12/9/2022 - THM Auth Bypass, Logic Flaw, Cookies, IDOR Flashcards

1
Q

What is Directory Traversal attack?

A

Using web application user input to traverse the web server's directories and access files outside the intended path

2
Q

Types of File Inclusion

A

Remote File Inclusion (RFI)
Local File Inclusion (LFI)

3
Q

What PHP functions does Local File Inclusion leverage?

A

include
require
include_once
require_once

4
Q

What is IDOR?

A

Insecure Direct Object Reference:
An access control vulnerability where a user-supplied identifier is used directly to access resources, without checking that the user is authorised for them

5
Q

Example(s) of IDOR

A

Viewing other users' online resources (profiles, orders, policies, etc.) by changing the user_id parameter

Create two accounts on the same website and swap their IDs to check whether one account can access the other's resources

6
Q

How can IDORs be obfuscated?

What two key areas are they usually found in?

A

Base64-encoded IDs (obfuscation)
Hashed IDs (obfuscation)

AJAX requests
Cookies

7
Q

What are mitigation techniques against Directory Traversal attacks?

A

Keep systems patched

Turn off PHP errors to prevent revealing sensitive system info

Web Application Firewalls (WAFs)

Disable PHP features that allow file inclusion (e.g. allow_url_fopen, allow_url_include)

Input Validation

Implement whitelisting and blacklisting of filenames and locations
