Investigating Web Attacks Flashcards

1
Q

Web Forensic Challenges

A
  1. Web applications are generally distributed in nature
  2. Traces of activities are recorded across a number of hardware and software infrastructures
  3. Very limited or no downtime is allowed for investigation
  4. Huge volumes of logs from different sources must be analyzed and correlated
  5. Large databases are analyzed
  6. Requires complete knowledge of different web servers, application servers, databases and underlying applications
  7. Tracing back is difficult in case of reverse proxies and anonymizers
2
Q

OWASP Web vulnerability Top 10:

A

The OWASP Top 10 is an awareness document for web application security. It represents a broad consensus about the most critical security risks to web applications. Project members include a variety of security experts from around the world who have shared their expertise to produce this list. https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

3
Q

Buffer Overflow

A

Occurs when an application fails to guard its buffer properly and allows writing beyond its maximum size. As a result, it overwrites the adjacent memory locations. There are multiple forms of buffer overflow, including a Heap Buffer Overflow and a Format String Attack. The purpose of these attacks is to corrupt the execution stack of the web application.

4
Q

Cookie Poisoning

A

Refers to the modification of a cookie for bypassing security measures or gaining unauthorized information.

5
Q

Insecure Storage

A

Sensitive information such as account records, credit card numbers, or passwords is generally stored in a database. If the developers make mistakes while applying encryption to a web application, or ignore the security aspects of some parts of the application, this sensitive information might be at risk. You should understand the processes used to store the data.

6
Q

Information Leakage

A

Information leakage refers to the unintentional revelation of sensitive information to an unauthorized user.

7
Q

Improper Error Handling

A

Occurs when a web application is unable to handle internal errors properly. In such cases, the website returns information such as database dumps, stack traces, and error codes in the form of error messages.

8
Q

Broken Account Management

A

Refers to vulnerable account management functions, including account update, recovery of a forgotten or lost password, or resetting the password.

9
Q

Directory Traversal

A

When attackers exploit HTTP by using directory traversal, they gain access to unauthorized directories. The attackers may then execute commands outside the web server’s root directory.

10
Q

Parameter/Form Tampering

A

Manipulating the communication parameters exchanged between the client and server to make changes in the application data. A Man-in-the-Middle (MitM) attack is one example of this type of attack.

11
Q

Denial of Service (DoS)

A

Making the resources of the web server unavailable to clients.

12
Q

Log Tampering

A

Web applications maintain logs to track usage patterns, such as admin login credentials and user login credentials. Attackers usually inject, delete or tamper with the web application logs to engage in malicious activities or hide their identities.

13
Q

Unvalidated Input

A

In order to bypass the security system, attackers tamper with the URL, HTTP requests, headers, hidden fields, form fields, query strings, etc. User login IDs and other related data get stored in cookies, and this becomes a source of attack. Examples of attacks caused by unvalidated input include SQL injection, cross-site scripting (XSS), buffer overflows, etc.

14
Q

Injection Flaws

A

Attackers inject malicious code, commands or scripts into the input gates of flawed web applications in such a way that the applications interpret and run the malicious input, which in turn allows them to extract sensitive information.

15
Q

Cross Site Request Forgery (CSRF)

A

Forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim.

16
Q

Broken Access Control

A

An attacker identifies a flaw related to access control and bypasses the authentication, and then compromises the network.

17
Q

Insecure Direct Object References

A

When developers expose various internal implementation objects such as files, directories, or database records, it can result in a direct object reference that provides an attacker the ability to gain unauthorized access to system resources.

19
Q

SSL/TLS Downgrade Attack

A

Browsers are susceptible to protocol downgrade attacks; an active MITM can simulate failure conditions and force all browsers to downgrade from attempting to negotiate TLS 1.2, making them fall back to SSL 3. At that point, a cryptographic attack could be successfully attempted, such as the POODLE attack.

20
Q

Failure to Restrict URL Access

A

An attacker tries to bypass the website security using techniques such as forced browsing, and gains unauthorized access to specific web pages or other data files containing sensitive information.

