CASP+ Ch 8
Popular tools for 'Session Hijacking'
- Burp Suite - OWASP ZAP - sslstrip
Common 'Input' Attacks
EXAMPLES > Injection attacks (XSS, SQL, or command) > Canonicalization attacks > Arithmetic attacks > Buffer overflow attacks - 'Input validation' offers an application a way to mitigate these forms of attacks. - One key principle is to consider all 'input' to be malicious until it has been cleaned or proven otherwise.
Secure by 'Design'
Involves ensuring that the application 'has considered the threat environment' it will be operating within and that it appropriately 'uses available technology' to achieve security.
Open ports
Ports that are necessary to keep open: - (80, 443) for web servers - (25, 110, 143) for web servers, etc.
Time of Use
'Using a shared resource without locking the resource from other activities' can create issues if multiple threads attempt 'simultaneous use' that is precluded by the resource type.
Race Condition
- ***A 'software flaw' that arises from different threads or processes having a dependence on an object or source that affects another thread or process. EXAMPLE: > One thread depends on a value (A) from another function that is actively being changed by a separate process. > The first process cannot complete its work until the second process changes the value of A. If the second function is waiting for the first function to finish, a lock is created by the two processes and their 'interdependence'. > These conditions can be difficult to predict and find.
Asynchronous JavaScript and XML (AJAX)
- ***a common programming methodology used to improve the end-user experience in web applications. - can add complexity in applications - can increase the workload on the client machine - a combination of the following technologies, and security issues associated with any of these can manifest themselves in an AJAX environment: > HTML or XHTML with CSS for presentation > DOM for dynamic presentation and interaction with data > JSON or XML for data exchange > XSLT for data manipulation > XMLHttpRequest (XHR) object for asynchronous communication > JavaScript to unite technologies together
Fuzzing
- A 'software testing methodology' used to 'detect input validation errors'. - Fuzzing is the mechanism that has found the majority of OS bugs. - Using a variable string length, followed by a payload, allows the tester to find exploitable buffer overflows. Specific sets of numbers can test for numerical overflows.
Resource Exhaustion
- A form of denial of service (DoS), where a required resource to perform some specific action is not available at the time of need. - 'Shared resources' are particularly vulnerable to this form of attack. - A 'SYN flood attack' is a resource-exhaustion attack. In a SYN flood, the multitude of SYN packets consume the system resources used to open connections. - Many times, resource-exhaustion vulnerabilities stem from 'design issues', where protocols or architecture did not consider the handling of excessive demand and the resultant effects. This makes corrective action for these examples more difficult because the solution must be created out of band. - A common programming error involves 'nested loops that consistently use some form of resource without releasing previous use'. - 'Memory leaks' are an example of this form of resource exhaustion. - The 'end result' of most resource-exhaustion attacks is a 'denial of service' associated with the service being provided by the function under attack.
Application Sandboxing
- A mechanism to constrain an application into a confined area during execution. - There are a variety of methods to implement sandboxing, from virtual machines (which sandbox a whole machine) to application-specific sandboxing (ex, JavaScript in a browser). NOTE: Although virtual machines are commonly used, recent advances in virtualization have introduced OS virtualization--or containerization--into many OSs, including Windows 10 and Windows Server 2016. - Containers provide application isolation benefits without requiring nearly as many resources as virtual machines.
