1.3 Given a scenario, analyze potential indicators associated with application attacks. Flashcards

1
Q

Privilege escalation

A

Privilege escalation is the act of exploiting a bug, a design flaw, or a configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user.

2
Q

Cross-site scripting

A

Cross-site scripting, commonly referred to as XSS, occurs when hackers execute malicious JavaScript within a victim’s browser.

Unlike Remote Code Execution (RCE) attacks, the code is run within a user’s browser. Upon initial injection, the site typically isn’t fully controlled by the attacker. Instead, the bad actor attaches their malicious code on top of a legitimate website, essentially tricking browsers into executing their malware whenever the site is loaded.

3
Q

Injections - Structured Query Language (SQL)

A

An SQL injection is a type of cyber attack in which a hacker uses a piece of SQL (Structured Query Language) code to manipulate a database and gain access to potentially valuable information.

4
Q

Injections - Dynamic-link library (DLL)

A

A dynamic link library (DLL) is a collection of small programs that larger programs can load when needed to complete specific tasks. The small program, called a DLL file, contains instructions that help the larger program handle what may not be a core function of the original program.

5
Q

Injections - Lightweight Directory Access Protocol (LDAP)

A

LDAP Injection is an attack used to exploit web based applications that construct LDAP statements based on user input. When an application fails to properly sanitize user input, it’s possible to modify LDAP statements using a local proxy.

6
Q

Injections - Extensible Markup Language (XML)

A

XML Injection is an attack technique used to manipulate or compromise the logic of an XML application or service. The injection of unintended XML content and/or structures into an XML message can alter the intended logic of the application.

7
Q

Pointer/object dereference

A

A programming technique that references a portion of memory. Sometimes programs do not clean up, and that space can be used to hide.

8
Q

Directory traversal

A

Directory traversal or Path Traversal is an HTTP attack which allows attackers to access restricted directories and execute commands outside of the web server’s root directory. An Access Control List is used in the authorization process.

9
Q

Buffer overflows

A

Coding errors are typically the cause of buffer overflow. Common application development mistakes that can lead to buffer overflow include failing to allocate large enough buffers and neglecting to check for overflow problems.

10
Q

Stack overflow attack

A

This is the most common type of buffer overflow attack and involves overflowing a buffer on the call stack.

Heap overflow attack - This type of attack targets data in the open memory pool known as the heap.

11
Q

Race conditions

A

A race condition attack happens when a computing system that’s designed to handle tasks in a specific sequence is forced to perform two or more operations simultaneously.

12
Q

Time of check/time of use

A

In software development, time-of-check to time-of-use (TOCTOU, TOCTTOU or TOC/TOU) is a class of software bugs caused by a race condition involving the checking of the state of a part of a system (such as a security credential) and the use of the results of that check.

13
Q

Error handling

A

Improper handling of errors can introduce a variety of security problems for a web site. The most common problem is when detailed internal error messages such as stack traces, database dumps, and error codes are displayed to the user (hacker). These messages reveal implementation details that should never be revealed.

14
Q

Improper input handling

A

When software does not validate input properly, an attacker is able to craft the input in a form that is not expected by the rest of the application. This will lead to parts of the system receiving unintended input, which may result in altered control flow, arbitrary control of a resource, or arbitrary code execution.

15
Q

Replay attack

A

A replay attack is a form of network attack in which valid data transmission is maliciously or fraudulently repeated or delayed. This is carried out either by the originator or by an adversary who intercepts the data and re-transmits it, possibly as part of a spoofing attack by IP packet substitution.

16
Q

Session replays

A

Session replay attacks are network-based security hacks that delay, replay, or repeat the valid transmission of data between a genuine user and a site. Hackers are able to perform these attacks by following an easy three-step process.

17
Q

Integer overflow

A

An integer overflow occurs when you attempt to store inside an integer variable a value that is larger than the maximum value the variable can hold. The C standard defines this situation as undefined behavior (meaning that anything might happen).
An integer overflow can cause the value to wrap and become negative, which violates the program’s assumption and may lead to unexpected behavior (for example, 8-bit integer addition of 127 + 1 results in −128, a two’s complement of 128).

18
Q

Request forgeries - Cross-site

A

Cross-Site Request Forgery, often abbreviated as CSRF, is a possible attack that can occur when a malicious website, blog, email message, instant message, or web application causes a user’s web browser to perform an undesired action on a trusted site at which the user is currently authenticated.

19
Q

Request forgeries - Server-side

A

Server-side request forgery (SSRF) is an attack that allows attackers to send malicious requests to other systems via a vulnerable web server. Listed in the OWASP Top 10 as a major application security risk, SSRF vulnerabilities can lead to information exposure and open the way for far more dangerous attacks.

20
Q

Application programming interface (API) attacks

A

An API attack is hostile usage, or attempted hostile usage, of an API. Below are some of the many ways that attackers can abuse an API endpoint.

21
Q

Resource exhaustion

A

Resource exhaustion attacks are computer security exploits that crash, hang, or otherwise interfere with the targeted program or system. They are a form of denial-of-service attack but are different from distributed denial-of-service attacks, which involve overwhelming a network host such as a web server with requests from many locations.

22
Q

Memory leak

A

A memory leak is an unintentional form of memory consumption whereby the developer fails to free an allocated block of memory when no longer needed. The consequences of such an issue depend on the application itself.

If you have a memory leak and get to the point of almost running out of memory, the normal procedure is to reboot the machine in order to clear out the memory. You can use RAMMap to clear areas of memory negating the need to reboot the machine.

23
Q

Secure Sockets Layer (SSL) stripping

A

SSL stripping is a technique by which a website is downgraded from https to http. In other words, the attack is used to circumvent the security which is enforced by SSL certificates on https sites. This is also known as SSL downgrading.

24
Q

Driver manipulation

A

Operating systems use drivers to interact with hardware devices or software components. For example, when you print a page using Microsoft Word, Word accesses the appropriate print driver via the Windows operating system.

25
Q

Shimming

A

A driver shim is additional code that can be run instead of the original driver. When an application attempts to call an older driver, the operating system intercepts the call and redirects it to run the shim code instead.

26
Q

Refactoring

A

Refactoring code is the process of rewriting the internal processing of the code, without changing its external behavior. … If the attackers can fool the operating system into using a manipulated driver, they can cause it to run malicious code contained within the manipulated driver.

27
Q

Pass the hash

A

A Pass-the-Hash (PtH) attack is a technique whereby an attacker captures a password hash (as opposed to the password characters) and then simply passes it through for authentication and potentially lateral access to other networked systems. The threat actor doesn’t need to decrypt the hash to obtain a plaintext password. PtH attacks exploit the authentication protocol, as the password hash remains static for every session until the password is rotated. Attackers commonly obtain hashes by scraping a system’s active memory and other techniques.