Zombie 2.0: A web-application attack model

We analyzed the problems underlying the attack and penetration in the web application scenario. We produce effective solutions to the payload engineering problem in the web-application scenario which allow the attacker/penetration tester to analyze the scenario and build his exploits abstracting the burdensome details in executing an attack.

Traditionally, while modeling attack-scenarios, agents are considered the payload of choice. They provide a way to abstract the complexity of exploitation /post-exploitation tasks (like pivoting, privilege escalation) in a homogeneous way. Seemingly in order to achieve this, a client-server model is needed. Which implies the installation of an agent into the compromised component.
This model applies mainly to scenarios that permit the agent's instantiation, by means of machine-code-execution vulnerabilities. In a world rapidly evolving towards RIA (Rich Internet Applications), a wide range of new attack vectors (XSS, SQL-Injection are some examples) are left out of the picture.

In this work we use the attacker's viewpoint to present a series of attack scenarios where the traditional agent deployment method is not available. We show how to adapt this model to new types of vulnerabilities not dependent on machine-code-execution vectors. As a result, though conceptually the agent is still thought to reside in the compromised component, it runs from the attackers machine.

Our work provides the conceptual and practical background to abstract and isolate agent functionality in two basic components and shows that these may reside either in the attacker's or the attackee's system.