WEB APP

Question 1

What is the difference between a web server and a Dynamic type of server?

Answer 1

Web server just serves out static content, whereas dynamic content can reference a back end data store and server active content; most modern web applications are considered dynamic servers, running content

Question 2

What is an application server?

Answer 2

A server referenced by the web/dynamic server that executes code; things like Websphere, JBOSS, Weblogic, etc.

Question 3

What was improved from HTTP 1.0 to 1.1?

Answer 3

caching support, extensions, bandiwth optimization, host header field

Question 4

What is “push promise” ?

Answer 4

A feature of HTTP 2, it allows a web server to send content before the client has requested it. Like a predictive version of AJAX.

Question 5

What is http multiplexing?

Answer 5

A feature of HTTP 2, it allows a server to request multiple sockets at once to requests resources in parallel, rather than “pipelining” it all through the same connection.

Question 6

What moves HTTP to a text-based-on-the-wire type of connection to a binary form?

Answer 6

HTTP 2.0, which gives it better compression and reduces overhead/complexity

Question 7

What string in an http request identifies the type of client software used to connect?

Answer 7

User-agent string. Describes the web client.

Question 8

Where is the web server technology identified in an HTTP request?

Answer 8

the “server” field

Question 9

What is Windows 7/2008 listed as in the user-agent string? Windows 8/2012?

Answer 9

NT 6.1 and NT 6.3

Question 10

What is the difference between GET and POST?

Answer 10

Both request data from server, but GET uses the URL to pass parameters, POST uses the payload

Question 11

Why is POST more secure than GET?

Answer 11

Parameters aren’t written to web server or proxy logs

Question 12

What echoes an HTTP request as seen by the server back to a client, for diagnostics?

Answer 12

TRACE

Question 13

What HTTP request asks the server to return the list of request methods it supports? (which can then be used for interchange)

Answer 13

OPTIONS

Question 14

Method used when accessing the an application through a proxy server.

Answer 14

CONNECT

Question 15

How does a CONNECT request work?

Answer 15

The client connects to the proxy, and the CONNECT request tells the server where to go to connect to the resource

Question 16

What HTTP method is used for WebDAV attacks, and where are those type of systems usually found?

Answer 16

PUT, which lets you upload data to a resource that you specify. Found on intranet web servers, occasionally.

Question 17

“Switching Protocols” HTTP status code

Answer 17

101 (info)

Question 18

“redirect” HTTP status code

Answer 18

302

Question 19

“Not modified” HTTP status code, and what is it for?

Answer 19

304; used to say that the content hasn’t changed, so the client can continue to use data that has been cached.

Question 20

“Unauthorized” to access http status code (use authentication to access this)

Answer 20

401

Question 21

Page not found HTTP status code

Answer 21

404

Question 22

Server error HTTP status code series

Answer 22

5xx

Question 23

Websockets were integrated with the __________ technology scheme

Answer 23

HTML5

Question 24

This protocol establishes a bi-directional comm pipe over a SINGLE tcp socket

Answer 24

websocket

Question 25

How is a websocket established? How does it work?

Answer 25

A socket is established using JS/HTML5 code; a 101 (switching protocols) request is passed, and then requests are handled with the ws:// or wss:// protocol. Typically used with a .js file, but can be found insie an HTML page itself with

Question 26

What is method interchange?

Answer 26

When you are able to use a GET in lieu of a POST, etc.

Question 27

_______ authentication uses a base64 encoding when passed over the network, and uses a “real” to identify itself.

Answer 27

Basic

Question 28

How does basic authentication handle the actual process of authenticating?

Answer 28

The web server handles it. IIS uses local accounts, apache uses .htaccess

Question 29

What are some problems with basic authentication? (Things an attacker will look for)

Answer 29

1. No account lockout/max attempts
2. Auth traffic passed in clear
3. Can easily be replayed
4. No log out functionality w/o closing browser

Question 30

What is added to basic auth to to improve it in digest auth?

Answer 30

A nonce is added as a salt to the the md5 hashing off the password

Question 31

Why is digest auth not much more secure than basic?

