CS 454 Final

Web browsers

Browsers provide sandboxing capabilities to isolate extensions and plugins.

tools for forensics

CAINE

XSS Mitigations

Convert untrusted input into a sage form, where the input is displayed as data to the user

CONNECT

Converts the request connection to a transparent TCP/IP tunnel

XSS

Cross-Site Scripting

tools for forensics

DEFT

XSS attack type

DOM-based xss

Tools to practice security testing on iOS

Dang vulnerable iOS

DELETE

Deletes the specified resource

XSS Request Forgery Attacks

Different from XSS because they exploit the trust that an application has in a user's browser

DOM

Document Object Model

TRACE

Does a message loopback test along the path to the target resource

Injection-Based Vulnerabilities

Dynamic code injection

rainbow tables

Tables used to derive a password by looking at the hashed value. These precomputed tables are used for reversing cryptographic hash functions. A tool called RainbowCrack can be used to automate the cracking of passwords using rainbow tables.

Static and dynamic binary analysis

This is done using disassemblers and decompilers to translate an app's binary code or bytecode back into a more understandable format. By using these techniques on native binaries, you can obtain assembler code that matches the architecture for which the app was compiled.

port

This is optional portion of the URL designates the port number to which the target web server listens. (The default port number for HTTP servers is 80, but some configurations are set up to use an alternate port number.) In this case, the server is configured to use port 8123.

host

This is the IP address (numeric or DNS-based) for the web server being accessed; it usually follows the colon and two forward slashes. In this case, the host is theartofhacking.org.

path

This is the path from the "root" directory of the server to the desired resource. In this case, you can see that there is a directory called dir. (Keep in mind that, in reality, web servers may use aliasing to point to documents, gateways, and services that are not explicitly accessible from the server's root directory.)

scheme

This is the portion of the URL that designates the underlying protocol to be used (for example, HTTP, FTP); it is followed by a colon and two forward slashes (//). In this example, the scheme is http.

path-segment-params

This is the portion of the URL that includes optional name/value pairs (that is, path segment parameters). A path segment parameter is typically preceded by a semicolon (depending on the programming language used), and it comes immediately after the path information. In this example, the path segment parameter is id=89. Path segment parameters are not commonly used. In addition, it is worth mentioning that these parameters are different from query-string parameters (often referred to as URL parameters).

query-string

This optional portion of the URL contains name/value pairs that represent dynamic parameters associated with the request. These parameters are commonly included in links for tracking and context-setting purposes. They may also be produced from variables in HTML forms. Typically, the query string is preceded by a question mark. Equals signs (=) separate names and values, and ampersands (&) mark the boundaries between name/value pairs. In this example, the query string is name=omar&x=true.

OWASP SeraphimDroid

This privacy and device protection application for Android devices helps users learn about risks and threats coming from other Android applications.

HTTP Protocol

This protocol transaction consists of a single request and response

docker-bench-security

This script, created by Docker, checks for common security best practices when deploying Docker containers in production.

Dev-Sec.io

This tool allows you to automatically apply hardening best practices to different types of servers

CIS Docker Benchmark

This tool provides an automated way to test containers against well-known security best practices.

docker-explorer

This tool was created by Google to help analyze offline Docker file systems. It can be useful when performing forensic analysis of Docker containers.

Hypervisor-based keylogger

This type of keylogger is effective in virtual environments, where the hypervisor could be compromised to capture sensitive information.

Memory-injection-based keylogger

This type of keylogger tampers with the memory tables associated with the browser and other system functions.

XSS Request Forgery Attacks

Typically affect applications or sites that rely on a user's identity

Injection-Based Vulnerabilities

Uncontrollable format string

PUT

Uploads a representation of the specified URI

XSS Mitigations

Use CSS escape and strictly validate before inserting untrusted data into HTML-style properly values

XSS Mitigations

Use X-XSS-Protection response header

Clickjacking Mitigation

Use defensive code in the application to make sure the current frame is the top-level window

XSS Mitigations

Use the HTTPOnly cookie flag

XSS Mitigations

User URL escape before inserting untrusted data into HTML URL parameter values

Authenticated Session

Uses a session ID (token), a name/value pair

clickjacking

Using multiple transparent or opaque layers to induce a user into clicking on a web button or link on a page that he or she was not intending to navigate or click. Clickjacking attacks are often referred to as UI redress attacks. User keystrokes can also be hijacked by using clickjacking techniques. It is possible to launch a clickjacking attack by using a combination of CSS stylesheets, iframes, and text boxes to fool a user into entering information or clicking on links in an invisible frame that could be rendered from a site the attacker created.

common tools for persistence

VNC

Virtual machines

Virtual machines can be used to restrict a guest operating system to run sandboxed so that the applications do not run natively on the host system and can only access host resources through the hypervisor.

