InfoSec General Flashcards
Describe the OWASP Top 10 Web App vulnerabilities and mitigation(s) for each
https://owasp.org/www-project-top-ten/
-Injection (SQL, NoSQL, OS, LDAP)
—-Mitigations: Prepared statements, input whitelists
-Broken authentication
—-Mitigations: Multifactor, limits or delays on failed logins
-Sensitive data exposure
—-Mitigations: Don’t store sensitive data unnecessarily; encrypt all data at rest
-XML External Entities (XXE)
—-Mitigations: Use JSON instead of XML where possible; disable XXE and DTD
-Broken access control
—-Mitigations: Deny by default; log access control failures and monitor for repeated failures
-Security misconfiguration
—-Mitigations: Minimal features (remove unused features); automated setup of new environments
-Cross-site scripting (XSS)
—-Mitigations: CSP; escaping untrusted request data.
-Insecure deserialization
—-Mitigations: Only permit serialization of primitive data types; log deserialization exceptions and failures.
-Dependencies with known vulnerabilities
—-Mitigations: Remove unused dependencies; continuously inventory the versions of both client-side and server-side components.
-Insufficient logging/monitoring
—-Mitigations: Ensure all login, access control failures, and server-side input validation failures can be logged with sufficient user context.
New items from 2021 draft:
-Insecure design
-Software/data integrity failures
-Server-side request forgery (SSRF)
https://portswigger.net/daily-swig/owasp-shakes-up-web-app-threat-categories-with-release-of-draft-top-10
Java examples of insecure deserialization:
https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet
What happens when you type https://google.com into the address bar and press enter?
Assumptions:
-My IP and IP/MAC addresses of gateway and first-hop DNS server are known (if not, DHCP and ARP are used)
-Nothing is cached by DNS servers
-Using TCP rather than QUIC
-DNS resolver does a recursive query
DNS resolution:
-Check browser cache
-Check system hosts file
-Check system cache
-Check remote DNS server:
–Check root (e.g., “.”) authoritative nameserver (returns IP or next name server)
–Check TLD (e.g., “com”) authoritative nameserver (returns IP or next name server)
–Check organization’s/authoritative nameserver (returns IP)
Browser opens a TCP socket (consisting of resolved IP and generally port 443 for HTTPS)
TCP three-way handshake (connection establishment):
-Client sends a SYN (with random sequence number A)
-Server sends SYN/ACK (with ack number A+1 and random sequence number B)
-Client sends ACK (with ack number B+1 and sequence number A+1)
-TCP connection is now established
TLS handshake:
-Client hello: sends supported TLS versions, cipher suites, extensions (like OCSP stapling), and a string of random bytes (client random)
-Server hello: sends chosen cipher suite, SSL certificate, and server random. Also chooses which available extensions to use.
-Authentication: Client verifies server’s SSL certificate with issuing CA
-Premaster secret: Client sends another random byte string, encrypted with the server's public key taken from the server certificate (only decryptable with the server's private key)
-Premaster decryption: Server decrypts premaster secret with private key
-Session key creation: Client and server generate session key with client/server random and premaster secret
-Client sends encrypted “finished” message
-Server sends encrypted “finished” message
-Subsequent communications are also encrypted with the session key
HTTP connection:
-Client sends a GET request to the server for the requested path
-Server responds with web data of the page (HTML/JS/CSS)
-Subsequent requests are sent for images, etc. used by the web page
TCP connection termination:
-Connection closer (either client or server) sends a FIN packet
-Receiver sends ACK followed by a FIN
-Closer sends ACK
Browser closes socket FD
Browser renders web data (likely happens simultaneously with other steps as web data is loaded)
More info: https://github.com/alex/what-happens-when
[IP Routing protocols] Name two Interior Gateway Protocols and one Exterior Gateway Protocol
Interior: OSPF, IS-IS
Exterior: BGP (outdated: EGP)
Describe the OWASP Top 10 API vulnerabilities and mitigation(s) for each
https://owasp.org/www-project-api-security/
-Broken object-level authorization
-Broken user authentication
-Excessive data exposure
-Lack of resources & rate limiting - leaves API open to DoS, brute force, mass requests, etc.
-Broken Function Level Authorization
-Mass Assignment
-Security Misconfiguration
-Injection
-Improper Assets Management
-Insufficient Logging & Monitoring
Describe the OWASP Top 10 mobile vulnerabilities and mitigation(s) for each
https://owasp.org/www-project-mobile-top-10/
-Improper Platform Usage
-Insecure Data Storage
-Insecure Communication
-Insecure Authentication
-Insufficient Cryptography
-Insecure Authorization
-Client Code Quality
-Code Tampering
-Reverse Engineering
-Extraneous Functionality
Explain DHCP (and potential attacks/mitigations)
Dynamic Host Configuration Protocol
(over UDP)
-Client sends a DISCOVER message to broadcast IP address (255.255.255.255) to find the DHCP server
-DHCP server reserves an IP address for the client and sends an OFFER message with the new IP.
