15.1 Introduction to Web Vulnerabilities and Hardening Flashcards

1
Q

The cyber kill chain is an __________ designed to identify and prevent cyber intrusions.

A

The cyber kill chain is an “intelligence-driven defense framework” designed to identify and prevent cyber intrusions.

2
Q

The _______ chain has been adapted to apply more directly to web server infrastructure. It includes the following stages: (5)

A

The hybrid kill chain, a derivative of Lockheed Martin’s cyber kill chain.

**Reconnaissance**: Information gathering stage against the target.

**Weaponization**: Preparation of offensive operations against specific targets using information gathered during reconnaissance.

**Delivery**: Launch of the operation. Attacks carried out based on Red Team offensive strategies.

**Exploitation**: Actively compromises the adversary’s apps, servers, or network, and averts physical, logical, or administrative controls.

**Exfiltration**: Ultimate goal. The exfiltration of private, sensitive data that the target considers to be critically sensitive.

3
Q

The ________ is widely considered to represent the most prevalent security risks facing web applications today.

A

The **OWASP Top 10** is widely considered to represent the most prevalent security risks facing web applications today.

4
Q

True or False:

The OWASP Top 10 is a platform for standardizing awareness of threats in web application development security.

A

True

5
Q

What is the purpose of the OWASP Top 10?

A

OWASP TOP 10 was created to educate a wide audience of professionals about the consequences of web application security weaknesses.

The Top 10 offers resources and best practices to software engineers, managers, designers, and organizations about how to protect against threats. Also a community.

6
Q

What is OWASP’s number one threat?

A

Code injection, such as SQL, LDAP, OS, and NOSQL.

7
Q

How is OWASP Top 10 developed?

A

Over 500 individuals from various organizations who work on applications and APIs are surveyed. OWASP prioritizes the top ten threats based on prevalence data as well as exploitability, detectability, and impact.

8
Q

What is the OWASP Cheat Sheet Series and what is it used for?

A

The OWASP Cheat Sheet Series (OCSS) is designed by application security professionals to provide a collection of significant information in regards to specific application security topics.

9
Q

What are the current OWASP top 10 threats?

A
  1. Injection
  2. Broken Authentication
  3. Sensitive Data Exposure
  4. XML External Entities (XXE)
  5. Broken Access Controls
  6. Security Misconfigurations
  7. Cross-Site Scripting (XSS)
  8. Insecure Deserialization
  9. Using Components with Known Vulnerabilities
  10. Insufficient Logging and Monitoring
10
Q

What does URL stand for?

A

The **Uniform Resource Locator (URL)**, also referred to as the Uniform Resource Identifier (URI), is the standardized naming convention for addressing documents that are accessible over the internet, intranets (closed network within a single organization), and extranets (closed network shared across groups or organizations).

11
Q

The _______ indicates the protocol or application to use with the request, such as:

A

**Protocol**

  • HTTP Hypertext Transfer Protocol: Used for transferring webpages.
  • FTP File Transfer Protocol: Used for file transfer requests (upload and download).
  • SPDY Speedy: Google’s version of HTTP, designed to speed up web content loading.
12
Q

The _______ identifies a specific web server for the request of web resources.

A

The **Host Name** identifies a specific web server for the request of web resources.

  • Domain Name: example.com, google.com, facebook.com, etc.
  • Sub-Domain: Typically used for specific sub-sites within a larger domain. The most common subdomain is www, which stands for World Wide Web. Some domains use this as an indication of publicly accessible resources and content.
13
Q

The _______ request indicates which web application will be used to provide resources to the client.

A

The **Path** request indicates which web application will be used to provide resources to the client.

This is a directory, similar to a file or folder on your computer.

14
Q

What does .asp stand for and what is it?

A

(Active Server Page)

Active Server Pages, commonly referred to as ASP, is Microsoft’s solution to server-side scripting.

With Active Server Pages, the server gets a chance to alter the file before sending it to the user. So, for every request for a file with a .ASP extension, the server runs the file through a DLL called ASP.DLL, which parses the ASP commands.

If your web site is run on a UNIX box, you can still use Active Server Pages, but you need to use a third party tool to translate the ASP before it is sent to the client.