lock bypass

a technique used in lock picking to get past a lock. locks may be bypassed in many ways, including by using simple loiding attempts (using a "credit card" or similar items against self-closing "latch" locks) and bypassing padlocks by shimming

PsExec

a utility used for executing processes on a windows system

reverse shell

a vulnerability in which an attacking system has a listener (port open), and the victim initiates a connection back to the attacking system

Clickjacking

also called UI redress attacks

Web Application Description Language (WADL) documents

an XML-based language for describing web applications

Web Services Description Language (WSDL) documents

an XML-based language that is used to document the functionality of a web service

fasle positive

an alert that incorrectly indicated that a vulnerability is present

false negative

an instance in which a security tool intended to detect a particular threat fails to do so

group policy object (gpo)

an item inside active directory that contains settings for user accounts, client computer settings, or settings for configuring policies on servers. typically, the goal is to configure gpos in such a way that they cannot be overridden by users

tools and frameworks to test android-based systems and apps

androick

HPP

attacker can append the same parameter to the GET or POST data but with a different value

Exploiting insecure direct object vulnerabilities

attacker can bypass authorization and access

bind shell

attacker connects to victim on listening port

Cookie Manipulation

attacker writes controllable data into the value of a cookie

Metasploit

auxiliary

CVSS environmental metric group

availability requirement

bash shell

available for linux, MacOS X, and even windows

common physical security attack

badge cloning

tampering techniques for mobile apps

binary patching ("modding")

Types of SQL Injection Attacks

blind (or inferential) sql injection

tools for vulnerability scanning

burp suite

tools for software assurance

buzzers and fuzz testing

tools for credential attacks

cain and abel

python

can be sued to automate receptive tasks and create applications

HPP

can happen if multiple http parameters have the same name

Exploiting insecure direct object vulnerabilities

can happen when web apps allow direct access to objects based on user input

tools for passive reconnaissance

censys

tools for credential attacks

cewl

post-engagement activities

clean any information added to databases

post-engagement activities

clean up any files left from successful or unsuccessful exploitation attempts

OWASP top mobile security risk

client code quality

HTTP status code 400-499

client errors

tampering techniques for mobile apps

code injection

iOS security core feature

code signing

OWASP top mobile security risk

code tampering

physical device security attack

cold boot attack

bash shell

command shell and language interpreter

Sysinternals and PSExec

command-line suite of tools to control windows-based computers from a remote terminal (run, kill, and stop services)

actions you can take on a compromised system

conducting dns and directory services enumeration

CVSS environmental metric group

confidentiality requirement

use cases for penetration testing tools

configuration compliance

actions you can take on a compromised system

configuring port forwarding

do not require their own OS

containers

META-INF

contains the metadata of manifest.mf, cert.rsa, and cert.sf

Local file inclusion

could allow an attacker to read and execute files on the victim's system

way to maintain persistence of a compromised system

creating additional back doors

way to maintain persistence of a compromised system

creating and manipulating scheduled jobs and tasks

way to maintain persistence of a compromised system

creating custom daemons and processes

way to maintain persistence of a compromised system

creating new users

way to maintain persistence of a compromised system

creating reverse and bind shells

actions you can take on a compromised system

creating ssh tunnels or proxies to communicate to the internal network

use cases for penetration testing tools

credential attacks

Exploiting Application Vulnerabilities

credential brute forcing

container example

cri-o

Local file inclusion

critical if a web app is running with high privileges or as root

use cases for penetration testing tools

debugging

tampering techniques for mobile apps

debugging and tracing

use cases for penetration testing tools

decompilation

covering your tracks and cleaning up

delete all files, executable binaries, scripts, and temp files from compromised systems

covering your tracks and cleaning up

delete all user accounts used during the test

tools for passive reconnaissance

dig

covering your tracks and cleaning up

do this after creating and delivering the report to the client

container example

docker

common physical security attack

dumpster diving

software assurance

dynamic application security testing (DAST)

decompilation, disassembling, and debugging tools

edb debugger

common physical security attack

egress sensors

bash shell

enables you to create scripts, parse data, and automate tasks

common tools for evasion

encapsulation and tunneling using DNS and protocols such as NTP

Metasploit

encoders

common tools for evasion

encryption

iOS security core feature

encryption and data protection

tools for active reconnaissance

enum4linux

use cases for penetration testing tools

enumeration

use cases for penetration testing tools

evasion

EXIF

exchangeable image file format information from graphic files, as well as the information discovered through the URL of a scanned website

actions you can take on a compromised system

executing additional exploits

tools for passive reconnaissance

exiftool

CVSS temporal metric group

exploit code maturity

CVSS base metric group

exploitability metrics

Exploiting Application Vulnerabilities

exploiting kerberos vulnerabilities

Metasploit

exploits

OWASP top mobile security risk

extraneous functionality

common physical security attack

fence jumping

tools for software assurance

findbugs, findsecbugs, and sonarqube

tools for passive reconnaissance

foca

use cases for penetration testing tools

forensics

Software assurance

fuzzing

iOS security core feature

general exploit mitigations

remote access protocols

gives you a full, interactive GUI of the compromised computer

lateral movement (pivoting)