Third-Party Libraries
- A method of 'reducing development time' and 'improving code quality and security' - Standard libraries with vetted calls to handle complex functions exist and should be employed as part of a secure development process. - There are numerous vetted and secure libraries for use in applications, including the following: > MS Web Protection Library (runtime protection from XSS and SQL injection) > OWASP Enterprise Security API input data validation and output encoding functions > OWASP AntiSamy > OWASP CSRFGuard
TCP Segment Hijacking or TCP Session Hijacking
- A method of taking over a Web user session by surreptitiously obtaining the session ID and masquerading as the authorized user. - Once the user's session ID has been accessed (through session prediction), the attacker can masquerade as that user and do anything the user is authorized to do on the network. - NETWORK-LEVEL HIJACKING
Fault Injection
- A related testing methodology (to fuzzing) - A technique for enhancing the testing quality by involving the intentional faults in the software. - Fault injection is often in stress testing and it is considered as an important part of developing robust software. - The specific injection of faults into code, which can be done with 'inline code' for testing, to verify correct handling of specific fault conditions. - When inline code is used for testing, the code is removed before compiling for production, but this extra step is still an important and useful tool to verify correct handling of critical errors.
Session Management (web session; performed through cookies; session hijack)
- A rule set that governs interactions between a 'web-based application' and 'user'. - Browsers and websites use HTTP to communicate, and a 'web session' is a series of 'HTTP requests and response transactions' created by the same user. - ***Session management is the process of keeping track of a user's activity across sessions of interaction with the computer system performed through 'cookies'. - An unauthorized eavesdropper could use session information to perform a session hijack. (p 316)
FTP (File Transfer Protocol)
- A way of transferring files between computers. - A way to 'transfer files' from one computer to another over any TCP/IP network, such as a LAN or the Internet. - It is both a noun and a verb. > As a noun, FTP is the name for a method of sending files. It is also the name of the 'program' that actually sends the files.
EXAM TIP:
- A well-known type of 'buffer overflow attack' is called the 'no-operation (NOP) sled'. Attackers flood an application with a series of NOP instructions meant to bypass having to know the exact memory addresses along the way to its final memory destination. - If you use a 'packet sniffer', you may be able to detect NOP sleds through the presence of 'multiple strings of 90'.
Improper Error and Exception Handling
- All exceptions and errors should be trapped and handled. - In the process of handling the error, if information is passed back to the user, it should meet several criteria. - The information should be clear and actionable by the end user. - Generic 'contact your administrator' messages, only frustrate the user. - It's very important not to provide information that gives up sensitive data. - Paths to resources, databases, or other items could be used by an attacker and should not be disclosed. - If a user has forgotten a user id or password the proper procedure is to tell the user that there is an authentication error, without identifying which one is wrong.
Clickjacking (invisible form in background)
- An attack where a user is tricked into clicking something on a web page and then a different operation is performed. - The user thinks he is clicking a button to perform a specific action, but a 'hidden form' activates a different set of code other than expected by the user. MITIGATIONS > Client-side browser extensions such as 'NoScript' and 'Ghostery' can be used to detect clickjacking and other exploits.
SQL Injection
- An injection attack designed to attack the 'database' associated with a web application. - Different types of databases can be targeted: > A 'user database' with user access information can be harvested to obtain system credentials. > An 'application database' can be harvested to obtain application information. - The objective of a SQL injection could also be destructive, such as deleting records or dropping tables. - The vast majority of SL injection attacks occur because of a combination of poor 'input validation' and 'inline SL calls'. - Programs build a specific query based on user input and pass that query on to the database. - SQL injection is one of the most common attack vectors used today.
OWASP (Open Web Application Security Project)
- An organization focused on improving the state of security in web applications. - Vendor neutral - OWASP Top Ten project - details the most commonly found errors in web applications. Using this list for awareness and as a checklist can significantly improve web application security in an enterprise.
Specific Application Issues
- Applications are a popular target for several reasons. > First, they are typically developed by personnel with less resources and training than the major OS and networking vendors. > Second, applications tend to have the information that today's hackers desire. - In the past, the information was gained by getting into the 'network' and 'OS layers', but today those avenues are much harder to exploit. At the same time, the growth of 'web applications', typically developed with much less emphasis on security, has accelerated, thus providing attackers a fertile bed of opportunity. - Applications are programs that respond to a series of inputs, perform some form of computation, and respond via an output process. - Different applications have different input, computation, and output requirements. - Inputs that aren't validated can allow an adversary to send inputs that force a program outside its design, resulting in unexpected behaviors.
