Week 7 - Web Security and Malware

Question 1

What is a SQL injection attack?

Answer 1

When an attack users input maliciously to deploy SQL queries rather than an expected data input. This attack only words for application that use a sql database.

Question 2

What could and attacker use an SQL injection to do?

Answer 2

They could ‘drop’ all tables or records in the database.
They could modify a record or multiple records.
They could select and display row data to themselves.
They could attempt to disrupt validation.

Question 3

What is password spraying?

Answer 3

When an attacker refers to a list of common passwords to attempt to attack a large number of accounts. An attacker might use sql injection to disrupt validation so that instead of looking for and account with a certain username or password, the sql only looks for an account with the specified password. If the attacker uses the list of common passwords they will likely gain access to at least one account.

Question 4

How do you do comments in SQL?

Answer 4

You use –

Question 5

How would you inject mutple SQL statements at once?

Answer 5

You would use batch sql would allow you to execute mutple SQL statements by separating the statements with a ; or joining them using UNION. Separating with a ; typically doesn’t work as application do not normally deal with a second set of data return from a second sql statement.

Question 6

Why might using ; to execute more sql statements to get a second set of data not work as compared to a UNION statement?

Answer 6

Separating with a ; typically doesn’t work as applications do not normally deal with a second set of data returned from a second sql statement, thus the second set of data will be dropped in favour of dealing with the first commands data.

A UNION statement on the other hand join statements together and allows for the data returned from those statements to be joined as one result table.

Question 7

How might one prevent an SQL injection?

Answer 7

Prepared statements/parameterised queries

Stored procedures

Question 8

What is a prepared statement?

Answer 8

It is a way of executing sql in Web application that allows the sql command and the parameters to be defined separately so that the application can tell what is code and what is not. The command is defined first and the parameters and passed in afterwards. This means that any parameter inouts will never be considered code and thus cannot inject sql.

Question 9

How would you implement a prepared statement?

Answer 9

You would first get the parameters from the input data.
Next you would defined the sql command as a string, with a placeholder value that goes where parameters should go (in java this placeholder is ?).
Next you create a prepared statement object which let’s the application know that that the sql command string is a command, and convert it as such.
Finally we can pass in the input parameters to this prepared statement and it will add them in order to all the placeholders, knowing not to treat the parameters as sql code (In java we use the prepared statement method setString(…) to add the parameters).

Question 10

What is a stored procedure?

Answer 10

Stored procedures are used to prevent sql injections by defining an SQL query and the parameters separately, and passing the parameters in later so that the application does not recognise parameters as code. This is very similar to prepared statements, but the difference is that stored procedures are defined in the database itself, not the application. The application must retrieve the stored procedure to use it.

Question 11

What is the difference between a stored procedure and a prepared statement?

Answer 11

Stored procedures are defined and stored in the database rather than defined in the code of the application.

Question 12

How would you implement a stored procedure?

Answer 12

First, you get the parameters from the I out data.
Next you retrieve the procedure from the database and stored it is as a stored procedure in the code (In java it is stored as a CallableStatement).
Next you pass the parameters and add them into the statement in order (in java CallableStatement has a method setString(…) for this purpose) .
Now execute the statement.

Question 13

What is cross site scripting?

Answer 13

It’s when an attacker takes advantage of unsanitised inputs to embed client side scripting (Normally java script) into a legitimate website.

Question 14

What are the dangers of cross site scripting?

Answer 14

Once the script has eebn embedded in the site, all users that view the page with that script will have the script be executed for them, and depending on the purpose of the script it could potentially cause harm.

Question 15

Give an example of cross site scripting?

Answer 15

A website has an inout like a comment box. If the comment box input is not sanitised, then script (e.g. Java script) entered into the comment will be registered as code rather than text. This means that the comment entered will be executed for users who view the comment.

Question 16

What are the 2 categories of cross site scripting?

Answer 16

Stored cross site scripting attack

Reflected cross site scripting attack

Question 17

What happens during a stored cross site scripting attack?

Answer 17

An attacker inouts malicious script into a website.
The site stores this data on its servers, without sanitising the input.
When a user accesses this data, the script is executed because the script is registered as code rather than text.

Question 18

What are some uses for cross site scripting?

Answer 18

To open an unsafe website for the user.
To download an unsafe file onto the users pc.
To send data from the users session back to the attacker.
To comment out the rest of the Web page.

