Analyzing Application & Network Attacks Flashcards

1
Q

(Cross-site scripting)

Non-persistent (reflected) XSS attack

A

• Web site allows scripts to run in user input
– Search box is a common source
• Attacker emails a link that takes advantage of this vulnerability
– Runs a script that sends credentials/session IDs/cookies to the attacker
• Script embedded in the URL executes in the victim’s browser
– As if it came from the server
• Attacker uses credentials/session IDs/cookies to steal the victim’s information without their knowledge
– Very sneaky

2
Q

(Cross-site scripting)

Persistent (stored) XSS attack

A

A script that persists on a website

• Attacker posts a message to a social network
– Includes the malicious payload
– It’s now “persistent” - everyone gets the payload
– No specific target - all viewers of the page
• For social networking, this can spread quickly
– Everyone who views the message can have it posted to their page
– Where someone else can view it and propagate it further…

3
Q

(Cross-site scripting)

Protecting against XSS

A

• Be careful when clicking untrusted links
– Never blindly click in your email inbox. Never.
• Consider disabling JavaScript
– Or control it with an extension
– This offers limited protection
• Keep your browser and applications updated
– Avoid the nasty browser vulnerabilities
• Validate input
– Don’t allow users to add their own scripts to an input field

4
Q

Privilege escalation

A

• Gain higher-level access to a system
– Exploit a vulnerability - might be a bug or design flaw
• Higher-level access means more capabilities
– This commonly is the highest-level access
• These are high-priority vulnerability patches
– You want to get these holes closed very quickly
– Any user can be an administrator
• Horizontal privilege escalation
– User A can access user B’s resources

5
Q

Mitigating privilege escalation

A

• Patch quickly
– Fix the vulnerability
• Updated anti-virus/anti-malware software
• Data Execution Prevention
– Only memory marked as executable can run as code
• Address space layout randomization
– Prevent a buffer overrun at a known memory address
6
Q

Injection Attacks

A

Code injection

SQL injection

XML injection and LDAP injection

DLL injection

7
Q

DLL injection

A

• Dynamic-Link Library
– A Windows library containing code and data
– Many applications can use this library
• Inject a DLL and have an application run a program
– Runs as part of the target process

8
Q

XML injection and LDAP injection

A

• XML injection - Extensible Markup Language
– AKA SOAP injection
– Attacks that target XML data stores by injecting malicious XML and XPath code into user-controllable input
– Occurs when user input is inserted unsafely
– XML metacharacters can be used to modify the request
– Performs unauthorized tasks
• LDAP injection - Lightweight Directory Access Protocol
– LDAP is often used in web applications over the internet or a corporate intranet
– The web application takes the input from the client in order to process it further, so the attacker exploits data that is not properly sanitized or that goes directly to a back-end database
– Modify LDAP requests to manipulate application results

9
Q

Code injection

A
• Code injection
– Adding your own information into a data stream
• Enabled because of bad programming
– The application should properly handle input and output
• So many different data types
– HTML, SQL, XML, LDAP, etc.
10
Q

(Coding Attacks)

NULL Pointer dereference

A

• A pointer is a programming construct that references a portion of memory
– A null-pointer dereference occurs when a pointer with a value of NULL is used as if it actually points to a valid memory area
– What happens if that reference points to nothing?
– Application crash, debug information displayed, DoS

11
Q

(Coding Attacks)

Directory traversal

A
• Directory traversal / path traversal
– Read files from a web server that are outside of the website’s file directory
– Users shouldn’t be able to browse the Windows folder
• Web server software vulnerability
– Won’t stop users from browsing past the web server root
• Web application code vulnerability
– Take advantage of badly written code
12
Q

(Coding Attacks)

Buffer overflows

A

• Overwriting a buffer of memory
– Spills over into other memory areas
• Developers need to perform bounds checking
– The attackers spend a lot of time looking for openings
• Not a simple exploit
– Takes time to avoid crashing things
– Takes time to make it do what you want
• A really useful buffer overflow is repeatable
– Which means that a system can be compromised

13
Q

(Coding Attacks)

Integer overflow

A

• Large number into a smaller sized space
– Where does the extra number go?
– You shouldn’t be able to manipulate memory this way

14
Q

(Coding Attacks)

Race Conditions

A

• A programming conundrum
– Sometimes, things happen at the same time
– This can be bad if you’ve not planned for it
• Time-of-check to time-of-use attack (TOCTOU)
– Check the system
– When do you use the results of your last check?
– Something might happen between the check and the use

15
Q

(Coding Attacks)

Improper error handling

A
• Errors happen
– And you should probably know about it
• Messages should be just informational enough
– Avoid too much detail
– Network information, memory dump, stack traces, database dumps
• This is an easy one to find and fix
– A development best-practice
16
Q

