Important Flashcards

(59 cards)

1
Q

CSRF Prevention

A

To prevent CSRF attacks, web applications need to build mechanisms to distinguish a legitimate request by a trusted user from a forged request crafted by an attacker but sent by the trusted user.

Token Based Mitigation:
- some frameworks like .NET have built-in protections that add a token to vulnerable CSRF resources.
- Synchronizer token pattern: csrf tokens should be generated server-side. They can be generated once per-user session for requests. The value is stored in the session and used for each request until the session expires. The server needs to verify the token in the request to the one found in the user session
- the token should be transmitted as part of the response and then transmitted back to the server as part of a hidden field on a form submission or as a AJAX header/part of JSON payload
- more secure to put it in a custom header (automatically same origin policy applies)

Double Submit Cookie:
- this is stateless unlike token-based mitigations
- server doesn’t need to generate the value, the client could
- the value will be sent as a cookie and as something else (request header)
- the attacker cannot access the cookie
- so the attacker cannot send the value as something else to verify itself (like in a request header) - this step needs to happen

Signed Double Submit Cookie:
- server has a secret key
- tokens are hashed/encrypted
- A simpler alternative to an encrypted CSRF cookie is to use HMAC (Hash-based Message Authentication Code) to hash the random value with a secret key known only by the server and place this value in a cookie.
- attacker cannot submit their own CSRF cookie

Custom request headers:
- no token
- In this pattern, the client appends a custom header to requests that require CSRF protection. The header can be any arbitrary key-value pair, as long as it does not conflict with existing headers.
- When handling the request, the API checks for the existence of this header. If the header does not exist, the backend rejects the request as potential forgery.
- this relies on SOP (that only JS can add the header and only from within its origin). By default, browsers do not allow JavaScript to make cross origin requests with custom headers. Only JavaScript that you serve from your origin can add these headers.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

CSRF defense in depth protections

A

SameSite Cookie Attribute:
- helps browser decide whether to send cookies along with cross-site requests.
- lax, strict, none

Verify origin with standard headers
- check if source origin matches target origin

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

Client Side CSRF

A

the attacker tricks the client-side javascript code to send a forged HTTP request to the vulnerable target by manipulating the program’s input parameters
- Client-side CSRF originates when the JavaScript program uses attacker-controlled inputs, such as the URL, for the generation of asynchronous HTTP requests.
- it can bypass some CSRF mitigations like tokens
- circumvents same-site cookie

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

bypassing CSRF mitigations

A

Some applications correctly validate the token when it is present but skip the validation if the token is omitted.

Some applications do not validate that the token belongs to the same session as the user who is making the request. Instead, the application maintains a global pool of tokens that it has issued and accepts any token that appears in this pool.
In this situation, the attacker can log in to the application using their own account, obtain a valid token, and then feed that token to the victim user in their CSRF attack.

Bypassing same-site:
Open redirection -As far as browsers are concerned, these client-side redirects aren’t really redirects at all; the resulting request is just treated as an ordinary, standalone request. Most importantly, this is a same-site request and, as such, will include all cookies related to the site, regardless of any restrictions that are in place.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

What happens when you enter a URL into the browser and hit enter?

A
  1. URL parsing - protocol, domain, path, query parameters
  2. DNS Lookup - check cache. Make a request to DNS server to find ip associated with the domain
  3. TCP Handshake
  4. TLS Handshake
  5. HTTP Request
  6. Server Processing
  7. HTTP Response
  8. Page rendering
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

How do you analyze a suspicious email attachment?

A
  1. Open on a virtual machine like virtual box with no network access.
  2. Take a snapshot of the virtual machine before and after
    - see processes launched, ports, etc

The easiest way would be to foward the mail to an online scanning service. Or download (do not run) and upload to virus/malware scanner.

Look at the file type

Inspect the email. Sender. Typos. etc

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

How do you attack a VPN?

A

Weak ciphers that can be broken. Browser activity could be leaked if DNS requests are being handled by the ISP. These are unencrypted.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

How do you find vulnerable software running on people’s work machines?

A

Endpoint management system running that will detect vulnerable software. See what processes are running. SentinelOne.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

You visit a team website and get a 404, but everyone else on your team can access it. what is wrong?

A

Maybe you’re in the wrong role. Okta. Don’t have the right permissions.

Delete your cache.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

A CEO of a well known company is sitting across from you at a coffee shop. how do you hack his email?

A

Is a public wifi being used. It’s safe as long as the websites you’re using are using HTTPS. Otherwise, someone else connected to the wifi can sniff your traffic content.

Look over his shoulder for passwords. Figure out what his email address is. Phish him. Send him to a site without HTTPS or to my own malicious site.