Answer 31

The nonce (used as a salt in the md5 hashing of the password) is passed in the clear, making it vulnerable to man in the middle attacks

Question 32

Integrated windows auth is perfect for ______ types of attacks

Answer 32

XSS/CSRF; if you can take over a client browser, you can get access to the web server

Question 33

Typically, the authentication in “forms based” auth is handled by

Answer 33

LDAP or a backend database; the user requests the form, fills out the form, and submits it; the application (not the underlying web server) processes the request and either sends an error or returns the resource.

Question 34

Attack vectors (issues) for forms based auth

Answer 34

1. Developer responsible for implementing proper security controls
2. Possible to sniff/intercept tokens/cookies/sessions
3. Possible to spoof the site (create a phishing attack)

Question 35

Three parties for an Oauth transaction

Answer 35

User (@user)
Consumer (Tweetbot)
Service provider (Twitter)

Question 36

Three items exchanged as part of an OAuth transaction

Answer 36

1. Request token
2. Secret
3. Access token

The secret is used to sign the request, which then goes back to the service provider. An access token is generated and given back to the service provider, which is used to post the data.

Question 37

Hackers look for what in OAuth

Answer 37

1. Want to find the secret key (due to insecure storage or interception)
2. Highly dependent on consumer service to get the implementation right/regenerate key properly
3. Possible to spoof the sight, steal the username/password

Question 38

Difference between OAuth 1.0 and 2.0

Answer 38

1. SSL required for all 2.0 communications
2. Signatures not required for API calls once token is generated in 2.0
3. Tokens in 2.0 expire
4. Less data generated in 2.0

Question 39

SSL/TLS relies on _________ for encryption, which relies on trust with a ____________

Answer 39

PKI, certificate store

Question 40

When a browser requests an HTTPS page, it receives ______________.

Answer 40

The servers public key

Question 41

Heartbleed is a vulnerability in ________ and allows for the attacker to _____________.

Answer 41

SSL; read 64k chunks of memory and things resident there. (Username, passwords, server private key)

Question 42

Nmap script to check heartbleed

Answer 42

ssl-heartbleed.nse

Question 43

Five parts of the Sans reporting format

Answer 43

Exec summary
Introduction
Methodology
Findings
Conclusions
(optional: Presentation)

Question 44

Stages of the Sans Web app pen test methodology

Answer 44

Recon
Mapping
Discovery
Exploitation

Question 45

What is included with WHOIS record?

Answer 45

Identifies owner
Authoritative name servers
Email addresses
Phone numbers
Names of tech POCs

Question 46

What does DIG output that NSLOOKUP does not?

Answer 46

Specific types of DNS records (MX, AXFR (zone xfr) ANY)

Question 47

What is the fierce scanner for?

Answer 47

Designed to find hosts on a domain, using DNS queries. Will guess host names using a wordlist

Question 48

What does DNSrecon do?

Answer 48

Collects all of the standard records it can find from the domain, including SRV records (that can point to other attack vectors)

Reverse lookup for a range of IP addresses

Question 49

To omit a page or pages with specific strings from a google search

Answer 49

Use the “-“ key (site:www.sans.org -handlers)

Question 50

The google dorks (Google Hacking DB) is a repository of __________ and is found at _________.

Answer 50

Very specific searches, such as those finding webcams with default credentials and indexes/stock password pages.

It can be found at exploitdb

Question 51

Operators used in Shodan for finding things:

Answer 51

Finds devices based on city, country, lat/long, IP, hostname, operating system

Question 52

What is the “Google dorks” of Shodan? (The site where you can find legit uses of Shodan)

Answer 52

SHINE (www.infracritical.com) 
Finds things like: 
Medical devices
Traffic lights 
Serial port servers
Data radios
Webcams/CCTVS

Question 53

Tool that will search all the documents it can find on a site for METADATA (thinks like users, folders, printers, type of software, etc)

Answer 53

FOCA (Fingerprinting Orgs with Collected Archives)

Question 54

Tool that gathers information about domains via PUBLIC information sources (IP addresses, emails, hosts, etc)

Answer 54

The Harvester

Question 55

3 Tools that can be used to perform server foot printing

Answer 55

NMAP (with the -sV option)

Netcat: Connect to and grab the server string (i.e., connect and request a page, check response)