15
Q

________ are specifically formatted data that interact with back-end servers such as email and web databases.

A

**Parameters** are specifically formatted data that interact with back-end servers such as email and web databases.

16
Q

Explain the different parts of a URL parameter:

http:// www.example.com /add.asp?item#3478&price=299

A

Each parameter is made up of a few different parts:

  • The question mark (?) indicates the beginning of a list of parameters.
  • Each individual parameter has a name and a value, separated by a hash (#).
  • The name of this parameter is item# and the value is 3478.
  • A URL can have multiple parameters. These will be separated by an ampersand symbol (&). For example: ?item# 3478&price=299
17
Q

A URL is composed of many parts. Define each part of a URL:

A
  • Protocol: http. Identifies the protocol or application to use with the HTTP request.
  • Host Name: example.com. Targets a specific web server for the request of web resources.
  • Path: add.asp?. Identifies which of the host’s web applications will be used to provide resources to the client.
  • Parameters: ItemID=123&Price=999. Specifically formatted data that interacts with back-end databases, email, and web servers, for example.
18
Q

How can a URL (also known as a URI) be used as a weapon against web servers?

A

A URL can be manipulated by attackers to infiltrate these various parts of the web server architecture.

19
Q

Web vulnerabilities exist because SDLC faces what challenges: (6)

A
  • Implementation costs are high.
  • Lack of support from management.
  • Lack of standardization.
  • No quality management.
  • Reactive security posture (“If it ain’t broke, don’t fix it” mentality).
  • Reliance on a false sense of security that web application firewalls provide absolute protection.
20
Q

What are the 5 primary stages of web server infrastructure?

A

- **Stage 1: Client:** A user who interacts with a web server using HTTP or FTP through either a web browser or file transfer software.

- **Stage 2: Firewall:** A perimeter defense used to protect the web server sitting behind it.

- **Stage 3: Web Server:** A program such as Apache, Nginx, or IIS that responds to a client’s requests for web resources.

- **Stage 4: Web Application:** The software that runs on a remote server, such as Facebook, Twitter, or Amazon.

- **Stage 5: Database:** Typically the innermost part of the web architecture, storing data such as customer names, addresses, account numbers, and credit card info.

21
Q

What is input sanitization?

A

The process of cleaning and scrubbing user input to prevent it from exploiting security holes. This is ensured by, when necessary, changing the value input by the user.

22
Q

What is the input validation process?

A

**Input validation**: The testing of input supplied by a user or application, designed to prevent malformed data from entering a data information system. This is done by verifying user input meets specific criteria.

23
Q

What is the SDLC process?

A

**Secure Software Deployment Cycles (SDLC)**: A software development methodology that ensures secure programming at every stage of the software development process.

24
Q

What are the three most popular web servers in use today?

A
  1. Apache
  2. Nginx
  3. IIS
25
Q

Name three ways a compromised web server can be used to perform an attack.

A
  1. A defaced webpage can contain malicious content and links to inappropriate and offensive sites, which can damage a company’s reputation.
  2. A compromised web server can be used to download malicious software (viruses, Trojans, botnets) to anyone visiting the webpage.
  3. Compromised data can be used to commit fraudulent activities, leading to loss of business or lawsuits.
26
Q

The typical web application server setup is composed of five basic components. Name and define each component.

A
  1. The client: A user who interacts with a web server using HTTP or FTP through either a web browser or file transfer software.
  2. A firewall: A perimeter defense used to protect a web server placed behind it.
  3. A web server: A program such as Apache, Nginx, or IIS that responds to a client’s requests for web resources.
  4. Web applications: The software that runs on a remote server, such as Facebook, Twitter, Amazon.
  5. Databases: Typically the innermost part of the web architecture where data is stored, such as customer names, addresses, account numbers, and credit card info.
27
Q

______ is an open-source web server alternative that runs on Unix, Linux, and Windows.

A

**Apache** is an open-source web server alternative that runs on Unix, Linux, and Windows.

28
Q

Explain Internet Information Server (IIS)

A

**Internet Information Server (IIS)** is a general-purpose web server from Microsoft that runs on Windows systems and serves HTML pages and files to web clients.

IIS has a long list of well-known published vulnerabilities. Note the Common Vulnerabilities and Exposures (CVE) ID as well.

29
Q

Explain Cross-site scripting (XSS)

A

Allows remote attackers to alter a URL with a malicious script that will redirect a message or request.

