Obj 1.3 - Indicators of Application Attacks Flashcards
Privilege Escalation
gaining higher-level access to a system to exploit it
can also be horizontal - gaining access as another user at the same privilege level
Cross-site scripting
usually uses JS to inject code via a non-validated input on a web page
Two types:
- persistent (stored)
- non-persistent (reflected)
Non-persistent (reflected)
an XSS attack that requires the user to click a specific link
persistent (stored)
an XSS attack stored permanently on a server
all visitors to the page end up running the malicious script
spreads quickly through “sharing pages” on social media
injection types
SQL
DLL
LDAP
XML
SQL injection
Structured Query Language
most common injection type
exploits site inputs that lack input validation
DLL injection
Dynamic Link Library
hijacking an application to run a malicious DLL
often takes advantage of the escalated privileges the host application has
used to evade process-based defenses
LDAP injection
Lightweight Directory Access Protocol
similar to SQL injection
exploits web apps that construct LDAP statements based on user input
executes arbitrary commands, grants permissions to unauthorized queries, or modifies content in the LDAP tree
null pointer dereference || pointer/object dereference attack
nullifying a value
can cause an application crash, disclosure of debug info, or DoS
directory traversal
reading files outside of a website’s file directory
e.g. users shouldn’t be able to browse the Windows folder
../../../
can be either a web server or a web application vulnerability
SSL Stripping
HTTP downgrade + on-path attack
on-path attacker removes the “s” from https
ssl = secure sockets layer
buffer overflows
writing data that overwrites adjacent memory locations.
enables malicious code to be written into areas meant for executable code, data to be overwritten, or privileges to be escalated
can corrupt data, crash the program, or cause the execution of malicious code.
race condition
when two things try to happen at the same time
TOCTOU (time of check, time of use) attack
a race condition exploit
taking advantage of any gap in time between a “check” of valid data and the “use” of that data.
can cause: reboot loops (Mars rover), communication failures (blackout of 2003), or death (Therac-25 radiation therapy machine in the 80s)
memory leak
memory that is no longer used is never released, so usage grows until all memory is consumed and the system crashes, e.g. DoS
integer overflow
an input where anything goes
always do a validation check
look for malicious input like SQL injections
can cause: buffer overflows, DoS, etc.
API attacks
API = relatively new communication path
can cause:
- exposing sensitive data
- DoS
- intercepted comms
- privileged access
Resource exhaustion
a specialized DoS attack that uses up all the available resources of a device so that apps can’t run
can be accomplished by a single device over low bandwidth.
ZIP bomb
a resource exhaustion attack
sending a zip file that unzips to an unfathomable size
42 KB .zip -> 4.5 petabytes (4,500 terabytes)
antivirus will usually identify these
DHCP starvation
a network-based resource exhaustion attack
floods network with “new devices” requesting IP addresses (really it’s just a new MAC address each time)
the DHCP server quickly uses up all available IP addresses, preventing real new devices from connecting
mitigation: configure the switch to limit DHCP requests
DHCP = Dynamic Host Configuration Protocol
replay attack
intercepted data is retransmitted or delayed, sometimes as part of spoofing by IP packet substitution
a man-in-the-middle attack
session replay attack
using an active session ID to pose as the victim and communicate directly with a service without a username or password
mitigation: mask session IDs with SSL or TLS encryption