1.3 Flashcards
Given a scenario, analyze potential indicators associated with application attacks.
Privilege Escalation
Gaining higher-level access to a system by exploiting a vulnerability to obtain more capabilities. Patches for these vulnerabilities are high priority.
Horizontal Privilege Escalation
Does not move up to a higher access level; instead, the attacker gains access to another user's resources.
Mitigating Privilege Escalation
Patch quickly; antivirus and anti-malware can block known vulnerabilities. Data execution prevention (DEP) allows only code in executable memory areas to run. Address space layout randomization (ASLR) prevents a buffer overrun from targeting known memory addresses.
Cross Site Scripting
Cross Site Scripting (XSS) was originally associated with a browser vulnerability where information from one site would be shared with another. It is one of the most common web application development errors and can take advantage of the trust a user has for a site.
Non Persistent (Reflected) XSS Attack
A website allows scripts to run from user input (such as search boxes). The attacker emails a link that takes advantage of this vulnerability; the script embedded in the URL executes in the victim's browser.
Persistent (Stored) XSS Attack
The attacker posts a message to a social network with no specified target; every viewer of the page is a victim.
Protect against XSS
Never click untrusted links, disable JavaScript (difficult in today’s web), keep your browser up to date, and developers should validate their input data.
Code Injection
An attacker adds their own code into a data stream; usually a vulnerability caused by bad programming.
SQL Injection
A code injection attack targeting SQL - the most common relational database management system.
XML Injection
Extensible Markup Language (XML) is a set of rules for data transfer. A code injection attack that modifies XML requests.
LDAP Injection
A code injection attack that modifies LDAP requests to manipulate application results.
DLL Injection
A code injection attack that injects a Dynamic-Link Library (DLL) into an application to make it run the attacker's program.
Buffer Overflows
Attackers take advantage of poor programming by overflowing a memory buffer so that data spills over into other memory areas. This is a difficult exploit; it takes time to make it do what you want without crashing the application.
Replay Attack
Attackers take advantage of information transferred over the network by gaining access to the raw network data (network tap, ARP poisoning, malware). The gathered information may then be replayed across the network so the attacker appears to be someone else.
Pass the Hash
A type of replay attack where the attacker gains access to the hash and replays it back to the server to pretend to be the original workstation.
The attack can be avoided by salting the hash or encrypting the information sent to the server.
Browser Cookies
Cookies can store information that could be used for replay attacks - personalization, session management.
Session IDs are often stored in the cookies, and attackers can use that to pose as someone else without needing a username or password.
Prevent Session Hijacking
Encrypt end-to-end communication; use protocols like HTTPS instead of HTTP.
Encrypt end-to-somewhere with options like a personal VPN; the traffic is in the clear for part of the journey but still has some encryption.
Cross-site Requests
Cross-site requests are common and legitimate; one web page may gather information from several other websites. Most of these are unauthenticated requests.
Cross-Site request forgery
Also called a one-click attack or session riding (XSRF, CSRF); it takes advantage of the trust a web app has for the user. Significant web application development oversights allow these attacks; a cryptographic token can be used to prevent them.
Server-side Request Forgery (SSRF)
The attacker finds a vulnerable web application and sends a request to the web server, and the server performs the request on behalf of the attacker. This attack occurs because of bad programming; the server should always validate the input and output from the user. These are rare but critical vulnerabilities.
Zero Day Attack
An unknown vulnerability that can be exploited.
Shimming
Windows includes its own shim that allows backwards compatibility with previous Windows versions. Malware authors write their own shims to get around security.
Refactoring
Attackers can refactor (or change the appearance of the code) to make the malware look different and let it go undetected by anti-malware software.
SSL Stripping/HTTP Downgrade
Combines an on-path attack with a downgrade attack: the attacker sits in the middle of the conversation and strips away its security measures. The victim does not see any significant problem except that the browser page isn't encrypted. This is a client/server problem; everything needs to be up to date.
SSL & TLS
- SSL 2.0 - ended 2011
- SSL 3.0 - ended 2015
- TLS 1.0 - upgraded SSL, can be downgraded to SSL 3.0 (less secure)
- TLS 1.1 - ended 2020
- TLS 1.2 & TLS 1.3 - Latest TLS standards
Race Condition
A programming issue that occurs when multiple things run at the same time; it can be vulnerable if the programmer didn't plan for it.
TOCTOU
Time of check to time of use attack - an attack that takes advantage of a race condition.
Memory Vulnerabilities
Memory leak: unused memory is not properly released, and memory use grows over time. Eventually it will consume all memory and the system will crash.
Null Pointer Dereference
A programming technique that references a portion of memory; attackers cause the reference to point to nothing.
Integer Overflow
A large number placed into a smaller-sized space; you shouldn't be able to manipulate memory this way. A programming oversight.
Directory Traversal
Read files from a web server that are outside of the website’s file directory.
Improper Error Handling
Errors should show just enough information and avoid revealing any sensitive data.
Improper Input Handling
Many applications accept user input, and all input should be considered malicious. Always check and validate the user input.
API Attack
Attackers look for vulnerabilities in the application programming interface.