Obj 1.3 - Indicators of Application Attacks

Question 1

Privilege Escalation

Answer 1

gaining higher-level access to a system to exploit it

can be horizontal - another user of same level

Question 2

Cross-site scripting

Answer 2

usually uses JS to inject code via a non-validated input on a web page

Two types:

• persistent (stored)
• non-persistent (reflected)

Question 3

Non-persistent (reflected)

Answer 3

an XSS attack requiring user to click a specific link

Question 4

persistent (stored)

Answer 4

an XSS attack stored permanently on a server
all page visitors will be running malware script
spreads quickly through “sharing pages” on social media

Question 5

injection types

Answer 5

SQL
DLL
LDAP
XML

Question 6

SQL injection

Answer 6

Structured Query Language

most common injection type
exploits site inputs without input validation

Question 7

DLL injection

Answer 7

Dynamic Link Library

hijacking an application to run a malicious DLL
often takes advantage of escalated privileges that host application has.
used to evade process-based defenses

Question 8

LDAP injection

Answer 8

Lightweight Directory Access Protocol

similar to SQL injection
exploits web apps that construct LDAP statements based on user input
executes arbitrary commands, grants permissions to unauth. queries, modifies content in the LDAP tree.

Question 9

null pointer reference || pointer/object dereference attack

Answer 9

Nullifying a value

can cause application crash, debug info display, DoS

Question 10

directory traversal

Answer 10

reading files outside of a website’s file directory

e.g. users shouldn’t be able to browse the windows folder

../../../

either web server or web application vulnerability

Question 11

SSL Stripping

Answer 11

HTTP downgrade + on-path attack

on-path attacker removes the “s” from https
ssl = secure sockets layer

Question 12

buffer overflows

Answer 12

writing data that overwrites adjacent memory locations.
enables malicious code to be written in areas for executable code, or to overwrite data, or gain privilege escalation.
can corrupt data, crash the program, or cause the execution of malicious code.

Question 13

race condition

Answer 13

when two things try to happen at the same time

Question 14

TOCTOU (time of check, time of use) attack

Answer 14

a race condition exploit

taking advantage of any gap in time between a “check” of valid data and the “use” of that data.

can cause:
reboot loops (mars rover)
communication failures (blackout of 2003)
or death (therac-25 radiation therapy in 80s)

Question 15

memory leak

Answer 15

unused memory not released
grows
uses all memory
system crashes
e.g. DoS

Question 16

integer overflow

Answer 16

an input where anything goes

always do a validation check
look for malicious input like sql injections
can cause: buffer overflows, DoS, etc.

Question 17

API attacks

Answer 17

API = relatively new communication path

can cause:

• exposing sensitive data
• DoS
• intercepted comms
• privileged access

Question 18

Resource exhaustion

Answer 18

a specialized DoS attack that uses up all the available resource of a device so that apps can’t run.

can be accomplished by a single device over low bandwidth.

Question 19

ZIP bomb

Answer 19

a resource exhaustion attack

sending a zip file that unzips to an unfathomable size

42kb .zip –> 4.5 petabytes (4500 terabytes) :
antivirus will usually id these

Question 20

DHCP starvation

Answer 20

a network-based resource exhaustion attack
floods network with “new devices” requesting IP addresses (really it’s just a new MAC address each time)
DHCP server quickly uses up all available IP addresses preventing real new devices from connecting
mitigation: configure switch to limit DHCP requests.

btw, it’s Dynamic Host Configuration Protocol

Question 21

replay attack

Answer 21

intercepted data is retransmitted or delayed, sometimes as part of spoofing by IP packet substitution
a man-in-the-middle attack

Question 22

session replay attack

Answer 22

using an active session ID to pose as the victim and communicate directly to a service without username or password.
mitigate: mask session IDs with SSL or TLS encryption.