Ch 14: Summarizing Secure Application Concepts
What is an SDK and how does it affect secure development?
A software development kit (SDK) contains tools and code examples released by a vendor to make developing applications within a particular environment (framework, programming language, OS, and so on) easier. Any element in the SDK could contain vulnerabilities that could then be transferred to the developer's code or application.
You are discussing execution and validation security for DOM scripting with the web team. A junior team member wants to know if this relates to client-side or server-side code. What is your response?
The document object model (DOM) is the means by which a script (JavaScript) can change the way a page is rendered. As this change is rendered by the browser, it is client-side code.
You are reviewing access logs on a web server and notice repeated requests for URLs containing the strings %3C and %3E. Is this an event that should be investigated further, and why?
Those strings represent percent encoding for HTML tag delimiters (< and >). This could be an XSS attempt to inject a script so should be investigated.
What feature is essential for managing code iterations within the provisioning and deprovisioning processes?
Version control is an ID system for each iteration of a software product.
What is a persistent XSS attack?
Where the attacker inserts malicious code into the back-end database used to serve content to the trusted site.
What vulnerabilities might default error messages reveal?
A default error message might reveal platform information and the workings of the code to an attacker.
What type of dynamic testing tool would you use to check input validation on a web form?
A fuzzer can be used to submit known unsafe strings and randomized input to test whether they are made safe by input validation or not.
What is the effect of a memory leak?
A process claims memory locations but never releases them, reducing the amount of memory available to other processes. This will damage performance, could prevent other processes from starting, and if left unchecked could crash the OS.
You have been asked to monitor baseline API usage so that a rate limiter value can be set. What is the purpose of this?
A rate limiter will mitigate denial of service (DoS) attacks on the API, where a malicious entity generates millions of spurious requests to block legitimate ones. You need to establish a baseline to ensure continued availability for legitimate users by setting the rate limit at an appropriate level.
Which life cycle process manages continuous release of code to the production environment?
Continuous deployment.
What is secure staging?
Creating secure development environments for the different phases of a software development project (initial development server, test/integration server, staging [user test] server, production server).
Which response header provides protection against SSL stripping attacks?
HTTP Strict Transport Security (HSTS).
What type of programming practice defends against injection-style attacks, such as inserting SQL commands into a database application from a site search form?
Input validation provides some mitigation against this type of input being passed to an application via a user form. Output encoding could provide another layer of protection by checking that the query that the script passes to the database is safe.
You are discussing a security awareness training program for an SME's employees. The business owner asserts that as they do not run Microsoft Office desktop apps, there should be no need to cover document security and risks from embedded macros and scripts. Should you agree and not run this part of the program?
No. While Visual Basic for Applications (VBA) can only be used with Microsoft Office, other types of document can contain embedded scripts, such as JavaScript in PDFs. Other Office suites, such as OpenOffice and LibreOffice, use scripting languages for macros too.
What coding practice provides specific mitigation against XSS?
Output encoding ensures that strings are made safe for the context they are being passed to, such as when a JavaScript variable provides output to render as HTML. Safe means that the string does not contain unauthorized syntax elements, such as script tags.
You are providing security advice and training to a customer's technical team. One asks how they can identify when a buffer overflow occurs. What is your answer?
Real-time detection of a buffer overflow is difficult, and is typically only achieved by security monitoring software (antivirus, endpoint detection and response, or user and entity behavior analytics) or by observing the host closely within a sandbox. An unsuccessful attempt is likely to cause the process to crash with an error message. If the attempt is successful, the process is likely to show anomalous behavior, such as starting another process, opening network connections or writing to AutoRun keys in the registry. These indicators can be recorded using logging and system monitoring tools.
You are improving back-end database security to ensure that requests deriving from front-end web servers are authenticated. What general class of attack is this designed to mitigate?
Server-side request forgery (SSRF) causes a public server to make an arbitrary request to a back-end server. This is made much harder if the threat actor has to defeat an authentication or authorization mechanism between the web server and the database server.
A log shows that a PowerShell IEX process attempted to create a thread in the target image c:\Windows\System32\lsass.exe. What is the aim of this attack?
The Local Security Authority Subsystem Service (LSASS) enforces security policies, including authentication and password changes. Consequently, it holds hashes of user passwords in memory. Attacks on lsass.exe are typically credential dumping to steal those hashes.
Your log shows that the Notepad process on a workstation running as the local administrator account has started an unknown process on an application server running as the SYSTEM account. What type of attack(s) are represented in this intrusion event?
The Notepad process has been compromised, possibly using buffer overflow or a DLL/process injection attack. The threat actor has then performed lateral movement and privilege escalation, gaining higher privileges through remote code execution on the application server.
How does a replay attack work in the context of session hijacking?
The attacker captures some data, such as a cookie, used to log on or start a session legitimately. The attacker then resends the captured data to re-enable the connection.
How does a clickjacking attack work?
The attacker inserts an invisible layer into a trusted web page that can intercept or redirect input without the user realizing.
How might an attacker exploit a web application to perform a shell injection attack?
The attacker needs to find a vulnerable input method, such as a form control or URL or script parser, that will allow the execution of OS shell commands.
You have been asked to investigate a web server for possible intrusion. You identify a script with the following code. What language is the code in and does it seem likely to be malicious? import os, sockets, syslog def r_conn(ip) s=socket.socket(socket.AF_INET,socket.SOCK_DGRAM) s.connect(("logging.trusted.foo",514))
The code is written in Python. It uses various modules with default library code to interact with the OS and network, and also the syslog logging platform. The first lines of code define a function to connect to a host over port 514 (syslog). SOCK_DGRAM is a UDP connection, which is standard for syslog. Most likely the script is for remote logging and unlikely to be malicious, especially if trusted.foo is a known domain.
How does a specially configured compiler inhibit attacks through software diversity?
The compiler can apply obfuscation routines to make the code difficult for a threat actor to reverse engineer and analyze for vulnerabilities.
How might an integer overflow be used as part of a buffer overflow?
The integer value could be used to allocate less memory than a process expects, making a buffer overflow easier to achieve.
Which tools can you use to restrict the use of PowerShell on Windows 10 clients?
There are various group policy-based mechanisms, but for Windows 10, the Windows Defender Application Control (WDAC) framework provides the most powerful toolset for execution control policies.
Other than endpoint protection software, what resource can provide indicators of pass the hash attacks?
These attacks are revealed by use of certain modes of NTLM authentication within the security (audit) log of the source and target hosts. These indicators can be prone to false positives, however, as many services use NTLM authentication legitimately
How can DLL injection be exploited to hide the presence of malware?
Various OS system functions allow one process to manipulate another and force it to load a dynamic link library (DLL). This means that the malware code can be migrated from one process to another, evading detection.