Wifi pineapple to mimic a network and have the CEO connect to the wifi pineapple.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

Your manager wants you to bring you laptop to Defcon, how do you secure it from getting hacked?

A

Turn off wifi. Encrypt the machine. Make sure it’s updated/patched. Host based firewall. Turn off bluetooth.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

If you were an attacker who compromised a CA and stole the private key, how would you use it?

A

Can issue fraudulent certificates.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

How would you attack the OAuth workflow?

A

Implementation mistakes.

Take advantage of the redirect_uri for Open Redirects. the client application implements some whitelist of their genuine callback URLs when registering with the OAuth service to mitigate this attack. Could end up sending the access token to an attacker controlled url. CSRF like attack to trick the user into initiating the OAuth flow, but sending the token back to the malicious user.

Need to add the state parameter - needs to be an unguessable value. Otherwise vulnerable to CSRF. Because It potentially means that they can initiate an OAuth flow themselves before tricking a user’s browser into completing it, similar to a traditional CSRF attack.

Pre account takeover. Try to register an account with another user’s email. Then we they try to create an account using social network, then that will get linked to the pre existing account. Perhaps they can still login into the account using the pw they set.

OAuth authentication vulnerabilities arise partly because the OAuth specification is relatively vague and flexible by design. Lack of built-in security features
the first request of the flow will always be a request to the /authorization endpoint containing a number of query parameters that are used specifically for OAuth. In particular, keep an eye out for the client_id, redirect_uri, and response_type parameters

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

Explain the SSL handshake. How do certificates get provisioned?

A

They get provisioned by a CA. You send a request to a CA such as Verisign.

An applicant generates a key pair (public and private) and a CSR (certificate signing request). A CSR is an encoded file that includes the public key and other info such as domain name, org, email). This is usually generated on the server that the certificate will be installed.

The private key is never sent to the CA.

The applicant sends the CSR to the CA. CA independently validates the info. If validated, then signs the cert with an issuing private key and sends it to the applicant.

Third parties can validate the cert by confirming the CA’s signature with the CA’s public key.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

You see a high volume of traffic to 169.254.169.254, what do you suspect?

A

This ip is used for instance metadata. Maybe they’re trying to see what kind of a server it is/where its hosted and try to gather more data about the server. Perhaps the server has been compromised.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

API Security

A

Use HTTPS
JWT
Input Validation
Error handling
SSO - you don’t have to manage user pw storage yourself
API Gateway

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

XSS Prevention

A
  • [ ] XSS Framework built in protections
    • [ ] React
    • [ ] Angular
    • [ ] But still need to use these frameworks safely
    • [ ] Cookie attributes - samesite, httponly
    • [ ] CSP
    • [ ] Web application firewalls
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

What is a JSONP?

A

JSONP stands for JSON with padding. It is a method for sending JSON data without having to worry about cross domain issues (because of SOP). This was before the adoption of CORS.

JSONP enables sharing of data bypassing same-origin policy, which disallows running JavaScript code to read media DOM elements or XMLHttpRequest data fetched from outside the page’s originating site. The originating site is indicated by a combination of URI scheme, hostname, and port number.

JSONP uses the

 tag.

A server can send a function call (wrapped around JSON) returning JSON in a response. The client uses a script tag and the server url as the src to load this data by handling the function.
This “wrapped payload” is then interpreted by the browser. In this way, a function that is already defined in the JavaScript environment can manipulate the JSON data.

JSONP is vulnerable to the data source replacing the innocuous function call with malicious code, which is why it has been superseded by cross-origin resource sharing in modern applications.

You’re allowing a remote server to inject any content into your website. They could inject malicious javascript and because the script is bypassing SOP, it could lead to CSRF, fetching JS from another site, etc.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

Give examples of secure libraries encoding, sanitization

A

DOMPurify - recommended by OWASP for HTML sanitization
Use safe HTML attributes unlike innerHTML use innerText
Don’t pipe values into eval()

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

What are some security network scanners?

A

NMAP
Wireshark
Burp

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

What is a race condition and how do you prevent them?

A

A race condition attack takes advantage of a system that needs to execute tasks in a specific sequence.

For example:
2 users try to use an Amazon gift card at the exact time. If multiple workers pick up this task, how do we know not to process the card twice?

We can use mutexes/locks on the db item. Resource is only accessible by one thread at a time.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

What is seccomp?

A

Seccomp is a linux kernel security feature.

It restricts the system calls that can be made. The kernel will terminate/kill/log the process if any other system calls are attempted to be made.