Netcraft toolbar

Question 56

Tool used (like Netcat) to perform SSL checks

Answer 56

OpenSSL (with it’s switches)

Ex: OpenSSL s_client -connect www.testurl.com

Question 57

.Net app that tests the strength of a web applications SSL ciphers

Answer 57

SSLDigger

Question 58

Free, publicly accessible site for testing the SSL configuration/strength of a publicly facing website. Gives you a nicely formatted output report

Answer 58

Qualys SSL Labs

Question 59

Easy test for heartbleed

Answer 59

the NMAP heartbleed script (–script=ssl-enum-ciphers heart.bleed -oN)

Question 60

Two types of virtual hosting

Answer 60

IP based: every host has a unique IP

Name based: every host shares an IP, and packets are addressed with the “host” field of the payload.

Question 61

Most common form of virtual hosting

Answer 61

Name based, which means all hosts share an IP but packets are multiplexed based on “host” field of packets

Question 62

Internet resource that can detect virtual hosting

Answer 62

Bing. use ip: to see all the host names that are returned on that IP

Question 63

How to identify load balancers in use

Answer 63

URL analysis (sans.org vs. www2.sans.org)
timestamps of responses

examine the “last modified” date on the packet headers

cookies! Load balancers usually save a cookie on the browser machine that directs them to the same server they initially made the request on (look for “load” or “LB” or balancer in the cookie name)

Look for differences in HTTPS: different certificate names or cipher versoins

Look for differences in the comments/source code

Question 64

Best tool for checking the method interchange (seeing what methods a web server requests)

Answer 64

netcat; just try to request each type of function. Can be easily scripted.

Question 65

Browser extensions that give you insight into operating systems, web servers, packaged web applications, Languages, frameworks, and APIS for a site that you visit

Answer 65

Netcraft and Wappalyzer

Question 66

How to get wget to ignore the robots.txt file and download all of a site’s content recursively

Answer 66

Wget -r -l -3

-3 gives it a recursive depth of 3

Question 67

Once you have a site map and have conducted flow charting, the next step to analyzing a web site is:

Answer 67

Relationship Analysis: Shows how the components of a web application relate to each other. Place to look for authentication bypass or authorization bypass.

Question 68

Why is it important to analyze junctions between code written by two different developers?

Answer 68

Misunderstandings are common; one developer may assume that authentication/authorization is handled by a different part of the app, for example

Also, if you find a vulnerability in one part of the code, you can then move to see if the problem is systemic

Question 69

Cross-platform Java app that checks to see if pages exist based on a word list

Answer 69

OWASPs dirbuster

Question 70

4 Things used to maintain “session” for a browser

Answer 70

Cookies (USERID)
URL parameters
Hidden form fields
IP/Browser info

Question 71

Cookies that look like

1. S2V2aW4gS9obnNvbg==
2. 72b27b1b696ecaadfc0f212f16809850
3. 655609cdf493495c9f166e6d

Answer 71

1. Base64
2. Md5sum
3. Hex-encoded output from crypt

Question 72

3 ways to collect session information from a web site

Answer 72

1. Manually (repeatedly request, check session tokens)
2. Custom scripts
3. Burp

Question 73

Difference between session data passed by GET and POST

Answer 73

Get passes it in the URL, Post passes it through hidden form elements in the payload

(They can also pass it in the cookie, or in a ViewState variable)

Question 74

How to determine what a specific type of framework/web app uses to store sessions

Answer 74

Google, idiot

Question 75

When developers create their own session IDs, they typically use the ____________ to create a token

Answer 75

The clients IP address

Question 76

Burp mode to analyze session tokens

Answer 76

Sequencer: we seed it URLs, and it tells you the method used to create the session token. Will tell you the randomness of the tokens when you give it other things to compare with.