goal is to move form one device to another to avoid detection, steal sensitive data, and maintain access

iOS security core feature

hardware security

tools for credential attacks

hashcat

post-engagement activities

have the client or system owner validate that your clean up is sufficient

Simple Object Access Protocol (SOAP)

his standards-based web services access protocol was originally developed by Microsoft and has been used by numerous legacy applications for many years. SOAP exclusively uses XML to provide API services. XML-based specifications are governed by XML Schema Definition (XSD) documents. SOAP was originally created to replace older solutions such as the Distributed Component Object Model (DCOM) and Common Object Request Broker Architecture (CORBA).

tools for passive reconnaissance

host

tools for credential attacks

hydra

Tools to practice security testing on iOS

iGoat

Tools to practice security testing on iOS

iMAS

decompilation, disassembling, and debugging tools

ida

decompilation, disassembling, and debugging tools

immunity debugger

CVSS base metric group

impact metrics

OWASP top mobile security risk

improper platform usage

Online brute-force attacks

in this type of attack, the attacker actively tries to log in to the application directly by using many different combinations of credentials

offline brute-force attack

in this type of attack, the attacker can gain access to encrypted data or hashed passwords

HTTP Staus code 100-199

informational

OWASP top mobile security risk

insecure authentication

OWASP top mobile security risk

insecure authorization

OWASP top mobile security risk

insecure communication

OWASP top mobile security risk

insecure data storage

OWASP top mobile security risk

insufficient cryptography

CVSS environmental metric group

integrity requirement

Clickjacking

involves using multiple.e transparent or opaque layers to induce a user into clicking a button or link that was not intended

time delay

it is possible to use database commands to delay answers. an attacker may use this technique when he or she doesn't get any output or error messages from the application

Clickjacking

keystrokes can also be hijacked using clickjacking techniques

actions you can take on a compromised system

launching brute-force attacks

container example

linux containers (lxc)

common physical security attack

lock picking

Stored (persistent) XSS Attack

malicious code or script is permanently stored on a vulnerable or malicious server using a database

Reflected XSS Attack

malicious code or scripts are injected using any method that yields a response as part of a valid HTTP request

tools for passive reconnaissance

maltego

Directory traversal vulnerabilities

manipulate variables that reference files with dot-dot-slash (../) sequences and its variations

tools for credential attacks

medusa

exploitation frameworks

metasploit

creating reverse and bind shells

meterpreter module in metasploit

tools for credential attacks

mimikatz

Tools to practice security testing on iOS

mobisec live environment mobile testing framework

Command Injection

modern app frameworks have better defenses against theses attacks

CVSS environmental metric group

modified base metrics

tools for software assurance

mutiny fuzzing framework

tools for credential attacks

ncrack

creating reverse and bind shells

netcat

XSS Mitigations

never insert untrusted data except in allowed locations

tools for vulnerability scanning

nexpose

tools for vulnerability scanning

nikto

tools for active reconnaissance

nmap

Metasploit

nops

tools and frameworks to test android-based systems and apps

nowsecure app testing

tools for passive reconnaissance

nslookup

decompilation, disassembling, and debugging tools

objdump

Local file inclusion

occurs when a web app allows a user to submit input into files or upload files to the server

metasploit

one of the most popular exploitation frameworks

tools for vulnerability scanning

openVAS

container example

openVz

Types of SQL Injection Attacks

out-of-band sql injection

tools for vulnerability scanning

owasp zed attack proxy (ZAP)

tools for credential attacks

patator

Metasploit

payloads

tools for software assurance

peach

actions you can take on a compromised system

performing arp scans and pin sweeps

use cases for penetration testing tools

persistence

common physical security attack

piggybacking/tailgating

Metasploit

post (for post-exploitation)

windows legitimate utilities

powershell

common tools for persistence

powershell/powersploit

ruby

programming language used in many web and other types of applications

Dang Vulnerable iOS

provides an iOS application to practice mobile attacks and security defenses

PCI Data Security Standard

provides reporting guidelines that are useful for structuring your report

HTTP proxies

proxies that make requests to web servers on behalf of other clients. they enable HTTP transfers across firewalls and can also provide support for caching of HTTP messages. proxies can also perform other roles in complex environments, including network address translation (NAT) and filtering of HTTP requests

common tools for evasion

proxy chains

session fixation attack

the attacker is able to intercept and manipulate the web traffic to inject (or fix) the session ID on the victim's web browser

executive summary

the section of a penetration testing report that provides enough information for anyone reading the report to get a clear idea of the results

tools for passive reconnaissance

theharvester

cat, cd, pwd, ls

these same as the commands found in linux or unix-based systems

Code injection

this allows you to explore and modify processes at runtime

CERT.SF

this file lists resources and the hash of the corresponding lines in the MANIFEST.MF file

