13C - Application Attack Indicators Flashcards
What is an application attack?
An application attack targets a vulnerability in OS or application software.
What is an application vulnerability?
An application vulnerability is a design flaw that can cause the application security system to be circumvented or that will cause the application to crash.
What is the main purpose of most application attacks?
To allow the threat actor to run their own code on the system.
What is arbitrary code execution?
The execution of code chosen by an attacker.
What is remote code execution?
When code is transmitted from one machine to another to be executed.
What are the main privileges required for an application or process?
To read and write data and execute functions.
What happens if a software exploit works?
The attacker may be able to execute arbitrary code with the same privilege level as the exploited process.
What is vertical privilege escalation?
Accessing functionality or data that should not be available to the user, or running code with higher (for example SYSTEM) privileges.
What is horizontal privilege escalation?
Accessing functionality or data intended for another user.
What provides the simplest indicator of an application attack?
Privilege escalation.
What can process logging provide evidence of?
Privilege escalation attempts.
What is a buffer in the context of application memory?
An area of memory that an application reserves to store some value.
What is a buffer overflow vulnerability?
When an attacker passes data that fills the buffer and overwrites data at its start.
What is a common type of buffer overflow?
Stack overflow.
What does the stack in memory include?
A return address, which is the location of the program that called the subroutine.
What can an attacker do with a buffer overflow related to the return address?
Change the return address to run arbitrary code on the system.
What mechanisms do operating systems use to mitigate risks from buffer overflow?
- Address Space Layout Randomization (ASLR)
- Data Execution Prevention (DEP)
What is a Cross-Site Request Forgery (CSRF) attack?
A cross-site request forgery (CSRF) can exploit applications that use cookies to authenticate users and track sessions. To work, the threat actor must convince the victim to start a session with the target site.
If the target site assumes that the browser is authenticated because there is a valid session cookie and doesn’t complete any additional authorization process on the attacker’s input, it will accept the request as genuine. This is also referred to as a confused deputy attack.
What is an XXE (XML External Entity) attack?
An XML External Entity (XXE) attack embeds a request for a local resource.
What is a canonicalization attack?
An attack method where input characters are encoded in such a way as to evade vulnerable input validation measures. Examples of encoding schemes include HTML entities and character set percent encoding.
An attacker might be able to exploit vulnerabilities in the canonicalization process to perform code injection or facilitate directory traversal.
A limited input validation routine would prevent the use of the string ../ and refuse the request. If the attacker submitted the URL using the encoded version of the characters, they might be able to circumvent the validation routine.