Question 77

How to define a python variable (individual and array)

Answer 77

Name = "blah and blah"
year = 1980

Relics = (“Holy grail, “Holy Hand grenade”, “Knights”)

Question 78

How to store a name/value pair in Python

Answer 78

“Name”: “Value”,
knights = (“Lancelot”:”The brave”)

Print( knights(“Lancelot”)

Question 79

How to comment in Python

Answer 79

Single line: #

Multi line:
“”
‘’’

Question 80

To define a python function, and then call it

Answer 80

Define: def

Call: fuctionname() with required inputs in the parents

Question 81

How to manipulate a file in Python

Answer 81

“Open”
“Read” loads the entire file into a string”
“Readlines” returns the entire file as a list
“Write” writes to the file
“Close”

Question 82

Part of Burp suite used to analyze the randomness of session tokens

Answer 82

Burp Sequencer. Checks the entropy, looks for predictability.

Question 83

Part of burp used to determine the specific way data is encrypted/compressed/encoded

Answer 83

Decoder

Question 84

Pitchfork fuzzing attack in burp is used if…

Answer 84

Each payload position needs to be fuzzed simultaneously

Useful if related injections are needed

Question 85

Battering ram fuzzing attack in Burp is used when…

Answer 85

One set of payloads will be injected into multiple positions

Question 86

Some places to look for errors in a forms page that will let you know if the user account being checked is valid

Answer 86

HTTP Redirects (302)
Changes in the URL (=1 for existing accounts,=2 for nonexistent)
Differences in the size of the page returned (use burp comparer)

Question 87

Python script that iterates user accounts based on a word list and tries to dump them into a forms account

Answer 87

User_enum script

Question 88

Command injection example

Answer 88

Using a DNS entry form to insert Linux commands to the underlying operating system.

Question 89

HTTP://multiplicand/index.pho?page=http://127.0.0.1/id.txt is an example of….

Answer 89

RFI.

Question 90

“Incorrect syntax near’ “ is an error message from a ________ DB

Answer 90

MS SQL

Question 91

“You have an error in your SQL syntax” is an error message from ________ kinds of DBs

Answer 91

MySQL error

Question 92

To create some database object like a record, table, or stored-procedure use the ______ cmd

Answer 92

CREATE

Question 93

The __________ command adds conditions to a SQL query

Answer 93

WHERE

Question 94

the __________ command deletes data from a SQL DB

Answer 94

DROP (drop user_table;)

Question 95

All SQL commands end with

Answer 95

;

Question 96

Select a part of the string in a SQL command

Answer 96

SUBSTRING

Question 97

Standard SQL query looks like:

Answer 97

Select from ;

Question 98

How do we use Boolean statements to look for Blind SQL?

Answer 98

We can send an acceptable SQL statement that returns YES if a condition is met.

IE, return index.php?itemid=0’ and 1=1; –

Question 99

Python based framework to speed th exploitation of blind SQL injection flaws

Answer 99

Does binary and frequency searches: BBQSQL

Question 100

A JavaScript “switch” statement is used to

Answer 100

Choose between multiple conditions; the case runs until the break is encountered. (Iterates through different case statements until one is executed and a break happens)

Question 101

JavaScript variables are defined by

Answer 101

Loosely typing them. var x; or var x=”Sarah”;

Question 102

A JavaScript “even” is…

Answer 102

A thing that happens that calls a function. Such as “onload” or “onclick” being when the page loads or an item is clicked, respectively.

Question 103

What does the “Find_accounts” python script do

Answer 103

Lets you iterate through a word list of last names to see if they can find the /URL/~username pages.

Question 104

Things that a script can NOT change in the request and expect to get a response because of same original policy

Answer 104

Port, host name, protocol.

Question 105

Two application filtering methods used to screen XSS traffic

Answer 105

Whitelist and Blacklists

Question 106

THREE methods to bypass input filtering

Answer 106

Encoding (Unicode, hex, etc)

Using an IMG tag instead of SCRIPT tags

Question 107

Most common way to get a user to actuate reflected XSS

Answer 107

Phishing. (Send them a crafted link)

Question 108

Is DOM XSS considered reflected or persistent?

Answer 108

Reflected

Question 109

Most common type of system exploited with DOM-based XSS

Answer 109

Hybrid/Mashup/Analytic systems, where they need to use the URL or other information from another box

Question 110

What is an “admin” type of persistent XSS flaw?

Answer 110

When you find a stored XSS flaw that requires admin approval: way to attack admin users, g’tee higher privilege level of first look

Question 111

What actually executes a DOM based XSS attack?