Question 19

What happens during a Reflected cross site scripting attack?

Answer 19

In this type of scripting attacker, the malicious script is not inputed into inout fields on a Web page but rather variables in the Web page url. If the variable is not sanitised, then the script can be executed. This type of attacker only affects the user who enters the script.

E.g. Url:
https://www.example.co.uk/index?variablename=Insert script here

Question 20

How might an attacker weaponise a Reflected cross site scripting attack, when the script is only executed for the person how enters it?

Answer 20

The attacker could send the link to an end user with the script as part of it in a url variable. If the user clicks the link then the script is executed for them.
An attackwr might use a url shortener to hide the fact that script is in the url, or link is on an online forum where the link shows as a title rather than the url.

Question 21

What methods could you use to prevent a cross site scripting attack?

Answer 21

Being careful about what untrusted inputs you are injecting into your html and Web page code and clearly define sections fo your code that will refer to untrusted inputs.

Encoding inputs before injecting the data into your Web page.

Question 22

What does Encoding your inouts do?

Answer 22

It ensures that inputs are not executed, by making sure that are not recognised as script/code. It goes through the inout and encodes characters that might result in the inout being executed e.g. Html <> tags. These characters may be encoded, but when displayed as text on screen they show as the original character.

Question 23

What is broken authentication?

Answer 23

When authentication is not implemented properly. A company might implement their own password and session management, but this may not adhere to good security protocols.

For example, if a user logs into their bank account from a public company and the session time out is ey to an hour, someone else might be able to use that public computer to access the account before the session times out.

Question 24

What is sensitive data exposure?

Answer 24

It is when unauthorised access is gained to sensitive data, and this data is copied, retrieved or stolen etc..
This could happen in different ways, e.g. Sql injection attacks, or compromised data servers.

Question 25

How should you mitigate sensitive data exposure?

Answer 25

Only store sensitive data which you need to carry out your service. Ensure that there is appropriate security and effective authentication and authorisation on the data. You might use encryption or hashing.

Question 26

What are XML external entities?

Answer 26

It is when you use XML within a Web application to retrieve external data from another source.

Question 27

How to mitigate attacks that take advantage of XML external entities?

Answer 27

Using the latest version of JSON or something similar. Upgrading older XML processors. Disabling the processing of external entities.

Question 28

How might an attacker take advantage of XML external entities?

Answer 28

A malicious url could be provided as the source of the external entities, and thus retrieving and evaluating this data could result in a security incident e.g. Remote request for access, DoS,, scanning if the Web app system...

Question 29

What is security Misconfiguration?

Answer 29

When security controls and protocols are poorly implemented, inaccurately configured or left insecure, putting your data at risk.

Question 30

What is an example of security Misconfiguration?

Answer 30

Poor password management - allowing users to choose weak passwords, or storing passwords in physical locations. Default account management - using default names for usernames and passwords and not changing them e.g. Admin. Lack of maintenance of software - not updating software such as antiviruses and or other software or hardware.

Question 31

What is broken access control?

Answer 31

It is the failure to uphold proper authentication of users and authorisation of permissions. Broken access control can main that users could act outside of their intended permissions and do things they otherwise couldn't do.

Question 32

What are examples of broken access control?

Answer 32

Insecure direct object references Missing function level access control

Question 33

What is insecure direct object references?

Answer 33

When an object is directly referenced from the url as a url parameter. These are insecure because the user could change the data being retrieved to data they cannot access by changing the parameter data in the url. It allows users to bypass permissions and authorisations. It only works if improper authentication is in place that doesn't check that the user should have access to the data.

Question 34

How would you mitigate insecure direct object references?

Answer 34

Implementing better authentication,by checking whether or not a user should have access to the data being referenced. This could be done with session variables that check which user is logged in, and check whether that user can access the data. Another option is to remove direct object references from url, and use indirect object references using input fields. E.g. A drop down inout that shows the ONLY the data that the user can access.

Question 35

What is missing function level access control?

Answer 35

When improper authentication is in place that allows a user to request functionality they don't have access to and are given access because their authorisation is not checked. Authentication is only happening at the presentation level, not the function level.

Question 36

How would you mitigate the vulnerability of missing function level access control?

Answer 36

By implementing better authorisation. This authorisation must be at function level, rather than presentation level.

Question 37

What is insecure deserialisation?

Answer 37

When there is no validation for editing a serialised object, thus introducing insecurities when derialisation of that object occurs if the deserialisation process does not valid the object either.