MANIFEST.MF

this file stores hashes of the app resources

CERT.RSA

this file stores the app's certificate(s)

clair

this is an open source static analysis for Docker containers from Core-OS

out-of-band technique

this is typically used to obtain records from the database by using a different channel. for example, it is possible to make an HTTP connection to send the results to a different web server or a local machine running a web service

union operator

this is typically used when a sql injection vulnerability allows a select statement to combine two queries into a single result or a set of results

error-based technique

this is used to force the database to generate an error in order to enhance and refine an attack (injection)

boolean

this is used to verify whether certain conditions are true or false

notary

this open source project includes a server and a client for running and interacting with trusted containers

common tools for evasion

tor

actions you can take on a compromised system

uploading additional tools

XSS Mitigations

use HTML escape before inserting untrusted data into HTML element content or HTML common attributes

XSS Mitigations

use JavaScript escape before inserting untrusted data into JavaScript data values

Directory traversal vulnerabilities

use absolute file paths to access files on the vulnerable system

XSS Mitigations

use an auto-escaping template system

clearev

used to clear the application, system, and security logs on a windows-based system

remote access protocols

used to communicate with a compromised system

SQL: CREATE DATABSE

used to create a new database

SQL: CREATE TABLE

used to create a new table

SQL: CREATE INDEX

used to create an index or a search key element

SQL: DROP TABLE

used to delete a table

SQL: DROP INDEX

used to delete and index

SQL: DELETE

used to delete data from a database

ps

used to display a list of running processes on the victim system

webcam_list

used to display all webcams on the victim system

lpwd and lcd

used to display and change the local directory (on the attacking system)

ipconfig

used to display the network interface configuration and IP addresses of the victim system

idletime

used to display the number of seconds that the suer at the victim system has been idle

getuid

used to display the user logged in on the compromised system

download

used to download a file form a victim system

hashdump

used to dump the contents of the SAM database in a windows system

resource

used to execute Meterpreter commands listed inside a text file, which can help accelerate the actions taken on the victim system

shell

used to go into a standard shell on the victim system

SQL: INSERT INTO

used to insert new data into a database

search

used to locate files on the victim system

migrate

used to migrate to a different process on the victim system

SQL: ALTER DATABASE

used to modify a database

SQL: SELECT

used to obtain data from a database

edit

used to open and edit a file on a victim system using the vim linux environment

execute

used to run commands on the victim system

webcam_snap

used to take a snapshot using a webcam of the victim system

SQL: UPDATE

used to update data in a database

upload

used to upload a file to the victim system

Clickjacking

uses a combination of CSS stylesheets, frames, and text boxes

actions you can take on a compromised system

using local system tools

actions you can take on a compromised system

using management profiles and compromised credentials to perform additional enumeration and system manipulation

actions you can take on a compromised system

using vpn to access the internal network

common tools for evasion

veil

DOM-based XSS Attack

victim clicks on a malicious URL link, loading a site that has a vulnerable DOM route handler; payload executes the attack in the user's context on that site

reverse shell

victim connects to attacker on listening port

remote access protocol example

vnc

use cases for penetration testing tools

vulnerability scanning

Cookie Manipulaiton

vulnerable applications store user input and then embed that input in a response within a part of the DOM

tools for credential attacks

w3af

tools for vulnerability scanning

w3af

tools for passive reconnaissance

whois

decompilation, disassembling, and debugging tools

windows debugger

windows legitimate utilities

windows management instrumentation (Wmi)

common tools for persistence

x server forwarding

remote access protocol example

x server forwarding

tools for active reconnaissance

zenmap

Cookie Manipulaiton

This input is later processed in an unsafe manner by a client-side script

Binary patching ("modding")

This involves changing the compiled app in binary executables or tampering with resources. Modern mobile operating systems such as iOS and Android enforce code signing to mitigate binary tampering.

aqua security

This is a commercial tool for securing container-based applications.

NowSecure App Testing

This is a mobile app security testing suite for Android and iOS mobile devices.

bane

This is an AppArmor profile generator for Docker containers.

dagda

This is another tool for performing static analysis of known vulnerabilities.

Exploiting Application Vulnerabilities

taking advantage of default credentials in use

decompilation, disassembling, and debugging tools

the GNU project debugger (GDP)

Ret2libc

A "return-to-libc" attack, which is an attack that typically starts with a buffer overflow. In this type of attack, a subroutine return address on a call stack is replaced by an address of a subroutine that is already present in the executable memory of the process. This is done to potentially bypass the not-execute (NX) bit Linux feature and allow the attacker to inject his or her own code.

