3.4 Attacks & exploits: Application vulnerabilities Flashcards
What is Server-Side Request Forgery (SSRF)?
▪ A type of attack that takes advantage of the trust relationship between the server and the other resources it can access
▪ Occurs when a web app fetches a remote resource from a URL supplied by the client without validating that URL, so the client chooses where the server connects
How to prevent Server-Side Request Forgery (SSRF) (3)?
● Segment remote resource access functionality into separate networks
● Enforce a deny by default firewall or ACL policy
● Ensure web apps sanitize and validate any client-supplied input data
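The three controls above applied to the fetch-by-URL case, as an added example that is not part of the original flashcards: the vulnerable pattern is shown as a comment, and the hardened `resolve_target` enforces a scheme and host allow-list, resolves the host once, rejects private, loopback and link-local answers, and hands back the checked address so the caller connects to exactly what was validated. The allow-listed host names, the `resolver` parameter and the `is_safe_target` wrapper are assumptions made for this example.

```python
import ipaddress
import socket
from typing import Callable
from urllib.parse import urlparse

# Vulnerable pattern (do not do this):
#     requests.get(request.args["url"])
# Whatever the server can reach, the client can now reach through it:
# http://169.254.169.254/ (cloud metadata), http://localhost:6379/, 10.0.0.0/8 ...

# Hypothetical allow-list for this example: the only upstream hosts the
# fetch feature is supposed to talk to.
ALLOWED_HOSTS = {"images.example.com", "cdn.example.com"}
ALLOWED_SCHEMES = {"https"}


def is_public_address(ip: str) -> bool:
    """Reject loopback, RFC 1918, link-local (169.254.0.0/16 hosts cloud
    metadata), multicast, reserved and unspecified addresses, v4 and v6."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def resolve_target(url: str,
                   resolver: Callable[[str], str] = socket.gethostbyname) -> str:
    """Validate a client-supplied URL and return the IP address to connect to.
    Scheme and host are checked against allow-lists, the host is resolved once,
    and the resolved address is checked and returned so the caller connects to
    exactly the address that was validated (a second lookup at connect time
    would reopen the DNS-rebinding window). Raises ValueError on any failure."""
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parsed.scheme!r}")
    if parsed.username is not None or parsed.password is not None:
        # "https://images.example.com@evil.example.net/" parses as host evil.example.net
        raise ValueError("credentials in URL are not allowed")
    host = parsed.hostname
    if host is None or host.lower() not in ALLOWED_HOSTS:
        raise ValueError(f"host not allowed: {host!r}")
    ip = resolver(host)
    if not is_public_address(ip):
        raise ValueError(f"{host} resolved to non-public address {ip}")
    return ip


def is_safe_target(url: str,
                   resolver: Callable[[str], str] = socket.gethostbyname) -> bool:
    """Boolean wrapper around resolve_target for callers that only want a verdict."""
    try:
        resolve_target(url, resolver)
        return True
    except ValueError:
        return False
```

The `resolver` argument exists so the check can be exercised offline with a fake lookup table; in production the caller should open the connection to the returned IP and set the `Host` header itself, rather than handing the original hostname to an HTTP library that resolves it again.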
Race Conditions: what is it and how does it technically occur?
▪ Occurs when the outcome of a computation depends on the order and timing of events, and those events do not execute in the order and timing the developer intended
▪ Occurs when two or more threads or processes operate on the same data concurrently and the program's correctness depends on which one finishes first
▪ Commonly found where multiple threads read and write the same variable or object at the same memory location without synchronization
▪ Race conditions often leave no trace in the normal logs of a system, which makes them hard to detect after the fact
Race Conditions: what is Dereferencing?
Following a pointer to access the object it points to. In a race, another thread can free that object or set the pointer to NULL between the check and the access, so the dereference reads or writes invalid memory (null-pointer dereference, use-after-free)
Race Conditions: what is TOCTOU?
Time-of-Check to Time-of-Use: occurs when a resource changes between the moment an app checks it (e.g. a file's permissions or an account balance) and the moment it uses it, so the check no longer holds when the action is taken
Race Conditions: what is Mutually Exclusive Flag (Mutex)?
Mutual-exclusion lock: acts as a gatekeeper to a critical section of code so that only one thread can execute it at a time; the check and the use are performed together while the lock is held, which closes the TOCTOU window
Race Conditions: what is Deadlock?
Occurs when two or more threads each hold a lock that another is waiting for, so none of them can proceed and the locks are never released
Race Conditions: how to prevent problems with mutexes and locks?
Properly design and test any locks or mutexes: acquire locks in a consistent order, hold them for as short a time as possible, and never block waiting on another thread while holding one
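The TOCTOU race, the mutex fix and the deadlock hazard from the cards above, as an added example that is not part of the original flashcards. `Account` is a constructed shared object; `withdraw_unsafe` checks the balance and then acts on it as two separate steps, `withdraw_safe` does both under a `threading.Lock`. The `after_check` hook is an assumption of this example: it injects a second concurrent request exactly inside the check/use window so the interleaving is deterministic instead of depending on scheduler luck.

```python
import threading


class Account:
    """Constructed example: a balance shared between request-handling threads."""

    def __init__(self, balance: int) -> None:
        self.balance = balance
        self._lock = threading.Lock()

    def withdraw_unsafe(self, amount: int, after_check=lambda: None) -> bool:
        # time of check: the balance looks sufficient ...
        if self.balance >= amount:
            after_check()            # ... but another thread can act in this window
            self.balance -= amount   # time of use: the check may no longer hold
            return True
        return False

    def withdraw_safe(self, amount: int, after_check=lambda: None) -> bool:
        # The mutex makes check and use one atomic step: no other thread can
        # touch the balance between them.
        with self._lock:
            if self.balance >= amount:
                after_check()
                self.balance -= amount
                return True
            return False


def race_demo(safe: bool) -> int:
    """Two concurrent withdrawals of 100 from a balance of 100. Returns the
    final balance: -100 for the unsafe version (both requests pass the check),
    0 for the mutex-protected version (the second request is serialized behind
    the first and then rejected)."""
    acct = Account(100)
    withdraw = acct.withdraw_safe if safe else acct.withdraw_unsafe
    second = threading.Thread(target=withdraw, args=(100,))

    def window() -> None:
        second.start()
        if not safe:
            # Unsafe: let the second request run to completion inside the window.
            second.join()
        # Safe: the second thread blocks on the mutex until the first request
        # releases it. Joining here instead would be a deadlock: the first thread
        # would hold the lock while waiting for a thread that waits for the lock.

    withdraw(100, after_check=window)
    second.join()
    return acct.balance
```

Note that `threading.Lock` is not reentrant: if the hook had called `withdraw_safe` directly on the same thread instead of starting a new one, the thread would block on its own lock, which is the simplest deadlock there is.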
Buffer Overflows: what is it?
▪ Occurs when a process stores data outside the memory range allocated by the developer
▪ Historically one of the most common and most heavily exploited classes of memory-safety vulnerability in native code
Buffer Overflows: what is a Buffer?
A temporary storage area that a program uses to store data
Buffer Overflows: what is a stack?
Reserved area of memory where the program stores local variables and the saved return address (and frame pointer) each time a function is called; the return address tells the CPU where to resume when the function returns
Buffer Overflows: what “Smashing the Stack” means?
Overflowing a buffer on the stack so that the data written past its end overwrites the saved return address (and other control data); when the function returns, execution jumps wherever the attacker's value points, typically into injected shellcode
Buffer Overflows: what is Non-Operation (NOP) Instruction?
Tells the CPU to do nothing and simply go to the next instruction. A run of NOPs (a NOP sled) placed before shellcode lets an imprecise return address land anywhere in the run and still slide into the payload
Buffer Overflows: how to prevent overflow attacks (4)?
▪ Maintain a good patch management program
▪ Always use secure coding practices: Boundary checking & Input validation
▪ Use Address Space Layout Randomization (ASLR): Randomizes the base addresses of the stack, heap, libraries and executable on each run, so an attacker cannot reliably predict the address to overwrite the return pointer with
▪ Use Data Execution Prevention (DEP): Marks data regions such as the stack and heap as non-executable, so injected code stored in user data cannot run; the attacker then needs code-reuse techniques (return-to-libc, ROP) instead, which ASLR is meant to make harder
Buffer Overflows: what is an Integer Overflow and what are its consequences?
▪ Occurs when the result of an arithmetic operation is too large (or too small) to fit in the variable type assigned to store it, so the value silently wraps around
▪ Integer overflows often become buffer overflows: a wrapped length passes a size check and then drives an oversized copy. Both can lead to arbitrary code execution and, in turn, privilege escalation
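The length-check bypass described above, as an added example that is not part of the original flashcards. Python integers do not wrap, so `u32` masks the sum to 32 bits to model what a C `uint32_t` addition does; `length_check_unsafe` mirrors the common `header + len <= size` test, `length_check_safe` rearranges it so the untrusted value is never added to, and `process_packet` models the copy that would follow. The buffer size, header length and packet layout are constructed for the example.

```python
import struct

U32_MAX = 0xFFFFFFFF
BUF_SIZE = 1024    # constructed: size of the fixed receive buffer
HEADER_LEN = 16    # constructed: bytes of header preceding the payload


def u32(x: int) -> int:
    """Wrap to unsigned 32-bit, as arithmetic on a C uint32_t does silently."""
    return x & U32_MAX


def length_check_unsafe(payload_len: int) -> bool:
    """Mirrors `if (HEADER_LEN + payload_len <= BUF_SIZE)` in 32-bit arithmetic.
    A payload_len near U32_MAX wraps the sum to a small number and the check
    passes although the payload is far larger than the buffer."""
    return u32(HEADER_LEN + payload_len) <= BUF_SIZE


def length_check_safe(payload_len: int) -> bool:
    """Compare the untrusted value against the remaining space. Nothing is
    added to the untrusted value, so nothing can wrap."""
    return payload_len <= BUF_SIZE - HEADER_LEN


def process_packet(packet: bytes, check) -> str:
    """Parse the little-endian u32 length field at offset 0, apply the given
    check, then model the copy a C implementation would do with
    memcpy(buf + HEADER_LEN, packet + HEADER_LEN, declared_len).
    Returns 'rejected', 'ok', or 'overflow' when the check passed but the copy
    would run past the end of the buffer."""
    if len(packet) < HEADER_LEN:
        return "rejected"
    (declared_len,) = struct.unpack_from("<I", packet, 0)
    if not check(declared_len):
        return "rejected"
    if declared_len > BUF_SIZE - HEADER_LEN:
        return "overflow"
    return "ok"


# Constructed packets: a sane one and one whose length is chosen to wrap.
BENIGN = struct.pack("<I", 100) + b"\x00" * (HEADER_LEN - 4)
WRAPPING = struct.pack("<I", 0xFFFFFFF8) + b"\x00" * (HEADER_LEN - 4)
```

With the wrapping packet, `16 + 0xFFFFFFF8` is `0x100000008`, which a 32-bit register stores as `8`; `8 <= 1024` holds, and a C program would then copy roughly 4 GiB into a 1 KiB buffer. The same defect appears with signed types (a negative length passing a `< size` test) and with multiplications such as `count * sizeof(elem)` when computing an allocation size.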
Authentication and References: what is Broken Authentication in OWASP?
Insecure authentication mechanisms that can allow an attacker to gain entry
Authentication and References: how to prevent Broken Authentication attacks (7)?
▪ Utilize multi-factor authentication
▪ Never use default credentials
▪ Verify passwords are strong and not found on published lists of breached or commonly used passwords
▪ Use limits or delays to slow failed login attempts and brute force attempts
▪ Use server-side session management and long and randomized session identifiers
▪ Never pass a session identifier as a URL parameter
▪ Implement session timeouts and expiring session identifications
Authentication and References: what is Insecure Direct Object Reference?
Occurs when an app exposes a direct reference to an internal object (a database id, filename or key) and does not verify that the requester is authorized to access it; an attacker simply changes the identifier in the URL or request to reach other users' resources. It is an authorization failure, not an authentication one: the attacker is usually logged in
Authentication and References: how to prevent Insecure Direct Object Reference (2)?
● Always use secure coding practices
● Always implement proper access control techniques to verify a user's authorization for the specific object, server-side, on every request (and prefer indirect, per-user references over raw ids)
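The two controls above side by side, as an added example that is not part of the original flashcards: `get_invoice_unsafe` is the IDOR (authenticated but no ownership check), `get_invoice_safe` checks that the object belongs to the requester on every access, and `ReferenceMap` shows the indirect-reference technique where the client only ever sees random per-session tokens. The invoice table and the user names are constructed for the example.

```python
import secrets
from typing import Dict, List, Optional

# Constructed data store: invoice id -> owner and contents.
INVOICES: Dict[int, Dict] = {
    1001: {"owner": "alice", "total": 120.00},
    1002: {"owner": "bob", "total": 9999.00},
}


def get_invoice_unsafe(current_user: str, invoice_id: int) -> Optional[Dict]:
    """IDOR: the caller is authenticated, but nothing checks that the invoice
    belongs to them. Alice changes ?id=1001 to ?id=1002 and reads Bob's invoice."""
    return INVOICES.get(invoice_id)


def get_invoice_safe(current_user: str, invoice_id: int) -> Optional[Dict]:
    """Server-side authorization on every access: the object must belong to the
    requester. Missing and foreign objects get the same 'not found' answer so
    the response does not reveal which ids exist."""
    inv = INVOICES.get(invoice_id)
    if inv is None or inv["owner"] != current_user:
        return None
    return inv


class ReferenceMap:
    """Indirect object references: a per-session map from random opaque tokens
    to internal ids. The client only ever sees tokens, so there is nothing to
    increment or guess."""

    def __init__(self) -> None:
        self._token_to_id: Dict[str, int] = {}

    def token_for(self, invoice_id: int) -> str:
        token = secrets.token_urlsafe(16)
        self._token_to_id[token] = invoice_id
        return token

    def resolve(self, token: str) -> Optional[int]:
        return self._token_to_id.get(token)


def list_invoice_tokens(current_user: str, refmap: ReferenceMap) -> List[str]:
    """What the UI would embed in links: tokens for the user's own invoices only."""
    return [refmap.token_for(i) for i, inv in INVOICES.items()
            if inv["owner"] == current_user]


def get_invoice_by_token(current_user: str, refmap: ReferenceMap,
                         token: str) -> Optional[Dict]:
    """Resolve the token, then still enforce ownership (defence in depth: the
    map is per session, but a bug that shares it must not turn into an IDOR)."""
    invoice_id = refmap.resolve(token)
    if invoice_id is None:
        return None
    return get_invoice_safe(current_user, invoice_id)
```

The ownership check is the control that actually matters; the reference map only removes the guessable surface and should not be relied on by itself.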
Improper Headers: what are HTTP Response Headers used for and which attacks do they help protect against (6)?
Used to control how web servers operate to increase security during operations. It protects against:
● Cross site request forgery
● Cross site scripting
● Downgrade attack
● Cookie hijacking
● User impersonation
● Clickjacking
Improper Headers: what is HTTP Strict Transport Security (HSTS) for when it is set in HTTP Response Headers?
Allows a web server to tell browsers to connect only over HTTPS (never plain HTTP) for a stated max-age, upgrading http:// links automatically and refusing to bypass certificate errors; this defeats SSL-stripping downgrade attacks on later visits
Improper Headers: what is HTTP Public Key Pinning (HPKP) for when it is set in HTTP Response Headers?
Allows HTTPS websites to resist impersonation by attackers using mis-issued or fraudulent certificates, by pinning the public keys the browser should accept. HPKP is deprecated and no longer honoured by major browsers (a mistaken pin could lock users out of a site), so it should not be deployed today
Improper Headers: what is X-Frame-Options for when it is set in HTTP Response Headers?
Prevents clickjacking by telling the browser whether the page may be rendered inside a frame (DENY or SAMEORIGIN); the Content-Security-Policy frame-ancestors directive supersedes it but it is still widely set for older browsers
Improper Headers: what is X-XSS-Protection for when it is set in HTTP Response Headers?
Enables the cross-site scripting filter built into older web browsers. The filter has been removed from modern browsers (and in some cases was itself exploitable), so Content-Security-Policy is the control to rely on
Improper Headers: what is X-Content-Type-Options for when it is set in HTTP Response Headers?
Prevents the browser from MIME-sniffing a response and interpreting files as something other than the declared Content-Type (value: nosniff), which stops an uploaded file or text response from being executed as script
Improper Headers: what is Content-Security-Policy (CSP) for when it is set in HTTP Response Headers?
Controls how web browsers render pages by declaring which sources scripts, styles, images, frames and other resources may be loaded from; a strict policy (no unsafe-inline, no wildcard script sources) is the main mitigation for cross-site scripting and, via frame-ancestors, for clickjacking
Improper Headers: what is X-Permitted-Cross-Domain-Policies for when it is set in HTTP Response Headers?
Tells clients such as Adobe Flash and Acrobat whether they may load a cross-domain policy file (crossdomain.xml) from this host, i.e. whether the site's data may be handled across domains; "none" is the safe default
Improper Headers: what is Referrer-Policy for when it is set in HTTP Response Headers?
Governs which referrer information should be included with requests made
Improper Headers: what is Expect-CT for when it is set in HTTP Response Headers?
Instructs browsers to evaluate connections to the host emitting the header for Certificate Transparency compliance and report or enforce violations; it is now largely obsolete because browsers enforce CT for publicly trusted certificates by default
Improper Headers: what is Feature-Policy for when it is set in HTTP Response Headers?
Allows developers to selectively enable and disable use of various browser features and APIs (camera, geolocation, microphone, etc.) in the page and its frames; it has been renamed Permissions-Policy
Code Signing: what is it?
Digitally signing executables and scripts to confirm the software author and guarantee the code has not been altered since it was signed. Code signing only proves origin and integrity: it does not mean the code is free of vulnerabilities or malicious behaviour, and a stolen signing key signs malware just as well
Vulnerable Components: list the vulnerable components in web applications (9):
o Client-Side Processing
o Server-Side Processing
o JavaScript Object Notation/Representational State Transfer (JSON REST)
o SOAP and XML
o Browser Extension
o Hypertext Markup Language (HTML5)
o Asynchronous JavaScript and XML (AJAX)
o Machine Code
o Bytecode
Vulnerable Components: what is Client-Side Processing vulnerable component in web applications?
Puts the processing load on the end user's machine instead of the server. Anything that runs on the client (input validation, access checks, business logic) can be inspected and modified by the user, so it must never be the only control
Vulnerable Components: what is Server-Side Processing vulnerable component in web applications?
Considered more secure and trustworthy for most use cases, because the logic and validation run on infrastructure the attacker does not control; it is still the place where injection and deserialization flaws live
Vulnerable Components: explain JavaScript Object Notation/Representational State Transfer (JSON REST) vulnerable component in web applications?
▪ Representational State Transfer (REST): A client/server model for interacting with content on remote systems over HTTP
▪ JavaScript Object Notation (JSON): A text-based message format used with RESTful web service
▪ REST and JSON: typically used by mobile and lightweight web clients
▪ SOAP and XML: typically used by security-sensitive and transactional enterprise services
Vulnerable Components: explain SOAP and XML vulnerable component in web applications?
Simple Object Access Protocol (SOAP):
● Used for exchanging structured information between web services, with XML as the message format (so XML external entity and XML injection issues apply)
● Conduct inspection and sanitization of inputs and outputs to the application
Vulnerable Components: explain Browser Extension vulnerable component in web applications?
▪ Provides expanded functionality or features to a web browser
▪ Flash and ActiveX: legacy plugin technologies that run native code inside the browser and have long histories of exploitation; remove Adobe Flash installations from your network's clients
▪ JavaScript: scripting executed by the browser itself, and the main vehicle for client-side attacks such as cross-site scripting
▪ COM: Component Object Model, Microsoft's framework for communication between software components (ActiveX is built on it)
▪ DCOM: Distributed COM, the same model extended to components on other machines across the network
▪ Only install extensions from trusted vendors
Vulnerable Components: explain Hypertext Markup Language (HTML5) vulnerable component in web applications and what it is vulnerable to (10)?
A markup language, together with its associated browser APIs, that enables feature-rich web applications. Its features introduce or are exposed to the following:
● Cross-domain messaging
● Cross-origin resource sharing
● Web sockets
● Server sent events
● Local, offline, and web storage
● Client-side databases
● Geolocation requests
● Web workers
● Tabnabbing
● Sandbox frames
Vulnerable Components: explain Asynchronous JavaScript and XML (AJAX) vulnerable component in web applications?
▪ A grouping of related technologies used on the client side to create asynchronous web applications
▪ Requests are bound by the browser's same-origin policy; a permissive CORS configuration on the server weakens that protection
▪ AJAX is considered more secure than older plugin-based client-side methods, but every endpoint it calls is an API that still needs server-side input validation and authorization
Vulnerable Components: explain Machine Code vulnerable component in web applications?
▪ Basic instructions written in machine language that can be directly executed by the CPU
▪ Specific to a processor architecture and can only run on the architecture for which it was compiled
Vulnerable Components: explain Bytecode vulnerable component in web applications?
An intermediate form of code produced by a compiler that is run by a virtual machine (such as the JVM or the .NET CLR), which translates it into machine code at load or run time
Software Composition: what is Software Composition Analysis and why is it related to security?
A process by which software is analyzed to inventory its open-source and third-party components, which are then checked against known-vulnerability and license databases.
A vulnerability in a third-party dependency becomes a vulnerability in your application
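The core of a software composition check, as an added example that is not part of the original flashcards: parse a pinned dependency list, then match each component against an advisory table using introduced/fixed version ranges. The advisory table, package names, version ranges and the requirements file are all constructed for the example (a real tool pulls advisories from a vulnerability database and walks the full resolved dependency graph, including transitive dependencies, from a lockfile).

```python
from typing import Dict, List, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """'2.3.1' -> (2, 3, 1). Numeric dotted versions only; real SCA tools apply
    each ecosystem's own version semantics (PEP 440, semver, Maven)."""
    return tuple(int(p) for p in v.strip().split("."))


# Constructed advisory table. Package names, ranges and descriptions are
# hypothetical; a real tool pulls these from OSV, the NVD or a vendor feed.
ADVISORIES = [
    {"package": "examplejson", "introduced": "2.0.0", "fixed": "2.3.1",
     "summary": "unsafe deserialization of untrusted input (constructed)"},
    {"package": "examplexml", "introduced": "0.0.0", "fixed": "1.9.0",
     "summary": "external entities enabled by default (constructed)"},
    {"package": "examplehttp", "introduced": "4.0.0", "fixed": "4.2.2",
     "summary": "CRLF injection in header values (constructed)"},
]


def parse_requirements(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Parse requirements.txt-style lines into {name: version} for exact pins
    plus a list of unpinned entries. An unpinned dependency cannot be audited
    and can silently pull in a vulnerable release on the next install."""
    pinned: Dict[str, str] = {}
    unpinned: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "==" in line:
            name, version = line.split("==", 1)
            pinned[name.strip().lower()] = version.strip()
        else:
            unpinned.append(line)
    return pinned, unpinned


def find_vulnerable(pinned: Dict[str, str]) -> List[Tuple[str, str, str, str]]:
    """Match pinned packages against the advisory table. A package is affected
    when introduced <= installed < fixed. Returns (package, installed, fixed, summary)."""
    hits = []
    for adv in ADVISORIES:
        installed = pinned.get(adv["package"])
        if installed is None:
            continue
        v = parse_version(installed)
        if parse_version(adv["introduced"]) <= v < parse_version(adv["fixed"]):
            hits.append((adv["package"], installed, adv["fixed"], adv["summary"]))
    return hits


# Constructed requirements file for the example.
REQUIREMENTS = """\
examplejson==2.2.0      # inside the affected range
examplexml==1.9.0       # exactly the fixed version
examplehttp==3.9.1      # before the affected range
examplecrypto           # unpinned: cannot be audited
"""
```

Run this in CI against the lockfile and fail the build on any hit; the unpinned list is worth failing on too, since it is the gap through which the next vulnerable release arrives unnoticed.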
Software Composition: what frameworks can you use to build your software (8)?
▪ Apache Struts
▪ Microsoft .NET
▪ Ruby on Rails
▪ Ramaze
▪ Hibernate
▪ Django
▪ Twisted
▪ web.py
Software Composition: what is Poor Exception Handling vulnerability in a software?
Occurs when a program is not written to anticipate problems or errors
Software Composition: what is Security Misconfiguration vulnerability in a software?
Any issue related to poorly implemented or documented security controls
Software Composition: what is Weak Cryptography Implementation vulnerability in a software?
▪ Occurs when an outdated or broken algorithm, cipher, mode or key length is used in a modern system, or a sound algorithm is implemented or used incorrectly (hard-coded keys, reused nonces, home-grown crypto)
▪ Utilize a well-known and documented encryption standard
Software Composition: what is Information Disclosure vulnerability in a software?
The unintended exposure of sensitive information by an application (verbose error messages, stack traces, version banners, internal paths, other users' data) or during communication between two applications; attackers use it to plan further attacks
Software Composition: what is End of Support/End of Life Issues vulnerability in a software?
▪ End of Life: No longer sold
▪ End of Support: No longer updated
Software Composition: what is Code Injection Issues vulnerability in a software?
▪ An exploitation technique that runs attacker-supplied code under the identity (and privileges) of a legitimate process, typically because untrusted input is interpreted as code (SQL, OS commands, script)
▪ Ensure applications provide input and output validation
Software Composition: what is a Regression Issue vulnerability in a software?
Occurs when source code is changed and the change introduces a new vulnerability (or reintroduces a previously fixed one) or breaks existing functionality
Software Composition: what is Regression Testing?
Validates that a software change does not produce unintended consequences, by re-running the existing functional and security tests after every change