Improper input handling

A

• Many applications accept user input
– We put data in, we get data back
• All input should be considered malicious
– Check everything. Trust nobody.
• Allowing invalid input can be devastating
– SQL injections, buffer overflows, denial of service, etc.
• It takes a lot of work to find input that can be used maliciously
– But attackers will find it

17
Q

Replay Attacks

A

• Useful information is transmitted over the network
– A crafty hacker will take advantage of this
• Need access to the raw network data
– Network tap, ARP poisoning, malware on the victim computer
• The gathered information may help the attacker
– Replay the data to appear as someone else
• This is not an on-path attack
– The actual replay doesn’t require the original workstation
• Avoid this type of replay attack with a salt
– Use a session ID with the password hash to create a unique authentication hash each time

18
Q

API attacks

A

• API - Application Programming Interface
– Used to enable communication between applications and end-users, ranging from your car telling you where the nearest fuel station is to your phone fetching weather and sports updates
– APIs are used no matter what devices are connected
• Attackers look for vulnerabilities in this new communication path
– Exposing sensitive data, DoS, intercepted communication, privileged access

19
Q

SSL stripping / HTTP downgrade

A

SSL (Secure Sockets Layer) / TLS (Transport Layer Security)

Combines an on-path attack with a downgrade attack

• Attacker must sit in the middle of the conversation
– Must modify data between the victim and the web server
– Proxy server, ARP spoofing, rogue Wi-Fi hotspot, etc.

• Victim does not see any significant problem
– Except that the browser page isn’t encrypted
– Strips the “S” (for secure) away from HTTPS

• This is a client and server problem
– Works on SSL and TLS

20
Q

SSL and TLS

A

• SSL (Secure Sockets Layer) 2.0 - Deprecated in 2011
• SSL 3.0
– Vulnerable to the POODLE attack
– Deprecated in June 2015
• Transport Layer Security (TLS) 1.0
– Upgrade to SSL 3.0, and a name change from SSL to TLS
– Can downgrade to SSL 3.0
• TLS 1.1
– Deprecated in January 2020 by modern browsers
• TLS 1.2 and TLS 1.3 - The latest standards

21
Q

Driver manipulation examples

A

Shimming

Refactoring

22
Q

Shimming

A
• Filling in the space between two objects
– A middleman
• Windows includes its own shim
– Backwards compatibility with previous Windows versions
– Application Compatibility Shim Cache
• Malware authors write their own shims
– Get around security (like UAC)
• January 2015 Microsoft vulnerability
– Elevates privilege
23
Q

Refactoring

A

Metamorphic malware
– A different program each time it’s downloaded
• Make it appear different each time
– Add NOP instructions
– Loops, pointless code strings
• Can intelligently redesign itself
– Reorder functions
– Modify the application flow
– Reorder code and insert unused data types
• Difficult to match with signature-based detection
– Use a layered approach

24
Q

Driver

A

• The interaction between the hardware and your operating system
– They are often trusted
– Great opportunity for security issues
• May 2016 - HP Audio Drivers
– Conexant audio chips
– Driver installation includes audio control software
– Debugging feature enables a keylogger
• Hardware interactions contain sensitive information
– Video, keyboard, mouse

25
Q

Evil twin

A

• An unauthorized wireless access point
– May be added by an employee or an attacker
– Potential backdoor
• Very easy to plug in a wireless AP
– Or enable wireless sharing in your OS
• Schedule a periodic survey
– Walk around your building/campus
– Use a third-party tool / WiFi Pineapple
26
Q

Rogue access point

A

• A less-secure entry point to the network

27
Q

Wireless disassociation

A

• A significant wireless denial of service (DoS) attack

A wireless disassociation or wireless de-authentication attack is a denial of service attack that specifically causes devices on the wireless network to suddenly lose the ability to communicate with the access point at all.

28
Q

Wireless jamming

A

• Many different types
– Constant, random bits / constant, legitimate frames
• Data sent at random times
– Random data and legitimate frames
• Reactive jamming
– Only when someone else tries to communicate
• Needs to be somewhere close
– Difficult to be effective from a distance
• Time to go fox hunting
– You’ll need the right equipment to hunt down the jam
– Directional antenna, attenuator

29
Q

Weak keys

A

• Larger keys are generally more difficult to brute force
– The weak IV in RC4 resulted in the WEP security issues

30
Q

WPA3

A

• Wi-Fi Protected Access 3 (WPA3) - Introduced in 2018

31
Q

Bluejacking

A

• Sending of unsolicited messages to another device via Bluetooth
– No mobile carrier required!
• Typical functional distance is about 10 meters
– More or less, depending on antenna and interference
• Bluejack with an address book object
– Instead of a contact name, write a message – “You are Bluejacked!”
– “You are Bluejacked! Add to contacts?”
• Third-party software may also be used
– Blooover, Bluesniff