Answer 111

The browser; the web page uses values from the URL (GETS)

Everything executed within the browser

Question 112

Tool used to test for both XSS and SQLi on the a page.

Answer 112

TamperData

Question 113

Python based script that is used to automate testing for reflected XSS. Attacks a specific URL. Can crawl the site to discover additional points or funnel through a proxy.

Answer 113

XSSSniper

Question 114

Python XSS discovery tool with a GUI front end that can attempt to find filtering and bypass it. Has “special techniques” to attack things like USer-agents, Referers, cookies, etc.

Answer 114

XSSer

Question 115

XSS tool that injects a specific string everywhere in the site to see if it will reflect back to the browser

Answer 115

XSScrapy

Question 116

Two best parts of Burp to check for reflected XSS content

Answer 116

Use the Battering Ram payload, to test at multiple positions with one string

Use “Grep payloads” to search through the application responses for that string

Question 117

Key to CSRF attacks being viable

Answer 117

When transactions on a page use predictable parameters.

Question 118

Four step process for finding CSRF in an application

Answer 118

1. Review the app logic
2. Find functions that have predictable parameters and are worth screwing with
3. Create a page with a link that executes that transaction
4. Get an attacker to click on the link once they’ve already logged into the app with the predictable parameters

Question 119

Python application that hosts CSRF for testing and lets you automate CSRF attacks

Answer 119

Monkey first

Question 120

The xmlhttp.open AJAX request establishes

Answer 120

The properties of the request; GET or POST, and the resource being retrieved.

It does NOT initiate the request

Question 121

Xmlhttp.send() does…

Answer 121

Actually creates the connection with the URL

Question 122

Xmlhttp.onreadystatechange does…

Answer 122

Sets which function should be called when the ready state changes. (I.e., when the ready state number increases, what function gets called)

Question 123

XML.readystate does what?

Answer 123

A number, 0-4, that provides information about the state of the of the request. Can set different function (actions) for each ready state.

0-initialized
1-request has been set up
2-request has been sent
3-waiting for a response
4-response complete/received

Question 124

XMLhttp.responseText does what?

Answer 124

Is the property that contains the contents of the response from the server

Question 125

What is a “mash up” Web 2.0 server

Answer 125

A web server that integrates application widgets from multiple other sites to create a “mash-up” of connectivity. May require a proxy capability to work around same-origin restrictions.

Question 126

What is a proxy mash up feature?

Answer 126

When one application retrieves code from multiple other sites, using xmlhttp requests, and then delivers it to the client

Question 127

Why mash up application proxy servers can be attacked

Answer 127

If we can change the URL parameters (from POST to GET) we can have it retrieve content from malicious sources, or browse to other internet locations

Question 128

Application for performing android mobile code testing?

Answer 128

Base-androidlabs app, developed by security compass

Question 129

API file attacks with AJAX is commonly exploited by…

Answer 129

Looking for function calls that are loaded by scripts but NOT used by the app and using them for malicious purposes. (For example, using an “add users” function despite not having access to the admin page)

Question 130

WHy is it a good idea to find third party API/libraries when mapping source content?

Answer 130

Can use these libraries, which are pre-built and add functionality to a site, to carry out attacks.

Question 131

Things to look for that may call attention in source code to third party APIs and libraries? (Such as query or Google web toolkit)

Answer 131

SRC attributes, XHR requests

Question 132

What is JSON?

Answer 132

Similar to XML, but strictly for JavaScript/JAVA. It’s an array of arrays, or a “flat DB” of objects that can be parsed by JS and used to pass large amounts of data

Question 133

Why is JSON often vulnerable to information disclosure?

Answer 133

Application developers don’t want to parse requests both at the server and at the client, so often huge data sets are send to the client app and then parsed to display only what the browser needs

Question 134

Book method for injecting JSON content

Answer 134

Prematurely complete an object, insert a JS string, and comment the rest of the code out with //

Question 135

Automated scanner that mainly acts as a passive proxy and collects data on a site as you walk it.

Answer 135

RatProxy

Question 136

free, open source Automated scanner that performs adaptive scanning, brute forcing, and handles multiple languages at once (php, ASPX, etc). Uses

Answer 136

Skipfish