WEB APP Flashcards

1
Q

What is the difference between a web server and a Dynamic type of server?

A

Web server just serves out static content, whereas a dynamic server can reference a back-end data store and serve active content; most modern web applications are considered dynamic servers, running content

2
Q

What is an application server?

A

A server referenced by the web/dynamic server that executes code; things like Websphere, JBOSS, Weblogic, etc.

3
Q

What was improved from HTTP 1.0 to 1.1?

A

Caching support, extensions, bandwidth optimization, Host header field

4
Q

What is “push promise” ?

A

A feature of HTTP 2, it allows a web server to send content before the client has requested it. Like a predictive version of AJAX.

5
Q

What is http multiplexing?

A

A feature of HTTP 2; it allows a server to request multiple sockets at once to request resources in parallel, rather than “pipelining” it all through the same connection.

6
Q

What moves HTTP from a text-based-on-the-wire type of connection to a binary form?

A

HTTP 2.0, which gives it better compression and reduces overhead/complexity

7
Q

What string in an http request identifies the type of client software used to connect?

A

User-agent string. Describes the web client.

8
Q

Where is the web server technology identified in an HTTP request?

A

the “server” field

9
Q

What is Windows 7/2008 listed as in the user-agent string? Windows 8/2012?

A

NT 6.1 and NT 6.3

10
Q

What is the difference between GET and POST?

A

Both request data from the server, but GET uses the URL to pass parameters and POST uses the payload.

11
Q

Why is POST more secure than GET?

A

Parameters aren’t written to web server or proxy logs

12
Q

What echoes an HTTP request as seen by the server back to a client, for diagnostics?

A

TRACE

13
Q

What HTTP request asks the server to return the list of request methods it supports? (which can then be used for interchange)

A

OPTIONS

14
Q

Method used when accessing an application through a proxy server.

A

CONNECT

15
Q

How does a CONNECT request work?

A

The client connects to the proxy, and the CONNECT request tells the server where to go to connect to the resource

16
Q

What HTTP method is used for WebDAV attacks, and where are those type of systems usually found?

A

PUT, which lets you upload data to a resource that you specify. Found on intranet web servers, occasionally.

17
Q

“Switching Protocols” HTTP status code

A

101 (info)

18
Q

“redirect” HTTP status code

A

302

19
Q

“Not modified” HTTP status code, and what is it for?

A

304; used to say that the content hasn’t changed, so the client can continue to use data that has been cached.

20
Q

“Unauthorized” HTTP status code (authentication required to access this)

