:20 AM

Post #7 of 11 (578 views)
Re: Info about attack trees


Eh ?? Seems that Schneier was blowing smoke up in the air with his
thoughts on attack trees !!

Anyhoot, here's another good old linky Military Operations Research V10,
N2, 2005,
http://www.innovativedecisions.com/documents/Buckshaw-Parnelletal.pdf

/pd


themadichib0d at gmail

May 28, 2012, 10:27 AM

Post #8 of 11 (575 views)
Re: Info about attack trees

Never read any of his pieces on attack trees. That being said, and
having read over it, I believe it to be infeasible to make an attack
tree against any modern system, even with only the scope of web
applications. There are simply a vast majority of possible start
points, and what leaves that may exist all depend on what information
you gather. As in, while building an attack tree you might have to add
leaves as you attack the application. Such a final attack tree would
be amazingly complex.

If OP wants to go for that then that's his choice, but to be frank I
believe there are more productive uses of someone's time.

On Mon, May 28, 2012 at 7:20 AM, Peter Dawson <slash.pd [at] gmail> wrote:
> ==> "there are no such thing as an attack tree."
>
> Eh ??   Seems that Schneier was blowing smoke up in the air with his
> thoughts on attack trees !!
>
> Anyhoot, here's another good old linky Military Operations Research V10, N2,
> 2005, http://www.innovativedecisions.com/documents/Buckshaw-Parnelletal.pdf
>
> /pd


guninski at guninski

May 28, 2012, 10:49 AM

Post #9 of 11 (578 views)
Re: Info about attack trees

On Sat, May 26, 2012 at 01:50:36PM -0700, coderman wrote:
> a pedant would call them exploit graphs ;)
>


hahaha, how many buzzwords for seemingly simple stuff :)

some buzzwords you can use for profit:

division by _zero_, _integer_ overflow, attack _vector_, attack
_vector space_ [1], attack _curve_, attack _surface_, attack
_abelian surface_ [1], attack _group law_ [1] , attack _tree_,
attack _graph_, attack _constrained path on graph_ [1],
attack _turing machine_ [1], attack halting _problem_ [1].


[1] might not be in general usage as of Mon May 28 EEST 2012

spam v






coderman at gmail

May 28, 2012, 2:36 PM

Post #10 of 11 (580 views)
Re: Info about attack trees

On Mon, May 28, 2012 at 10:49 AM, Georgi Guninski <guninski [at] guninski> wrote:
> some ...words you can use for profit:
>
> division by _zero_, _integer_ overflow, attack _vector_, attack
> _vector space_ [1], attack _curve_, attack _surface_, attack
> _abelian surface_ [1], attack _group law_ [1] , attack _tree_,
> attack _graph_, attack _constrained path on graph_ [1],
> attack _turing machine_ [1], attack halting _problem_ [1].

you've written a prospectus or two, it seems.


> ... I believe it to be infeasible to make an attack
> tree against any modern system...

the best attack trees are planted in a firmament of bayesian machine
learning, nurtured with cloud based social graph analysis, and
precipitated via distributed simulation into actionable tactics with
certainty of execution. i have generated a truly marvelous
computer-assisted proof of this, which this message is unable to
contain.

the details just how many 0days rain down from this exploit cloud
shall sadly remain obscured... for now. anyone want to seed a 7.44TB
torrent?



defenceindepth at gmail

May 28, 2012, 9:10 PM

Post #11 of 11 (569 views)
Re: Info about attack trees

I think this quote sums it up well:

"Hacking is ... not a day job or a semi-ordered list of instructions found
in a thick book." - Anthony Bunyan (Shellcoder's Handbook)

Predetermining an attack path or even representing every possible way an
entity can be attacked is just not possible. There are potentially an
infinite number of permutations one could take to compromise a system.
Formalising such a thing would not accurately represent the real world; it
would merely display a subset of possible attack vectors.

This is a good example of where someone has made something from nothing
(and would have been very difficult to have predicted/formalised):
http://xs-sniper.com/blog/2010/12/17/will-it-blend/


Regards,

Patrick Dunstan
www.defenceindepth.net