Improper Storage of Sensitive Data
- Applications frequently have data that could be considered sensitive or of high value to an attacker. - Passwords, encryption keys, paths, and other elements that the application needs to run correctly are common examples--but would cause harm if published. - A simple encoding of a secret in strings inside the executable code has 'two distinct disadvantages': 1. It makes strings difficult to change. 2. Strings can be discovered via reverse engineering and code examination. Examples: Numerous applications have fallen prey to hard-coded passwords. A hard-coded password is discoverable and, once know, is next to impossible to change without changing the code--and hence becomes a glaring vulnerability. The same is true for cryptographic keys. - Storing the data in a configuration file does not significantly improve the situation. - Configuration files are frequently discovered and if the secret is one that is common among installations, then simply obtaining a copy of the program in demo mode allows information as to how to obtain the secrets from a licensed version. - Not only are configuration files sensitive, so are some forms of operational files.
Web Application
- Applications that are hosted on a 'private' or 'public' web server, which is accessed by a user's web browser application. - May be used for e-commerce, file storage, collaboration, learning management systems (LMSs), content management systems (CMSs), virtual classrooms, and more. ADVANTAGES: > Ease of deployment (because most client devices have built-in web browsers) as well as web-based standards to ensure the secure and consistent delivery of data.
Secure by 'Default'
- Based on the principle that, when deployed in a default configuration, security is maintained -- doesn't require a user-selectable option requiring user interaction to invoke security functionality in an application. - One method of securing an application by default is in minimizing default program functionality, thus reducing the attack surface of the application. - If certain options are not commonly used, disabling them by default reduces the code being invoked during a default installation, and thus reduces the opportunity for attackers to exploit the application. - A key aspect in understanding the level of security needed is found by examining the specific threat environment that the software may run in as deployed. - Consider disabling 'Java scripts', 'VB scripts', and 'ActiveX controls'. Although these may be important for a client system to enhance a user's browsing experience. EXAMPLE > Out of the box, IE has a different level of functionality on MSS Windows Server than it does on a Windows client-based OS. Turning off some functions in the server environment is done to prevent unnecessary elements being exposed to attackers. Example > The deployment profile of Windows 10 and Windows Server 2019 - Many program options, such as FTP server, are not installed during a default setup. If an administrator needs FTP services on a server, then it can be installed. Otherwise having the functionality disabled prevents it from being an attack vector.
Memory Leak
- Computer programs use memory for the storage of objects, variables, and other resources. - When an application has a need for more memory resources, it can request additional memory from the OS. When the application is done with memory it has requested, how the memory is returned to the OS is language dependent. - 'Failure to correctly manage memory' can result in continued request until the shared resource is exhausted. It may be in small steps, 1KB at a time, but in long-running programs even a small memory leak can have significant consequences. - 'Better code review' and 'development practices' can help prevent memory leaks, in addition to the implementation of software patches.
Secure Cookie Storage and Transmission
- Cookies are an important part of web applications. - Cookies provide client-managed storage in the form of text files that enable a web browser to store information locally from a web application. - Cookies are often vulnerable with web browsers, and many methods of stealing cookies have been developed and exploited. - It should be assumed that adversaries can get access to the cookies associated with an application. - This places two burdens on application designers and developers. > First, secrets stored in cookies must be encrypted. Simple encoding is not encrypting, so actual encryption methods should be used. > Second, essential information should not be stored in the cookie, but rather on the application server itself. The cookie can store a pointer to the location on the server. By using the cookie to store a 'reference pointer' (or session ID), the secrets associated with the cookie can be safely managed on the server side of the application. - As with all things web related, transmission of data between client and server are often in clear text and subject to observation. > To address this issue, all sensitive communications should be done over secure channels with 'SSL/TLS' designed specifically for this functionality.
