CCT APP Written - Deck C Flashcards

1
Q

What DB type is MongoDB

A

Document Oriented

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

What language are the documents in MongoDB stored

A

BSON (Binary JSON)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

What is the reserved primary key is MongoDB

A

_id

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

What does a JSON NoSQL Injection look like

A

{“username”: { “$regex”: “.*”} }

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

What is an In-Band NoSQL Injection

A

When the attacker can use the same channel of communication to exploit a NoSQL Injection and receive the result

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

What is a Blind NoSQL Injection

A

Where the attacker does not receive the results from the NoSQL Injection but they infer the results based on how the server responds

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

What are the two sub-types of Blind NoSQL Injection

A

Boolean and Time-Based

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

What is a Boolean based NoSQL Injection

A

Where the attacker forces the server to evaluate a query and return one result or the other if it is true or false

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

What is a Time-based NoSQL Injection

A

Where the attacker makes the server wait for a specific amount of time before responding, usually indicating if the query is true or false

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

What is the format we use if the query is using URL encoded or x-www-form-urlencoded

A

Instead of JSON we use param[$regex]=val

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

What are some of the common NoSQL query operators

A

ne (not equal). Regex. Gt/Gte/Lt/Lte (Greater/Less than(equal to))

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

What is a simple auth bypass using NoSQL injection

A

username[$regex]=.&password[$regex]=.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

Example of an NoSQL injection if we know the username

A

username=admin@mail.com&password[$ne]=invalid

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

What is the character we can use for $lt and $lte and why

A

We can use the tilde (~) as it is the largest ASCII character

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

How can we perform Blind Data Extraction using NoSQL

A

username[$ne]=^.* will be true. username[$ne]=^z.* will be false. username[$ne]=^A.* will be true.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

What is SSJI

A

SSJI occurs when a $where query is used on the backend

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

What does SSJI stand for

A

Server Side JavaScript Injection

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

How can we exploit SSJI in NoSQL injection

A

Query: $where: ‘this.username === “<username>". We can make the username " || sleep(5000) || ""=="</username>

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

How can we check if the first char of the username is A using SSJI in NoSQL injection

A

Query: $where: ‘this.username === “<username>". We can make the username " || this.username.match('^A.*') || ""=="</username>

20
Q

How can we prevent NoSQL Injection

A

Sanitising user inputs. Use a white-list of acceptable values and avoud using JS expressions as much as possible

21
Q

What is a CRLF stand for

A

Carriage Return Line Feed

22
Q

What is a CR

A

A Carriage Return moves the cursor to the beginning of the line

23
Q

What is a LF

A

A Line Feed moves the cursor down to the next line

24
Q

What is the symbols for a CR

A

\r and %0d

25
Q

What is the symbols for a LF

A

\n %0a

26
Q

What does a CRLF together denote

A

The beginning of a new line

27
Q

What is a Log Injection

A

A Log Injection is when we can tamper with the logs using a CRLF to mask and forge log requests/entries

28
Q

How does a Log Injection work

A

If the log entry is “Malicious Entry: <IP>: '1'='1. We can then do the same and use a CRLF to make a new line to make it look like the malicious request came from a different source</IP>

29
Q

What is HTTP Response Splitting

A

When we can use CRLF characters to create new arbitrary headers by breaking out of a header

30
Q

What is SMTP Header Injection

A

When we can inject CRLF characters into a mail format and for example append ourselves as a To: Cc: or Bcc:

31
Q

Where might we be able to exploit an SMTP injection

A

On a contact form

32
Q

What is Request Smuggling

A

It is an attack that exploits a discrepancy/mismatch between the intermediate server and the backend server in the way they process a request

33
Q

What is Request Smuggling also known as

A

A Desync Attack

34
Q

What kind of stream are HTTP request

A

TCP Streams

35
Q

How does a Request Smuggling attack work

A

A Request Smuggling attack works that the intermediate server such as a WAF reverse proxy might use Content Length to split HTTP requests up from the TCP Stream whilst the back-end server might use Transfer-Encoding meaning we can smuggle data into other requests

36
Q

What are the three types of Request Smuggling

A

CL.TE / TE.TE / TE.CL

37
Q

What is CL.TE

A

When the reverse proxy does not support chunked encoding so it uses content length but the web server once the request is forwarded onwards uses transfer encoding (chunked)

38
Q

How can we exploit CL.TE

A

We can specify use content-length to get the request forwarded from the reverse proxy but make the request in the format of chunked encoding so it is processed as chunked to the webserver

39
Q

What is TE.TE

A

The scenario where both the reverse proxy and web server support chunked encoding. We have the exploit it in a way where one of the two accept it and the other one does not

40
Q

How can we exploit TE.TE

A

Since both servers use TE we have to make one decline it. We can do this by manipulating the Transfer Encoding header

41
Q

How can we manipulate the Transfer Encoding header in a TE.TE Request Smuggling attack

A

Substring Match (testchunked). Space in header name (Transfer-Encoding : chunked). Change the space to a Hex 09 or 0b from a 20 (real space)). Add a leading space before the header ( Transfer-Encoding: chunked)

42
Q

What is reporting line to use during the intro

A

This report presents a snapshot in time during the aforementioned testing period and Acme Consulting cannot attest to the state of any client owner information assets outside of this testing window

43
Q

What are the key parts of writing up a finding

A

Risk classification. Affected components list. Description of risk posed to CIA. Potential Impact to Information Systems and Data in terms of CIA. Cause of issue. Which type of attacker would exploit the issue. Difficulty and likelihood of exploit. Recommendations

44
Q

T. Findings Headings

A

Consequence/Likelihood. Definition. Location. Details. Impact. Identification. Recommendations

45
Q

T. Findings Headings (ACRONYM)

A

CDL-DIIR

46
Q

HTB Findings Headings

A

Description. Impact. Affected Applications. Remediation. Reproduce Steps