Deck C Flashcards
When does an SQL injection occur
When user input is used in an SQL query without proper sanitisation or filtering of the input
What are the types of SQL Injections
In-band, Blind, Out-of-band
What are characters to use for testing of SQLi Discovery
" # ; )
What are the 3 types of queries for MySQL fingerprint testing
SELECT @@version; SELECT POW(1,1); SELECT SLEEP(5)
What is the expected output of SELECT @@version if MySQL
It will output the current MySQL version
What is the expected output of SELECT @@version if NOT MySQL
In MSSQL it returns MSSQL version. Error with other DBMS
What is the expected output of SELECT POW(1,1) if MySQL
1
What is the expected output of SELECT POW(1,1) if NOT MySQL
Error with other DBMS
What is the expected output of SELECT SLEEP(5) if MySQL
Delays page response by 5 seconds and returns 0
What is the expected output of SELECT SLEEP(5) if NOT MySQL
Will not delay response with other DBMS
If the web server is running Apache or Nginx what is likely the SQL server
MySQL
If the web server is running IIS what is likely the SQL server
MSSQL
What are the three types of XSS
Stored. Reflected and DOM-Based
What is a Stored XSS
The most critical type of XSS which occurs when user input is stored on the back-end database and displayed upon retrieval
What is a Reflected XSS
When a user input is displayed on the page after being processed by the backend server but without being stored
What is a DOM based XSS
When a user input is directly shown in the browser and is completely processed on the client side without reaching the backend
When can XSS be performed in Headers
When their values are displayed on the page
What 3 ports does MSSQL run on
TCP 1433 and UDP 1434. Hidden mode: TCP 2433
Query to verify MSSQL version
SELECT @@version
Oracle RDBMS port
TCP Port 1521
Query to verify Oracle RDBMS version
SELECT * FROM v$version;
MySQL Port
Port 3306
Query to verify MySQL version
SELECT VERSION()
MySQL Error
"You have an error in your SQL syntax"
PostgreSQL Port
TCP Port 5432
PostgreSQL Error
"PGERROR" or includes PostgreSQL in error text
Query to verify PostgreSQL version
SELECT version()
MongoDB port
TCP Port 27017
Query to verify MongoDB version
db.version()
Redis Port
TCP Port 6379
What is Spear Phishing
Instead of casting a wide net, attackers research their victims and craft personalised messages, increasing the likelihood of success
What is Whaling
A subtype of Spear Phishing that targets high-profile individuals within an organisation, such as the C-Suite
What is Vishing
Voice Phishing involves using phone calls or voice messages to deceive victims into revealing sensitive information
What is Virtualisation
Virtualisation refers to creating a virtual version of a resource. It allows multiple operating systems or applications to run on a single physical system whilst keeping them isolated from one another
VMWare ESXI Port
Port 902
HyperV DCE/RPC Port
135
Docker Port
Port 2375 and 2376
IBM DB2 Port
50000
What is the DB that contains schema info in MSSQL
INFORMATION_SCHEMA
What is the DB that contains schema info in MySQL
INFORMATION_SCHEMATA
In Blind SQLi what query can we use to extract length of a field
LEN(fieldName)
In Blind SQLi what query can we use to extract name of field letter by letter
ASCII(SUBSTRING(fieldName,1,1))
How to sleep in PGSQL
SELECT 1 FROM PG_SLEEP(10)
How to sleep in MSSQL
WAITFOR DELAY '0:0:5'
How to sleep in MySQL
SELECT SLEEP(5)
How to enable xp_cmdshell
EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
What does CSRF stand for
Cross Site Request Forgery
What is CSRF
Where an attacker tricks a victim into submitting unwanted requests through a link
Example of Insecure Headers
Missing CSP, Missing X-Frame-Options, Missing HSTS
What does CSP stand for
Content Security Policy
What does HSTS stand for
Header Strict-Transport-Security
What does CSP do and what are the risks of missing CSP
Helps mitigate XSS by defining which resources the browser may load; a missing CSP means malicious scripts could be injected and executed in users' browsers
What is HSTS and what are the risks of missing HSTS
HSTS ensures that the website is only accessed over HTTPS and not HTTP; a missing HSTS header increases the risk of HTTPS downgrade attacks, where the attacker forces the user to connect via HTTP, allowing them to intercept data