21
Q

Cookie Snooping

A

An attacker using a local proxy decodes or cracks user credentials. Once the attacker gains these plain text credentials, he/she logs into the system as a legitimate user and gains access to unauthorized information.

22
Q

Authentication Hijacking

A

Attackers try to hijack credentials using various attack techniques like sniffing, social engineering, etc. Once they obtain these credentials, they carry out malicious acts, including session hijacking, service theft, and user impersonation.

23
Q

Hidden Field Manipulation

A

Attackers manipulate hidden fields and change the data stored in them. This sort of attack is focused on e-commerce sites.

24
Q

Unvalidated Redirects and Forwards

A

Attackers lure the victim into clicking on unvalidated links that appear to be legitimate. Such redirects may lead to the installation of malware or trick the victims into sharing their passwords or other sensitive information.

25
Q

Session Fixation Attack

A

The attacker tricks the user into accessing a genuine web server using an explicit session ID value. The attacker then assumes the identity of the victim and exploits those credentials at the server.
The steps involved are as follows:
1. The attacker visits the target website and logs in using his/her credentials.
2. The web server sets a session ID on the attacker’s machine.
3. The attacker sends an email containing a link with a fixed session ID to the targeted user.
4. The user clicks on the link and is redirected to the website.
5. The user logs into the server using their credentials and fixed session ID.
6. The attacker logs into the server using the victim’s credentials with the same session ID.

26
Q

IIS Record Logs

A

IIS records logs using UTC, which helps in synchronizing servers in multiple time zones. For calculating UTC, Windows offsets the value of the system clock by the system time zone. The administrator should also verify whether IIS is set to roll over logs using local time. The server’s time zone setting can be verified by looking at the first entries in the log file. If the server is set to UTC -08:00, then the first log entries should appear around 16:00 (00:00 - 08:00 = 16:00). Because UTC does not follow daylight saving time, the administrator must also consider the date. For example, UTC -8:00 will be -7:00 for half the year.

27
Q

Web Architecture Layer

A

Client/User
Web Server
Business
Database

28
Q

Client/User Layer

A

Includes all the web appliances, such as smartphones and PCs, through which a user interacts with a web application deployed on a web server. The user requests a website by entering a URL in the web browser, and the request travels to the web server. The web server responds to the request, and the web browser displays the response in the form of a website.

29
Q

Web Server Layer

A

Contains components that parse the requests (HTTP Request Parser) coming from the clients and forward the responses to them. It holds all the business logic and databases that are responsible for building websites and storing their data. Examples: IIS Web Server, Apache Web Server, etc. In some cases, users access the application through the presentation layer, which serves as an intermediary between the user and the web server. This layer includes the user interface components. The presentation layer is not an absolute requirement, and the client layer can interact directly with the service layer.

30
Q

Business Layer

A

Is responsible for the core functioning of the system and includes the business logic and applications, such as .NET, that developers use to build websites according to the clients’ requirements. This layer may also hold a legacy application, an older system integrated as an internal or external component.

31
Q

Database Layer

A

Comprises cloud services, a B2B layer that holds all the commercial transactions, and a database server that supplies an organization’s production data in a structured form. Examples: MS SQL Server, MySQL Server, etc.

33
Q

IIS Web Server Architecture

A

Internet Information Server (IIS), a Microsoft-developed application, is a Visual Basic code application that lives on a Web server and responds to requests from the browser. It supports HTTP, HTTPS, FTP, FTPS, SMTP, and NNTP. An IIS application uses HTML to present its user interface and uses compiled Visual Basic code to process the requests and respond to events in the browser. IIS for Windows Server is a flexible and easy-to-manage Web server for web hosting.

34
Q

IIS Components

A
Protocol listeners (HTTP.sys)
Web services like World Wide Web Publishing Service (WWW service)
Windows Process Activation Service (WAS)

35
Q

IIS Component Responsibilities

A

Listening to the requests coming from the server
Managing processes
Reading configuration file

36
Q

Where are IIS Logs stored for Win 2012

A

On Windows Server 2012, the log files are stored by default in %SystemDrive%\inetpub\logs\LogFile.