A

401

21
Q

Page not found HTTP status code

A

404

22
Q

Server error HTTP status code series

A

5xx

23
Q

Websockets were integrated with the __________ technology scheme

A

HTML5

24
Q

This protocol establishes a bi-directional comm pipe over a SINGLE tcp socket

A

websocket

25
How is a websocket established? How does it work?
A socket is established using JS/HTML5 code; a 101 (switching protocols) request is passed, and then requests are handled with the ws:// or wss:// protocol. Typically used with a .js file, but can be found inside an HTML page itself with
26
What is method interchange?
When you are able to use a GET in lieu of a POST, etc.
27
_______ authentication uses base64 encoding when passed over the network, and uses a "realm" to identify itself.
Basic
28
How does basic authentication handle the actual process of authenticating?
The web server handles it. IIS uses local accounts, apache uses .htaccess
29
What are some problems with basic authentication? (Things an attacker will look for)
1. No account lockout/max attempts
2. Auth traffic passed in the clear
3. Can easily be replayed
4. No log out functionality w/o closing the browser
30
What is added to basic auth to improve it in digest auth?
A nonce is added as a salt to the MD5 hashing of the password
31
Why is digest auth not much more secure than basic?
The nonce (used as a salt in the md5 hashing of the password) is passed in the clear, making it vulnerable to man in the middle attacks
32
Integrated windows auth is perfect for ______ types of attacks
XSS/CSRF; if you can take over a client browser, you can get access to the web server
33
Typically, the authentication in "forms based" auth is handled by
LDAP or a backend database; the user requests the form, fills out the form, and submits it; the application (not the underlying web server) processes the request and either sends an error or returns the resource.
34
Attack vectors (issues) for forms based auth
1. Developer responsible for implementing proper security controls
2. Possible to sniff/intercept tokens/cookies/sessions
3. Possible to spoof the site (create a phishing attack)
35
Three parties for an Oauth transaction
User (@user)
Consumer (Tweetbot)
Service provider (Twitter)
36
Three items exchanged as part of an OAuth transaction
1. Request token
2. Secret
3. Access token
The secret is used to sign the request, which then goes back to the service provider. An access token is generated and given back to the service provider, which is used to post the data.
37
Hackers look for what in OAuth
1. Want to find the secret key (due to insecure storage or interception)
2. Highly dependent on the consumer service to get the implementation right/regenerate the key properly
3. Possible to spoof the site, steal the username/password
38
Difference between OAuth 1.0 and 2.0
1. SSL required for all 2.0 communications
2. Signatures not required for API calls once a token is generated in 2.0
3. Tokens in 2.0 expire
4. Less data generated in 2.0
39
SSL/TLS relies on _________ for encryption, which relies on trust with a ____________
PKI, certificate store
40
When a browser requests an HTTPS page, it receives ______________.
The server's public key
41
Heartbleed is a vulnerability in ________ and allows for the attacker to _____________.
SSL; read 64k chunks of memory and things resident there. (Username, passwords, server private key)
42
Nmap script to check heartbleed
ssl-heartbleed.nse
43
Five parts of the Sans reporting format
Exec summary
Introduction
Methodology
Findings
Conclusions
(optional: Presentation)
44
Stages of the Sans Web app pen test methodology
Recon Mapping Discovery Exploitation
45
What is included with WHOIS record?
Identifies owner
Authoritative name servers
Email addresses
Phone numbers
Names of tech POCs
46
What does DIG output that NSLOOKUP does not?
Specific types of DNS records (MX, AXFR (zone xfr) ANY)
47
What is the fierce scanner for?
Designed to find hosts on a domain, using DNS queries. Will guess host names using a wordlist
48
What does DNSrecon do?
Collects all of the standard records it can find for the domain, including SRV records (which can point to other attack vectors); also does reverse lookups for a range of IP addresses
49
To omit a page or pages with specific strings from a google search
Use the "-" key (site:www.sans.org -handlers)
50
The google dorks (Google Hacking DB) is a repository of __________ and is found at _________.
Very specific searches, such as those finding webcams with default credentials and indexes/stock password pages. It can be found at exploitdb
51
Operators used in Shodan for finding things:
Finds devices based on city, country, lat/long, IP, hostname, operating system
52
What is the "Google dorks" of Shodan? (The site where you can find legit uses of Shodan)
SHINE (www.infracritical.com)
Finds things like:
Medical devices
Traffic lights
Serial port servers
Data radios
Webcams/CCTVs
53
Tool that will search all the documents it can find on a site for METADATA (things like users, folders, printers, type of software, etc)
FOCA (Fingerprinting Orgs with Collected Archives)
54
Tool that gathers information about domains via PUBLIC information sources (IP addresses, emails, hosts, etc)
The Harvester
55
3 Tools that can be used to perform server foot printing
NMAP (with the -sV option)
Netcat: connect to and grab the server string (i.e., connect and request a page, check the response)
Netcraft toolbar
56
Tool used (like Netcat) to perform SSL checks
OpenSSL (with its switches) | Ex: openssl s_client -connect www.testurl.com
57
.Net app that tests the strength of a web application's SSL ciphers
SSLDigger
58
Free, publicly accessible site for testing the SSL configuration/strength of a publicly facing website. Gives you a nicely formatted output report
Qualys SSL Labs
59
Easy test for heartbleed
the NMAP heartbleed script (--script=ssl-enum-ciphers heart.bleed -oN)
60
