Final Flashcards
Problems that lead to command injection flaws
Failure to properly separate commands and data
Possibly True SQL Statements
' OR 1=1 -- a    (the -- comments out the rest of the query; the trailing character is there because some databases, e.g. MySQL, require whitespace after --)
Malicious input to drop table ‘users’
'; DROP TABLE Users --    (stacked query; only works where the driver executes multiple statements)
Input Validation
PHP Magic Quotes (automatic backslash-escaping of quotes in request data; easily bypassed, deprecated in PHP 5.3 and removed in 5.4, not a real defense)
Example of Parameterized Query
Prepared Statements
Best practice of SQL injection prevention
parameterized queries
Bind variable
? serves as a placeholder in the SQL text; the value is supplied separately and is never parsed as SQL
With prepared statements, parameters are bound when?
At runtime (execution), after the statement has already been parsed, so bound data cannot change the query structure
URI
Uniform Resource Identifier
XSS term
Buzzword for a specific type of injection vulnerability: attacker-controlled script injected into a web page that the browser then executes
XSS do what
exploit the trust a user’s browser has for a web server
XSS typically ends in
malicious script running in the victim's browser, in the origin of the trusted site
XSS involves
3 actors:
- attacker
- victim
- server
Why are XSS possible?
Hard to differentiate data from code: user input ends up inside HTML/JavaScript and the browser cannot tell it from the page's own markup
Javascript has access to
User's information such as cookies (session tokens), the page DOM, and the ability to make requests as the user
Types of XSS Vuln.
- Non-persistent / reflected
- Persistent / stored
- DOM-based / Local
Non-persistent / Reflected XSS
Browser-supplied data (e.g. in the URL) is used by server-side scripts, unescaped, to generate the page sent back to the user, so script in the request is reflected back and executed
Persistent / Stored XSS
Malicious script submitted to the web app is stored on the server (database, message board) and served to every user who later views that page
DOM-Based / Local
Malicious script is introduced through client-side DOM processing (e.g. JavaScript writing part of the URL into the page); the server may never see the payload
Example of non-persistent XSS attack
Eve convinces Alice to click on a URL that makes Bob’s server send Alice a malicious script
Example of persistent XSS attack
Eve posts message to board with embedded XSS attack script which Bob’s browser reads as code, not data
Real world persistent xss attack
Samy Worm on Myspace
DOM
Document Object Model
XSS Mitigations
1. Input validation, sanitization
2. Output encoding
Output encoding
Escaping output for the context it is inserted into (HTML body, attribute, JavaScript, URL) so the browser treats it as data, not code
Original purpose of sticky bit
Sped up later executions by keeping the program's text segment in swap space after it exited
Write and execute bits on a directory allow
1. Creating files in it
2. Deleting or renaming files and subdirectories in it, without requiring write permission on those files themselves
Problem case with w and x bits on a shared directory (e.g. world-writable /tmp: any user can delete or rename other users' files), prevented by
Sticky bit
Sticky bit
Only the file's owner, the directory's owner, or root can delete or rename an entry in the directory
TOCTOU
Time of check, time of use
Toctou caused by
Possibility that a resource changes between the time permission is checked and the time it is used (a race condition)
Classic TOCTOU
A setUID-root program calls access() on a path to check the real user's permission, then open() on the same path
access()
Checks permission against the REAL user ID (the invoking user), not the effective ID
open()
Opens the file for reading/writing using the EFFECTIVE user ID (root in a setUID-root program)
How TOCTOU works
1. Put a soft (symbolic) link in /tmp pointing at a file the attacker owns, so access() succeeds
2. Run the vulnerable setUID program repeatedly while repeatedly re-pointing the link at a root-only file, hoping a swap lands between access() and open()
TOCTOU mitigations
- Temporarily drop root privilege (set the effective UID to the real UID) before open(), so the open itself is checked as the real user
- Check-use-check again (re-verify after use; still racy if the checks are done on a path name rather than the opened object)
- Use atomic operations (open() with O_NOFOLLOW / O_EXCL and then check the opened descriptor with fstat(), so the object checked is the object used)
- Use capabilities (file descriptors or fine-grained privileges instead of ambient root)
TCP/IP Flaws
- Naive design assumptions (security not intrinsic)
- Incomplete specification (details left to implementers)
- Implementation errors (buggy, incorrect implementations)
4-Layer TCP/IP Network Model
- Link
- Network / Internet (IP)
- Transport (TCP/UDP)
- Application
UDP
unreliable connectionless communication
UDP delivery style
best-effort
TCP
reliable, connection-oriented communication
IP
connectionless, unreliable communication over the internet
ARP is a
Data link layer protocol
ARP
Resolves the media access control (MAC) address corresponding to a next-hop IP address on the local network
IP is a
Network layer protocol
__ sends data in individual packets
IP
Data is guaranteed to arrive at the application in the correct order
TCP
TCP 3 Way Handshake
- SYN with the client's ISN
- SYN-ACK with the server's own ISN, acknowledging client ISN + 1
- ACK, acknowledging server ISN + 1
ISN
Initial sequence number
Sequence number
ISN + bytes previously sent (the SYN itself consumes one sequence number, as does a FIN)
Acknowledgment number
Next byte expected from the peer: peer's ISN + 1 (for its SYN) + bytes received so far
SYN Flood
Form of DoS: floods the server's half-open connection (SYN) queue with SYNs and never sends the 3rd part of the three-way handshake
Syn Flood Mitigations
- SYN cookies (the server encodes the connection state in its ISN instead of queueing it, and only allocates state when the final ACK returns it)
RST Attack
Sends forged TCP packets with the RST flag set, with a sequence number inside the receiver's window, to tear down someone else's connection
RST Attack mitigation
- Stateful packet filtering (drop RSTs that do not match tracked connection state); modern stacks also require the RST sequence number to match exactly and otherwise send a challenge ACK (RFC 5961)
Session Hijacking
Insertion of TCP packets into a previously established TCP session, using a sniffer to learn the current sequence and acknowledgement numbers
Session hijacking mitigation
IPsec (built into IPv6), HTTPS/TLS: injected packets fail authentication, so the attacker cannot take over the session
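The handshake, sequence/acknowledgment and RST cards above, worked as an added example (not from the original flashcards): a small model that tracks the numbers each side would put in its headers through a three-way handshake and a first data segment, plus the RFC 793 in-window test a forged RST has to pass. No sockets are involved; the ISNs and payload are constructed values.

```python
class TcpEndpoint:
    """Tracks the sequence/acknowledgment numbers one side of a TCP connection
    would place in its headers. SYN and FIN each consume one sequence number,
    data consumes one per byte. Constructed model, not a real TCP stack."""

    def __init__(self, isn):
        self.isn = isn
        self.snd_nxt = isn       # next sequence number we will send
        self.rcv_nxt = None      # next sequence number we expect from the peer

    def send(self, flags=(), data=b""):
        seg = {"seq": self.snd_nxt, "ack": self.rcv_nxt,
               "flags": set(flags), "len": len(data)}
        self.snd_nxt += len(data) + ("SYN" in flags) + ("FIN" in flags)
        return seg

    def receive(self, seg):
        consumed = seg["len"] + ("SYN" in seg["flags"]) + ("FIN" in seg["flags"])
        self.rcv_nxt = seg["seq"] + consumed


def handshake_and_send(client_isn, server_isn, payload):
    """Run the three-way handshake and one data segment; return every segment."""
    c, s = TcpEndpoint(client_isn), TcpEndpoint(server_isn)
    syn = c.send(("SYN",)); s.receive(syn)                  # 1. SYN with client ISN
    synack = s.send(("SYN", "ACK")); c.receive(synack)      # 2. SYN-ACK with server ISN
    ack = c.send(("ACK",)); s.receive(ack)                  # 3. ACK, consumes no seq
    data = c.send(("ACK",), payload); s.receive(data)       # first data segment
    reply = s.send(("ACK",))                                # server acknowledges it
    return {"syn": syn, "synack": synack, "ack": ack, "data": data, "reply": reply}


def rst_accepted_rfc793(rcv_nxt, rcv_wnd, rst_seq):
    """RFC 793 acceptance test for a segment carrying RST: its sequence number must
    fall inside the receive window [rcv_nxt, rcv_nxt + rcv_wnd). RFC 5961 tightens
    this to an exact match with rcv_nxt (anything else in-window gets a challenge
    ACK), which is why a blind RST attack on a modern stack needs the exact number."""
    return rcv_nxt <= rst_seq < rcv_nxt + rcv_wnd


if __name__ == "__main__":
    for name, seg in handshake_and_send(1000, 5000, b"0123456789").items():
        print(name, seg)
```

With client ISN 1000 and server ISN 5000 the SYN-ACK acknowledges 1001, the client's first data byte carries sequence 1001 (its ISN plus the one number the SYN consumed), and after ten bytes the server acknowledges 1011; an attacker who cannot sniff those values has to guess them.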
5 components of a cryptosystem
- plaintexts
- keys
- ciphertexts
- enciphering funct
- deciphering funct
What does cryptosystem achieve?
1) Confidentiality
2) Integrity
3) Authentication
4) Non-repudiation
Kerckhoffs's Principle
A cryptosystem should be secure even if everything BUT the key is known
Symmetric crypto aka
Single-key (secret-key) encryption
Example of a simple (classical) cipher
Caesar cipher
In a symmetric system, key is
shared by sender and recipient
How does symmetric key work?
symmetric key is used with both the encryption and the decryption functions
Example of symmetric crypto
AES
Asymmetric Crypto aka
public key crypto
Why is public key crypto possible?
Because of intractable math problems: operations that are easy to compute one way but infeasible to reverse without a secret (trapdoor)
Example of intractable problem
Factoring a large composite into its prime factors (integer factorization); also the discrete logarithm problem
How does an asymmetric key pair work?
One key (public) for encryption, a different but mathematically related key (private) for decryption
Asymmetric key examples
RSA, Diffie-Hellman
Digital signatures
Authenticates both the origin and the contents of a message (integrity + authentication); because only the signer holds the private key, also supports non-repudiation
Difference between encryption and hashing
Encryption uses a key and is reversible (decrypt with the key); hashing is one-way, and an unkeyed hash involves no secret, so anyone can recompute it
HMAC
Hash-based Message Authentication Code: a keyed hash that proves integrity and origin to a party holding the shared key
How does a public key message work? (sender)
- Sender acquires the receiver's public key
- Encrypt the message with the receiver's public key
- Hash the unencrypted message (digest)
- Encrypt (sign) the digest with the sender's own private key
- Send the encrypted message and the signed digest to the receiver
How public key message works? (receiver)
- Decrypt the encrypted message with the receiver's own private key
- Compute the message digest of the decrypted message
- Decrypt the signed digest using the sender's public key
- Compare the decrypted digest to the computed digest; a match proves integrity and origin
3 Security principles provided by public key crypto:
- Confidentiality
- Integrity
- Authentication
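The sender/receiver procedure from the two cards above, and the three properties it gives, worked as an added example (not from the original flashcards) with textbook RSA and SHA-256. This is a teaching model only: it uses well-known Mersenne primes as the key material and no padding, so it is not secure; real code uses a vetted library with RSA-OAEP/PSS or, better, hybrid encryption. The key pairs, the message and the function names are constructed for the example.

```python
import hashlib

# Toy key material: publicly known Mersenne primes, chosen only so that the
# message and the 256-bit digest fit under each modulus. NOT secure.
SENDER_PRIMES = (2**521 - 1, 2**607 - 1)       # ~1128-bit modulus, holds a digest
RECEIVER_PRIMES = (2**1279 - 1, 2**2203 - 1)   # ~3482-bit modulus, holds the message
E = 65537


def keygen(primes, e=E):
    """Return ((n, e), (n, d)): the public and private halves of a textbook RSA pair."""
    p, q = primes
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse of e, Python >= 3.8
    return (n, e), (n, d)


def rsa(x, key):
    n, k = key
    return pow(x, k, n)


def to_bytes(x):
    return x.to_bytes((x.bit_length() + 7) // 8, "big")


def send(message, sender_priv, receiver_pub):
    """Sender: encrypt with the receiver's public key, sign the digest with own private key."""
    m = int.from_bytes(message, "big")
    assert 0 < m < receiver_pub[0], "textbook RSA: message must be below the modulus"
    ciphertext = rsa(m, receiver_pub)                            # confidentiality
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    signature = rsa(digest, sender_priv)                         # integrity + authentication
    return ciphertext, signature


def receive(ciphertext, signature, receiver_priv, sender_pub):
    """Receiver: decrypt with own private key, recompute the digest, check the signature.
    Returns (message, signature_valid). A leading 0x00 byte in a message would be lost
    by this toy integer encoding; real schemes pad, so that cannot happen there."""
    message = to_bytes(rsa(ciphertext, receiver_priv))
    computed = int.from_bytes(hashlib.sha256(message).digest(), "big")
    recovered = rsa(signature, sender_pub)                      # digest the sender signed
    return message, computed == recovered


def demo():
    sender_pub, sender_priv = keygen(SENDER_PRIMES)
    receiver_pub, receiver_priv = keygen(RECEIVER_PRIMES)
    msg = b"transfer 100 to bob"
    ct, sig = send(msg, sender_priv, receiver_pub)
    ok = receive(ct, sig, receiver_priv, sender_pub)
    # Eve swaps in a different ciphertext but cannot re-sign it without sender_priv.
    ct2, _ = send(b"transfer 900 to eve", sender_priv, receiver_pub)
    forged = receive(ct2, sig, receiver_priv, sender_pub)
    return ok, forged


if __name__ == "__main__":
    print(demo())
```

Confidentiality comes from the receiver's key pair (only the private key decrypts), integrity from comparing the recomputed digest with the one recovered from the signature, and authentication from the fact that only the sender's private key could have produced a signature that the sender's public key unlocks. The forged case in `demo` decrypts fine but fails the digest comparison.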
PKI
Public key infrastructure: uses certificates (public keys bound to identities and signed by a trusted CA) to confirm the identity of the parties involved
CA
Certificate Authority
RA
Registration Authority (verifies an applicant's identity before the CA issues the certificate)
Types of symmetric ciphers
Stream
Block
CERT is a
A certified public key: a public key bound to an identity and signed by a CA
Which hash algorithms have practical collision attacks (considered broken)
MD5
Sha-1
SHA
Secure Hash Algorithm
Strength of HMAC depends on
Size (and secrecy) of the secret key, together with the strength of the underlying hash
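The HMAC and "encryption vs hashing" cards above, worked as an added example (not from the original flashcards): an unkeyed hash beside a keyed HMAC over the same message, showing that only the keyed tag stops a forger, plus the constant-time comparison and minimum-key-size checks a practitioner adds. The key, message and function names are constructed; `hmac` and `hashlib` are Python standard library.

```python
import hashlib
import hmac


def plain_hash(message):
    # Unkeyed hash: proves nothing about origin, anyone can recompute it for a new message.
    return hashlib.sha256(message).digest()


def tag(key, message):
    # Keyed hash (HMAC-SHA256): only holders of `key` can produce a valid tag.
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(key, message, received_tag):
    # compare_digest runs in constant time, so a forger cannot learn the tag byte by byte
    # from timing differences the way a plain == comparison could leak them.
    return hmac.compare_digest(tag(key, message), received_tag)


def key_ok(key):
    # RFC 2104: a key shorter than the hash output weakens HMAC; use at least 32 bytes
    # for SHA-256, ideally from os.urandom().
    return len(key) >= hashlib.sha256().digest_size


def forgery_demo(key):
    """Constructed scenario: Eve changes the amount and recomputes the protector."""
    original, altered = b"amount=100;to=bob", b"amount=900;to=eve"
    # Scheme 1: integrity "protected" by an unkeyed hash. Eve just hashes her message.
    unkeyed_accepted = plain_hash(altered) == plain_hash(altered)
    # Scheme 2: HMAC. Eve has no key, so the best she can do is reuse the old tag.
    keyed_accepted = verify(key, altered, tag(key, original))
    return unkeyed_accepted, keyed_accepted


if __name__ == "__main__":
    k = b"\x01" * 32                                  # constructed key, not random
    print(forgery_demo(k))                            # (True, False)
```

The unkeyed scheme accepts the altered message because the "check" has no secret in it; the HMAC scheme rejects it because the tag depends on a key Eve does not hold.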
Most famous key exchange
Diffie hellman
Man in the middle attack
Attacker intercepts the communication between two parties and impersonates each one to the other (defeated by authenticating the key exchange, e.g. with certificates)