Useful for containers/kubernetes. Can load a seccomp profile preconfigured with allowed/disallowed system calls.

seccomp-bpf is an extension to seccomp that allows filtering of system calls using a configurable policy implemented using Berkeley Packet Filter rules.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
23
Q

What are some security hardening flags?

A
  • Stack protector/canary - Adds runtime checks to detect buffer overflows and stack smashing
  • PIC/PIE - for ASLR
  • Wformat - Adds compile time checks to detect issues relating to format string arguments in common library functions such as printf, scanf, strftime, etc.
  • fortify_source - Adds compile and run time checks to detect buffer overflows in memory and string functions
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
24
Q

What are some buffer overflow preventions?

A
  • use a memory safe language
  • use safe functions with bounds checking
  • check bounds
  • ASLR (security hardening flags)
  • Stack canary
  • DEP (data execution prevention) - mark certain parts of memory as non-executable
  • static code analysis
  • fuzzing
25
What is a format string attack and how do you prevent it?
This could potentially leak sensitive values. When an attacker can control the format string in printf, scanf, or another function in that family. The function will walk up the stack and look for the argument specified by the format string. This is because variables are placed on the stack. So when printf sees the format string, it will look on the stack for the first variable after the format string. But this could actually be return addresses, function pointers, etc. printf is expecting the format string and arguments. If the arguments are not passed, then it'll still just walk up the stack and print the values there. Can also write to the stack. Could have arbitrary code execution. Usually C is affected, but python is also vulnerable if format() is misconfigured. To fix this, you need to include the format string specifier and not leave it up to user input, so that it doesn't specify interpret user supplied format specifier. Make the format string a constant.
26
What's the process for rotating a secret?
in aws: - [ ] Create new secret version - [ ] Change credentials in the db/service - [ ] Test the new secret version - [ ] Finish the rotation
27
What is DOM-Based XSS?
All happens in the browser. The server is not hit for this attack to work. All happens in the DOM. No request to the server is made. DOM-based XSS vulnerabilities usually arise when JavaScript takes data from an attacker-controllable source, such as the URL, and passes it to a sink that supports dynamic code execution, such as eval() or innerHTML. To deliver a DOM-based XSS attack, you need to place data into a source so that it is propagated to a sink and causes execution of arbitrary JavaScript. The most common source for DOM XSS is the URL, which is typically accessed with the window.location object. An attacker can construct a link to send a victim to a vulnerable page with a payload in the query string and fragment portions of the URL. To test for DOM XSS in an HTML sink, place a random alphanumeric string into the source (such as location.search), then use developer tools to inspect the HTML and find where your string appears. you should avoid allowing data from any untrusted source to be dynamically written to the HTML document.
28
What is reflected XSS?
Reflected cross-site scripting (or XSS) arises when an application receives data in an HTTP request and includes that data within the immediate response in an unsafe way. The need for an external delivery mechanism for the attack means that the impact of reflected XSS is generally less severe than stored XSS
29
What is Kafka and how do you secure a Kafka cluster?
Apache Kafka is an internal middle layer enabling your back-end systems to share real-time data feeds with each other through Kafka topics. With a standard Kafka setup, any user or application can write any messages to any topic, as well as read data from any topics. Encryption of data in-flight using SSL / TLS Authentication using mTLS Authorization using ACLs
30
What is Blind XSS?
Blind XSS is a type of stored XSS n which the data exit point is not accessible to the attacker, for example due to a lack of privileges. The attack input could be executed in a completely different application. For instance, you upload an attack via a chat bot and then the attack executes when an admin views the chat in an internal dashboard. To test for blind XSS you need to check if there was an out-of-bound interaction. i.e. have a request be made to a server you host and so when someone has the attack executed, you will see a request. Harder to detect because the input is not reflected immediately. It could be months before the attack is triggered.
31
How do you test for blind XSS?
You inject payloads into the web application. GET/POST requests, headers, etc. Have the payload gather information and send it to a server for analysis.
32
What does HMAC achieve and how does it work?
HMAC is a message encryption method that uses a cryptographic key in conjunction with a hash function. A secret key is provided that should be specific to only the server and client. It is used for authentication and for message integrity. HMAC = hashFunc(secret key + message) The client creates a unique hash by hashing the request data with the private key and sending it as part of the request. The server receives the request and regenerates its own unique HMAC. It then compares the two HMACs. If they are equal, the client is trusted and considered legitimate, and the request is executed. Difference with digital signature is that HMAC uses symmetric key and digital signatures use asymmetric keys. HMAC not used for non-repudiation unlike digital signature.
33
How do you prevent path traversal?