30
Q

What is directory traversal

A

Allows remote attackers to view source code and determine the existence of arbitrary files via a hex-encoded %c0%ae%c0%ae string, which is the Unicode representation for “..” (dot dot).

31
Q

What is Nginx?

A

**Nginx** is an open-source, less popular, alternative to Apache that runs on Linux. Web vulnerabilities are less prevalent than on IIS or Apache.

32
Q

What are the three of the most critical Apache vulnerabilities?

A
  1. **OpenMeetings SQL Injection Vulnerability**: Allows for modification of the structure of existing queries, resulting in the exfiltration of queries made by the back-end application.
  2. **Apache Ranger Security Bypass Vulnerability**: Any characters after a wildcard symbol * are ignored, resulting in unintended behavior.
  3. **Apache HTTP Server Authentication Bypass Vulnerability**: Use of the string ap_get_basic_auth_pw() by third-party modules to bypass authentication requirements.
33
Q

What are three Nginx vulnerabilities?

A
  1. **Nginx SPDY Heap Buffer Overflow**: Allows remote attackers to craft requests that execute arbitrary code.
  2. **Nginx Root Privilege Escalation Vulnerability**: Allows local users to gain root privileges.
  3. **Remote Integer Overflow Vulnerability**: Sensitive data can be leaked with crafted requests that exploit a range filter module in certain Nginx versions.
34
Q

What is content spoofing?

A

Tricks a user into believing that certain website is legitimate. For example, a fake login page that steals your credentials after you submit them.

35
Q

What is drive-by download?

A

Triggers downloads upon visiting a webpage without the user’s knowledge.

36
Q

What is web cache poisoning?

A

An attack that replaces legitimate cached web pages with malicious content.

37
Q

What is clickjacking?

A

Tricks users into clicking misleading graphics that trigger an exploit. For example: A button that reads “Download” in large text.

38
Q

What are 5 client-side attacks?

A
  1. **Cross-site scripting (XSS)**: Allows attackers to inject malicious code into a website in order to intercept user sessions, vandalize websites, steal data, and control a user’s browser.
  2. **Clickjacking**: Tricks users into clicking misleading graphics that trigger an exploit. For example: A button that reads “Download” in large text.
  3. **Content spoofing**: Tricks a user into believing that a website is legitimate. For example, a fake login page that steals your credentials after you submit them.
  4. **Drive-by download**: Triggers downloads without the user’s knowledge when a webpage is visited.
  5. **Phishing**: A form of social engineering that manipulates a user into providing personal confidential information, such as user credentials and bank account information.
39
Q

True or False:

A client-side attack occurs when a user’s computer downloads malicious content from the web. Quite often, firewalls fail to prevent client-side attacks which occur behind the firewall and from within the local network.

A

True

40
Q

Explain website defacement:

A

An attack against a website that alters the appearance and information contained on a website or webpage.

41
Q

Explain HTTP response splitting (CRLF injection)

A

A type of web server vulnerability where the server does not properly sanitize input values, such as character returns (CRs) and line feeds (LFs).

42
Q

Explain parameter or URL tampering

A

An attack that manipulates parameters passed to a web server in a URL.

43
Q

What are 5 server-side attacks:

A
  1. Website defacement
  2. HTTP response splitting (CRLF injection)
  3. Web cache poisoning
  4. Parameter or URL tampering
  5. Path or directory traversal (dot-dot-slash attack)
44
Q

What is a path or directory traversal (dot-dot-slash attack)?

A

An attack that navigates into sensitive files and directories by using dot-dot-slash (../) in the URL, as if navigating through directories in a terminal.

45
Q

Name that Attack

An organization’s homepage is altered with an image of a skull and crossbones and a message that says “Animal Murderers!” Organizations that experience these types of attacks are usually seen as incompetent in the public eye, resulting in reputation damage.

A

Website defacement, often used by politically-motivated hacktivists.

46
Q

Name that Attack

An attacker controls another HTTP response after the first response, in order to mount attacks.

A

HTTP response splitting (CRLF)

47
Q

Name that Attack

A legitimately cached web page sends a user to a malicious website.

A

Web cache poisoning

48
Q

Name that Attack:

A URL was changed:

Before: http://example.com/add.asp?ItemID=123&Price=999
After: http://example.com/add.asp?ItemID=123&Price=001

A

Parameter tampering

49
Q

Name that Attack

A URL was changed to http://some_site.com.br/../../../../etc/shadow.

