1.3 Given a scenario, analyze potential indicators associated with application attacks. Flashcards

1
Q

Privilege escalation

A

is the act of exploiting a bug, a design flaw, or a configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. The result is that an application with more privileges than intended by the application developer or system administrator can perform unauthorized actions.

2
Q

Cross-site scripting

A

Cross-site scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.

An attacker can use this attack to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.

3
Q

Reflected XSS

A

occurs when user input is immediately returned by a web application in an error message, search result, or any other response that includes some or all of the input provided by the user as part of the request, without that data being made safe to render in the browser, and without permanently storing the user-provided data. In some cases, the user-provided data may never even leave the browser.

4
Q

Stored XSS

A

generally occurs when user input is stored on the target server, such as in a database, message forum, visitor log, comment field, etc., and a victim is then able to retrieve the stored data from the web application without that data being made safe to render in the browser. With the advent of HTML5 and other browser technologies, we can envision the attack payload being permanently stored in the victim’s browser, such as in an HTML5 database, and never being sent to the server at all.

5
Q

DOM Based XSS

A

is a form of XSS where the entire tainted data flow from source to sink takes place in the browser, i.e., the source of the data is in the DOM, the sink is also in the DOM, and the data flow never leaves the browser. For example, the source could be the URL of the page or an element of the HTML, and the sink is a sensitive method call that causes the execution of the malicious data.

6
Q

SQL injection

A

is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. It generally allows an attacker to view data that they are not normally able to retrieve. This might include data belonging to other users, or any other data that the application itself is able to access. In many cases, an attacker can modify or delete this data, causing persistent changes to the application’s content or behavior.

7
Q

DLL Injection

A

is commonly performed by writing the path to a DLL in the virtual address space of the target process before loading the DLL by invoking a new thread. The write can be performed with native Windows API calls such as VirtualAllocEx and WriteProcessMemory, then invoked with CreateRemoteThread (which calls the LoadLibrary API responsible for loading the DLL).

8
Q

LDAP injection

A

An LDAP injection attack exploits security loopholes caused by unsanitized user input data. In other words, LDAP injections create malformed queries to gain access in order to potentially change data in a directory. LDAP queries contain special characters such as asterisks, brackets, ampersands and quotes. These characters control the meaning of LDAP queries and dictate the type and number of objects returned by a query.

9
Q

XML injection

A

is when user-supplied input isn’t escaped or sanitized before it is added to a web application’s XML documents, which are then processed and executed.

10
Q

Pointer/object dereference

A

The program can potentially dereference a null pointer, thereby raising a NullPointerException. Null pointer errors are usually the result of one or more programmer assumptions being violated. Most null pointer issues result in general software reliability problems, but if an attacker can intentionally trigger a null pointer dereference, the attacker might be able to use the resulting exception to bypass security logic or to cause the application to reveal debugging information that will be valuable in planning subsequent attacks.

11
Q

Directory traversal

A

is a web security vulnerability that allows an attacker to read arbitrary files on the server that is running an application. This might include application code and data, credentials for back-end systems, and sensitive operating system files. In some cases, an attacker might be able to write to arbitrary files on the server, allowing them to modify application data or behavior, and ultimately take full control of the server.

12
Q

Buffer overflows

A

A buffer overflow occurs when the amount of data written to a buffer exceeds its storage capacity. The extra data overflows into adjacent memory locations and corrupts or overwrites the data in those locations.

13
Q

Race conditions

A

A race condition occurs when two or more threads can access shared data and try to change it at the same time. Because the thread scheduling algorithm can swap between threads at any time, you don’t know the order in which the threads will attempt to access the shared data. Therefore, the result of the change in data is dependent on the thread scheduling algorithm, i.e. both threads are “racing” to access/change the data.

14
Q

Error Handling

A

You should make sure that your error messages show just enough information that people understand what the error might be and can report it to someone else. But you want to be sure to avoid showing information such as the network you’re connected to, a dump of memory, stack traces or even database dumps. If you’re showing that as part of an error message, an attacker may be able to use those details to learn more about the underlying system. Fortunately, this is a relatively easy issue to fix as long as you have control of the development process for that application.

15
Q

Improper Input Handling

A

is the term used to describe functions such as validation, sanitization, filtering, or encoding and/or decoding of input data.

16
Q

Replay attack

A

An attack that involves the capture of transmitted authentication or access control information and its subsequent retransmission with the intent of producing an unauthorized effect or gaining unauthorized access.

