1.3 Potential Indicators - Associated with Application Attacks Flashcards

Threats, Attacks, and Vulnerabilities: Analyze potential indicators associated with application attacks

1
Q

Privilege escalation

A
  • Important to patch quickly
  • Anti virus/ malware should be aware of these vulnerabilities
  • OS may have safeguards in place to prevent Privilege Escalation (ex: Data Execution Prevention)
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

Data Execution Prevention

A
  • Only data in executable areas can run
  • Ex: data in the data section can’t run
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

Address Space Layout Randomization

A
  • Prevention tactic for privilege escalation
  • Randomizes where information is stored in memory so if a hacker finds a way to take advance of a memory address on one system, they couldn’t duplicate it on another OS
  • Prevent a buffer overrun at a known memory address
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

Horizontal level access

A
  • Another type of privilege escalation
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

CVE 2020-1530

A
  • Windows Remote Access of Elevation of Privilege vulnerability
  • August 20, 2020 (affected Server 2008, 2012, 2016, 2019 and Windows 7, 8.1, 10)
  • Specific to remote access on Windows, it affected many different OS going back many years
  • The attacker would only need to run one program and they would have elevated access
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Cross-site scripting

A
  • XSS (Not CSS)
  • Originally associated with a browswer vulnerability that allowed information from one site could be shared with another
  • These days now this can mean information from one site shared with an attacker
  • One of the most common web application development errors
  • Takes advantage of the trust a user has for a site
  • Very common vulnerability
  • Malware also uses JavaScript with a vulnerable website to gather information from your computer
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

Non-persistent (reflected) XSS attack

A
  • Found on a website that allows someone to run scripts on input boxes (ex: search field)
  • Attacker needs the victim to click a specific type of link (this will start the reflected XSS). Targeted attack.
  • Whatever the output / payload from the event is sent to attacker
  • Often it’s session ids/ user credentials
  • Very sneaky
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

Persistent (stored) XSS attack

A
  • Stored permanently on server and anyone visiting that page would be running script
  • Often will see on sits that have a forum / messages and the XSS attack is embedded on post
  • everyone who reads post will be infected
  • anyone can run the script
  • can spread very quickly when combined with social media sharing / liking
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

Reflected vs stored XSS attack

A
  • Reflected (non-persistent), targeted, user must click a specific link
  • Stored XSS, can spread quickly b/c non targeted and anyone who visits a site is attacked
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

Protecting yourself against XSS

A
  • Never blindly click a link in your email inbox.
  • Consider disabling JavaScript (or more realistically, get more control of your JavaScript through an extension)
  • Keeping browswer up to date since many vulnerabilities are through the browser
  • developers should validate all input fields
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

Injection attacks

A
  • When an attacker puts their own code into a data stream
  • Often enabled b/c of bad programming b/c you shouldn’t be able to do this (application should properly handle input / output)
  • Many different types of code you can inject: Html, SQL, XML, LDAP
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

SQL Injection

A
  • Very common type of injection
  • If you can circumvent the front end you can gain access to the DB
  • By slightly modifying inputs you can query or update a db from the front end (ex: ‘Or 1 =1’)
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

XML Injection

A
  • Extensible Markup Language
  • Commonly used to transfer data b/n two different types of devices
  • XML injections sends malformed XML off to another device
  • a set of rules for data transfer and storage
  • a good application would validate XML
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

LDAP Injection

A
  • LDAP (Lightweight Directory Access Protocol) server
  • Commonly used to store information about authentication, like user name / password
  • If you can inject data and gather information about authentication you can get a lot of sensitive info
  • Created by telephone companies, now used by almost everyone
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

DLL Injection

A
  • Dynamic Link Library
  • A windows library containing code and data
  • A way to inject code into application and have code execute for us
  • Ex: Process B (attacker) and Process A (victim). Process B will attach to first process and allocate memory for this DLL library and then copy DLL into Process A. Process A will execute as a new thread, running as Process A (which might have additional rights/ capabilities)
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

Buffer Overflow Attack

A
  • When one section of memory can overwrite a different section of memory.
17
Q