CPassword

A component of Active Directory's Group Policy Preferences that was used to allow administrators to set passwords via Group Policy. If administrators used CPassword to perform common tasks (such as changing the local administrator account), any user with basic read rights to the SYSVOL directory could obtain the authentication key and crack it by using tools such as John the Ripper and Hashcat.

need-to-know

A determination that a prospective recipient requires access to specific classified information in order to perform or assist in a lawful and authorized function. This determination helps manage the dissemination of information.

PCI DSS Penetration Testing Guide

A great reference for all aspects of the penetration testing process. This document covers topics such as penetration testing components, qualifications of a penetration tester, penetration testing methodologies, and penetration testing reporting guidelines.

dreads framework

A handy tool that can ingest the results from many penetration testing tools and allows a penetration tester to compile and output reports in formats such as CSV, HTML, and PDF. It is very flexible because it allows a tester to use existing add-ons or create new ones.

Kernel-based keylogger

A program on the machine obtains root access to hide itself in the operating system and intercepts keystrokes that pass through the kernel. This method is difficult both to write and to combat. Such keyloggers reside at the kernel level, which makes them difficult to detect, especially for user-mode applications that don't have root access. They are frequently implemented as rootkits that subvert the operating system kernel to gain unauthorized access to the hardware. This makes them very powerful. A keylogger using this method can act as a keyboard device driver, for example, and thus gain access to any information typed on the keyboard as it goes to the operating system.

penetration testing report

A report that follows a disciplined and structured approach for documenting the findings of the assessor and the recommendations for correcting any identified vulnerabilities in the security controls.

Shodan

A search engine for devices connected to the Internet that continuously scans the Internet and exposes its results to users via the website Shodan and also via an API. Attackers can use this tool to identify vulnerable and exposed systems on the Internet (such as misconfigured IoT devices, infrastructure devices, and so on). Penetration testers can use this tool to gather information about potentially vulnerable systems exposed to the Internet without actively scanning the victim.

web session

A sequence of HTTP request and response transactions between a web client and a server, including pre-authentication tasks, the authentication process, session management, access control, and session finalization. Numerous web applications keep track of information about each user for the duration of the web transactions. Several web applications have the ability to establish variables such as access rights and localization settings; these variables apply to each and every interaction a user has with the web application for the duration of the session.

Session

A sequence of HTTP requests and response transactions between a web client and a server

tailgating

A situation in which an unauthorized individual follows an authorized individual to enter a restricted building or facility.

CVSS

A standard created by security practitioners in the Forum of Incident Response and Security Teams (FIRST) that is used to identify the principal characteristics of a vulnerability and rate the vulnerability using a numeric score that reflects its severity.

sysinternals

A suite of tools that allows administrators to control Windows-based computers from a remote terminal. It is possible to use Sysinternals to upload, execute, and interact with executables on compromised hosts. The entire suite works from a command-line interface and can be scripted to run commands that can reveal information about running processes and to kill or stop services.

keylogger

A tool that an attacker uses to capture keystrokes of users in a system in order to steal sensitive data (including credentials). There are two main types of keyloggers: keylogging hardware devices and keylogging software. A hardware (physical) keylogger is usually a small device that can be placed between a user's keyboard and the main system. Software keyloggers are dedicated programs designed to track and log user keystrokes.

blind (or inferential) SQL injection

A type of attack in which the attacker does not make the application display or transfer any data but instead reconstructs the information by sending specific statements and discerning the behavior of the application and database.

in-band sql injection

A type of attack in which the attacker obtains data by using the same channel that is used to inject SQL code. This is the most basic form of an SQL injection attack, in which the data is dumped directly in a web application (web page).

out-of-band sql injection

A type of attack in which the attacker retrieves data using a different channel. For example, an email, a text, or an instant message could be sent to the attacker with the results of the query, or the attacker might be able to send the compromised data to another system.

cross-site request forgery (CSRF or XSRF)

A type of attack that involves unauthorized commands being transmitted from a user who is trusted by the application. CSRF is different from XSS in that it exploits the trust that an application has in a user's browser. CSRF vulnerabilities are also referred to as "one-click attacks" or "session riding." CSRF attacks typically affect applications (or websites) that rely on a user's identity. An attacker may trick a user's browser into sending HTTP requests to a target website. For example, a user who is authenticated by an application based on a cookie saved in the browser might unwittingly send an HTTP request to a site that trusts the user, subsequently triggering an unwanted action.

command and control (c2)

A type of system that attackers use to send commands and instructions to compromised systems. A C2 can be an attacker's system (desktop, laptop, and so on) or a dedicated virtual or physical server. Attackers often use virtual machines in a cloud service or even other compromised systems. Even services such as Twitter, Dropbox, and Photobucket have been used for C2 tasks. C2 communication can be as simple as maintaining a timed beacon, or "heartbeat," to launch additional attacks or for data exfiltration.