Security risks of HTML5
- Cross-domain trusts - Permits websites from different DNS domains to communicate between iframes in web browser - With HTML5's increased reliance on client-side input validation, servers might fall prey to an increase in 'client-side attacks'. - Servers and web browsers will need to be programmed and configured to ensure 'input validation' is also performed on the 'server'.
A SOAP message is a basic 'XML document' made up of the following components
- Envelope - categorizes the XML document as a SOAP message - Header - stores header information - Body - contains call-and-response data - Fault - provides 'error information' during message processing
Bug
- Errors in software.- - A BUG that can be 'exploited' is referred to as a 'software vulnerability'.
Web Application Firewall (WAF)
- Filters, monitors, and blocks HTTP traffic to and from a web application. - Differentiated from a regular firewall in that a WAF is able to filter the content of specific 'web applications' while regular firewalls serve as a safety gate between 'servers. - Created for web applications to impart HTTP-specific rules to guard against a variety of attack vectors, including everything from 'cross-site scripting' (XSS) and 'session hijacking' to 'SQL injection' and 'file injection attacks'. - Web applications are both easily accessible and stacked with valuable data; therefore, they routinely endure more attack vectors than most targets.
Patch vulnerabilities
- If you install patches immediately after release, you risk system reliability issues due to lack of quality assurance patch testing - If you perform lengthy quality assurance testing, you risk leaving your systems open for exploitation - MUST balance the need for thorough quality assurance testing with the need for expedient patch management
To protect against session hijacking
- Implement the 'logout feature' on websites to ensure sessions are expired. - Generate 'session IDs' after login and accept session IDs generated by the 'server' only - Use secure security protocols such as SSL/TLS, SSH, Kerberos, and IPSec. - Use different username/passwords for different accounts. - Use longer session IDs other than the ones generated by previous algorithms. - Provide end-user security training - Employ anti-malware scans - Engage in patch management - Employ session timeouts - Force reauthentication after a certain period of time
Countermeasures against SQL injection attacks
- Implementing input validation - Disabling commands like xp_cmdshell - Suppressing error messages or customizing error messages - Ensuring database accounts use least privileges - Monitoring SQL statements to identify any statements that look malicious - Using parameterized queries - Escaping user-supplied input
Geotagging
- Involves attaching geographical identification properties (location, coordinates, place names, and timestamps) to media such as photos, websites, videos, and so on. - Foursquare is a popular application for geotagging - Unless absolutely necessary, 'geotagging' should be disabled on smartphones and on social media websites.
Cross-Site Scripting (XSS) (Javascript)
- Involves attackers discovering and exploiting vulnerability on 'websites' in order to 'inject malicious code'--typically 'JavaScript' - Attackers take advantage of poor input validation controls on a website to covertly inject the malicious code - The attacker's goal is for unsuspecting users to visit the website and run the malicious code. - Once the victim's web browser runs the malicious code, it can lead to stolen cookies, stolen session IDs, session hijacking, malware installation and bypassed access controls. - One of the most 'widespread website attacks'
Database Activity Monitor (DAM)
- It independently monitors the 'transactions' and other 'activity' of database services. - DAMs are important because databases contain some of the most important information in the organization; therefore, many attacks concentrate on databases. - Common uses of DAMs include monitoring applications and users for unauthorized or fraudulent activity, such as 'SQL injection attacks'. - 'Accountability' and 'compliance auditing' can also be aided by DAMS.
Code Reuse
- It involves the authorized use of someone else's proven code, or knowledge about code, to improve software development efforts. - Saves time and resources as well as helps create more usable, functional, and secure software overall. - May be sourced from third-party software development kits (SDKs) and software libraries
XMLHttpRequest (XHR)
- Objects that are used to interact with servers. - You can retrieve data from a URL without having to do a full page refresh.
