Lesson 13 - Web App Attacks

Question 1

What type of attack an occur if you are missing input validation?

Answer 1

Injection Attacks

Question 2

T or F developers should put as much details into error handling as possible

Answer 2

False
Too much information will provide malicious actors into too much unnecessary insight

Question 3

What is the most likley outcome of a security misconfiguration

Answer 3

Exposing Sensitive Data

Question 4

What is the method of using a digital signature to ensure the source and integrity of programming code

Answer 4

Code Signing

Question 5

What can occur when the resulting outcome from execution process is directly depended on the order and timing of certain events

Answer 5

Causing Race Conditions

Question 6

A malicious actor steals a user’s session credentials then uses it to impersonate the user. What is the text file that can be used to manage user sessions

Answer 6

Session Hijacking

Cookie - contains Session ID

Question 7

Name the attack that forces a user to browse a website in the context of a known and valid session

Answer 7

Session Fixation - fake login page that uses the know SID

Question 8

Name the attack that requires the user repeat the authentication process and intercepts. What category of attack can this be accomplished by

Answer 8

Session Replay

Man in the Middle - On Path

Question 9

Name and describe two Crafting Request Forgery Attacks

Answer 9

Cross-Site Request Forgery (XSRF/CSRF) uses a malicious script hosted on attacker site that can exploit a session started on another site in same browser. the power of this type is that it is extremely hard to detect since it is carried out by user browser as business as usual

Server-Side request Forgery (SSRF) - takes advantage of trust between server and resources it can access such as a SQL Server.

Lab Lesson 13 exploiting Web Weakness

Question 10

Name the two Privilege Escalation techniques and how they are impact an attack

Answer 10

Horizontal Privilege Escalation - obtaining access to regular user accounts with different permissions than the current one. Allows malicious actor to stay unnoticed.

Vertical Privilege Escalation - higher privilege and use PrivEsc to elevate in a restrictive shell

Question 11

What is the method and syntax to launch Bash in interactive mode

Answer 11

/bin/bash -i

Question 12

What are vulnerabilities that arise from implementation and design issues that lead to unintended behavior

Answer 12

Business Logic Flaws

Question 13

Name the 3 most common API’s

Answer 13

RESTful: API based on REST
XML-RPC
SOAP - Simple Object Access Protocol

Question 14

What is a recommended web framework for apps that incorporate HTML and/or Java Script Code

Answer 14

Ruby on Rails
AngularJS
Django (Python)

Question 15

What is the most common type of code injection and what should you test for every single input to include

Answer 15

SQL Injection (SQLi)

URL Parameters
Form Fields
Cookies POST Data
HTTP Headers

Question 16

What is the simplest way and most common method for identifying possible SQL injection vulnerabilities in a Web Application

Answer 16

Using the Single Quote Method

This will provide an error that can details on syntax to construct an attack

Question 17

What is the process of injecting SQL queries when the web app response doe not contain the results of the query.

Answer 17

Blind SQL Injection

A boolean version of this is submitting a values that are always true and false. 1=1 or 1=2

Time based is submitting with time delays

Question 18

What is the application attack that allows access to commands, file and directories that may or may not be connected to a web document directory

Answer 18

Director Traversal

Within URL using ../ or ..\ to traverse up one parent directory.

If these are blocked pr filtered you can use encoding to bypass this such as
%2E is equivalent to . (Period)
%2F is equivalent to /

Question 19

What is a Null Byte used for in most programming languages and what is the Hexadecimal representations

Answer 19

Is a character with a value of zero that is used in most programming languages to indicated the termination of a string.
%00

Question 20

What is Code Injection and what makes it possible to Exploit

Answer 20

is an attack that introduces malicious code in a vulnerable application to compromise the security of that app.

Made possible by week or absent input processing routines in the app

Question 21

What is the injection attack that a threat actor is able to execute arbitrary shell commands on a host via a vulnerable web app

Answer 21

Command Injection

Only using the native language of that app

Question 22

What is the attack that injects JavaScript that executes on the clients broswer and what are the 3 categories

Answer 22

Cross Site Scripting (XSS)

Persistent Attack - Stored attack where you inject malicious code on that server

Reflected Attack - Send a form or other request to server that contains malicious script. You send link to the victim with this request, the script is sent to the server and reflected off of it

Document Object Model (DOM) attack - done solely on a web app’s client-side implementation of Java Script to attack solely on client

Question 23

What is one type of technology that will protect you from attacks and where does it sit

Answer 23

Proxy
Between client and Webserver and can provide firewall

Question 24

What is the method to gain control of a browser by connecting to another devices such as an attacker’s tool or framework. Name a common Framework that uses JavaScript.

Answer 24

Hook a Browser

Browser Exploit Framework (BeEF)

Question 25

BeEF uses what colors to indicated against targets

Answer 25

Green - command works and invisible to user
Gray - works but may be visible
Orange - yet to be verified
Red - does not work

Question 26

Name the Tool that can obtain secrets from a GitHub repository

Answer 26

truffleHog

Question 27

What tools to check Ruby on Rails and performs static code analysis - high, medium, and weak.

Answer 27

Brakeman

Question 28

What tool for post exploitation of Active Directory

Answer 28

CrackMapExec

Question 29

Need to Memorize OWASP Top 10

Answer 29

Question 30

Name the Two Common Web Proxy Tools

Answer 30

BurpSuite
OWASP ZAP

Question 31

Can discover subdomains, directories, and files by Brute Forcing from a list of common names.

Answer 31

Gobuster

Question 32

WebApp brute-force finder for directories and files. Comes with 9 different lists,

Answer 32

DirBuster

Question 33

The WebApp Attack and Audit Framework allowing for identifying and exploiting a large set of web-based vulnerabilities. SQLi and XSS

Answer 33

w3af

Question 34

The Webapp vulnerability scanner that will automatically navigate a webapp looking for areas to inject data

Answer 34

Wapiti

Question 35

Focuses on web browser attacks by assessing the actual security posture of a target by using client side attack vectors

Answer 35

Browser Exploit Framework (BeEF)

Question 36

Automatically gathers data about a WordPress site and compares findings such as plugins against a database of known vulnerabiliteis

Answer 36

WPScan

Question 37

SQL injection scanner tool. Automates several attacks

Answer 37

SQLmap

Question 38

Exploit Finder that allows to search through the information found in Exploit-DB

Answer 38

SearchSploit