Two types of virtual hosting
IP based: every host has a unique IP | Name based: every host shares an IP, and packets are addressed with the "host" field of the payload.
61
Most common form of virtual hosting
Name based, which means all hosts share an IP but packets are multiplexed based on "host" field of packets
62
Internet resource that can detect virtual hosting
Bing; use ip: to see all the host names that are returned on that IP
63
How to identify load balancers in use
URL analysis (sans.org vs. www2.sans.org)
Timestamps of responses: examine the "last modified" date in the packet headers
Cookies! Load balancers usually save a cookie on the browser machine that directs it to the same server it initially made the request on (look for "load", "LB" or "balancer" in the cookie name)
Look for differences in HTTPS: different certificate names or cipher versions
Look for differences in the comments/source code
64
Best tool for checking the method interchange (seeing what methods a web server requests)
netcat; just try to request each type of function. Can be easily scripted.
65
Browser extensions that give you insight into operating systems, web servers, packaged web applications, languages, frameworks, and APIs for a site that you visit
Netcraft and Wappalyzer
66
How to get wget to ignore the robots.txt file and download all of a site's content recursively
wget -e robots=off -r -l 3 | -l 3 gives it a recursive depth of 3
67
Once you have a site map and have conducted flow charting, the next step to analyzing a web site is:
Relationship Analysis: Shows how the components of a web application relate to each other. Place to look for authentication bypass or authorization bypass.
68
Why is it important to analyze junctions between code written by two different developers?
Misunderstandings are common; one developer may assume that authentication/authorization is handled by a different part of the app, for example. Also, if you find a vulnerability in one part of the code, you can then move on to see if the problem is systemic.
69
Cross-platform Java app that checks to see if pages exist based on a word list
OWASP's DirBuster
70
4 Things used to maintain "session" for a browser
Cookies (USERID)
URL parameters
Hidden form fields
IP/Browser info
71
Cookies that look like 1. S2V2aW4gS9obnNvbg== 2. 72b27b1b696ecaadfc0f212f16809850 3. 655609cdf493495c9f166e6d
1. Base64 2. Md5sum 3. Hex-encoded output from crypt
72
3 ways to collect session information from a web site
1. Manually (repeatedly request, check session tokens) 2. Custom scripts 3. Burp
73
Difference between session data passed by GET and POST
GET passes it in the URL; POST passes it through hidden form elements in the payload (they can also pass it in the cookie, or in a ViewState variable)
74
How to determine what a specific type of framework/web app uses to store sessions
Google, idiot
75
When developers create their own session IDs, they typically use the ____________ to create a token
The client's IP address
76
Burp mode to analyze session tokens
Sequencer: we seed it with URLs, and it tells you the method used to create the session token. Will tell you the randomness of the tokens when you give it other things to compare with.
77
How to define a python variable (individual and array)
```python
# Individual variables
name = "blah and blah"
year = 1980
# An array (list) of values
relics = ["Holy grail", "Holy Hand grenade", "Knights"]
```
78
How to store a name/value pair in Python
```python
# "Name": "Value" pairs are stored in a dictionary
knights = {"Lancelot": "The brave"}
print(knights["Lancelot"])
```
79
How to comment in Python
Single line: # | Multi line: """ or '''
80
To define a python function, and then call it
Define: def | Call: functionname() with the required inputs in the parentheses
81
How to manipulate a file in Python
open() opens the file; read() loads the entire file into a string; readlines() returns the entire file as a list of lines; write() writes to the file; close() closes it
82
Part of Burp suite used to analyze the randomness of session tokens
Burp Sequencer. Checks the entropy, looks for predictability.
83
Part of burp used to determine the specific way data is encrypted/compressed/encoded
Decoder
84
Pitchfork fuzzing attack in burp is used if...
Each payload position needs to be fuzzed simultaneously; useful if related injections are needed
85
Battering ram fuzzing attack in Burp is used when...
One set of payloads will be injected into multiple positions
86
Some places to look for errors in a forms page that will let you know if the user account being checked is valid
HTTP redirects (302)
Changes in the URL (=1 for existing accounts, =2 for nonexistent)
Differences in the size of the page returned (use Burp Comparer)
87
Python script that iterates user accounts based on a word list and tries to dump them into a forms account
User_enum script
88
Command injection example
Using a DNS entry form to insert Linux commands to the underlying operating system.
89
http://multiplicand/index.php?page=http://127.0.0.1/id.txt is an example of....
RFI.
90
"Incorrect syntax near' " is an error message from a ________ DB
MS SQL
91
"You have an error in your SQL syntax" is an error message from ________ kinds of DBs
MySQL
92
To create some database object like a record, table, or stored-procedure use the ______ cmd
CREATE
93
The __________ command adds conditions to a SQL query
WHERE
94
the __________ command deletes data from a SQL DB
DROP (DROP TABLE user_table;)
95
All SQL commands end with
;
96
Select a part of the string in a SQL command
SUBSTRING
97
Standard SQL query looks like:
Select from ;
98
How do we use Boolean statements to look for Blind SQL?
We can send an acceptable SQL statement that returns YES if a condition is met. IE, return index.php?itemid=0' and 1=1; --
99
Python based framework to speed the exploitation of blind SQL injection flaws
Does binary and frequency searches: BBQSQL