37
Q

Apache Core Components

A

The Apache Core

The Apache Modules

38
Q

What does the Apache Core do?

A

Deals with all the basic functionalities of the server, such as allocating requests, maintaining and pooling connections.

39
Q

What does the Apache Module do?

A

Simple Add-Ons

40
Q

What are the elements of the Apache Core?

A

http_protocol: This element is responsible for managing the routines that interact with the client, and takes care of all the data exchange and socket connections between the client and the server.

http_main: This element handles server startup and timeouts. It also contains the main server loop that waits for connections and accepts them.

http_request: This element controls the step-by-step procedure carried out between the modules to complete a client request, and is also responsible for error handling.

http_core: This element is hardly functional enough to serve documents.

Alloc.c: This element handles the allocation of resource pools.

http_config: This element is responsible for reading and handling the configuration files. One of its main tasks is arranging all the modules that the server will call during the various phases of request handling.

41
Q

Common Apache Log Format

A

%h %l %u %t "%r" %>s %b is the Common Log Format expressed as percent directives.
%h represents the client’s IP address
%l represents the remote log name. This will return a dash unless mod_ident is present and IdentityCheck is set to On
%u is the client user ID
%t represents the time when the server received the request. It is displayed in the format [day/month/year:hour:minute:second zone]
"%r" indicates the request line: the method used for the request-response between client and server, the resource requested by the client (e.g., apache_pb.gif), and the protocol used (e.g., HTTP/1.0)
%>s represents the status code which the server sends back to the client
%b represents the size of the object which the server sends to the client

42
Q

What are the two types of Apache logs?

A

Error

Access

43
Q

Apache Error Logs

A

The Apache error log is the location where the server records all the errors that occurred during client request processing. The ErrorLog directive sets the location of the error log. The log file contains data pertaining to issues in the server’s startup and operation. It also stores information about the reason behind an issue and the steps involved in resolving it. Investigators need to use Linux applications like grep, cat, gedit or vi to read these log files.

The default location of error logs:
RHEL/Red Hat/CentOS/Fedora Linux: /var/log/httpd/error_log
Debian/Ubuntu Linux: /var/log/apache2/error.log
FreeBSD: /var/log/httpd-error.log

44
Q

Apache Access Logs

A

Requests processed by the Apache server are recorded in the access log. It has a record of every request that goes through the server. The LogFormat directive selects the required log contents. The CustomLog directive sets the location and content of the access log, and configures the server to maintain access log records. The access logs are stored in the Common Log Format by default and are highly configurable.

The default location of access logs:
RHEL/Red Hat/CentOS/Fedora Linux: /var/log/httpd/access_log
Debian/Ubuntu Linux: /var/log/apache2/access.log
FreeBSD: /var/log/httpd-access.log

45
Q

Check the following locations for Apache configuration file to find the exact location of the log files:

A

RHEL/Red Hat/CentOS/Fedora Linux: /usr/local/etc/apache22/httpd.conf
Debian/Ubuntu Linux: /etc/apache2/apache2.conf
FreeBSD: /etc/httpd/conf/httpd.conf

46
Q

Apache Access Log/Common Log Format Example:

10.10.10.10 - jason [17/Aug/2016:00:12:34 +0300] "GET /images/content/bg_body_1.jpg HTTP/1.0" 200 1458

A
  1. 10.10.10.10 (%h): IP address of the client/remote host
  2. - (%l): The requested information (remote log name) is not available
  3. jason (%u): User ID of the person who sent the request
  4. [17/Aug/2016:00:12:34 +0300] (%t): The time at which the server finished processing the request. +03 UTC represents the East Africa Time Zone.
  5. "GET /images/content/bg_body_1.jpg HTTP/1.0" ("%r"): The client used the GET request method and requested the resource /images/content/bg_body_1.jpg using the HTTP/1.0 protocol.
  6. 200 (%>s): The status code indicates that the response was successful
  7. 1458 (%b): The server returned an object of size 1458 bytes to the client