17
Q

Session Hijack Attack

A

An attack in which the attacker is able to insert himself or herself between a claimant and a verifier subsequent to a successful authentication exchange between the latter two parties. The attacker is able to pose as a subscriber to the verifier or vice versa to control session data exchange. Sessions between the claimant and the RP can be similarly compromised.

18
Q

integer overflow

A

happens when an attempt is made to store a value that is too large for an integer type. The range of values that can be stored in an integer type is better represented as a circular number line that wraps around.

19
Q

Cross Site Request Forgery (CSRF)

A

is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker’s choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application.

20
Q

Server-side request forgery (SSRF)

A

Server-side request forgery (also known as SSRF) is a web security vulnerability that allows an attacker to induce the server-side application to make requests to an unintended location.

In a typical SSRF attack, the attacker might cause the server to make a connection to internal-only services within the organization’s infrastructure. In other cases, they may be able to force the server to connect to arbitrary external systems, potentially leaking sensitive data such as authorization credentials.

21
Q

What is the difference between XSS and CSRF?

A

Cross-site scripting (or XSS) allows an attacker to execute arbitrary JavaScript within the browser of a victim user.

Cross-site request forgery (or CSRF) allows an attacker to induce a victim user to perform actions that they do not intend to.

The consequences of XSS vulnerabilities are generally more serious than for CSRF vulnerabilities:

CSRF often only applies to a subset of actions that a user is able to perform. Many applications implement CSRF defenses in general but overlook one or two actions that are left exposed. Conversely, a successful XSS exploit can normally induce a user to perform any action that the user is able to perform, regardless of the functionality in which the vulnerability arises.

CSRF can be described as a "one-way" vulnerability, in that while an attacker can induce the victim to issue an HTTP request, they cannot retrieve the response from that request. Conversely, XSS is "two-way", in that the attacker's injected script can issue arbitrary requests, read the responses, and exfiltrate data to an external domain of the attacker's choosing.

22
Q

Application programming interface (API) attacks

A

is abusive or manipulative usage, or attempted usage, of an API, commonly used to breach data or manipulate a commerce solution.

23
Q

Resource exhaustion attack

A

are computer security exploits that crash, hang, or otherwise interfere with the targeted program or system. They are a form of denial-of-service attack but are different from distributed denial-of-service attacks, which involve overwhelming a network host such as a web server with requests from many locations.

24
Q

Memory leak

A

A vulnerability that often ends with the system crashing or the application failing is a memory leak. In a normal application, memory is allocated for storage or for calculations, and when that memory is no longer in use it’s returned to the system. With a memory leak, that memory is never returned to the system, and the application continues to use more and more memory until eventually it uses all of the available memory, which ultimately crashes either the application or the operating system it’s running on.

25
Q

Secure Sockets Layer (SSL) stripping

A

is a technique that downgrades your connection from secure HTTPS to insecure HTTP and exposes you to eavesdropping and data manipulation.

26
Q

Application Shimming

A

There are also shims built into your operating system. Windows has one called Windows compatibility mode. You can run an application, but have Windows run that application as if it were running in a different version of the operating system. This allows older applications to run in newer versions of Windows. You just have to tell the newest version of Windows which version of Windows the application should run as.

This also uses an application compatibility shim cache to cache the information being transferred between the existing operating system and the one being emulated as the previous operating system. Malware authors have found that they can take advantage of this shimmed area to put malware onto a computer and get around some security features, such as the User Account Control that exists inside of Windows.

A good example of a malware author taking advantage of this was in January of 2015. Microsoft released a vulnerability statement that said that someone could take advantage of this compatibility mode to elevate the privilege of the current user on that system.

27
Q

Refactoring

A

You might also see this referenced as metamorphic malware. This means that when your system is downloading this malware, it’s downloading a unique version of that malware that will not match any of the signatures in your antivirus or anti-malware software. The malware author will add additional code to the malware, such as a NOP (no-operation) instruction that effectively doesn’t do anything but makes the malware look different.

Or they might add loops or pointless code strings so that a signature can’t match this particular executable. This executable uses refactoring to reorder functions, modify the flow of the application itself, or reorder the code so that it looks different from any signature that might already be in the antivirus software. This means that if you’re trying to stop this particular kind of malware, you’re going to need other types of layered approaches to identify and stop anything that might have been refactored.

28
Q

Pass the Hash attack

A

is a technique whereby an attacker captures a password hash (as opposed to the password characters) and then simply passes it through for authentication and potentially lateral access to other networked systems. The threat actor doesn’t need to crack the hash to obtain a plaintext password. PtH attacks exploit the authentication protocol, as the password’s hash remains static for every session until the password is rotated. Attackers commonly obtain hashes by scraping a system’s active memory and other techniques.