1.3 Given a scenario, analyze potential indicators associated with application attacks. Flashcards
Privilege escalation
Occurs when user obtains greater permissions or access
Cross-site scripting (XSS)
An attack in which an attacker injects malicious script (usually JavaScript) into the output of a trusted application or website so that it executes in other users' browsers; abbreviated XSS rather than CSS to avoid confusion with Cascading Style Sheets
Persistent (stored) XSS
Payload is stored on the web server (e.g. in a comment, profile field, or database record) and served to every future visitor of the page
Reflective XSS
Occurs when a malicious script carried in a request (e.g. a URL parameter) is reflected by the web application straight back into the response; the victim must be tricked into following a crafted link
Document Object Model (DOM) XSS
Happens when client-side script writes attacker-controlled data (e.g. from the URL fragment) into the document object model (DOM) in the victim's browser
Performs all malicious actions w/o the payload ever reaching the web server, so server-side filters and logs do not see it
Protection methods (server-side)
Maintaining patched web server
Using WAFs
Operating host-based intrusion detection system (HIDS)
Auditing
Performing server-side input validation for length and malicious content, and encoding/escaping output for the context it is placed in (HTML body, attribute, URL, script)
Protection methods (client-side)
System patching
AV
Avoid non-mainstream websites
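The escaping and validation the cards above describe, as an added example that is not part of the original flashcard deck. It contrasts unescaped rendering with HTML-escaped rendering and shows that escaping is context-specific: a `javascript:` URL placed in an href carries no HTML metacharacters at all, so the URL context needs a scheme allowlist instead. Function names, the payload strings, and the allowlist are assumptions made for the demonstration.

```python
import html
from urllib.parse import urlsplit

# Vulnerable: user-controlled text is pasted straight into HTML markup,
# so a stored or reflected payload becomes live markup in the victim's browser.
def render_greeting_unsafe(name: str) -> str:
    return f"<p>Hello {name}</p>"

# Safe for the HTML body/attribute context: <, >, &, " and ' are encoded,
# so the browser shows the payload as text instead of parsing it.
def render_greeting_safe(name: str) -> str:
    return f"<p>Hello {html.escape(name, quote=True)}</p>"

# The URL context is different: "javascript:alert(1)" survives html.escape
# untouched yet still executes when the link is followed. Validate the
# scheme against an allowlist (assumed policy: only http and https).
ALLOWED_SCHEMES = {"http", "https"}

def render_link_safe(url: str, label: str) -> str:
    scheme = urlsplit(url.strip()).scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"refusing link with scheme {scheme!r}")
    # Still escape for the attribute context once the scheme is acceptable.
    return f'<a href="{html.escape(url, quote=True)}">{html.escape(label)}</a>'


if __name__ == "__main__":
    # Constructed stored-XSS style payload: no <script> tag needed.
    payload = "<img src=x onerror=alert(1)>"
    print(render_greeting_unsafe(payload))
    print(render_greeting_safe(payload))
    print(render_link_safe("https://example.com/?a=1&b=2", "docs"))
```

Relative links (`/docs`) have no scheme and are rejected by this allowlist; extend it deliberately if an application needs them, rather than loosening the check to a denylist of bad schemes.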
Injections
Any exploitation allowing an attacker to submit code to target system to modify operations
Structured Query Language (SQL) Injection (SQLi)
Uses unexpected input that is concatenated into a SQL query so that it changes the query's logic (e.g. ' OR '1'='1), letting the attacker read, modify, or delete data the app never intended to expose
Protection methods:
Parameterized queries (prepared statements) so input is never parsed as SQL; input validation/sanitization as a second layer
Dynamic-link library (DLL)
Collection of code designed to be loaded and used as needed by a process
Performs common functions and widely used
Dynamic-link library (DLL) injection
Manipulating a process’s memory to load additional code, performing operations not intended
Performed by replacing a valid DLL file w/ a modified one (or planting a same-named DLL earlier in the DLL search path) OR manipulating an active process into loading a malicious DLL
Protection methods to Dynamic-link library (DLL) injection:
Load DLLs by fully qualified path rather than letting the OS search for them by name, and enable safe DLL search mode
Lightweight Directory Access Protocol (LDAP) injection
Vulnerability in which queries are constructed from untrusted input without prior validation or sanitization
Protection methods:
Input sanitization
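Sanitization for the LDAP case means escaping the filter metacharacters defined in RFC 4515 (backslash, asterisk, parentheses, NUL) before the value goes into the filter string. The following is an added example, not part of the original deck; the filter shape, the injected username, and the allowlist pattern are assumptions for the demonstration.

```python
import re

# RFC 4515 escaping for values embedded in an LDAP search filter.
_LDAP_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_ldap_filter_value(value: str) -> str:
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


# Assumed allowlist for account names; rejecting odd characters up front is the
# cheapest defense, with escaping as the backstop for what gets through.
_USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")


def is_valid_username(username: str) -> bool:
    return _USERNAME_RE.fullmatch(username) is not None


def login_filter_unsafe(username: str) -> str:
    # Vulnerable: parentheses and * from the input become filter syntax.
    return f"(&(uid={username})(objectClass=person))"


def login_filter_safe(username: str) -> str:
    return f"(&(uid={escape_ldap_filter_value(username)})(objectClass=person))"


if __name__ == "__main__":
    injected = "*)(uid=*))(|(uid=*"      # constructed classic LDAP injection string
    print(login_filter_unsafe(injected))  # attacker closes the clause and ORs in a wildcard
    print(login_filter_safe(injected))    # metacharacters become literal \2a, \28, \29
    print(is_valid_username(injected))    # False: never reaches the directory at all
```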
Lightweight Directory Access Protocol (LDAP) is a common software protocol designed to enable anyone on a network to find resources such as other individuals, files, and devices.
Extensible Markup Language (XML) injection
An attack that inserts XML metacharacters or elements into data a web application embeds in XML it generates or parses, altering the document's structure or meaning
Pointer/object dereference
Dereferencing is the operation that accesses the value stored at the memory address a pointer holds; the attack indicator is a dereference of a pointer that points to nothing valid (null, freed, or attacker-controlled), which crashes the process (denial of service) or, in native code, opens the door to memory corruption
Directory traversal
Attack that uses path sequences such as ../ in a request to reach files outside the web root, elsewhere on the filesystem of the web server's host OS
Commonly achieved by manipulating the URL, often with encoded variants (e.g. %2e%2e%2f) to slip past naive filters
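A check that maps a client-supplied path onto the filesystem and refuses anything that resolves outside the web root, as an added example that is not part of the original deck. It decodes percent-encoding once before checking (so `%2e%2e` is seen as `..`), canonicalizes with `os.path.realpath` (so symlinks inside the root that point outside are also caught), and compares the result against the real root. The root directory and file layout are constructed by the caller.

```python
import os
from urllib.parse import unquote


def resolve_under_root(root: str, requested: str) -> str:
    """Return the real filesystem path for `requested`, or raise PermissionError
    if it escapes `root`. `requested` is the raw path from the URL."""
    root_real = os.path.realpath(root)
    decoded = unquote(requested)  # decode exactly once; do not loop until stable
    # os.path.join discards root_real when `decoded` is absolute; the commonpath
    # check below catches that case as well as ../ sequences and symlink escapes.
    candidate = os.path.realpath(os.path.join(root_real, decoded))
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise PermissionError(f"path escapes web root: {requested!r}")
    return candidate


if __name__ == "__main__":
    import tempfile
    root = tempfile.mkdtemp()                       # constructed web root
    os.makedirs(os.path.join(root, "docs"))
    open(os.path.join(root, "docs", "a.txt"), "w").close()
    print(resolve_under_root(root, "docs/a.txt"))
    for attempt in ("../../etc/passwd", "%2e%2e/%2e%2e/etc/passwd", "/etc/passwd"):
        try:
            resolve_under_root(root, attempt)
        except PermissionError as exc:
            print("blocked:", exc)
```

Decoding exactly once matters: a double-encoded `%252e%252e` becomes the literal file name `%2e%2e` after one decode, which is harmless, whereas decoding in a loop would turn it into `..` again after the check had been written around the first result.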
Buffer overflows
Memory exploitation taking advantage of software lack of input length validation
This results in extra data “overflowing” assigned memory buffer and overwriting memory in adjacent locations
Protection methods to buffer overflow
Input validation checks in code
Data execution prevention (DEP)
-Blocks execution of code stored in areas of memory designated as data-only areas
Address space layout randomization (ASLR)
-Randomizes the base addresses of a process's stack, heap, and loaded libraries each time it starts (and of the kernel at bootup), so an attacker cannot predict where injected code or reusable code fragments reside
No-eXecute (NX) bit
-CPU page-table bit that marks a memory page as non-executable; the hardware mechanism DEP relies on to separate pages that hold code from pages that hold data
Race conditions
Attack based on predictability of task execution or timing of execution
Protection methods to race condition
Lock shared resources before use and release them in a consistent (reverse) order; prefer operations that check and use in one atomic step
Time of check/time of use (TOCTTOU or TOC/TOU)
A race condition in which the attacker races the legitimate process to replace an object (e.g. a file) between the moment it is checked and the moment it is used
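The TOC/TOU window and the "check the object you actually opened" fix, as an added example that is not part of the original deck. To make the race deterministic, both functions accept an optional `race_hook` callback that stands in for the attacker winning the race at exactly the vulnerable moment; the two files and the symlink swap are constructed inside `run_demo`. `os.O_NOFOLLOW` is assumed to be available (POSIX), and the demonstration assumes the attacker can replace a file in the directory, which is the usual precondition for this bug.

```python
import os
import stat


def read_regular_file_unsafe(path: str, race_hook=None) -> bytes:
    """Check by name, then open by name: the classic TOC/TOU window."""
    st = os.lstat(path)                          # time of check, on the name
    if not stat.S_ISREG(st.st_mode):
        raise PermissionError("not a regular file")
    if race_hook is not None:
        race_hook()                               # attacker swaps the name here
    with open(path, "rb") as f:                   # time of use: name resolved again
        return f.read()


def read_regular_file_safe(path: str, race_hook=None) -> bytes:
    """Open first, then check the object that was actually opened."""
    # O_NOFOLLOW: refuse to open through a symlink at all.
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    with os.fdopen(fd, "rb") as f:                # f now owns the descriptor
        if race_hook is not None:
            race_hook()                           # swapping the name no longer matters
        st = os.fstat(f.fileno())                 # check the open object, not the name
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("not a regular file")
        return f.read()


def run_demo(tmpdir: str) -> tuple:
    """Constructed scenario: public.txt is allowed, secret.txt is not.
    Returns (bytes the unsafe reader served, bytes the safe reader served)."""
    public = os.path.join(tmpdir, "public.txt")
    secret = os.path.join(tmpdir, "secret.txt")
    with open(secret, "wb") as f:
        f.write(b"secret")

    def write_public():
        if os.path.lexists(public):
            os.remove(public)
        with open(public, "wb") as f:
            f.write(b"public")

    def attacker_swap():                          # runs inside the race window
        os.remove(public)
        os.symlink(secret, public)

    write_public()
    served_unsafe = read_regular_file_unsafe(public, attacker_swap)  # follows the swap
    write_public()
    served_safe = read_regular_file_safe(public, attacker_swap)      # reads the original inode
    return served_unsafe, served_safe


if __name__ == "__main__":
    import tempfile
    print(run_demo(tempfile.mkdtemp()))   # (b'secret', b'public')
```

After `attacker_swap` has run, a fresh call to `read_regular_file_safe` on the same name fails in `os.open` because of `O_NOFOLLOW`, which is the behaviour you want: deny, not silently follow.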
Error handling
May allow for leaking of essential information to attackers or enable attacker to force a system into an insecure state
Fail-secure system
Reverting to a second, closed, protective state in event of failure, rather than open and insecure state where info can be disclosed/modified
Protection methods to Error handling
Log full error details (stack traces, query text, paths) for administrators only, and return generic messages with a correlation ID to users
Improper input handling
When app is designed to simply accept whatever data is submitted w/o validation/sanitization.
Input validation
Checking input received before it’s allowed to be processed
Replay attack
Attacker capturing network traffic, replaying captured traffic in attempt to gain unauthorized access
Mostly related to legacy systems/services
Most modern authentication systems use packet sequencing, time stamps, challenge-response, and ephemeral session encryption
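The timestamp, nonce, and keyed-MAC pattern the card above lists, as an added example that is not part of the original deck. The sender signs the timestamp, a random nonce, and the body with HMAC-SHA256; the receiver checks the MAC, rejects stale messages, and remembers nonces inside the freshness window so an exact copy of an accepted message is refused. The key, window length, and message layout are assumptions for the demonstration.

```python
import hashlib
import hmac
import json
import secrets


def _mac(key: bytes, ts: int, nonce: str, body: str) -> str:
    # Canonical encoding so the fields cannot be shifted into one another.
    msg = json.dumps([ts, nonce, body], separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def sign_message(key: bytes, body: str, now: float, nonce=None) -> dict:
    """Client side: attach a timestamp, a fresh nonce, and a MAC over all three."""
    nonce = nonce if nonce is not None else secrets.token_hex(16)
    ts = int(now)
    return {"ts": ts, "nonce": nonce, "body": body, "mac": _mac(key, ts, nonce, body)}


class ReplayGuard:
    """Server side: verify MAC, freshness, and nonce uniqueness."""

    def __init__(self, key: bytes, window: int = 30):
        self.key = key
        self.window = window          # seconds of clock skew tolerated
        self._seen = {}               # nonce -> timestamp it arrived with

    def verify(self, msg: dict, now: float) -> tuple:
        expected = _mac(self.key, msg["ts"], msg["nonce"], msg["body"])
        if not hmac.compare_digest(expected, msg["mac"]):
            return False, "bad mac"                    # tampered or unkeyed
        if abs(now - msg["ts"]) > self.window:
            return False, "stale"                      # outside freshness window
        self._expire(now)
        if msg["nonce"] in self._seen:
            return False, "replay"                     # already accepted once
        self._seen[msg["nonce"]] = msg["ts"]
        return True, "ok"

    def _expire(self, now: float) -> None:
        # Nonces older than the window can be forgotten: a message that old
        # is rejected as stale before the nonce check is reached.
        for nonce, ts in list(self._seen.items()):
            if now - ts > self.window:
                del self._seen[nonce]


if __name__ == "__main__":
    key = b"constructed-shared-key"
    guard = ReplayGuard(key)
    m = sign_message(key, "transfer 100 to bob", now=1000)
    print(guard.verify(m, now=1001))    # (True, 'ok')
    print(guard.verify(m, now=1002))    # (False, 'replay')  captured and resent
    print(guard.verify(m, now=2000))    # (False, 'stale')   resent much later
```

Nonce storage has to be shared across all server instances that accept the same key, otherwise a captured message can be replayed against a different node.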
Session replay
Reusing a captured session identifier (cookie or token) to take over the victim's authenticated session; distinct from the "session replay" feature of analytics tools, which records a user's page activity for troubleshooting
Integer overflow
When a mathematical operation attempts to create a numeric value too large to be contained or represented by allocated storage/memory structure
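A worked instance of the size-calculation case, as an added example that is not part of the original deck. Python integers do not wrap, so the block emulates C's unsigned 32-bit multiplication by masking, and reports the bytes a C copy loop would have written past the undersized buffer instead of actually corrupting memory. The counts and element size are constructed for the demonstration.

```python
MASK32 = 0xFFFFFFFF


def alloc_size_wrapping(count: int, elem_size: int) -> int:
    """Emulates `uint32_t n = count * elem_size;` in C: the product silently wraps."""
    return (count * elem_size) & MASK32


def alloc_size_checked(count: int, elem_size: int) -> int:
    """Refuse a product that would not fit, before computing it."""
    if count < 0 or elem_size < 0:
        raise ValueError("negative sizes are not meaningful")
    if elem_size and count > MASK32 // elem_size:
        raise OverflowError("count * elem_size does not fit in 32 bits")
    return count * elem_size


def copy_records_wrapping(count: int, elem_size: int) -> tuple:
    """Models the classic bug: allocate with the wrapped size, then loop
    `count` times copying `elem_size` bytes each. Returns
    (buffer_length, bytes_written_past_the_buffer)."""
    buf_len = alloc_size_wrapping(count, elem_size)
    bytes_copied = count * elem_size         # the loop trusts `count`, not buf_len
    return buf_len, max(0, bytes_copied - buf_len)


if __name__ == "__main__":
    # 0x40000001 records of 4 bytes: the true size is 0x100000004,
    # which wraps to 4, so a 4-byte buffer receives 4 GiB of data.
    print(copy_records_wrapping(0x40000001, 4))   # (4, 4294967296)
    try:
        alloc_size_checked(0x40000001, 4)
    except OverflowError as exc:
        print("rejected:", exc)
```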
Request forgeries
Exploitations making malicious requests of a service, masquerading as legit or from a legit source
Server-side request forgery (SSRF)
Where a vulnerable server is coerced into making requests on the attacker's behalf (acting as a proxy), exploiting the trust other systems place in that server, e.g. to reach internal services or cloud metadata endpoints the attacker cannot reach directly
Cross-site request forgery (CSRF or XSRF), sometimes called client-side request forgery to contrast it with SSRF
Similar to XSS in that it abuses the visiting user's browser, but the target is the website's trust in that browser's authenticated session rather than the browser itself
Purpose is to trick the user or user's browser into submitting state-changing requests (transfers, password changes) the user did not intend or authorize
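The standard countermeasure, a per-session anti-CSRF token checked with a constant-time compare plus an Origin/Referer check, as an added example that is not part of the original deck. The request is modelled as plain dictionaries so it runs without a web framework; the session store, header names, and site origin are assumptions for the demonstration.

```python
import hmac
import secrets
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def issue_csrf_token(session: dict) -> str:
    """Mint a random token, store it in the server-side session, and return it
    for embedding in the form. The attacker's site cannot read it because the
    same-origin policy stops cross-site pages from reading our responses."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def _origin_of(url: str) -> str:
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def verify_state_changing_request(session: dict, method: str, headers: dict,
                                  form: dict, site_origin: str) -> tuple:
    """Gate for endpoints that change state. Returns (allowed, reason)."""
    if method.upper() in SAFE_METHODS:
        # A state change reachable by GET is forgeable with a plain <img> tag.
        return False, "state changes must use POST/PUT/DELETE"
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return False, "missing or wrong csrf token"
    source = headers.get("Origin") or headers.get("Referer")
    if source and _origin_of(source) != site_origin.lower():
        return False, "request originated from another site"
    return True, "ok"


if __name__ == "__main__":
    site = "https://bank.example"
    session = {"user": "alice"}                 # constructed logged-in session
    token = issue_csrf_token(session)
    legit = {"Origin": site}, {"to": "bob", "amount": "100", "csrf_token": token}
    forged = {"Origin": "https://evil.example"}, {"to": "mallory", "amount": "9999"}
    print(verify_state_changing_request(session, "POST", *legit, site))    # (True, 'ok')
    print(verify_state_changing_request(session, "POST", *forged, site))   # (False, ...)
```

Pair the token with `SameSite=Lax` (or `Strict`) on the session cookie so the browser does not attach the cookie to cross-site form posts in the first place; the token check then covers older browsers and any endpoints the cookie attribute does not protect.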
Application programming interface (API) attacks
Malicious usage of software through its API
API is how software communicates with other software for info exchange
Includes injection attacks, XSS, CSRF, SSRF, buffer overflows, race conditions, replay attacks, request forgery, etc.
Resource exhaustion
A system or a user of it consumes all of an available resource (CPU, memory, disk, connections, file handles), leaving nothing for legitimate work
Memory leak
Occurs when program fails to release memory or continues to consume more memory
Secure Sockets Layer (SSL) stripping
On-path (machine-in-the-middle) attack that downgrades the victim's HTTPS connection to plaintext HTTP by rewriting links and redirects, while the attacker keeps the encrypted leg to the server and reads everything in between
SSL is outdated, but the term is still used for TLS stripping; HTTP Strict Transport Security (HSTS), ideally with browser preloading, is the main defense
Driver manipulation
When a malicious actor crafts system or device driver behaving differently based on certain conditions
Can be implemented by original vendor or third party, whether legit or attacker
Shimming
Means of injecting alternate or compensation code into a system to alter operations w/o changing original code
Shim
Small software library able to intercept API calls and modifies content passed on to target
Can effect driver manipulation
Refactoring
Restructuring or reorganizing software code w/o changing its externally perceived behavior or produced results
Focus on improving software’s nonfunctional elements
Pass the hash
An attack in which an adversary steals a stored or in-memory password hash (classically the Windows NT hash) and authenticates with it directly, without cracking it, because NTLM challenge-response only needs the hash to compute a valid response