What is X-Frame-Options and what are the risks of missing X-Frame-Options
X-Frame-Options prevents clickjacking by disallowing the website from being embedded in an iframe; a missing X-Frame-Options header means an attacker can embed the website in a malicious frame, leading to clickjacking attacks
What are risks of CSRF
Unauthorised actions being performed, data manipulation, account takeover
What is XML Injection / XXE
When an attacker manipulates input in XML format, causing the web application to process unintended data or exhibit unintended behaviour
What are anti-CSRF, anti-XSS headers
SameSite Cookie, CSRF Tokens, CSP Header
What are the risks of XML Injection / XXE
Data leakage, RCE, DoS
How can we test/exploit an XXE
We can try including malicious XML entities such that they read the contents of file:///etc/passwd and then print out the contents of it
What is a CSRF token
A unique and unpredictable value that is included in forms or headers for each request; the token must match a token stored in the user's session
What is a SameSite cookie
It controls when cookies are sent in cross-origin requests; with Strict, cookies are only sent in requests that originate from the same site
What does CSP do
Restricts scripts, styles and other resources from being loaded or executed unless they are explicitly allowed; it can prevent reflected and stored XSS by blocking malicious scripts
What is Session Fixation
The attacker generates/creates a valid session and sends the victim a link using that cookie; when the victim logs in, the attacker has access to the account using the same cookie
What is a MIME-Type and what can it be exploited for
Determines the file type through its general format and byte structure; it can be exploited to pass malicious files off as allowed files (e.g. PHP scripts as a .jpg)
What can be an example of Session Fixation
An attacker logs into an account, copies the session token, logs out to invalidate it, and sends a crafted URL to a victim; when the victim logs in, the attacker possesses a valid session ID
Name 3 laws relating to Cyber in Australia
Privacy Act 1988, Cybercrime Act 2001 and Security of Critical Infrastructure Act 2018
What is the Cybercrime Act 2001
- Criminalises hacking and unauthorised access to data
- Addresses fraud involving computers and data manipulation
What is the Privacy Act 1988
It regulates the handling of personal information about individuals, requires organisations to notify individuals and the Australian Information Commissioner about data breaches that are likely to result in serious harm
What is the Security of Critical Infrastructure Act 2018
The SOCI Act identifies critical infrastructure assets and imposes obligations on owners and operators to protect their assets
What are the top 3 international Cyber laws/standards
GDPR, PCI DSS and ISO 27001
What does GDPR stand for
General Data Protection Regulation
What does GDPR do
- Enhances individuals' control over their personal data
- Requires timely reporting of data breaches
- Imposes fines for non-compliance
What does PCI DSS stand for
Payment Card Industry Data Security Standard
What does PCI DSS do
- Mandates encryption of cardholder data
- Requires restricted access to sensitive information
What does ISO 27001 do?
- Emphasises the identification and management of information security risks
- Encourages ongoing enhancement of security measures
What is the name of the scheme in the Privacy Act 1988 regarding notifying stakeholders
NDB scheme
What is the NDB scheme
Mandates the reporting of data breaches that are likely to result in serious harm
What TLS configuration does the PCI DSS find non-compliant
TLS 1.0
What are some questions that can be asked during scoping
- A brief description of the service?
- How many endpoints and functions are there?
- Does the service have a login mechanism in order to access authenticated content?
What is an open line in the Technical Summary
This section is targeted towards Project Managers or IT Managers wishing to delegate remediation tasks to various parties. It is a summary of all vulnerabilities with related risk ratings and business impacts designed to help prioritise resourcing for remediation.