Cross-site requests

A
  • See when visiting websites
  • Browser loads text from server of site, maybe a few others.
  • HTML on professormessor directs requests from your browswer
  • when you’re gathering info from other sites, you dont have to log in, it’s simply provided
  • it’s the trust ability in the browswer that allows this
  • Some code is running on client side and some is server site
  • Client side usually html / javascript
  • server often html and php ( data transfer)
18
Q

Cross site request forgery

A
  • AKA one click attack or session riding or XSRF or CSRF (sea surf)
  • Take advantage of inherent trust a site has for your browswer
  • Ex: Go to facebook and it goes to your page
  • Attacker could send requests on your behalf
  • This is the forgery portion (vs a simple cross site request which could be legitimate)
  • Prevention: anti-forgery techniques (ex: cryptographic token to prevent information being forged)
  • EX: Can be embedded in a link (and hope that they’re logged into the bank site)
19
Q

SSRF

A
  • Server Side Request Forgery
  • Requires the attacker finding an application susceptible to this type of attack
  • web server will perform request on behalf of attacker
  • Occurs b/c application is vulnerable. Never trust user input, server should validate the input and the responses
  • These are rare but can be critical vulnerabilities
  • Normally prevented by a WAF (Web application Firewall)
  • Ex: Capital One attack
20
Q

Traditional anti-virus

A
  • Very good at identifying known attacks
  • Checks the signature and blocks anything that matches
  • Attackers are also looking for new types of attacks (ex: Driver attacks)
21
Q

Zero-day attack

A
  • New attack with no known signatures
22
Q

Driver attack

A
  • Drivers are conduit b/n hardware and software
  • keyboards, mouse, video all have drivers, many potential attack points
  • Ex: May 2016 an audio chip driver had audio software that contained a debugging feature which enabled a keylogger
23
Q

Shimming

A
  • Filling the space between two objects
  • Shims in OS (Ex: Windows included it’s own shim that makes it backwards compatible, choosing an older version of windows)
  • Malware can be put in shimmed area (can get around things like User Account Control) that are normally present. They can use this to elevate priveledge
  • A middle man
24
Q

Refactoring

A
  • Aka Metamorphic malware
  • When system is downloading malware, it’s downloading a unique version of malware that won’t match any anti-virus
  • Ex: Could add a NoP (No operating system) or add loops or pointless code strings to make the executable look unique. The executable can then reorder functions, modify application flow, reorder code and insert unused data types
  • To stop this type of malware: need a layered approach to identify anything else that might have been refactored
25
Q

SSL Stripping

A
  • HTPP downgrade - attacker manipulates the data flow
  • Premise: Attackers know most communication b/n your computer and a server is encrypted (often HTTPS)
  • Attacker can sit on the path of communication and modify the path so it can see all the data
  • Ex: Proxy Server, ARP spoofing, rogue wi-fi hotspot
  • From victim’s machine, nothing looks unusual, except browswer page which would normally be encrypted isn’t (it’s HTTP instead of HTTPS)
  • Resolve issue: Only resolved - Must upgrade software of both the client and server workstation
26
Q

SSL - > TSL

A
  • SSL (Secure socket layer) released 1995, deprecated 2011
  • SSL3 had known vulnerabilities
  • TSL (transport layer security) released 1999 (upgrade 3.0), but has a downgrade function that allowed it to communicate with 3.0 so not a great version
    (These dates shouldn’t be on the exam)
  • in 2020 TLS 2 and 3 are common version
27
Q

SSL stripping

A
  • Website visitor -> Attacker -> web server
  • Attacker has an on path attack, re-writes URLS Http/ Https
  • modifies communication
    -EX:
    website visitor -> (http) -> attacker -> (http) -> webserver
    attacker web server (now has a secure communication path with the server
    attacker
28
Q

Race Condition

A
  • Programming conundrum when multiple issues are occurring simultaneously and you weren’t expecting it
  • Attackers can take advantage with a TOCTOU attack
29
Q

TOCTOU attack

A
  • Checking for things to occur on the system and making changes knowing that there might be other changes happening simultaneously
  • Attackers can exploit in a race condition