-Client sends a REQUEST (still to broadcast) for the IP
-Server sends an ACK to confirm the client’s new IP address.
Other information communicated via DHCP:
-Gateway
-DNS servers
-NTP servers
Attacks:
-DHCP starvation (DoS): Flood server with requests to exhaust available IP addresses
-DHCP spoofing: Create a fake DHCP server (often used after starvation attack). Clients will then use attacker as gateway
Mitigations: DHCP snooping
Explain TCP:
-Overview
-Example protocols
-Connection establishment
-Reliable transmission
-Flow control
-Congestion control
-Connection termination
Transmission Control Protocol (TCP): Connection-oriented; provides error checks, guaranteed delivery of packets (retransmitting packets when dropped), flow control so as not to overwhelm the receiver, and congestion control based on frequency of lost data. Reliable (and in-order) transmission is ensured by sequence numbers.
TCP examples: FTP, HTTP, SSH
Three-way handshake (connection establishment):
-Client sends a SYN (with random sequence number A)
-Server sends SYN/ACK (with ack number A+1 and random sequence number B)
-Client sends ACK (with ack number B+1 and sequence number A+1)
At this point, arbitrary data is sent by the client (for example, TLS hello). First packet has sequence number A+1 and ack number B+1 again.
Reliable transmission:
-All messages contain a sequence number to keep track of order/number of bytes to be received.
-Every TCP message has a 2-byte checksum in the TCP header
-Retransmission:
–On timeout
–On lost segment (detected by ACK with repeated seq number, sent by receiver when a segment is received before one that’s expected)
Flow control: https://www.brianstorti.com/tcp-flow-control/
-Data receiver advertises a Receive Window (rwnd) which is the spare room in the TCP receive buffer. This is sent with every ACK.
-There is a sliding window controlling the number of bytes in flight (not yet received). This is based on the last-known rwnd and the number of bytes that have not yet been ACKed.
Congestion control:
-Based on frequency of lost data
-@TODO: More info?
Connection termination:
-Connection closer (either client or server) sends a FIN packet
-Receiver sends ACK followed by a FIN
-Closer sends ACK
-Image: https://upload.wikimedia.org/wikipedia/commons/thumb/5/55/TCP_CLOSE.svg/1280px-TCP_CLOSE.svg.png
Attacks:
-SYN flood (DDoS): https://www.cloudflare.com/learning/ddos/syn-flood-ddos-attack/
-Mitigation: Set a maximum number of half-open TCP connections, and kill the oldest one if a new connection comes in and the limit has been reached.
Explain ARP (and potential attacks/mitigations)
(Over Ethernet or IP or other protocols)
ARP is used to resolve the MAC address associated with an IP address
Works in two ways:
-Announcements
-Request/response
Attack:
-ARP caches can be poisoned by ARP spoofing (responding to ARP requests that aren’t for you)
-Mitigation: ARP snooping
-Note: Neighbor Discovery Protocol (NDP) replaces ARP in IPv6 networks
SAST vs DAST? Strengths/weaknesses of each?
-Static Application Security Testing (SAST) - Analysis of source code to detect known vulnerabilities. More akin to white box testing
Strengths (SAST):
-Cheaper and easier to fix problems than in production
Weaknesses (SAST):
-Automation can lead to false positives
-Automated systems have trouble detecting more complex application-specific logic vulnerabilities
Examples (SAST): SonarQube, Klocwork
-Dynamic Application Security Testing (DAST) - Analysis at runtime. e.g., fault injection testing such as fuzzing. More akin to black box testing
Strengths (DAST):
-Can find issues in production builds
Weaknesses (DAST):
-Can’t get 100% code coverage
Examples (DAST): ZAP, WebInspect
Describe ways you have automated a process
-Job 2: Penetration Test request/planning process
-Music database population - given a set of MP3 files with metadata:
–Parsed metadata with ffmpeg Python bindings
–Used Beautiful Soup and Genius API to search Genius, fetch lyrics, and extract them from HTML data
–Used regex to determine whether lyrics contained profanity
–Used Google Images API and very refined search parameters to fetch album art
–Populated MySQL database with MP3 metadata, lyrics, and profanity flag
-Same project (Audium): I created MySQL procedures for randomly generating users, playlists, and listens
-More recently, DXMD daily challenge fetching:
–Created a server emulator for the game’s back-end API
–Patched a copy of the game executable to use my server
–Created a script that starts the server, starts the game, extracts an authentication ticket from the game web request (using the server emulator), kills both processes, creates a well-formed web request for the daily challenge API endpoint, sends the request to the real-world server, and stores the configuration with a file name that is the current date.
How do you stay up-to-date on the current threat landscape?
