Deck B

Question 1

What DB type is MongoDB

Answer 1

Document Oriented

Question 2

What language are the documents in MongoDB stored

Answer 2

BSON (Binary JSON)

Question 3

What is the reserved primary key is MongoDB

Answer 3

_id

Question 4

What does a JSON NoSQL Injection look like

Answer 4

{“username”: { “$regex”: “.*”} }

Question 5

What is an In-Band NoSQL Injection

Answer 5

When the attacker can use the same channel of communication to exploit a NoSQL Injection and receive the result

Question 6

What is a Blind NoSQL Injection

Answer 6

Where the attacker does not receive the results from the NoSQL Injection but they infer the results based on how the server responds

Question 7

What are the two sub-types of Blind NoSQL Injection

Answer 7

Boolean and Time-Based

Question 8

What is a Boolean based NoSQL Injection

Answer 8

Where the attacker forces the server to evaluate a query and return one result or the other if it is true or false

Question 9

What is a Time-based NoSQL Injection

Answer 9

Where the attacker makes the server wait for a specific amount of time before responding, usually indicating if the query is true or false

Question 10

What is the format we use if the query is using URL encoded or x-www-form-urlencoded

Answer 10

Instead of JSON we use param[$regex]=val

Question 11

What are some of the common NoSQL query operators

Answer 11

ne (not equal). Regex. Gt/Gte/Lt/Lte (Greater/Less than(equal to))

Question 12

What is a simple auth bypass using NoSQL injection

Answer 12

username[$regex]=.&password[$regex]=.

Question 13

Example of an NoSQL injection if we know the username

Answer 13

username=admin@mail.com&password[$ne]=invalid

Question 14

What is the character we can use for $lt and $lte and why

Answer 14

We can use the tilde (~) as it is the largest ASCII character

Question 15

How can we perform Blind Data Extraction using NoSQL

Answer 15

username[$ne]=^.* will be true. username[$ne]=^z.* will be false. username[$ne]=^A.* will be true.

Question 16

What is SSJI

Answer 16

SSJI occurs when a $where query is used on the backend

Question 17

What does SSJI stand for

Answer 17

Server Side JavaScript Injection

Question 18

How can we exploit SSJI in NoSQL injection

Answer 18

Query: $where: ‘this.username === “”. We can make the username “ || sleep(5000) || “”==”

Question 19

How can we check if the first char of the username is A using SSJI in NoSQL injection

Answer 19

Query: $where: ‘this.username === “”. We can make the username “ || this.username.match(‘^A.*’) || “”==”

Question 20

How can we prevent NoSQL Injection

Answer 20

Sanitising user inputs. Use a white-list of acceptable values and avoud using JS expressions as much as possible

Question 21

What is a CRLF stand for

Answer 21

Carriage Return Line Feed

Question 22

What is a CR

Answer 22

A Carriage Return moves the cursor to the beginning of the line

Question 23

What is a LF

Answer 23

A Line Feed moves the cursor down to the next line

Question 24

What is the symbols for a CR

Answer 24

\r and %0d

Question 25

What is the symbols for a LF

Answer 25

\n %0a

Question 26

What does a CRLF together denote

Answer 26

The beginning of a new line

Question 27

What is a Log Injection

Answer 27

A Log Injection is when we can tamper with the logs using a CRLF to mask and forge log requests/entries

Question 28

How does a Log Injection work

Answer 28

If the log entry is “Malicious Entry: : ‘1’=’1. We can then do the same and use a CRLF to make a new line to make it look like the malicious request came from a different source

Question 29

What is HTTP Response Splitting

Answer 29

When we can use CRLF characters to create new arbitrary headers by breaking out of a header

Question 30

What is SMTP Header Injection

Answer 30

When we can inject CRLF characters into a mail format and for example append ourselves as a To: Cc: or Bcc:

Question 31

Where might we be able to exploit an SMTP injection

Answer 31

On a contact form

Question 32

What is Request Smuggling

Answer 32

It is an attack that exploits a discrepancy/mismatch between the intermediate server and the backend server in the way they process a request

Question 33

What is Request Smuggling also known as

Answer 33

A Desync Attack

Question 34

What kind of stream are HTTP request

Answer 34

TCP Streams

Question 35

How does a Request Smuggling attack work

Answer 35

A Request Smuggling attack works that the intermediate server such as a WAF reverse proxy might use Content Length to split HTTP requests up from the TCP Stream whilst the back-end server might use Transfer-Encoding meaning we can smuggle data into other requests

Question 36

What are the three types of Request Smuggling

Answer 36

CL.TE / TE.TE / TE.CL

Question 37

What is CL.TE

Answer 37

When the reverse proxy does not support chunked encoding so it uses content length but the web server once the request is forwarded onwards uses transfer encoding (chunked)

Question 38

How can we exploit CL.TE

Answer 38

We can specify use content-length to get the request forwarded from the reverse proxy but make the request in the format of chunked encoding so it is processed as chunked to the webserver

Question 39

What is TE.TE

Answer 39

The scenario where both the reverse proxy and web server support chunked encoding. We have the exploit it in a way where one of the two accept it and the other one does not

Question 40

How can we exploit TE.TE

Answer 40

Since both servers use TE we have to make one decline it. We can do this by manipulating the Transfer Encoding header

Question 41

How can we manipulate the Transfer Encoding header in a TE.TE Request Smuggling attack

Answer 41

Substring Match (testchunked). Space in header name (Transfer-Encoding : chunked). Change the space to a Hex 09 or 0b from a 20 (real space)). Add a leading space before the header ( Transfer-Encoding: chunked)

Question 42

What is reporting line to use during the intro

Answer 42

This report presents a snapshot in time during the aforementioned testing period and Acme Consulting cannot attest to the state of any client owner information assets outside of this testing window

Question 43

What are the key parts of writing up a finding

Answer 43

Risk classification. Affected components list. Description of risk posed to CIA. Potential Impact to Information Systems and Data in terms of CIA. Cause of issue. Which type of attacker would exploit the issue. Difficulty and likelihood of exploit. Recommendations

Question 44

T. Findings Headings

Answer 44

Consequence/Likelihood. Definition. Location. Details. Impact. Identification. Recommendations

Question 45

T. Findings Headings (ACRONYM)

Answer 45

CDL-DIIR

Question 46

HTB Findings Headings

Answer 46

Description. Impact. Affected Applications. Recommendation. Reproduce Steps