06 Web-Based Hacking—Servers and Applications Flashcards
- In Nmap, the http-methods script can be used to test for potentially risky HTTP options supported by a target. Which of the following methods would be considered risky per the script?
A. CONNECT
B. GET
C. POST
D. HEAD
A. The http-methods script usage syntax is nmap --script http-methods <target>, where <target> is the IP of the system you’re after. Per Nmap’s support pages (https://nmap.org/nsedoc/scripts/http-methods.html), this script “finds out what options are supported by an HTTP server by sending an OPTIONS request and lists potentially risky methods. It tests those methods not mentioned in the OPTIONS headers individually and sees if they are implemented. Any output other than 501/405 suggests that the method is implemented if it is not in the range 400 to 600. If the response falls under that range then it is compared to the response from a randomly generated method. In this script, ‘potentially risky’ methods are anything except GET, HEAD, POST, and OPTIONS. If the script reports potentially risky methods, they may not all be security risks, but you should check to make sure.” You can also pass script arguments, such as --script-args http-methods.url-path=/some/path, to test a specific path instead of the default.
- PUT This method allows a client to upload new files on the web server. An attacker can exploit it by uploading malicious files (for example, an .asp file that executes commands by invoking cmd.exe) or by simply using the victim’s server as a file repository.
- DELETE This method allows a client to delete a file on the web server. An attacker can exploit it as a very simple and direct way to deface a website or to mount a DoS attack.
- CONNECT This method could allow a client to use the web server as a proxy.
- TRACE This method simply echoes back to the client whatever string has been sent to the server, and it’s used mainly for debugging purposes. This method, originally assumed harmless, can be used to mount an attack known as cross-site tracing.
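Worked example (added here; this is not Nmap's code). It reproduces the logic the http-methods script describes above: read the Allow header from OPTIONS, then try every method individually, treating 501/405 as "not implemented" and comparing other 4xx/5xx answers against a random bogus method. The target is a constructed local server that deliberately advertises only GET, HEAD and OPTIONS while still accepting PUT and TRACE, which is exactly why the script does not trust the Allow header.

```python
"""Probe which HTTP methods a server really implements, the way Nmap's
http-methods script does: ask with OPTIONS, then try each method anyway,
because the Allow header often omits methods the server still accepts.
Added example, not Nmap's code. The target below is a constructed local
server that deliberately advertises less than it handles."""
import http.client
import random
import string
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

SAFE = {"GET", "HEAD", "POST", "OPTIONS"}  # everything else is "potentially risky"
CANDIDATES = ["GET", "HEAD", "POST", "OPTIONS", "PUT", "DELETE", "TRACE", "CONNECT", "PATCH"]


class LeakyHandler(BaseHTTPRequestHandler):
    """Constructed target: Allow lists GET, HEAD, OPTIONS, yet PUT and TRACE work.
    Methods without a do_ handler get a 501 from BaseHTTPRequestHandler."""

    def _reply(self, status, body=b"", ctype="text/plain"):
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        if body and self.command != "HEAD":
            self.wfile.write(body)

    def do_OPTIONS(self):
        self.send_response(200)
        self.send_header("Allow", "GET, HEAD, OPTIONS")  # PUT and TRACE not listed
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_GET(self):
        self._reply(200, b"hello")

    do_HEAD = do_GET  # same headers, no body

    def do_PUT(self):  # accepts uploads: the risky one
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        self._reply(201)

    def do_TRACE(self):  # echoes the request line: enables cross-site tracing
        echo = f"{self.command} {self.path} {self.request_version}\r\n".encode()
        self._reply(200, echo, "message/http")

    def log_message(self, *args):  # keep the demo quiet
        pass


def status_of(host, port, method, path="/"):
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request(method, path, headers={"Content-Length": "0"})
        return conn.getresponse().status
    finally:
        conn.close()


def advertised_methods(host, port, path="/"):
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("OPTIONS", path)
        allow = conn.getresponse().getheader("Allow") or ""
    finally:
        conn.close()
    return {m.strip().upper() for m in allow.split(",") if m.strip()}


def probe_methods(host, port, path="/"):
    """Return {method: status} for each candidate the server actually implements.
    Rule from the script: 501/405 means not implemented; an error in the
    4xx/5xx range that equals the answer to a random bogus method is noise."""
    bogus = "".join(random.choices(string.ascii_uppercase, k=8))
    baseline = status_of(host, port, bogus, path)
    implemented = {}
    for method in CANDIDATES:
        status = status_of(host, port, method, path)
        if status in (405, 501):
            continue
        if 400 <= status < 600 and status == baseline:
            continue
        implemented[method] = status
    return implemented


def risky(implemented):
    return {m for m in implemented if m not in SAFE}


def start_server():
    server = HTTPServer(("127.0.0.1", 0), LeakyHandler)  # port 0: any free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


if __name__ == "__main__":
    srv = start_server()
    host, port = srv.server_address
    print("advertised:", sorted(advertised_methods(host, port)))
    found = probe_methods(host, port)
    print("implemented:", found)
    print("potentially risky:", sorted(risky(found)))
    srv.shutdown()
```

Against the constructed server the Allow header claims three methods, the probe finds five, and PUT and TRACE come back as the risky ones. On a real target, treat the output as a lead, not a finding: confirm PUT actually stores a file you can fetch back and TRACE actually echoes headers before reporting either.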
- Bob is notified of what appears to be a denial-of-service attack against a system in his environment. On investigation, Bob discovers the target system is receiving overwhelming numbers of DNS responses for an IP resolution. Which of the following is the most likely attack?
A. DNS amplification
B. DNS server hijacking
C. SSRF
D. Metasploit NOPS module
A. A DNS amplification attack is exactly what it sounds like: an attacker uses open recursive DNS resolvers to flood a target with DNS responses. The attacker (usually through a botnet) sends resolution requests with the source address spoofed to the target, typically for records that produce large answers (ANY queries or DNSSEC-signed zones), so each small query turns into a response many times its size. The resolvers do what they are supposed to do, and the target is flooded with responses to questions it never asked.
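Worked example (added here, not from the original text) of what Bob would look for in a packet log: responses arriving at a host with no matching query from that host, and the size ratio between a query and its answer. The log lines and addresses are constructed for the demo; the field layout is an assumption, not any particular tool's format.

```python
"""Spot a DNS amplification victim in a simple packet log: responses that no
query from the receiving host explains, plus the amplification ratio of the
query/response pairs that do match. Added example with constructed data."""
import re
from collections import defaultdict

# Constructed sample (not real traffic). 192.0.2.10 is a normal client;
# 198.51.100.7 is the victim and never sent a query to any resolver.
LOG = """\
10:00:01 192.0.2.10 -> 203.0.113.5 DNS Q id=0x1a2b ANY example.com len=64
10:00:01 203.0.113.5 -> 192.0.2.10 DNS R id=0x1a2b ANY example.com len=3120
10:00:02 203.0.113.5 -> 198.51.100.7 DNS R id=0x7f01 ANY example.com len=3120
10:00:02 203.0.113.9 -> 198.51.100.7 DNS R id=0x7f02 ANY example.com len=2988
10:00:02 203.0.113.12 -> 198.51.100.7 DNS R id=0x7f03 ANY example.com len=3305
10:00:03 203.0.113.5 -> 198.51.100.7 DNS R id=0x7f04 ANY example.com len=3120
"""

LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\S+) DNS (?P<kind>[QR]) "
    r"id=(?P<id>0x[0-9a-f]+) (?P<qtype>\S+) (?P<name>\S+) len=(?P<len>\d+)$"
)


def parse(log: str):
    return [m.groupdict() for m in (LINE.match(l) for l in log.splitlines()) if m]


def analyse(records):
    """Pair each response with a prior query by (client, resolver, id).
    Returns per-host stats: unsolicited response count and bytes, and the
    response/query size ratios for the pairs that did match."""
    queries = {}
    stats = defaultdict(lambda: {"unsolicited": 0, "bytes": 0, "ratios": []})
    for r in records:
        if r["kind"] == "Q":
            queries[(r["src"], r["dst"], r["id"])] = int(r["len"])
            continue
        key = (r["dst"], r["src"], r["id"])  # the query this answer would match
        host = stats[r["dst"]]
        if key in queries:
            host["ratios"].append(int(r["len"]) / queries.pop(key))
        else:
            host["unsolicited"] += 1
            host["bytes"] += int(r["len"])
    return stats


def suspected_victims(stats, min_unsolicited=3):
    """Hosts receiving at least min_unsolicited answers they never asked for."""
    return {h for h, s in stats.items() if s["unsolicited"] >= min_unsolicited}


if __name__ == "__main__":
    stats = analyse(parse(LOG))
    for host, s in stats.items():
        print(host, "unsolicited:", s["unsolicited"], "bytes:", s["bytes"],
              "max ratio:", max(s["ratios"], default=None))
    print("suspected victims:", suspected_victims(stats))
```

The legitimate client shows a ratio of about 49x for its ANY query, which is the amplification the attacker is after; the victim shows four answers and zero questions, which is the signature Bob saw.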
- A web application developer wants to test a new application for security flaws. Which of the following is a method of testing input variations by using randomly generated invalid input in an attempt to crash the program?
A. Insploit
B. Finglonger
C. Metasplation
D. Fuzzing
D. Even if you didn’t know what “fuzzing” meant, you probably could’ve whittled this down by eliminating the known wrong answers. Per OWASP (https://www.owasp.org/index.php/Fuzzing), “Fuzz testing or fuzzing is a Black Box software testing technique, which basically consists in finding implementation bugs using malformed/semi-malformed data injection in an automated fashion.” In other words, fuzzing sends tons of weird inputs into fields to see what the application will do.
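Worked example (added here; not from OWASP or the original text) of the technique the answer describes: a mutation fuzzer that feeds randomly corrupted inputs to a parser and records every failure that is not the parser's documented error. The target parser and its two bugs are constructed for the demo.

```python
"""Minimal mutation fuzzer. The target is a constructed 'key=value;...' parser
whose contract says invalid input raises ParseError; anything else escaping
(ValueError, UnicodeDecodeError, ...) is a crash worth a bug report.
Added example, not OWASP's or any fuzzing framework's code."""
import random
import traceback


class ParseError(Exception):
    """The documented failure mode for bad input."""


def parse_kv_record(data: bytes) -> dict:
    out = {}
    for field in data.split(b";"):
        if not field:
            continue
        if b"=" not in field:
            raise ParseError("field without '='")
        key, value = field.split(b"=")      # BUG: b"a=b=c" -> ValueError
        out[key.decode("ascii")] = value    # BUG: non-ASCII key -> UnicodeDecodeError
    return out


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Random byte-level mutations: bit flip, insert, delete, duplicate a chunk."""
    data = bytearray(seed)
    for _ in range(rng.randint(1, 4)):
        op = rng.choice(["flip", "insert", "delete", "dup"])
        if op == "flip" and data:
            i = rng.randrange(len(data))
            data[i] ^= 1 << rng.randrange(8)
        elif op == "insert":
            data.insert(rng.randint(0, len(data)), rng.randrange(256))
        elif op == "delete" and data:
            del data[rng.randrange(len(data))]
        elif op == "dup" and data:
            i = rng.randrange(len(data))
            data[i:i] = data[i:i + rng.randint(1, 8)]
    return bytes(data)


def fuzz(target, seeds, iterations=2000, seed=1):
    """Run the target on mutated seeds; return {(exception, line): sample} with
    one reproducing input per distinct crash site. Fixed RNG seed so every
    run is reproducible."""
    rng = random.Random(seed)
    crashes = {}
    for _ in range(iterations):
        sample = mutate(rng.choice(seeds), rng)
        try:
            target(sample)
        except ParseError:
            continue                        # documented rejection, not a bug
        except Exception as exc:
            frame = traceback.extract_tb(exc.__traceback__)[-1]
            crashes.setdefault((type(exc).__name__, frame.lineno), sample)
    return crashes


if __name__ == "__main__":
    for (kind, line), sample in fuzz(parse_kv_record, [b"user=bob;role=admin;id=42"]).items():
        print(f"{kind} at line {line}: {sample!r}")
```

Two thousand iterations from a single valid seed are enough to surface both planted bugs; the de-duplication by exception type and line keeps the report to one sample per bug instead of hundreds of near-identical inputs.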
- Which of the following uses HTML entities properly to represent <script>?
A. &lt;script&gt;
B. (script)
C. &script&
D. "script"
A. Cross-site scripting generally relies on web pages not properly validating user input, and HTML entities can be used to take the place of certain characters. In this case, the less-than sign (<) and the greater-than sign (>) surround the word script. Respectively, the appropriate HTML entities are &lt; and &gt; (the lt and gt should give this away).
- An attacker tricks a user into visiting a malicious website via a phishing e-mail. The user clicks the e-mail link and visits the malicious website while maintaining an active, authenticated session with his bank. The attacker, through the malicious website, then instructs the user’s web browser to send requests to the bank website. Which of the following best describes this attack?
A. CSPP
B. XSS
C. CSRF
D. Hidden form field
C. There are few guarantees in life, but here’s one: you will definitely be asked about cross-site request forgery (CSRF) on your exam. A CSRF attack is exactly what’s being described here: the attacker takes advantage of an open, active, authenticated session between the victim and a trusted site and causes the victim’s own browser to send requests to that site, which the browser dutifully decorates with the victim’s session cookie. Usually the lure is a phishing link or a malicious advertisement, but the principle is always the same. CSRF is prevented with random anti-CSRF (challenge) tokens tied to the session, which the server verifies on every state-changing request; a cross-site page cannot read the token, so it cannot forge a valid request. Marking the session cookie SameSite and refusing state changes over GET help as well.
As an aside, a related attack is session fixation. The attacker obtains a valid pre-authentication session ID from the legitimate site and sends the victim a link that carries that fixed ID. When the victim follows it and logs in, the site authenticates the very session the attacker already knows, and the attacker simply uses it. The fix is to issue a fresh session ID at login.
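Worked example (added here, not from the original text) covering both paragraphs above: an in-memory session store that rotates the session ID at login, so a fixed pre-authentication ID never becomes an authenticated one, and binds a random anti-CSRF token to each session that every state-changing request must echo back. The store, its method names and the scenario are constructed for the demo.

```python
"""Session handling that defeats both attacks described above. Added example
with a constructed in-memory store; not any framework's implementation."""
import hmac
import secrets


class SessionStore:
    def __init__(self):
        self.sessions = {}  # session_id -> {"user": str | None, "csrf": str}

    def anonymous(self) -> str:
        """Issue a pre-login session (what a visitor gets on first contact)."""
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None, "csrf": secrets.token_urlsafe(32)}
        return sid

    def login(self, presented_sid: str, user: str) -> str:
        """Authenticate and issue a NEW session ID. The ID the browser presented
        (possibly planted by an attacker via a link) is destroyed, so session
        fixation leaves the attacker holding a dead ID."""
        self.sessions.pop(presented_sid, None)
        new_sid = secrets.token_urlsafe(32)
        self.sessions[new_sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
        return new_sid

    def csrf_token(self, sid: str) -> str:
        """Embedded by the server in its own forms; an attacker's page on another
        origin cannot read it."""
        return self.sessions[sid]["csrf"]

    def authorize_state_change(self, sid: str, submitted_token) -> bool:
        """Gate for POST /transfer and the like: the cookie alone is not enough,
        the request body must also carry the token bound to that session."""
        sess = self.sessions.get(sid)
        if sess is None or sess["user"] is None or not submitted_token:
            return False
        return hmac.compare_digest(sess["csrf"], submitted_token)  # constant time


def transfer_form(store: SessionStore, sid: str) -> str:
    """Constructed server-rendered form carrying the session's token."""
    return (f'<form method="post" action="/transfer">'
            f'<input type="hidden" name="csrf" value="{store.csrf_token(sid)}">'
            f'<input name="amount"><button>Send</button></form>')


if __name__ == "__main__":
    store = SessionStore()
    planted = store.anonymous()                # attacker fetched this ID, mailed it to Alice
    alice = store.login(planted, "alice")      # Alice logs in using the planted ID
    print("planted ID still valid:", planted in store.sessions)
    print("forged POST (cookie only):", store.authorize_state_change(alice, None))
    print("genuine POST (cookie + token):",
          store.authorize_state_change(alice, store.csrf_token(alice)))
```

The forged request in a CSRF attack arrives with the victim's cookie but without the token, because the attacker's page never saw the form; the check therefore fails. The planted ID in the fixation scenario is gone after login, so whatever the attacker does with it is rejected.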
- Which of the following is used by SOAP services to format information?
A. Unicode
B. HTML entities
C. NTFS
D. XML
D. Simple Object Access Protocol (SOAP) is a protocol designed for exchanging structured information within web services across multiple variant systems. In other words, it’s a way for a program running on one kind of operating system (let’s say Windows Server) to communicate with a program on another (such as Linux). It uses HTTP and XML to exchange information and specifies how to encode HTTP headers and XML files so that applications can talk to each other. One great advantage to this is also a great detriment, security-wise: because HTTP is generally allowed through most firewalls, applications using SOAP can generally communicate at will throughout networks.
SOAP injection attacks insert crafted content into the XML of a SOAP message (much like SQL injection, as a matter of fact) and might give you the means to bypass authentication and access databases behind the scenes. SOAP is compatible with HTTP and SMTP, and messages are typically one-way in nature.
- A web application developer is discussing security flaws discovered in a new application prior to production release. He suggests to the team that they modify the software to ensure users are not allowed to enter HTML as input into the application. Which of the following is most likely the vulnerability the developer is attempting to mitigate against?
A. Cross-site scripting
B. Cross-site request forgery
C. Connection string parameter pollution
D. Phishing
A. XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. The basics of this attack revolve around website (or web application) design, dynamic content, and unvalidated input data. Usually a web form pops up, the user inputs something, and then some script dynamically changes the appearance or behavior of the page based on what was entered. XSS occurs when the bad guys take advantage of that scripting (JavaScript, in practice) and have it perform something other than the intended response. For example, suppose instead of entering what you’re supposed to enter in a form field, you enter an actual script. The server does what it’s supposed to do: it stores or reflects the input, and the browser of whoever views the page runs the script as if the site had authored it. The best defense is proper design, input validation, and context-aware output encoding (turning the < and > of a script tag into HTML entities, for instance) before the app ever sees production.
- Which of the following is a common SOA vulnerability?
A. SQL injection
B. XSS
C. XML denial of service
D. CGI manipulation
C. Service-oriented architecture (SOA) is a software design idea that is based on specific pieces of software providing functionality as services between applications. The idea is to define how two applications can interact so that one can perform a piece of work for the other (or, better said, on behalf of the other). Each interaction is independent of any other and is self-contained. SOA programmers make extensive use of XML to carry all this out, and that leaves the application vulnerable to crafty XML tampering. If an attacker can pass an XML message with a very large payload, deeply nested elements, or a DTD whose entities expand to an enormous size (the “billion laughs” attack), parsing it can exhaust the service’s CPU or memory: an XML denial-of-service attack. This isn’t to imply it’s the only type of DoS available or that SOA is uniquely vulnerable, or that DoS is the only thing a crafted XML message can accomplish. It’s just a question, so don’t read too much into it.
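Worked example (added here; not from the original text) of how a service endpoint can refuse the inputs that fuel XML denial of service before they reach the parser: a size cap on the body, rejection of any DOCTYPE or entity declaration (which is where billion-laughs expansion lives), and a nesting depth limit. It uses only the standard-library expat parser; the SOAP message and the malicious documents are constructed for the demo.

```python
"""Strict XML intake for a service endpoint. Added example; the samples are
constructed and the limits are illustrative assumptions, not a standard."""
import xml.parsers.expat

MAX_BYTES = 64 * 1024
MAX_DEPTH = 32


class RejectedXML(Exception):
    """Input refused before or during parsing."""


def parse_strict(data: bytes, max_bytes=MAX_BYTES, max_depth=MAX_DEPTH):
    """Return a list of (depth, tag) events for an acceptable document."""
    if len(data) > max_bytes:
        raise RejectedXML(f"body of {len(data)} bytes exceeds {max_bytes}")

    parser = xml.parsers.expat.ParserCreate()
    events, depth = [], [0]

    def reject_doctype(*_args):
        # Raising inside a handler aborts Parse() and propagates the exception.
        raise RejectedXML("DOCTYPE/entity declarations are not accepted")

    def start(name, _attrs):
        depth[0] += 1
        if depth[0] > max_depth:
            raise RejectedXML(f"nesting deeper than {max_depth}")
        events.append((depth[0], name))

    def end(_name):
        depth[0] -= 1

    parser.StartDoctypeDeclHandler = reject_doctype   # fires before any entity is defined
    parser.EntityDeclHandler = reject_doctype
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        raise RejectedXML(f"malformed XML: {exc}") from exc
    return events


def accepts(data: bytes) -> bool:
    try:
        parse_strict(data)
        return True
    except RejectedXML:
        return False


# Constructed samples.
SOAP_OK = b"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><getOrder><id>42</id></getOrder></soap:Body>
</soap:Envelope>"""

BILLION_LAUGHS = b"""<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<lolz>&lol3;</lolz>"""

TOO_DEEP = b"<a>" * 40 + b"</a>" * 40
TOO_BIG = b"<a>" + b"x" * MAX_BYTES + b"</a>"

if __name__ == "__main__":
    print("SOAP request:", parse_strict(SOAP_OK))
    for name, bad in (("billion laughs", BILLION_LAUGHS), ("deep", TOO_DEEP), ("big", TOO_BIG)):
        try:
            parse_strict(bad)
        except RejectedXML as exc:
            print(f"{name}: rejected ({exc})")
```

The DOCTYPE handler is the important one: the expansion happens inside the parser, so the document has to be refused when the declaration is seen, not after the fact. The sample here is cut down to three entity levels so that it is harmless even if parsed naively.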
- The source code of software used by your client seems to have a large number of gets() alongside sparsely used fgets(). What kind of attack is this software potentially susceptible to?
A. SQL injection
B. Buffer overflow
C. Parameter tampering
D. Cookie manipulation
B. A buffer overflow is an attempt to write more data into an application’s fixed-size buffer than it can hold, so that the excess overwrites adjacent memory and lets the attacker crash the application, corrupt its data pointers, or execute code. gets() is a classic source of these flaws: it reads from standard input into the caller’s buffer until it sees a newline or EOF, and there is no way to tell it how large that buffer is, so any sufficiently long line overruns it. It was deprecated for exactly this reason and removed outright in the C11 standard; fgets(), which takes a maximum length, is the replacement. Code that leans heavily on gets() and uses fgets() only sparingly is a strong hint that bounds were never on the author’s mind.
- Which of the following would be the best choice in the prevention of XSS?
A. Challenge tokens
B. Memory use controls
C. HttpOnly flag in cookies
D. Removing hidden form fields
C. In addition to input validation and output encoding (always good for bunches of vulnerability mitigations), setting the HttpOnly flag on cookies blunts one of the most common XSS payoffs. Cross-site scripting occurs when an attacker injects script through a form field or URL parameter that is not properly validated or encoded. An HttpOnly cookie is sent only in HTTP requests and cannot be read by client-side script, so an injected script cannot read document.cookie and steal the session. It does not stop the injection itself; it limits what the injected script can do with the session.
- You are examining log files and come across this URL:
http://www.example.com/script.ext?template%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64
Which of the following best describes this potential attack?
A. This is not an attack but a return of SSL handshakes.
B. An attacker appears to be using Unicode.
C. This appears to be a buffer overflow attempt.
D. This appears to be an XSS attempt.
B. Strictly speaking, these %xx sequences are URL (percent) encoding of plain ASCII bytes, but the CEH exam files them under “Unicode,” so answer accordingly. Encoding the request is just another way to represent the same text, and attackers use it hoping to slip past an IDS. In the real world most IDS products decode such requests before signature matching (percent encoding is not encryption and provides only cursory obfuscation), but stick with EC-Council’s framing for the exam. Decoded, the request is a directory traversal attempt aimed at the system’s password file:
%2e%2e%2f%2e%2e%2f%2e%2e%2f = ../../../
%65%74%63 = etc
%2f = /
%70%61%73%73%77%64 = passwd
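Worked example (added here; not from the original text) of the decoding an IDS or log reviewer has to do before matching: percent-decode each query parameter repeatedly until it stops changing, so that double encoding (%252e for %2e) and mixed case (%2E) do not hide the traversal, then look for a ../ or ..\ segment. The log lines are constructed for the demo; the first mirrors the flashcard's URL.

```python
"""Find directory traversal hidden behind percent encoding in request logs.
Added example with constructed log lines; the parameter names are assumptions."""
import re
from urllib.parse import unquote, urlsplit

# Constructed request lines (method, target, version), not real traffic.
ACCESS_LOG = [
    "GET /script.ext?template=%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64 HTTP/1.1",
    "GET /script.ext?template=..%252f..%252f..%252fetc%252fpasswd HTTP/1.1",   # double-encoded
    "GET /script.ext?template=%2E%2E%5C%2E%2E%5Cwindows%5Cwin.ini HTTP/1.1",    # upper case, backslashes
    "GET /script.ext?template=reports/2024/summary&lang=en HTTP/1.1",           # benign
    "GET /script.ext?template=a..b HTTP/1.1",                                   # dots but no traversal
]

# A '..' path segment bounded by slash, backslash, start or end of string.
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable (bounded), defeating double encoding."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def traversal_in_request(line: str):
    """Return [(param, decoded_value), ...] for every query parameter carrying
    a traversal sequence after decoding; empty list for a clean request."""
    parts = line.split(" ")
    if len(parts) < 2:
        return []
    hits = []
    for pair in urlsplit(parts[1]).query.split("&"):
        if not pair:
            continue
        name, _, raw = pair.partition("=")
        value = fully_decode(raw)
        if TRAVERSAL.search(value):
            hits.append((name, value))
    return hits


if __name__ == "__main__":
    for line in ACCESS_LOG:
        print(traversal_in_request(line) or "clean", "<-", line)
```

The backslash variant matters for Windows targets, and the bounded decode loop matters because an unbounded one is itself a small denial-of-service invitation.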
- Which MSFconsole command allows you to connect to a host from within the console?
A. pivot
B. connect
C. get
D. route
B. Questions on Metasploit can be very generalized or—like this question—pretty darn specific. MSFconsole, opened with the msfconsole command, is a common method of interfacing with Metasploit. As put by Offensive Security, it provides an “all-in-one” centralized console and allows you efficient access to virtually all of the options available in the MSF, and it’s the only supported way to access most of the features within Metasploit. Commands used in the interface are listed and discussed pretty well on Offensive Security’s site (https://www.offensive-security.com/metasploit-unleashed/msfconsole-commands/). The connect command acts like a miniature netcat clone, supporting SSL, proxies, pivoting, and file sends. By issuing the connect command with an IP address and port number, you can connect to a remote host from within MSFconsole the same as you would with netcat or telnet.
- Which character is your best option in testing for SQL injection vulnerability?
A. The @ symbol
B. A double dash
C. The + sign
D. A single quote
D. SQL injection is all about entering queries and commands into a form field (or URL) to elicit a response, gain information, or manipulate data. On a web page, many times entries into a form field are inserted into a SQL command. When you enter your username and information into the fields and click the button, the SQL command in the background might read something like this:
SELECT OrderID, FirstName, Lastname FROM Orders
In SQL, a single quote is used to indicate an upcoming character string. Once SQL sees that open quote, it starts parsing everything after it as string input. If there’s no close quote, an error occurs because SQL doesn’t know what to do with the submitted characters. If the web page is configured poorly, that error will return to you and let you know it’s time to start injecting SQL commands.
A, B, and C are incorrect characters to use as part of a SQL injection test. The @ symbol is used to designate a variable in SQL (you’ll need to define the variable, of course). The + sign is used to combine strings (as in Matt+Walker). A double dash indicates an upcoming comment in the line.
- An angry former employee of the organization discovers a web form vulnerable to SQL injection. Using the injection string SELECT * FROM Orders_Pend WHERE Location_City = 'Orlando', he is able to see all pending orders from Orlando. If he wanted to delete the Orders_Pend table altogether, which SQL injection string should he use?
A. SELECT * FROM Orders_Pend WHERE Location_City = Orlando';DROP TABLE Orders_Pend --
B. SELECT * FROM Orders_Pend WHERE 'Orlando';DROP_TABLE --
C. DROP TABLE Orders_Pend WHERE 'Orlando = 1' --
D. WHERE Location_City = Orlando'1 = 1': DROP_TABLE --
A. SQL queries usually read pretty straightforward, although they can get complicated rather quickly. In this case, you’re telling the database, “Check the table Orders_Pend and see whether there’s a city called Orlando. Oh, by the way, since you’re executing anything I send, go ahead and drop the table called Orders_Pend while you’re at it.” The single quote closes the string the application opened, the semicolon starts a second (stacked) statement, and the trailing -- comments out whatever the application appends, such as its own closing quote. The only thing missing is a thank-you at the end. As an aside, you can and should restrict which statements the application’s database account may run: grant the web application’s login only the DML it needs (SELECT, perhaps INSERT or UPDATE) and no DDL such as DROP. Letting the web application’s account drop tables is akin to making your standard user a domain administrator; it’s a rather dumb idea!
- Efforts to gain information from a target website have produced the following error message:
Microsoft OLE DB Provider for ODBC Drivers error '80040e08'
[Microsoft][ODBC SQL Server Driver]
Which of the following best describes the error message?
A. The site may be vulnerable to XSS.
B. The site may be vulnerable to buffer overflow.
C. The site may be vulnerable to SQL injection.
D. The site may be vulnerable to a malware injection.
C. Once again, you will get a few “gimme” questions on the exam. The error message clearly displays a SQL error, telling us there’s an underlying SQL database to contend with and it’s most likely not configured correctly (or we wouldn’t be getting an error message like this—through a web interface and telling us exactly what’s there—in the first place).
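Worked example (added here; not from the original text) tying the last three questions together: a constructed endpoint that splices the city into its query and echoes database errors to the client, so a lone single quote produces the kind of error page shown above and the stacked DROP TABLE payload from the earlier question destroys the table; beside it, the same lookup with a parameterized query and a generic error response. It uses the standard-library sqlite3 module; because sqlite3.execute() refuses stacked statements, the vulnerable version splits on semicolons to model drivers (SQL Server's among them) that run them.

```python
"""SQL injection: the vulnerable lookup, the single-quote probe, the stacked
DROP payload, and the parameterized fix. Added example on an in-memory
SQLite database constructed for the demo; table and column names come from
the flashcard question."""
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Orders_Pend (OrderID INTEGER, Location_City TEXT, Amount REAL);
        INSERT INTO Orders_Pend VALUES (1, 'Orlando', 19.99), (2, 'Tampa', 5.00), (3, 'Orlando', 7.25);
    """)
    return conn


def table_exists(conn, name: str) -> bool:
    row = conn.execute("SELECT 1 FROM sqlite_master WHERE type='table' AND name=?", (name,)).fetchone()
    return row is not None


def pending_orders_vulnerable(conn, city: str):
    """The 'before': user input becomes part of the SQL text. Splitting on ';'
    models a driver that executes stacked statements (sqlite3 itself won't)."""
    sql = f"SELECT * FROM Orders_Pend WHERE Location_City = '{city}'"
    rows = []
    for statement in sql.split(";"):
        if statement.strip():
            rows.extend(conn.execute(statement).fetchall())
    return rows


def page_vulnerable(conn, city: str) -> dict:
    """Constructed endpoint that leaks the driver's error text to the client,
    the behaviour behind the ODBC error message in the last question."""
    try:
        return {"status": 200, "rows": pending_orders_vulnerable(conn, city)}
    except sqlite3.Error as exc:
        return {"status": 500, "error": f"SQL error: {exc}"}


def pending_orders_safe(conn, city: str):
    """The 'after': the value travels as a bound parameter, never as SQL text,
    so quotes, semicolons and comment markers are just characters in a city name."""
    return conn.execute("SELECT * FROM Orders_Pend WHERE Location_City = ?", (city,)).fetchall()


def page_safe(conn, city: str) -> dict:
    try:
        return {"status": 200, "rows": pending_orders_safe(conn, city)}
    except sqlite3.Error:
        return {"status": 500, "error": "internal error"}  # log it server-side, show nothing


if __name__ == "__main__":
    probe = "'"
    payload = "Orlando';DROP TABLE Orders_Pend --"
    conn = make_db()
    print("vulnerable, probe   :", page_vulnerable(conn, probe))
    print("vulnerable, payload :", page_vulnerable(conn, payload))
    print("table still exists? :", table_exists(conn, "Orders_Pend"))
    conn = make_db()
    print("safe, probe         :", page_safe(conn, probe))
    print("safe, payload       :", page_safe(conn, payload))
    print("table still exists? :", table_exists(conn, "Orders_Pend"))
```

The single-quote probe is informative only because the application echoes the error; the parameterized version neither errors on the quote nor runs the stacked statement, and returns a generic message for genuine failures so the backend is not fingerprinted through the web interface.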