-Reddit /r/netsec
-DayZeroSec podcast
-Ars Technica
-Twitter - follow interesting InfoSec people and companies, and subscribe to InfoSec topics
-Tailored my Google news feed to show me InfoSec news
-Occasionally: Google Project Zero, Android Security Blog, Krebs on Security, Schneier on Security
Describe MITRE ATT&CK
https://attack.mitre.org/
High-level techniques:
-Reconnaissance
-Resource development
-Initial access
-Execution
-Persistence
-Privilege escalation
-Defense evasion
-Credential access
-Discovery
-Lateral movement
-Collection
-Command and control
-Exfiltration
-Impact
What is the SDLC? List the phases. What are some effective ways of securing the SDLC?
SDLC: Software/System/Security Development Life Cycle
Stages:
-Requirement analysis
-Planning
-Software/architecture design
-Software development
-Testing
-Deployment
Securing the SDLC:
-Generally, “shift security left” by including security considerations/checks/testing in every phase of the SDLC
-Static Application Security Testing (SAST) - Analysis of source code to detect known vulnerabilities (white box testing)
-Dynamic Application Security Testing (DAST) - Analysis at runtime. e.g., fault injection testing such as fuzzing
-Interactive Application Security Testing (IAST) - combination of SAST and DAST
-Secrets detection - check for leaked API keys, credentials, and private keys (for signing apps, etc.)
-Dependency scanning - check for vulnerabilities in dependencies
-Runtime Application Self Protection (RASP) - Detects attacks in real-time. RASP tools analyze behavior of an application within its context.
See also Microsoft SDL 12 practices:
https://www.microsoft.com/en-us/securityengineering/sdl/practices
-Provide training
-Define security requirements
-Define metrics & compliance reporting
-Perform threat modeling
-Establish design requirements
-Define and use cryptography standards
-Manage the security risk of using third-party components
-Use approved tools
-Perform SAST
-Perform DAST
-Perform penetration testing
-Establish a standard incident response process
Discuss anything you have done to prevent attacks that could potentially compromise large systems, company trust, or customer data
Hobby project: Reverse engineering and analysis of Square Enix OnlineSuite (used in several games)
Discovered and reported customer PII/account information disclosure vulnerability
Android and platform security - anything else to discuss? Application security lifecycle?
@TODO
Discuss a scenario where you’ve made a decision without higher up/manager approval
Null answer:
I can’t say I’ve ever gone over a manager’s head on anything significant; if I were to do something like that I would have high confidence it was beneficial to our work and that there were no significant risks to the organization. Note that although Amazon has a leadership principle about “Bias towards action,” the opposite is true in the national security space. They want you to carefully consider everything you do and consult a security officer if you have any doubts.
Describe a situation where you both met a goal and went above and beyond with your work
-Job 1
-Generally the manager creates work plans and finds customers
-I found an obscure story about a mobile app being used in a specific region that was of interest to one of our customers whose contract was going to expire
-I brought this to my manager’s attention and convinced him to make a new work plan around it
-Turned into a several-month (part time) project gathering news and reverse engineering the app to explain its functionality from a technical perspective, as well as contextual research about its usage and prevalence in society in that region.
-Delivered white papers, slides, and documentation about a proprietary TCP protocol I reverse-engineered (used by the app)
Describe the differences between TCP and UDP
Transmission Control Protocol (TCP): Connection-oriented; provides error checks, guaranteed delivery of packets (retransmitting packets when dropped), flow control so as not to overwhelm the receiver, and congestion control based on frequency of lost data. Reliable (and in-order) transmission is ensured by sequence numbers.
TCP examples: FTP, HTTP, SSH
User Datagram Protocol (UDP): Connectionless, doesn’t care if the packets are received, no order maintained, no flow control. UDP is faster than TCP. Generally, UDP datagrams with bad checksums are dropped.
UDP datagram structure: source port, dest port, length, checksum, data
UDP examples: Video streaming, online games, DNS (generally), DHCP
https://en.wikipedia.org/wiki/User_Datagram_Protocol#Comparison_of_UDP_and_TCP
DDOS attack and remediations? L3, L4, L7
https://www.cloudflare.com/learning/ddos/layer-3-ddos-attacks/
“I explained how a CDN can absorb all the attacks before they reach the target server. Not sure if he was satisfied.”
Cloud Security - IAM vs STS?
AWS Identity and Access Management (IAM):
-@TODO
AWS Security Token Service (STS):
-@TODO
Have you done anything innovative recently?
Yes:
-Job 1
-Developed a novel (post-auth) technique to obtain a root shell on a popular consumer router.
-Did so via the configuration backup/restore mechanism
-Leveraged a file write vulnerability in the config extraction to create a cron job for command execution
-Innovative part: Uploading a config would cause the device to restart, deleting the malicious cron job. I worked around this by feeding a malformed configuration to the device, causing the mechanism to fail out before restarting (allowing the malicious cron to persist).