1.3 Potential Indicators - Associated with Application Attacks

Question 1

Privilege escalation

Answer 1

• Important to patch quickly
• Anti virus/ malware should be aware of these vulnerabilities
• OS may have safeguards in place to prevent Privilege Escalation (ex: Data Execution Prevention)

Question 2

Data Execution Prevention

Answer 2

• Only data in executable areas can run

- Ex: data in the data section can’t run

Question 3

Address Space Layout Randomization

Answer 3

• Prevention tactic for privilege escalation
• Randomizes where information is stored in memory so if a hacker finds a way to take advance of a memory address on one system, they couldn’t duplicate it on another OS
• Prevent a buffer overrun at a known memory address

Question 4

Horizontal level access

Answer 4

• Another type of privilege escalation

Question 5

CVE 2020-1530

Answer 5

• Windows Remote Access of Elevation of Privilege vulnerability
• August 20, 2020 (affected Server 2008, 2012, 2016, 2019 and Windows 7, 8.1, 10)
• Specific to remote access on Windows, it affected many different OS going back many years
• The attacker would only need to run one program and they would have elevated access

Question 6

Cross-site scripting

Answer 6

• XSS (Not CSS)
• Originally associated with a browswer vulnerability that allowed information from one site could be shared with another
• These days now this can mean information from one site shared with an attacker
• One of the most common web application development errors
• Takes advantage of the trust a user has for a site
• Very common vulnerability
• Malware also uses JavaScript with a vulnerable website to gather information from your computer

Question 7

Non-persistent (reflected) XSS attack

Answer 7

• Found on a website that allows someone to run scripts on input boxes (ex: search field)
• Attacker needs the victim to click a specific type of link (this will start the reflected XSS). Targeted attack.
• Whatever the output / payload from the event is sent to attacker
• Often it’s session ids/ user credentials
• Very sneaky

Question 8

Persistent (stored) XSS attack

Answer 8

• Stored permanently on server and anyone visiting that page would be running script
• Often will see on sits that have a forum / messages and the XSS attack is embedded on post
• everyone who reads post will be infected
• anyone can run the script
• can spread very quickly when combined with social media sharing / liking

Question 9

Reflected vs stored XSS attack

Answer 9

• Reflected (non-persistent), targeted, user must click a specific link
• Stored XSS, can spread quickly b/c non targeted and anyone who visits a site is attacked

Question 10

Protecting yourself against XSS

Answer 10

• Never blindly click a link in your email inbox.
• Consider disabling JavaScript (or more realistically, get more control of your JavaScript through an extension)
• Keeping browswer up to date since many vulnerabilities are through the browser
• developers should validate all input fields

Question 11

Injection attacks

Answer 11

• When an attacker puts their own code into a data stream
• Often enabled b/c of bad programming b/c you shouldn’t be able to do this (application should properly handle input / output)
• Many different types of code you can inject: Html, SQL, XML, LDAP

Question 12

SQL Injection

Answer 12

• Very common type of injection
• If you can circumvent the front end you can gain access to the DB
• By slightly modifying inputs you can query or update a db from the front end (ex: ‘Or 1 =1’)

Question 13

XML Injection

Answer 13

• Extensible Markup Language
• Commonly used to transfer data b/n two different types of devices
• XML injections sends malformed XML off to another device
• a set of rules for data transfer and storage
• a good application would validate XML

Question 14

LDAP Injection

Answer 14

• LDAP (Lightweight Directory Access Protocol) server
• Commonly used to store information about authentication, like user name / password
• If you can inject data and gather information about authentication you can get a lot of sensitive info
• Created by telephone companies, now used by almost everyone

Question 15

DLL Injection

Answer 15

• Dynamic Link Library
• A windows library containing code and data
• A way to inject code into application and have code execute for us
• Ex: Process B (attacker) and Process A (victim). Process B will attach to first process and allocate memory for this DLL library and then copy DLL into Process A. Process A will execute as a new thread, running as Process A (which might have additional rights/ capabilities)

Question 16

Buffer Overflow Attack

Answer 16

• When one section of memory can overwrite a different section of memory.