The most effective way to prevent path traversal vulnerabilities is to avoid passing user-supplied input to filesystem APIs altogether. Otherwise, validate input properly. Whitelist After validating the supplied input, append the input to the base directory and use a platform filesystem API to canonicalize the path. Verify that the canonicalized path starts with the expected base directory.
34
What is IDOR?
Insecure direct object references (IDORs) are a subcategory of access control vulnerabilities. IDORs occur if an application uses user-supplied input to access objects directly and an attacker can modify the input to obtain unauthorized access.
35
How do you prevent file upload vulnerabilities?
Check the file extension against a whitelist of permitted extensions rather than a blacklist of prohibited ones. It's much easier to guess which extensions you might want to allow than it is to guess which ones an attacker might try to upload. Make sure the filename doesn't contain any substrings that may be interpreted as a directory or a traversal sequence (../). Rename uploaded files to avoid collisions that may cause existing files to be overwritten. Do not upload files to the server's permanent filesystem until they have been fully validated. As much as possible, use an established framework for preprocessing file uploads rather than attempting to write your own validation mechanisms.
36
What is an XXE vulnerability?
XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application's processing of XML data. XXE vulnerabilities arise because the XML specification contains various potentially dangerous features, and standard parsers support these features even if they are not normally used by the application. - exploit XXE to retrieve files - where an external entity is defined containing the contents of a file, and returned in the application's response. - exploit XXe to perform SSRF attacks - where an external entity is defined based on a URL to a back-end system. - blind XXE exfilitrate data out of band Introduce (or edit) a DOCTYPE element that defines an external entity containing the path to the file. Edit a data value in the XML that is returned in the application's response, to make use of the defined external entity.
37
How do you prevent XXE attacks?
You disable the dangerous XML features that are included in XML parsing libraries. Disable resolution of external entities and XInclude. This is usually done via configuration options.
38
CSRF prevention
- [ ] Every request to the target server will include the cookie - [ ] Each time the server renders a page that includes sensitive actions, a unique CSRF token is passed to the user. - [ ] CSRF tokens can also be combined with other types of protective coding, including ensuring that session cookies are set with the SameSite cookie attribute. This attribute allows developers to instruct browsers to manage whether cookies are sent along with requests from third-party domains. - stateful - [ ] Generate once per user session or per request - [ ] Client sends it back as part of hidden form field, custom header, JSON payload - [ ] Double submit cookie - stateless - [ ] the site should generate a (ideally cryptographically strong) random value and set it as a cookie on the user's machine separate from the session identifier. The site then requires that every transaction request includes this random value as a hidden form value, or in the request header. - [ ] In a nutshell, an attacker is unable to access the cookie value during a cross-site request. This prevents them from including a matching value in the hidden form value or as a request parameter/header. - [ ] Can also hash the CSRF cookie, so that an attacker cannot modify it - [ ] Custom request header - [ ] This defense relies on the browser's same-origin policy (SOP) restriction that only JavaScript can be used to add a custom header, and only within its origin. - [ ] By default, browsers do not allow JavaScript to make cross origin requests with custom headers. - [ ] Verify the origin with standard headers - [ ] Frameworks with built-in synchronizer tokens - [ ] For example, .NET has built-in protection that adds a token to CSRF vulnerable resources. - [ ] Remember that any Cross-Site Scripting (XSS) can be used to defeat all CSRF mitigation techniques! - [ ] Client side CSRF - attacker controlled input used to craft request from client’s browser - [ ] Bypasses same-site cookie attribute and CSRF tokens - [ ] Use input validation
39
What is CORS?
CORS is a relaxation of the same origin policy. So if a request comes from the same origin then, the client can access the response. If it's going to a different origin, it cannot access the response under SOP. It can also define whether authenticated access is permitted using headers. the Access-Control-Allow-Credentials: true This means that cross-origin requests can include cookies. This could be dangerous because authenticated responses with sensitive data can be accessed. Access-Control-Allow-Methods - specify what methods to allow Access-Control-Allow-Headers - specify what headers to allow Access-Control-Allow-Origin - specify what origins to allow
40
What is a CORS preflight request?
OPTION request The browser sends the preflight request before the actual request message. The server must respond to the preflight request with information about the cross-origin requests the server’s willing to accept from the client URL. he preflight response sometimes includes an additional Access-Control-Max-Age header. This metric specifies the duration (in seconds) for the browser to cache preflight results in the browser.
41
What is clickjacking and how do you prevent it?
A malicious user builds a website and includes another site in an iframe. The attacker adds a transparent div on top of the iframe. The user is tricked into trying to click on what the site they see in the iframe, but actually clicks on something malicious like a malicious link. To prevent: Header that the server can specify. HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a ,