Question 38

What is serialisation?

Answer 38

When a piece of data is converted into a format that can be stored more efficiently. Normally into a string that can be stored easily.

Question 39

What is deserialisation?

Answer 39

The reverse process of serialisation. When you convert data from its stored form back to its original form.

Question 40

What is an example exploit of insecure deserialisation?

Answer 40

An attacker could change the deserialised object of someone's account data, like a cookie, so that they could change the permissions of that account or change the user logged in to gain unauthorised access to data. When deserialisation occurs, the attacker is recognised as an authorised user by the object wasn't validated for untrusted changes.

Question 41

What can we do to mitigate the vulnerabilities of insecure deserialisation?

Answer 41

Reduce the amount of deserialisation taking place. Checking integrity of serialised objects before deserializing them using digital signatures. Logging exceptions and failures for deserialization.

Question 42

What is a vulnerability of using premade components in a system?

Answer 42

If the component cotnians malicious data it could be used to enact malicious incidents on your organisation or system.

Question 43

What is a premade component?

Answer 43

A component of code e.g. Classes, a block of code, methods, libraries, that are premade and can be added to systems for use.

Question 44

What is the issue with having insufficient logging and monitoring of a system?

Answer 44

It could mean that you cannot identify incidents as they occur or even afterwards, and means you will have less data to understand what happened and how to mitigate it in future.

Question 45

How should you improve organsational logging and monitoring?

Answer 45

By implementing logging policies that must be followed throughout the organisation, laying out what data should be logged and when. Using tools that help with monitoring your system, for example security information and event management systems (SIEMS) which make it easier to understand the data being logged by outputting it in dashboards, or intrusion detection and prevention systems (IDPS) that are focused on a organisations networks and Firewalls to find out security issues there etc.

Question 46

What is malware?

Answer 46

A malicious software that causes damage to the system which it has infected.

Question 47

What are some types of malware?

Answer 47

Virus Worm Trojan horse

Question 48

Can malware affect hardware or just software?

Answer 48

It can affect both.

Question 49

Can different viruses attack different kinds of OSs?

Answer 49

Yes, malware can be OS specific.

Question 50

What is a virus?

Answer 50

A malicious executable that attaches itself to a host. The virus is executed when the host is interacted with. The virus's purpose is to spread to as many computers as possible.

Question 51

What is a host in terms of a virus?

Answer 51

A batch file An executable file A macro with an excel file

Question 52

What is a mutating virus?

Answer 52

A virus that mutants itself by changing part of itself before it copies itself to another host. This many many different hosts will have that virus, but slightly different versions. When it mutates, the viruses signature changes, which makes it harder to combat against.

Question 53

What is a virus signature?

Answer 53

An identifier that is attributed to a virus and can be used to identify it if it is on a system.

Question 54

How can a antiviruses software combat against viruses?

Answer 54

By having a dictionary of virus signatures, which is full of known virus signatures. It can then identify known viruses infecting the computer.

Question 55

How might a virus make itself harder to detect?

Answer 55

Encrypting itself | Mutating itself

Question 56

Does a virus infect the same host twice?

Answer 56

No, the virus will check if the host is infected. If it is then it moves on, if it is not then it infects the computer and leaves its signature there so that if the virus comes back to the computer it will know it is already infected.

Question 57

What are the 3 components of the anatomy of a virus?

Answer 57

Concealment - trying to hide itself Propagation - trying to spread itself Signature - the virus identifier

Question 58

What are the 3 main parts of the code of the virus?

Answer 58

There is code relating the the concealment of the virus. The payload of the virus. The code to propagate itself across many hosts.

Question 59

What are the 2 types of triggers for viruses?

Answer 59

Time bombs | Logic bombs

Question 60

What is a time bomb virus?

Answer 60

A virus that triggers at a specific date/time specified in the virus code.

Question 61

What is a logic bomb virus?

Answer 61

A virus that triggers when a specific event occurs. E.g. A user logs into their account, they run a certain application etc..

Question 62

What are some infection classifications of viruses?

