Web and Database Attacks Flashcards
What types of attacks are typically found where there are insecure user-controlled values?
Injection attacks
What kind of attack often involves abuse of application programming interfaces (API) functions with names like exec, eval, cmd, or system?
Command Injection
What are some common commands used when performing a command injection attack?
whoami, ls, dir
Name some remediation methods for Command Injection attacks
- Avoid having the application call commands directly in the OS
- Use programming options to escape the command for the underlaying OS before sending the command
- Parameterize and perform input validation by using an allowlist for characters
- Run applications at the lowest possible privilege
What are two common methods to troubleshoot queries in a blind SQLi?
1) Boolean-based and 2) time-based
What are the two types of time-based searches in a blind SQLi?
Linear search and Binary search
What is sqlmap?
A penetration testing tool for SQL injection (SQLi). It automates the detection and exploitation of SQLi flaws and database server hijacking
What type of SQL attack builds two or more SELECT() statements that already exist within an application to create a single result in the application response? To be successful, both queries must return the same number of columns and the data types in each column have to match.
Union Query SQL Injection
What kind of SQL attack works by terminating the original query and then executing another query?
Stacked Queries SQL Injection
What are some remediation techniques against SQL attacks?
- Parameterize queries and perform input validation by using an allowlist for characters
- Use stored procedures
- Escape all user input
What kind of attack often involves an ou, cn, or dc, and can be distinguished by looking for key-value pairs in injeccted filters using parentheses and comparison characters?
LDAP Injection
What are some ways to remediate against LDAP Injection attacks?
- Escape all variables using LDAP encoding functions
- Use language-specific built-in safe frameworks for interacting with LDAP
- Run applications at the lowest possible privilege
What type of attack involves attackers injecting client-side scripts or HTML code into other web pages to steal information or bypass authentication?
Cross-site Scripting (XSS)
What are the three types of XSS (Cross-site Scripting) attacks?
- Reflect
- Stored
- DOM-based
What is a browser extension in Mozilla-based browsers that can help block unwanted scripts from executing in your browser and limit execution to only trusted websites?
NoScript
How can you recognize XSS (Cross-site Scripting) attacks?
They typically involve HTML tags, with symbols such as <, >, =, and quotes.
What kind of client-side injection attack involves a user performing an action they do not intend against a trusted website?
Cross-site Request Forgery (CSRF)
What is the free software that runs like a web application and is susceptible to many kinds of web-based attacks?
DVWA (Damn Vulnerable Web Application)
What is a common tool used for web and web application penetration testing?
Burp Suite Pro
Session-based authentication for most web frameworks are stateful. What does this mean?
This means each that the server and the client both keep a record of the session.
What are some Set-Cookie attributes that can be included in a response header from a server to a client’s browser?
- HTTPOnly - The cookie cannot be accessed via JavaScript, such as cookie theft through XSS attacks
- Path - This defines the URL where the cookie is valid
- Domain - Defines the domain where the cookie is valid
- Expires - This tells the browser to save the cookie locally for persistent storage and that it will be used by the browser for future requests until the expiration date
- Secure - This is used to ensure the cookie never makes its way over a nonencrypted connection, like HTTP
What are two ways to protect against Session Hijack attacks?
- invalidate a session as soon as user logs out 2. Web applications should assign a new session ID upon authentication
What is a well-known open-source product used for hosting and deploying Java-based web applications?
Apache Tomcat
What policy defines the requirement for how access to a resource should be managed and controlled based on the rule of least privilege?
Access Control Policy
Sensitive data exposure can come in the form of an error message or a reference to an internal function that inadvertently reveals the true nature of the request. An example would be exposing a database record as a referenced object within a web parameter or URL. What is this called?
An insecure direct object reference (IDOR)
what kind of attacks are a form of injection that enables a malicious actor to access content that would not normally be available by using shortcuts to browse outside of the web server’s root folder?
Directory and path traversal attacks
What is the difference between file inclusion vulnerability and a path or directory traversal attack?
With a traversal attack, you only have the ability to read the contents of a local resource, but with file inclusion the resource can be loaded and executed within the context of the application (providing code execution)
What kind of web or database attack is characterized by the ability to load arbitrary content within a web page?
Inclusion attack
What are the two types of file inclusion attacks?
LFI (Local File Inclusion) - includes files outside the web root and renders the contents of local operating system files to the browser window, such as the password fle.
RFI (Remote File Inclusion) - allows files or even whole pages to be displayed inside the vulnerable web page.
How can you mitigate against file inclusion attacks like LFI and RFI?
Input validation
What is it called when two or more application logic components have co-dependent data, do not have appropriate concurrency protections, and execute simultaneously?
Race condition
What is the purpose of the Document Object Model (DOM) within a user’s web browser?
During runtime, the application will pass the DOM to help structure content within the browser. DOM modules may include JavaScript code that can execute locally within the user’s browser.