Question 17

Cross-site requests

Answer 17

• See when visiting websites
• Browser loads text from server of site, maybe a few others.
• HTML on professormessor directs requests from your browswer
• when you’re gathering info from other sites, you dont have to log in, it’s simply provided
• it’s the trust ability in the browswer that allows this
• Some code is running on client side and some is server site
• Client side usually html / javascript
• server often html and php ( data transfer)

Question 18

Cross site request forgery

Answer 18

• AKA one click attack or session riding or XSRF or CSRF (sea surf)
• Take advantage of inherent trust a site has for your browswer
• Ex: Go to facebook and it goes to your page
• Attacker could send requests on your behalf
• This is the forgery portion (vs a simple cross site request which could be legitimate)
• Prevention: anti-forgery techniques (ex: cryptographic token to prevent information being forged)
• EX: Can be embedded in a link (and hope that they’re logged into the bank site)

Question 19

SSRF

Answer 19

• Server Side Request Forgery
• Requires the attacker finding an application susceptible to this type of attack
• web server will perform request on behalf of attacker
• Occurs b/c application is vulnerable. Never trust user input, server should validate the input and the responses
• These are rare but can be critical vulnerabilities
• Normally prevented by a WAF (Web application Firewall)
• Ex: Capital One attack

Question 20

Traditional anti-virus

Answer 20

• Very good at identifying known attacks
• Checks the signature and blocks anything that matches
• Attackers are also looking for new types of attacks (ex: Driver attacks)

Question 21

Zero-day attack

Answer 21

• New attack with no known signatures

Question 22

Driver attack

Answer 22

• Drivers are conduit b/n hardware and software
• keyboards, mouse, video all have drivers, many potential attack points
• Ex: May 2016 an audio chip driver had audio software that contained a debugging feature which enabled a keylogger

Question 23

Shimming

Answer 23

• Filling the space between two objects
• Shims in OS (Ex: Windows included it’s own shim that makes it backwards compatible, choosing an older version of windows)
• Malware can be put in shimmed area (can get around things like User Account Control) that are normally present. They can use this to elevate priveledge
• A middle man

Question 24

Refactoring

Answer 24

• Aka Metamorphic malware
• When system is downloading malware, it’s downloading a unique version of malware that won’t match any anti-virus
• Ex: Could add a NoP (No operating system) or add loops or pointless code strings to make the executable look unique. The executable can then reorder functions, modify application flow, reorder code and insert unused data types
• To stop this type of malware: need a layered approach to identify anything else that might have been refactored

Question 25

SSL Stripping

Answer 25

• HTPP downgrade - attacker manipulates the data flow
• Premise: Attackers know most communication b/n your computer and a server is encrypted (often HTTPS)
• Attacker can sit on the path of communication and modify the path so it can see all the data
• Ex: Proxy Server, ARP spoofing, rogue wi-fi hotspot
• From victim’s machine, nothing looks unusual, except browswer page which would normally be encrypted isn’t (it’s HTTP instead of HTTPS)
• Resolve issue: Only resolved - Must upgrade software of both the client and server workstation

Question 26

SSL - > TSL

Answer 26

• SSL (Secure socket layer) released 1995, deprecated 2011
• SSL3 had known vulnerabilities
• TSL (transport layer security) released 1999 (upgrade 3.0), but has a downgrade function that allowed it to communicate with 3.0 so not a great version
  (These dates shouldn’t be on the exam)
• in 2020 TLS 2 and 3 are common version

Question 27

SSL stripping

Answer 27

• Website visitor -> Attacker -> web server
• Attacker has an on path attack, re-writes URLS Http/ Https
• modifies communication
  -EX:
  website visitor -> (http) -> attacker -> (http) -> webserver
  attacker web server (now has a secure communication path with the server
  attacker

Question 28

Race Condition

Answer 28

• Programming conundrum when multiple issues are occurring simultaneously and you weren’t expecting it
• Attackers can take advantage with a TOCTOU attack

Question 29

TOCTOU attack

Answer 29

• Checking for things to occur on the system and making changes knowing that there might be other changes happening simultaneously
• Attackers can exploit in a race condition