47
Q

Apache Error Log example:

[Mon Sep 16 14:25:33.812856 2016] [core:error] [pid 12485:tid 8589745621] [client 10.10.255.14] File does not exist: /images/content/bg_body_1.jp

A

Anatomy of the log:

Mon Sep 16 14:25:33.812856 2016
This is the first element in the log entry. It contains the timestamp (day, month, date, time, and year) of the log.

core:error
The second element in the log describes the module producing the message. In this case, the Apache core is producing the message, and the severity level is error.

pid 12485:tid 8589745621
The next element in the log contains the process ID and its corresponding thread ID.

client 10.10.255.14
The fourth element in the log is the address of the client that made the request.

File does not exist: /images/content/bg_body_1.jpg
The final element in the log displays the status of the file which the client requested. In this case, the file does not exist, so an error message stating that the file does not exist on the server is displayed.

48
Q

Code with char encoding

A

http://www.bank.com/accounts.php?id=1%252f%252a/union%252f%252a /select%252f%252a/1,2,3%252f%252a/from%252f%252a/users–

49
Q

Deep Log Analyzer

A

Deep Log Analyzer is a web analytics solution for small and medium-sized websites. It analyzes website visitors’ behavior and produces complete website usage statistics in a few easy steps.

50
Q

WebLog Expert

A

WebLog Expert is an access log analyzer which provides information about the site’s visitors: activity statistics, accessed files, paths through the site, information about referring pages, search engines, browsers, operating systems, etc. The program generates reports that include both text information tables and charts.

51
Q

Apache Logs Viewer (ALV)

A

Apache Logs Viewer (ALV) enables you to view, monitor, and analyze the Apache/IIS/nginx logs.

52
Q

AWStats

A

AWStats is a graphical tool that generates the web, streaming, ftp or mail server statistics. This log analyzer works as a CGI or from the command line and shows all possible information your log contains.

53
Q

Nagios Log Server

A

Nagios Log Server is centralized log management, monitoring and analysis software. It simplifies the process of searching your log data. You can set up alerts to notify you when potential threats arise, or simply query your log data to audit any system. All log data is kept in one location.

54
Q

Splunk

A

Splunk Enterprise helps collect, analyze and act upon the untapped value of the big data generated by an organization’s technology infrastructure, security systems, and business applications, giving you the insights to drive operational performance and business results.

55
Q

Web Log Storming

A

Web Log Storming is a web server log file analyzer (IIS, Apache, and Nginx) for Windows.

56
Q

LogCruncher

A

LogCruncher is a tool for analysis and data visualization of web server log files. It allows the user to see and understand the website analytics based on key metrics.

57
Q

GoAccess

A

GoAccess is an open source real-time web log analyzer and interactive viewer that runs in a terminal on *nix systems or through your browser. It provides HTTP statistics for system administrators who require a visual server report.

58
Q

HTTP-ANALYZE

A

http-analyze is a log file analyzer for web servers. It runs on any platform conforming to the ANSI C and POSIX standards, ranging from personal computers to high-performance systems.

59
Q

Active LogView

A

Active LogView is a log analysis program that provides analysis of total requests, unique visits, advanced referrers list, hourly summary, user agents list, OS list, advanced filtration, advanced search and more.

60
Q

Webalizer

A

The Webalizer is a web server log file analysis program. It produces detailed, configurable usage reports in HTML format, for viewing with a standard web browser.

61
Q

SmartWhois

A

SmartWhois is a network information utility that allows you to look up all the available information about an IP address, hostname or domain, including the name of the network provider, the administrator, and technical support contact information. It supports Internationalized Domain Names (IDNs) and also fully supports IPv6 addresses.

62
Q

ActiveWhois

A

ActiveWhois is a network tool for Windows used to find information about the owners of an IP address or Internet domain. You can determine the country, personal and postal addresses of the owner and user of IP addresses and domains. ActiveWhois also allows users to explore DNS aliases.