Web and Database Attacks Flashcards
What types of attacks are typically found where there are insecure user-controlled values?
Injection attacks
What kind of attack often involves abuse of application programming interfaces (API) functions with names like exec, eval, cmd, or system?
Command Injection
What are some common commands used when performing a command injection attack?
whoami, ls, dir
Name some remediation methods for Command Injection attacks
- Avoid having the application call commands directly in the OS
- Use programming options to escape the command for the underlying OS before sending the command
- Parameterize and perform input validation by using an allowlist for characters
- Run applications at the lowest possible privilege
What are two common methods to troubleshoot queries in a blind SQLi?
1) Boolean-based and 2) time-based
What are the two types of time-based searches in a blind SQLi?
Linear search and Binary search
What is sqlmap?
A penetration testing tool for SQL injection (SQLi). It automates the detection and exploitation of SQLi flaws and database server hijacking
What type of SQL attack combines the results of two or more SELECT statements that already exist within an application into a single result in the application response? To be successful, both queries must return the same number of columns, and the data types in each column have to match.
Union Query SQL Injection
What kind of SQL attack works by terminating the original query and then executing another query?
Stacked Queries SQL Injection
What are some remediation techniques against SQL attacks?
- Parameterize queries and perform input validation by using an allowlist for characters
- Use stored procedures
- Escape all user input
What kind of attack often involves an ou, cn, or dc, and can be distinguished by looking for key-value pairs in injected filters using parentheses and comparison characters?
LDAP Injection
What are some ways to remediate against LDAP Injection attacks?
- Escape all variables using LDAP encoding functions
- Use language-specific built-in safe frameworks for interacting with LDAP
- Run applications at the lowest possible privilege
What type of attack involves attackers injecting client-side scripts or HTML code into other web pages to steal information or bypass authentication?
Cross-site Scripting (XSS)
What are the three types of XSS (Cross-site Scripting) attacks?
- Reflected
- Stored
- DOM-based
What is a browser extension in Mozilla-based browsers that can help block unwanted scripts from executing in your browser and limit execution to only trusted websites?
NoScript
How can you recognize XSS (Cross-site Scripting) attacks?
They typically involve HTML tags, with symbols such as <, >, =, and quotes.
What kind of client-side injection attack involves a user performing an action they do not intend against a trusted website?
Cross-site Request Forgery (CSRF)
What is the free software that runs like a web application and is susceptible to many kinds of web-based attacks?
DVWA (Damn Vulnerable Web Application)
What is a common tool used for web and web application penetration testing?
Burp Suite Pro
Session-based authentication in most web frameworks is stateful. What does this mean?
This means that both the server and the client keep a record of the session.
What are some Set-Cookie attributes that can be included in a response header from a server to a client’s browser?
- HTTPOnly - The cookie cannot be accessed via JavaScript, which prevents cookie theft through XSS attacks
- Path - This defines the URL where the cookie is valid
- Domain - Defines the domain where the cookie is valid
- Expires - This tells the browser to save the cookie locally for persistent storage and that it will be used by the browser for future requests until the expiration date
- Secure - This is used to ensure the cookie never makes its way over a nonencrypted connection, like HTTP
What are two ways to protect against Session Hijack attacks?
- Invalidate the session as soon as the user logs out
- Have the web application assign a new session ID upon authentication
What is a well-known open-source product used for hosting and deploying Java-based web applications?
Apache Tomcat
What policy defines the requirement for how access to a resource should be managed and controlled based on the rule of least privilege?
Access Control Policy