Reflected XSS Attack example

A user being persuaded to follow a malicious link to a vulnerable server that injects (reflects) the malicious code back to the user's browser, causing it to execute the code or script

shell

A utility (software) that acts as an interface between a user and the operating system (the kernel and its services). For example, in Linux there are several shell environments, such as bash, ksh, and tcsh. In Windows, the shell is the command prompt (command-line interface), which is invoked by cmd.exe as well as PowerShell.

cross-site scripting (XSS)

A very common web application vulnerability that can lead to installation or execution of malicious code, account compromise, session cookie hijacking, revelation or modification of local files, or site redirection. There are three major types of XSS: reflected XSS, stored (persistent), and DOM-based XSS.

XSS Mitigations

Prevent DOM-based by following OWASP's recommendations

race condition

A vulnerability in which a system or an application attempts to perform two or more operations at the same time but, due to the nature of such system or application, the operations must be done in the proper sequence in order to be done correctly. When an attacker exploits such a vulnerability, he or she has a small window of time between when a security control takes effect and when the attack is performed. Race condition attacks are very difficult to perform. Race conditions are also referred to as time of check to time of use (TOCTOU) attacks. An example of a race condition is a security management system pushing a configuration to a security device (such as a firewall or an intrusion prevention system) and then rebuilding access control lists and rules from the system.

html injection

A vulnerability that occurs when an unauthorized user is able to control an input point and inject arbitrary HTML code into a web application. Successful exploitation could lead to disclosure of a user's session cookies, which could be used to impersonate a victim or to allow the attacker to modify the web page or the application content seen by victims.

tools for forensics

AIDA

Writable services

Administrators often configure Windows services that run with SYSTEM privileges. This could lead to a security problem because an attacker may obtain permissions over the service or over the folder where the binary of the service is stored (or both). Services configured this way are also often found in third-party software (TPS) and may be used for privilege escalation.

tools for software assurance

American fuzzy lop

credentials brute-force attack

An attack in which the attacker attempts to log in to an application or a system by trying different usernames and passwords.

command injection

An attack in which the attacker tries to execute commands that he or she is not supposed to be able to execute on a system via a vulnerable application. Command injection attacks are possible when an application does not validate data supplied by the user (for example, data entered in web forms, cookies, HTTP headers, and other elements). The vulnerable system passes that data into a system shell. This type of attack involves trying to send operating system commands so that the application can execute them with the privileges of the vulnerable application.

Nikto

An open source, freely available web server scanner that can test for various issues, such as outdated server software, dangerous methods, and many other vulnerabilities typically found in web servers.

anchore

Anchore is used to analyze container images for the presence of known security vulnerabilities and against custom security policies. It has both open source and commercial versions.

common tools for persistence

Apple Remote Desktop

remote access protocol example

Apple Remote Desktop

Command Injection

Attacker tries to execute operating system commands via a vulnerable application

HEAD

Basically the same as GET but returns only HTTP headers and no document body

exploitation frameworks

BeEF

tools for vulnerability scanning

Qualys

GraphQL

GraphQL is a query language for APIs that provides many developer tools. GraphQL is now used for many mobile applications and online dashboards. Many different languages support GraphQL. You can learn more about GraphQL at link.

Injection-Based Vulnerabilities

HTML script injection

HTML5

HTML5 has a sandbox attribute for use with iframes.

HPP

HTTP parameter pollution

HTTP status code 300-399

HTTP redirects

Unquoted service paths

If an executable (application binary) is enclosed in quotation marks (""), Windows knows where to find it. On the contrary, if the path where the application binary is located doesn't contain any quotation marks, Windows will try to locate it and execute it inside every folder of this path until it finds the executable file. An attacker can abuse this functionality to try to elevate privileges if the service is running under SYSTEM privileges. A service is vulnerable if the path to the executable has a space in the filename and the filename is not wrapped in quotation marks; exploitation requires write permissions to the path before the quotation mark.

XSS Mitigations

Implement content security policy

sandbox

In cybersecurity, a means of isolating running applications to minimize the risk of software vulnerabilities spreading from one application to another. Sandboxes are also used to run untested or untrusted software from unverified or untrusted third parties, suppliers, users, or websites. For example, sandboxes are used in order to test malware without allowing the software to compromise the host system. In web development, a sandbox is a mirrored production environment that developers use to create an application before migrating it to a production environment. Companies like Amazon, Google, and Microsoft, among others, provide sandboxing services.