'Integer' Overflow Error or 'Arithmetic' Overflow Error
- Occurs when a 'number is too large to be stored in the variable'. - Can occur in a number of ways 1) In the simple concept that a given number will require a specific size of register or variable to store the value. 2) Lies in how numbers are represented digitally. If the more significant bit of a number is used to present the sign of a a number, then adding two large positive numbers can cause this 'bit to flip', making the result 'negative'. This overflow condition is not automatically trapped in all languages and can result in some spectacular errors. - This error can be caught in several ways. 1) 'All math should be checked prior to use'. This will result in overflows being caught and then handled as exceptions. 2) One that should be a routine check is 'output validation'. Whenever you have an output of a function, it is important to 'validate the output value as landing in an expected range'.
Insecure Direct Object References
- Occurs when an 'application request' refers to the 'actual name of objects' such as files, folders, databases, or storage elements. - If these 'object references' are left unchecked by the application, attackers can manipulate the requests to gain access to unauthorized resources, or access authorized resources in unauthorized ways. MITIGATIONS - Implement 'access control checks' to ensure users are authorized to access the requested object. - Use 'per-user' or 'per-session' indirect object references to prevent hackers from directly accessing unauthorized resources.
Secure by 'Deployment'
- Once software is deployed, the interaction with other processes, users, and security features creates opportunities to avoid or bypass security controls. Configuring the system so that items such as automatic updates occur seamlessly is important. - EXAMPLE: During installation, software will often create accounts and passwords used as part of the installation process. > Deleting, disabling, or renaming these accounts at the conclusion of setup prevents them from being used by unauthorized personnel. > Forcing changes of passwords associated with any resident accounts created by the software is another lesson learned.
Session Fixation Attack
- Permits an attacker to hijack a valid user session. - The session fixation attack is a class of 'Session Hijacking', which steals the established session between the client and the Web Server 'after' the user logs in. - APPLICATION-LEVEL HIJACKING
EXAM TIP: Simple Object Access Protocol (SOAP)
- SOAP is the 'communication language' of web services - Web Service Definition Language (WSDL) is the way we describe the communication details and the application-specific messages that can be sent in SOAP. - WSDL, like SOAP, is encoded using XML-based grammar. - WSDL is much more than a mere instruction manual on how to use the web service it describes. - Web services development software can process a WSDL document and automatically generate the SOAP messages needed to invoke a specific service.
Application Security Design Considerations
- Secure by Design - Secure by Default
Secure Encrypted Enclaves
- Secure enclaves use a 'separate coprocessor' from the system's main processor to prevent the main processor from having direct access to information stored in the secure encrypted enclave. - Secure hardware enclaves offer an alternative approach for enabling secure computation at minimal performance cost. - Secure enclaves enable a program to run computations over confidential data while providing strong isolation from other applications, the operating system, and the host. - An enclave can attest to the correct execution of a program inside the enclave to a remote party. - Such information may include 'encryption keys', 'biometric information', etc. - OSs should operate under the assumption that they're already infected - A method is needed to ensure that 'malware-infected kernels' cannot compromise the entire OS. - The 'safe' portion of the OS that is isolated from the malware is known as a secure encrypted enclave.
Exam Tip:
- Since fuzzing will test for web application input validation flaws, implementing stronger input validation controls is an excellent countermeasure to fuzzing. - Also, consider using a 'web application firewall' (WAF) from a provider such as 'Barracuda' or 'Cloudflare'.
Java Applets
- Small playform-independent and Internet-based programs accessible with a web browser. - The Java program, or 'bytecode', would execute within a Java virtual machine (JVM), which was a separate process from the web browser. - Such isolation helps provide a baseline of security between the 'web browser' and the 'OS'. - Like ActiveX controls, Java applets may be hostile in nature and can cause damage to a machine if downloaded, so care must be taken in their usage. - Options exist within web browsers to 'disable Java applets' to improve host security.
