1.3 Given a scenario, analyze potential indicators associated with application attacks.

Question 1

Privilege escalation

Answer 1

Occurs when user obtains greater permissions or access

Question 2

Cross-site scripting (XSS/CSS)

Answer 2

An attack in which an attacker injects malicious executable scripts into the code of a trusted application or website.

Question 3

Persistent XSS

Answer 3

Stays on web server for future visitors

Question 4

Reflective XSS

Answer 4

Occur when a malicious script is reflected off of a web application to the victim’s browser

Question 5

Direct object model (DOM) XSS

Answer 5

Happens when a threat actor modifies the document object model (DOM) environment in the victim’s browser.

Performs all malicious actions w/o communicating w/ a web server

Question 6

Protection methods (server-side)

Answer 6

Maintaining patched web server

Using WAFs

Operating host-based intrusion detection system (HIDS)

Auditing

Performing server-side input validation for length, malicious content, and escaping/filtering metacharacters

Question 7

Protection methods (client-side)

Answer 7

System patching

AV

Avoid non-mainstream websites

Question 8

Injections

Answer 8

Any exploitation allowing an attacker to submit code to target system to modify operations

Question 9

Structured Query Language (SQL) Injection (SQLi)

Answer 9

Uses unexpected input to alter/compromise a web app

Protection methods:
Input sanitization

Question 10

Dynamic-link library (DLL)

Answer 10

Collection of code designed to be loaded and used as needed by a process

Performs common functions and widely used

Question 11

Dynamic-link library (DLL) injection

Answer 11

Manipulating a process’s memory to load additional code, performing operations not intended

Performed by replacing a valid DLL file w/ modified one OR manipulating an active process into using a malicious DLL

Question 12

Protection methods to Dynamic-link library (DLL) injection:

Answer 12

Hard code DLL calls into an app rather than allowing OS to select DLLs

Question 13

Lightweight Directory Access Protocol (LDAP) injection

Answer 13

Vulnerability in which queries are constructed from untrusted input without prior validation or sanitization

Protection methods:
Input sanitization

Lightweight Directory Access Protocol (LDAP) is a common software protocol designed to enable anyone on a network to find resources such as other individuals, files, and devices.

Question 14

Extensible Markup Language (XML) injection

Answer 14

a type of attack that targets web applications that generate XML content.

Question 15

Pointer/object dereference

Answer 15

An operation that allows you to access the value stored at the memory address pointed to by a pointer

Question 16

Directory traversal

Answer 16

Attack enabling movement into other portions of filesystem hosted by web server’s host OS

Commonly achieved by manipulating the URL

Question 17

Buffer overflows

Answer 17

Memory exploitation taking advantage of software lack of input length validation

This results in extra data “overflowing” assigned memory buffer and overwriting memory in adjacent locations

Question 18

Protection methods to buffer overflow

Answer 18

Input validation checks in code

Data execution prevention (DEP)
-Blocks execution of code stored in areas of memory designated as data-only areas

Address space layout randomization (ASLR)
-Ensures various elements of OS are loaded into randomly assigned memory at bootup

No-eXecute (NX) bit
-Bit used to segregate memory into an area to store code and another to store data

Question 19

Race conditions

Answer 19

Attack based on predictability of task execution or timing of execution

Question 20

Protection methods to race condition

Answer 20

Locking resources to be used, and unlocking them in reverse order

Question 21

Time of check/time of use (TOCTTOU or TOC/TOU)

Answer 21

Attacker racing with legitimate process to replace the object before it is used

Question 22

Error handling

Answer 22

May allow for leaking of essential information to attackers or enable attacker to force a system into an insecure state

Question 23

Fail-secure system

Answer 23

Reverting to a second, closed, protective state in event of failure, rather than open and insecure state where info can be disclosed/modified

Question 24

Protection methods to Error handling

Answer 24

Only give essential information to administrators, giving generic messages to unauthorized users

Question 25

Improper input handling

Answer 25

When app is designed to simply accept whatever data is submitted w/o validation/sanitization.

Question 26

Input validation

Answer 26

Checking input received before it’s allowed to be processed

Question 27

Replay attack

Answer 27

Attacker capturing network traffic, replaying captured traffic in attempt to gain unauthorized access

Mostly related to legacy systems/services

Most modern authentication systems use packet sequencing, time stamps, challenge-response, and ephemeral session encryption

Question 28

Session replay

Answer 28

Recording a victim’s activities, then replaying that session for troubleshooting

Question 29

Integer overflow

Answer 29

When a mathematical operation attempts to create a numeric value too large to be contained or represented by allocated storage/memory structure

Question 30

Request forgeries

Answer 30

Exploitations making malicious requests of a service, masquerading as legit or from a legit source

Question 31

Server-side request forgery (SSRF)

Answer 31

Where a vulnerable server is coerced into functioning as a proxy, exploiting trust relationships between servers and clients

Question 32

Cross-site request forgery (XSRF) aka Client-side request forgery (CSRF)

Answer 32

Similar to XSS, but focused on the visiting user’s web browser more than the website being visited

Purpose is to trick the user or user’s browser into performing actions not intended or unauthorized

Question 33

Application programming interface (API) attacks

Answer 33

Malicious usage of software through its API

API is how software communicates with other software for info exchange

Includes injection attacks, XSS, CSRF, SSRF, buffer overflows, race conditions, replay attacks, request forgery, etc.

Question 34

Resource exhaustion

Answer 34

A system or system user uses up all the available resources that the system has, leading it to be completely drained.

Question 35

Memory leak

Answer 35

Occurs when program fails to release memory or continues to consume more memory

Question 36

Secure Sockets Layer (SSL) stripping

Answer 36

On-path attack preventing negotiation of strong encryption between client and server

SSL is outdated, this term still is used for TLS stripping

Question 37

Driver manipulation

Answer 37

When a malicious actor crafts system or device driver behaving differently based on certain conditions

Can be implemented by original vendor or third party, whether legit or attacker

Question 38

Shimming

Answer 38

Means of injecting alternate or compensation code into a system to alter operations w/o changing original code

Question 39

Shim

Answer 39

Small software library able to intercept API calls and modifies content passed on to target

Can effect driver manipulation

Question 40

Refactoring

Answer 40

Restricting or reorganizing software code w/o changing externally perceived behavior or produced results
Focus on improving software’s nonfunctional elements

Question 41

Pass the hash

Answer 41

a type of cybersecurity attack in which an adversary steals a “hashed” user credential and uses it to create a new user session on the same network