32
Q

Bluesnarfing

A

• Access a Bluetooth-enabled device and transfer data
– Contact list, calendar, email, pictures, video, etc.
• First major security weakness in Bluetooth
– Marcel Holtmann in September 2003 and Adam Laurie in November 2003
– This weakness was patched
• Serious security issue
– If you know the file, you can download it without authentication

33
Q

RFID (Radio-frequency identification)

A
• It’s everywhere
– Access badges
– Inventory/assembly line tracking
– Pet/animal identification
– Anything that needs to be tracked
• Radar technology
– Radio energy transmitted to the tag
– RF powers the tag, ID is transmitted back
– Bidirectional communication
– Some tag formats can be active/powered
34
Q

RFID Attacks

A

• Data capture
– View communication
– Replay attack
• Spoof the reader
– Write your own data to the tag
• Denial of service
– Signal jamming
• Decrypt communication
Initialization Vectors (IV)
• A type of nonce
– Used for randomizing an encryption scheme
– The more random the better
• Used in encryption ciphers, WEP, and some SSL implementations

Salt
• A nonce most commonly associated with password randomization
– Make the password hash unpredictable
• Password storage should always be salted
– Each user gets a different salt
• If the password database is breached, you can’t correlate any passwords
– Even users with the same password have different hashes stored
– Many default keys are on Google

35
Q

Near field communication (NFC)

A
• Two-way wireless communication
– Builds on RFID, which is mostly one-way
• Payment systems
– Many options available
• Bootstrap for other wireless
– NFC helps with Bluetooth pairing
• Access token, identity “card”
– Short range with encryption support
36
Q

NFC Security Concern

A
• Remote capture
– It’s a wireless network
– 10 meters for active devices
• Frequency jamming
– Denial of service
• Relay / replay attack
– On-path attack
• Loss of NFC device control
– Stolen/lost phone
37
Q

Man in The Middle Attack

A

A system with the ability to view the communication (frames, packets) between two or more hosts injects itself into the path between the host systems

Can be good (proxy, ALG, translators) or it can be dangerous (proxy ARP, DHCP spoofing)

38
Q

Types of Layer 2 Attacks

A

ARP Poisoning

MAC Flooding

MAC Cloning

39
Q

ARP Poisoning

A

Address Resolution Protocol

• A form of man in the middle attack that exploits ARP
• ARP maps the IP address to the MAC address
• A hacker redirects your traffic to their device and then passes it on to a router, server, switch or other intended device
• Malicious host injects false frames in order to corrupt (poison) the ARP cache buffers on endpoints, switches, servers, firewalls, and routers
• Exploit kits have several scripts, modules, and tools to compromise the ARP protocol
• Only works in IPv4 networks - not IPv6
40
Q

MAC flooding

A

• The MAC table is only so big
• Attacker starts sending traffic with different source MAC addresses
– Force out the legitimate MAC addresses
• The table fills up
– Switch begins flooding traffic to all interfaces
• This effectively turns the switch into a hub
– All traffic is transmitted to all interfaces
– No interruption in traffic flows
• Attacker can easily capture all network traffic!
• Flooding can be restricted in the switch’s port security settings

41
Q

MAC cloning / MAC spoofing

A

• An attacker changes their MAC address to match the MAC address of an existing device
– A clone / a spoof
• Circumvent filters
– Wireless or wired MAC filters
– Identify a valid MAC address and copy it
• Create a DoS
– Disrupt communication to the legitimate MAC
• Easily manipulated through software
– Usually a device driver option

42
Q

Distributed Denial of Service (DDoS)

A

• Launch an army of computers to bring down a service
– Use all the bandwidth or resources - traffic spike
• This is why the attackers have botnets
– Thousands or millions of computers at your command
– At its peak, Zeus botnet infected over 3.6 million PCs
– Coordinated attack
• Asymmetric threat
– The attacker may have fewer resources than the victim

43
Q

DDoS amplification

A

Turn your small attack into a big attack. The attacker performs two malicious tasks.

First, the attacker spoofs the source IP address seen by the DNS resolver, replacing it with the victim’s IP address.

This will cause all DNS replies from the DNS servers to be sent to the victim’s servers.

Second, the attacker finds an Internet domain that is registered with many DNS records.

During the attack, the attacker sends DNS queries that request the entire list of DNS records for that domain.

This results in large replies from the DNS servers.

Using very few computers, the attacker sends a high rate of short DNS queries.

44
Q

Malicious Code

A

This is the generic term from which malware is derived

– A virus is an unwanted and unsolicited malicious program or piece of code that can damage an electronic system

45
Q

Malicious Script

A

Script viruses are written using script languages

This type of virus either infects other scripts or forms a part of multicomponent viruses

It affects only those applications for which it has been written