A

Path or directory traversal

50
Q

Name that Attack

You find a URL that contains the following code: %c0%af %e0%80%a.

A

Unicode

51
Q

_____, also known as ______ and _______, index sites to help search engines find content.

A

Web crawlers, also known as spiders and spiderbots, index sites to help search engines find content.

52
Q

Name seven pieces of information that an attacker could easily find on the internet that would be useful to them.

A
  1. IP address scheme
  2. Domain information
  3. Port state (open/closed/filtered)
  4. Email addresses
  5. Operating system banner
  6. Employee names
  7. Phone numbers
53
Q

What is wafw00f?

A

Wafw00f is an open source command-line WAF utility focused on web-based attacks that occur at the application

54
Q

Explain:

wafw00f www.example.com -a -v

A

An aggressive scan of example.com.

-a: Option for aggressive scan

-v: Verbose option, echoes the query responses to the standard output (monitor).

-vv: Used to increase the verbosity of the scan’s output.

55
Q

What is WAF?

A

**Web application firewalls (WAFs)** are designed to defend against different types of HTTP attacks and various query types such as SQLi and XSS.

56
Q

What layer of the OSI model do WAFs operate on?

A

Layer 7: Application

57
Q

Name three ways a WAF can be implemented.

A
  1. Network-based
  2. Host-based
  3. Cloud-based
58
Q

A WAF helps protect web applications by filtering and monitoring what?

A

HTTP traffic between web applications and the internet

59
Q

True or False:

A WAF based on the **negative security model** (blacklisting) protects against known attacks, and a WAF based on the **positive security model** (whitelisting) allows preapproved traffic.

A

True

60
Q

What are the three WAF deployment strategies?

A
  1. **Network-Based WAF**
  2. **Host-Based WAF**
  3. **Cloud-Based WAF**
61
Q

What are the advantages and disadvantages to Network-Based WAF?

A
  • Typically low-latency hardware that is installed locally on-premises with a dedicated appliance.
  • Capable of large-scale deployment and configuration management.
  • Drawback is high-cost. These have initial expenses to set up, and ongoing operational costs.
62
Q

What are the advantages and disadvantages to host-based WAF

A
  • Software-based and dependent on local server resources.
  • More difficult to manage and require more staff resources.
  • Lower cost.
63
Q

What are the advantages and disadvantages to cloud-based WAF?

A
  • Low cost, subscription based, turnkey product that requires minimal resources.
  • Protects applications across a variety of hosting locations that protect against application layer attacks.
  • Cloud service providers use the most current threat intelligence to help identify and block new application security threats.
64
Q

What are the three ways WAF filters traffic?

A
  1. **Allow lists** only accept traffic from sources that are known and trusted.
  • Less resource-intensive than deny lists.
  • May block benign traffic unintentionally.
  2. **Deny lists** use preset signatures to block malicious web traffic.
  • Useful for public websites and web applications that receive lots of traffic from unknown IP addresses.
  • Resource-intensive due to packet filtering based on a set of specific characteristics as opposed to IP addresses.
  3. **Hybrid** uses a combination of both allow and deny lists.
65
Q

Explain Cross-site Scripting?

A

Cross-site scripting (XSS) attacks occur when an attacker takes advantage of a web vulnerability by injecting malicious code into a web browser. The code is stored on the back-end server, typically in the form of a script, and targets subsequent visitors to that webpage.

66
Q

XSS

An end user’s browser can’t detect such attacks because of the default trust relationship it has with the source.

A

True

67
Q

What are three XSS mitigation strategies?

A
  1. Data Output Encoding: Encodes user-controlled data before it is output in an HTTP response. This prevents it from being misinterpreted as active content.
  2. Data Input Filters: Filters data at the point where user input is received, based on expected or valid input criteria.
  3. Content Security Policy (CSP): Detects and mitigates specific types of attacks, including XSS and other injection attacks. (Not all browsers support CSP.)
68
Q

What are three web server hardening mitigation strategies?

A
  1. Input validation: The primary defense mechanism. The same rules apply as discussed in the parameter tampering exercise.
  2. Ensure that all files and folders on the local server have proper access controls in place through system hardening.
  3. Web developers should avoid storing private sensitive information in the web root directory.