Types of SQL Injection Attacks

In-band sql injection

Debugging and tracing

It is possible to identify and isolate problems in a program as part of the software development life cycle. The same tools used for debugging are valuable to reverse engineers even when identifying bugs is not their primary goal. Debuggers enable program suspension at any point during runtime, inspection of the process's internal state, and even register and memory modification.

physical device security attack

JTAG debugging, reconnaissance, and tampering

tools for credential attacks

John the ripper

Web form-grabbing keylogger

Keyloggers can steal data from web form submissions by recording the web browsing on submit events.

LFI

Local file inclusion

JavaScript-based keylogger

Malicious JavaScript tags can be injected into a web application and then capture key events (for example, the onKeyUp() JavaScript function).

common tools for persistence

Microsoft's Remote Desktop protocol (RDP)

remote access protocol example

Microsoft's Remote Desktop protocol (rdp)

tools for vulnerability scanning

Nessus

tools and frameworks to test android-based systems and apps

OWASP seraphimdroid

Injection-Based Vulnerabilities

Object injection

XSS Request Forgery Attacks

Occur when unauthorized commands are transmitted from a user that the application trusts

HTML Injection

Occurs when an unauthorized users controls an input point and injects arbitrary HTML code into a web application

Microsoft Office

Office has a sandbox mode to prevent unsafe macros from harming the system.

decompilation, disassembling, and debugging tools

OllyDbg

Oscap-docker

OpenSCAP (created by RedHat) includes the oscap-docker tool, which is used to scan Docker containers and images

tools for forensics

PALADIN

Command Injection

Possible when an app does not validate data supplied by the user

Injection-Based Vulnerabilities

Remote file inclusion

RFI

Remote file inclusion

HTTP Protocol

Request/response model

GET

Retrieves information from the server

OPTIONS

Returns the HTTP methods that the server supports

tools for forensics

SIFT Workstation

Injection-Based Vulnerabilities

SQL Injection

XSS Mitigations

Sanitize HTML markup with a library such as ESAPI

tools for forensics

Security Onion

Sandboxing on native hosts

Security researchers may use sandboxing to analyze malware behavior. Even commercial solutions such as Cisco's ThreatGrid use sandbox environments that mimic or replicate the victim system to evaluate how malware infects and compromises such a system.

POST

Sends data to the server (typically using HTML forms, API requests, and so on)

HTTP Protocol

Server maintains the state of the interaction throughout the session

Injection-Based Vulnerabilities

Shell injection

HTTP Protocol

Simple, stateless application-level protocol in the TCP/IP protocol suite

tools for forensics

Skadi

windows management instrumentation (Wmi)

The infrastructure used to manage data and operations on Windows operating systems. It is possible to write WMI scripts or applications to automate administrative tasks on remote computers. WMI also provides functionality for data management to other parts of the operating system, including the System Center Operations Manager and the Windows Remote Management (WinRM). Threat actors use WMI to perform different activities in a compromised system.

Java virtual machines

These VMs include a sandbox to restrict the actions of untrusted code, such as a Java applet.

Secure Computing Mode (seccomp) and seccomp-bpf (seccomp extension)

These are sandboxes built in the Linux kernel to only allow the write(), read(), exit(), and sigreturn() system calls.

Representational State Transfer (REST)

This API standard is easier to use than SOAP. It uses JSON instead of XML, and it uses standards such as Swagger and the OpenAPI Specification for ease of documentation and to encourage adoption.

androick

This collaborative research project allows any user to analyze an Android application.

assets

This directory contains app assets (files used within the Android app, such as XML files, JavaScript files, and pictures), which the AssetManager can retrieve.

classes.dex

This directory contains classes compiled in the DEX file format that the Dalvik virtual machine/Android runtime can process. DEX is Java bytecode for the Dalvik virtual machine, and it is optimized for small devices.

lib

This directory contains native compiled libraries that are part of the APK, such as the third-party libraries that are not part of the Android SDK.

res

This directory contains resources that haven't been compiled into resources.arsc.

resources.arsc

This file contains precompiled resources, such as XML files for layout.

AndroidManifest.xml

This file contains the definition of the app's package name, target, and minimum API version, app configuration, components, and user-granted permissions.

.NET Common Language Runtime

This implementation enforces restrictions on untrusted code.

A jail

This implementation is commonly used in mobile devices where there is restricted filesystem namespace and rule-based execution to not allow untrusted applications to run in the system. This is where the term jail-braking comes in. Users may "jail-break" their phones to be able to install games and other applications. With a jail-broken phone, an attacker can more easily impersonate applications and deliver malware to the user because a jail-broken device does not have the security controls in place to prevent malware from running on the system.

Rule-based execution in SELinux and AppArmor security frameworks

This implementation restricts control over what processes are started, spawned by other applications, or allowed to inject code into the system. These implementations can control what programs can read and write to the file system.

Adobe Reader

This implementation runs PDF files in a sandbox to prevent them from escaping the PDF viewer and tampering with the rest of the computer.

Software fault isolation (SFI)

This implementation uses sandboxing methods in all store, read, and jump assembly instructions to isolated segments of memory.