100
A JavaScript "switch" statement is used to
Choose between multiple conditions; the case runs until the break is encountered. (Iterates through different case statements until one is executed and a break happens)
101
JavaScript variables are defined by
Loosely typing them. var x; or var x="Sarah";
102
A JavaScript "event" is...
A thing that happens that calls a function. Such as "onload" or "onclick" being when the page loads or an item is clicked, respectively.
103
What does the "Find_accounts" python script do
Lets you iterate through a word list of last names to see if it can find the /URL/~username pages.
104
Things that a script can NOT change in the request and expect to get a response, because of the same-origin policy
Port, host name, protocol.
105
Two application filtering methods used to screen XSS traffic
Whitelists and blacklists
106
THREE methods to bypass input filtering
Encoding (Unicode, hex, etc) | Using an IMG tag instead of SCRIPT tags
107
Most common way to get a user to actuate reflected XSS
Phishing. (Send them a crafted link)
108
Is DOM XSS considered reflected or persistent?
Reflected
109
Most common type of system exploited with DOM-based XSS
Hybrid/Mashup/Analytic systems, where they need to use the URL or other information from another box
110
What is an "admin" type of persistent XSS flaw?
When you find a stored XSS flaw that requires admin approval: a way to attack admin users, guaranteeing a higher privilege level for the first look
111
What actually executes a DOM based XSS attack?
The browser; the web page uses values from the URL (GETS) | Everything executed within the browser
112
Tool used to test for both XSS and SQLi on the a page.
TamperData
113
Python based script that is used to automate testing for reflected XSS. Attacks a specific URL. Can crawl the site to discover additional points or funnel through a proxy.
XSSSniper
114
Python XSS discovery tool with a GUI front end that can attempt to find filtering and bypass it. Has "special techniques" to attack things like User-agents, Referers, cookies, etc.
XSSer
115
XSS tool that injects a specific string everywhere in the site to see if it will reflect back to the browser
XSScrapy
116
Two best parts of Burp to check for reflected XSS content
Use the Battering Ram payload to test at multiple positions with one string; use "Grep payloads" to search through the application responses for that string
117
Key to CSRF attacks being viable
When transactions on a page use predictable parameters.
118
Four step process for finding CSRF in an application
1. Review the app logic
2. Find functions that have predictable parameters and are worth screwing with
3. Create a page with a link that executes that transaction
4. Get an attacker to click on the link once they've already logged into the app with the predictable parameters
119
Python application that hosts CSRF for testing and lets you automate CSRF attacks
MonkeyFist
120
The xmlhttp.open AJAX request establishes
The properties of the request; GET or POST, and the resource being retrieved. It does NOT initiate the request
121
Xmlhttp.send() does...
Actually creates the connection with the URL
122
Xmlhttp.onreadystatechange does...
Sets which function should be called when the ready state changes. (I.e., when the ready state number increases, what function gets called)
123
xmlhttp.readyState does what?
A number, 0-4, that provides information about the state of the request. Can set different functions (actions) for each ready state.
0 - initialized
1 - request has been set up
2 - request has been sent
3 - waiting for a response
4 - response complete/received
124
XMLhttp.responseText does what?
Is the property that contains the contents of the response from the server
125
What is a "mash up" Web 2.0 server
A web server that integrates application widgets from multiple other sites to create a "mash-up" of connectivity. May require a proxy capability to work around same-origin restrictions.
126
What is a proxy mash up feature?
When one application retrieves code from multiple other sites, using xmlhttp requests, and then delivers it to the client
127
Why mash up application proxy servers can be attacked
If we can change the URL parameters (from POST to GET) we can have it retrieve content from malicious sources, or browse to other internet locations
128
Application for performing android mobile code testing?
Base-androidlabs app, developed by security compass
129
API file attacks with AJAX is commonly exploited by...
Looking for function calls that are loaded by scripts but NOT used by the app and using them for malicious purposes. (*For example, using an "add users" function despite not having access to the admin page*)
130
Why is it a good idea to find third party APIs/libraries when mapping source content?
Can use these libraries, which are pre-built and add functionality to a site, to carry out attacks.
131
Things to look for that may call attention in source code to third party APIs and libraries? (Such as jQuery or Google Web Toolkit)
SRC attributes, XHR requests
132
What is JSON?
Similar to XML, but strictly for JavaScript/JAVA. It's an array of arrays, or a "flat DB" of objects that can be parsed by JS and used to pass large amounts of data
133
Why is JSON often vulnerable to information disclosure?
Application developers don't want to parse requests both at the server and at the client, so often huge data sets are sent to the client app and then parsed to display only what the browser needs
134
Book method for injecting JSON content
Prematurely complete an object, insert a JS string, and comment the rest of the code out with //
135
Automated scanner that mainly acts as a passive proxy and collects data on a site as you walk it.
RatProxy
136
Free, open-source automated scanner that performs adaptive scanning, brute forcing, and handles multiple languages at once (PHP, ASPX, etc). Uses
Skipfish