Answer 62

``` File infection Boot sector infection OS infection Macro infection Email infection ```

Question 63

TRUE OR FALSE: Viruses can be classified into different sub types of malware.

Answer 63

TRUE A virus can be further classified depending on the actions its payload is taking e.g. If the payload encrypts the comouters data, it is a ransomware virus.

Question 64

What are some types of viruses?

Answer 64

Ransomware | Spyware

Question 65

What is a Worm?

Answer 65

A Worm is a piece of malware that spreads extremely fast until it causes damage to a system/network with the number of copies and the amount of resources it has taken up with its propagation. Note: Not all worms are created with malicious intent, but can become malicious if they spread too fast and get out of control of the creator.

Question 66

What is the difference between a Worm and a virus?

Answer 66

A Worm does not attach itself to a host file, whereas a virus does. A Worm can propagate without user interactions, whereas a virus can only spread if the user has interacted with its host file.

Question 67

What is considered the first Internet Worm.

Answer 67

The Morris Worm. Created by Robert Tappan Morris, with the purpose to count the number of computers on a network. He did not properly implement the Worm Propagation and it ended up overloading the network and causing a DoS.

Question 68

How does a Worm propagate?

Answer 68

It can use SSH to travel between comouters of a network assuming the SSH isn't secure in its password or authorisation. Bugs and issues in networks can be exploited to slip between the computers. Vulnerabilities in OS can also be exploited. It can also spread through instant messaging too.

Question 69

What is a Trojan horse sofware?

Answer 69

A piece of malware that disguises itself as a legitimate sofyware/application to seem non-threatening. It presents itself as a useful program and delivers on that useful service, but also has hidden malicious code that executes when you use the legitimate program. Note: this can commonly introduce what is referred to as a backdoor.

Question 70

What is a backdoor?

Answer 70

A way for an attacker to gain access to the system and bypass security for the system.

Question 71

What is a Trojan horse common malware type?

Answer 71

Spyware, so that it can take data from the computer and send it back to the attacker with the guise of still being a legitimate program. It take son this more passive type of attack so that it is less likely to be discovered.

Question 72

What are the 3 approaches that an antiviruses can take?

Answer 72

Dictionary approach Activity monitor approach Integrity checker approach

Question 73

What is the dictionary approach for antiviruses?

Answer 73

In this approach the antivirus software stores and refers to a dictionary of known signatures for viruses/malware. It scans the system looking for any of the signatures in the database as this would be an instance of that virus. If it finds one, then it will notify the user and take actions against the virus. It normally does this through quarantining the file.

Question 74

What is the activity monitor approach for antiviruses?

Answer 74

In the approach the antivirus looks at the behaviour of the system overall and monitors the activities of a system. If it thinks an activity occuribg on the system is malicious then it can take action. It might notice things like if a program is taking longer than normal to run. Once it notices strange behaviour like this, it can ntofiy the user and quarantine the source.

Question 75

What is the integrity checker approach for antiviruses?

Answer 75

Sometimes known as the 'behaviour blocker' approach. In this approach the antivirus software monitors files for changes that are unusual e.g. A very old file that suddenly becomes much larger in size. Instances of unlikely behaviour can be notified to the end user, and the antivirus can then quarantine the file.

Question 76

What is quarantining in reference to an anitivirus software?

Answer 76

When an antivirus software takes a file it knows to be malware and removes it from the systems operations so it cannot execute. It can be done in many ways, one of these includes setting up a VM that is referred to as a sandbox that is disconnected from the system and put the file in there. Note: Once a file has been quarantined, the antivirus can monitor its behaviour in a safe environment (Sandbox) to see if it is malware, and if so what was it trying to do.

Question 77

What are the disadvantages of the dictionary approach?

Answer 77

Antivirus software must be kept up to date so that the dictionary is updated with new virus signatures. Its unlikely to catch new virus that have not been discovered and added to the dictionary. It can also have challenges with polymorphic mutating viruses, whose signatures change when they mutate.

Question 78

What are the disadvantages with the integrity checker approach?

Answer 78

The anitivirus is reactive, and must first wait for some malicious behaviour to happen before it takes action.

Question 79

How can we detect viruses that are unknown i.e. Never been discovered before?

Answer 79

When vrisues are generated from the same software, they might have common structure and similarities that can be identified by an antivirus. We also look to researchers whose job it is to identify new viruses. They look for instances of entirely new malware in the 'wild', and try to get a copy of it to analyse (Find out its purpose) , disassembling (Look at its inner structure) and identify (Give it an identifier and let antivirus software know about it) within an isolated environment.