Insecure Direct Object Reference

Vulnerabilities that are exploited when web applications allow direct access to objects based on user input. Successful exploitation could allow attackers to bypass authorization and access resources that should be protected by the system (for example, database records, system files). This type of vulnerability occurs when an application does not sanitize user input and does not perform appropriate authorization checks.

HTTP parameter pollution (HPP)

Vulnerabilities that are introduced when multiple HTTP parameters have the same name. HPP may cause an application to interpret values incorrectly. It is possible to take advantage of HPP vulnerabilities to bypass input validation, trigger application errors, or modify internal variables values.

sql injection (sqli)

Vulnerabilities that can be catastrophic because they can allow an attacker to view, insert, delete, or modify records in a database. In an SQL injection attack, the attacker inserts, or "injects," partial or complete SQL queries via a web application. SQL commands are injected into data-plane input in order to execute predefined SQL commands.

API-based keylogger

With this type of keylogger, compromising APIs reside inside a running application. Different types of malware have taken advantage of Windows APIs, such as GetAsyncKeyState() and GetForeground Window(), to perform keylogging activities.

socat

a C2 utility that can be used to create multiple reverse shells

dropbox c2

a c2 utility that uses dropbox

twittor

a c2 utility that uses twitter direct messages for command and control

powersploit

a collection of powershell modules that can be used for post exploitation and other phases of an assessment

PowerSploit

a collection of powershell modules that can be used for post-exploitation

dnscat2

a dns-based c2 utility that supports encryption and that has been used by malware, threat actors, and pen testers

JTAG

a hardware access interface that allows a penetration tester to perform debugging of hardware implementations. debuggers can use JTAG access registers, memory contents, and interrupts, and they can even pause or redirect software instruction flows

Swagger (OpenAPI)

a modern framework of API documentation and development that is the basis of the OpenAPI Specification (OAS)

meterpreter

a post-exploitation module that is part of the Metasploit framework

wmimplant

a powershell based tool that leverages wmi to create a c2 channel

rainbow table

a precomputed table for reversing cryptographic hash functions and for cracking password hashes

dumpster diving

a process in which an unauthorized individual searches for and attempts to collect sensitive information form the trash

trevorc2

a python base c2 utility created by Dave Kennedy of trustedsec

wsc2

a python based c2 utility that uses web sockets

methodology

a section of a penetration testing report that provides details about the process followed. this section provides the details of the methodology that the tester followed and any modification made throughout the process

Subresource Integrity (SRI)

a security feature that allows you to provide a hash of a file fetch by a web browser (client)

Kerberoast

a set of tools for attacking Microsoft kerberos implementations

bind shell

a situation in which an attacker opens a port or a listener on a compromised system and waits for a connection. this is done in order to connect to the victim from any system and execute commands and further manipulate the victim

piggybacking

a situation in which an unauthorized individual follows an authorized individual to enter a restricted building or facility

fence jumping

a situation in which an unauthorized individual jumps a fence or a gate to enter a restricted building or facility

lock picking

the act of manipulating or tampering with a lock to enter a building or obtain access to something else that is protected by a lock

tools for passive reconnaissance

recon-ng

use cases for penetration testing tools

reconnaissance

Exploiting Application Vulnerabilities

redirect attacks

XSS attack type

reflected xss

CVSS temporal metric group

remediation level

covering your tracks and cleaning up

remove all backdoors, daemons, services, and rootkits

covering your tracks and cleaning up

remove all custom data form your systems, including attacking systems and support systems

post-engagement activities

remove any malicious scripts

post-engagement activities

remove any user accounts created

CVSS temporal metric group

report confidence

covering your tracks and cleaning up

return any modified systems and their configurations to the original values

OWASP top mobile security risk

reverse engineering

container example

rocket (rkt)

iOS security core feature

sandbox

iOS security core feature

secure boot

Clickjacking Mitigation

send the proper content security policy (CSP) frame ancestors directive response headers to instruct the browser not to allow framing from other domains

physical device security attack

serial console debugging, reconnaissance, and tampering

HTTP status code 500-599

server errors

Exploiting Application Vulnerabilities

session hijacking

tools for passive reconnaissance

shodan

Stored (persistent) XSS Attack

signing an online guestbook with malicious code

containers

similar in some ways to virtual machines

Remote file inclusion

similar to LFI but instead of accessing a file on the victim, the attacker executes code hosted on the attacking system

use cases for penetration testing tools

software assurance

SFI

software fault isolation

tools for vulnerability scanning

sparta

tools for vulnerability scanning

sqlmap

tampering techniques for mobile apps

static and dynamic binary analysis

software assurance

static application security testing (SAST)

XSS attack type

stored (persistent) xss

HTTP status code 200-299

succesful transactions

windows legitimate utilities

sysinterals and psexec