Exploitation 2 Flashcards

1
Q

Clickjacking

A
  • A clickjacking attack is where a user can be tricked into clicking on something without even realising they did it.
  • Commonly used with hidden iframes (embedding another invisible site into the page).
  • The X-Frame-Options header should be sent in the HTTP response for every page to mitigate clickjacking.
    Three values:
    1. DENY: This option will prevent the page from ever being loaded into an iframe.
    2. SAMEORIGIN: This option will allow the page to be loaded in an iframe, but only if the page that is loading it is on the same domain.
    3. ALLOW-FROM domain.com: This option will allow the page to be loaded in an iframe, but only for the specified domain. In this case, domain.com.
2
Q

Cross Site Request Forgery (CSRF)

A
  • An attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated.
  • CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request.

A simple example: forcing someone to click a link such as ‘terriblebank.fake/transfer.php?to=bob&amount=50’, which sends you money if they’re currently authenticated.

  • There are two steps to mitigating a CSRF attack:
    1. Make sure every HTTP request submitting a form or any other kind of input comes from the ‘same origin’.
    2. Use a CSRF token, which is required by every form or input on the site.
3
Q

Directory Traversal

A
  • A directory traversal vulnerability exists where a file is loaded based on a filename provided by the user.
  • A user is able to use ‘..’ in order to reference files outside of the normal path.
  • This vulnerability can be used to read sensitive data in the web application, or even in some cases on the operating system running the server.
  • The best way to mitigate directory traversal is not to use user input when making file system calls. Of course, that may not be possible, so an alternative is to use an index.
4
Q

Vulnerability Scanners

A
  • When it comes to testing web applications, one of the most common tools to use is a vulnerability scanner.
  • Scanners work by crawling all the pages on a site and making an index of them, then visiting each page and attempting multiple web application attacks against every form of user input on the site.
  • If it sees behaviour that makes it think the attack worked, then it lists the flaw. Once the whole application is scanned, you get a report.

What to watch out for when using one:
  1. Make sure you know what the scanner is about to do.
  2. Make sure you’ve configured your scanner to log into the site if that is what is required.
  3. Make sure you tell your scanner what to avoid!
  4. Watch out for CAPTCHAs.
  5. Read the scanner’s log files to make sure it is working in a sensible manner.
    - Scanners are noisy; they will produce a LOT of logs. To an extent, this is part of the normal background noise of the internet, but it is also an indication that someone is about to attack. Pay attention to your logging and monitoring, and when you do notice a scanner running, make sure to stay at a higher level of alertness.