Question 80

Why might disassembling a virus help to identify it?

Answer 80

It helps us see the inner structure and code of the virus, and this can help us identify its original code and use in future to identify similar viruses.

Question 81

What does a researcher do when trying to analyse a piece of malware?

Answer 81

They are trying to identify its purpose as a virus. They will split it into the separate components of the virus e.g. Split it into propagation, concealment and the payload. From this point they can look for a signature to identify the virus.

Question 82

What can an antivirus do after identifying a piece of malware and after quarantine has occurred?

Answer 82

It could disenffect it. It attempts to remove the virus from the infected host file in an attempt to keep the file intact. This isn't always successful. It can completely remove the virus. It removes the virus and the host from the system, this can sometimes be difficult as a virus may attempt to prevent this from happening.

Question 83

What is an IOC?

Answer 83

An indicator of compromise is an indicator that suggests the presence of malware or the occurrence of a secutiry incident or intrusion. This could be an event on the system, a certain behaviour or a file. These can be used to identify future incidents, by notifying the system whenever previously identified IOCs occur.

Question 84

What are the 3 types of malware analysis?

Answer 84

Static Dynamic Hybrid of both

Question 85

What is static malware analysis?

Answer 85

Static analysis looks at the code and structure of the suspected malware without actually executing it. It looks at the file names, hashes, file header data, domains and such to identify whether it is malicious. It can be used to identify malicious infrastructure, libraries and packed files.

Question 86

What is dynamic malware analysis?

Answer 86

In dynamic analysis the suspected malicious code is executed within an isolated safe sandbox environment. This allows the system to observe the behaviour of the malware and identify its purpose without risking a security incident.

Question 87

What is hybrid malware analysis?

Answer 87

A combitons of static and dynamic analysis. It analysis the structure and internal code of the malware and runs it in a sandbox, meaning it can dig deeper into the malware by implementing both techniques.

Question 88

What is the disadvantage of static analysis?

Answer 88

Since it doesn't actually run the code, sophisticated malware and malicious runtime behaviour can go undetected. Meaning that not all malware can be identified by this analysis.

Question 89

What is the disadvantage of dynamic analysis?

Answer 89

Attackers are getting smarter, and since they know about the existence of sandboxes, they can code the malware to detect sandboxes.this means that some malware may be coded with hidden executables that remain dormant even when the main code is run, and only run when certain conditions are met. This can mean that the true nature of the malware might not be identified if the hidden code cannot be observed.

Question 90

What is the advantage to using a hybrid analysis approach?

Answer 90

It means that you get the best of both static and dynamic, withiut the disadvantages. Runtime behaviours can be noticed when running the code during dynamic analysis, while hidden code that will not execute with the main payload can be identified during static analysis.

Question 91

What do incident response teams do?

Answer 91

They provide root cause analysis of an incident, determine its impact on the system and attempt remediation and recovery after the attacker.

Question 92

What do threat hunters do?

Answer 92

They use behavior known to be malicious, and monitor the system for that behaviour or activity similar to it e.g. Access to a particular port or network that shouldn't be connected to.

Question 93

What are the common steps of malware analysis?

Answer 93

Static property analysis Interactive behaviour analysis Fully automated analysis Manual code reversing

Question 94

What is static property analysis?

Answer 94

The analysis and identification of the properties of the malware, such as embedded resources, file header details, hashes and so on. These are used to created initial IOCs and determine whether deeper analysis must take place.

Question 95

What is interactive behaviour analysis?

Answer 95

Analysis used to oberseve and interact with the malware sample running in a lab. The behaviour of the malware is monitored, such as its interaction with the network, howbeit uses memory, its fuke system etc.. This process is time consuming and requires a skilled analyst.

Question 96

What is fully automated analysis?

Answer 96

Quick and easy analysis that runs without the need of an analyst. It assesses the malware and determines the repercussions of it and the damage it could cause ofln the network. It then produces and easy to read report for the security teams. This is the best type of analysis for processing malware at larger scales.

Question 97

What is manual code reversing?

Answer 97

.

Question 98

What is a tarpit?

Answer 98

A security mechanism used to slow done network connections to a server. It is used to delay attacks such as DoS attacks and worms. It slows done the Worm infection and delays DoS attacks.

Question 99

What is a a honeypot?

Answer 99

A decoy computer on the server that is set up to look like a legitimate computer on the network. It stores no valuable data and it is made to look enticing to attacks and malware. Once it is infected, the affects of the malware cna be observed on the computer and information can be gathered on it.