Encryption vulnerabilities
- Symmetric Encryption: AES is always a great choice; RSA, ECC, or a variation of the two is good too - Hashing: SHA-256 or better - VPN: IPSec - Web Communications: TLS 1.2 or 1.3 - Wireless Communications: WPA/2 NOTE: Do not make your own cryptography algorithms
Cross-Site Request Forgery (CSRF or XSRF) or Session Riding (takes advantage of 'keep me logged' in)
- The 'reverse' of 'XSS attacks' because CSRF takes advantage of the 'website's trust of the user's browser' (attacks the user's browser?) as opposed to the 'client's trust in the website' (XSS) (attacks the website?). - CSRF attacks are the result of malicious code found in 'emails', 'websites', or 'instant messages' that results in a user's web browser executing undesired actions on a site to which the user is already authenticated. - The term 'forgery' is used since the attacker forces the user to run malicious code against the trusted site--unbeknownst to the user--and the site believes the code originates from the user's browser. - This attack frequently takes advantage of websites that have a 'keep me logged in' checkbox, such as bank and social media sites. COUNTERMEASURES > Use anti-CSRF tokens > Use 'same site cookies' if web browsers support them. > Require users to click the 'logout' button on websites as opposed to just closing the window. > Prevent browsers from caching usernames/passwords. > Do not include 'remember me' or 'keep me logged in' button on websites > Implement plug-ins such as 'NoScript'.
State Management
- The Web is stateless (not knowing the previous page or data) - State can be managed in a variety of ways, but the 2 primary ways are both via cookies: 1. The state is maintained either in the 'cookie' itself, or 2. On the 'server' via a lookup process > different applications have different needs > Keeping prices in a cookie (prices in a shopping cart), and relying on them can result in a disaster when the prices are altered to a penny or a negative number, thus creating a refund condition.
HTML5
- The latest version of Hypertext Markup Language (HTML) - The code that 'describes' the 'contents' and 'appearance' of web pages - It's actually 3 kinds of code: > HTML, which provides the structure > Cascading Style Sheets (CSS), which take care of presentation > JavaScript, which makes things happen - Successor to HTML and XHTML - Enhanced to support more multimedia capabilities, added mobile device support, plus many other features. - Comparable to Adobe Flash, but can't do everything Adobe Flash can; hence the need for CSS and JavaScript
Attack Surface
- The number of possible ways an attacker can get into a device or network and extract data. - Most businesses think they are too small to be a target but a quick look at their attack surface shows that it is often quite large, which increases their exposure to risk. - All the aspects of software accessible to an individual, whether by design or not.
Buffer Overflow Vulnerability
- The potential for a buffer overflow exists any time data is read into a memory location; if the size of the data being read is larger than the destination, then an overflow occurs, overwriting the memory buffer and if larger than the destination, an overflow occurs, overwriting the memory buffer and potentially damaging other values or introducing executable code. - It occurs when any program reads input into a buffer (an area of memory) and does not validate the input for correct length. - Exists when a developer does not properly 'validate user input' to ensure that it is of an appropriate size. - An attacker develops an executable program that performs some action on the target machine and appends this code to a legitimate response to a program on the target machine. When the target machine reads through the too-long response, a buffer-overflow condition can result in the original program's failure. The extra data past the original buffer length can be malicious code that is now in the machine's memory, awaiting execution. If the attacker executes it correctly, the program can skip into the attacker's code, running it instead of crashing. MITIGATIONS: 1. Bounds Checking - the application checks an allocated block of memory to prevent inputted code from exceeding the allocated space. 2. Canary values - like canaries that didn't survive in a mine, a canary value is an added value that, if destroyed, symbolizes that the buffer preceding it in memory was overflowed. 3. Tagging - a method of tagging data types in memory; tags serve as a non-executable barrier to prevent buffer overflows.
Session Prediction Attack
- The session prediction attack focuses on predicting session ID values that permit an attacker to bypass the authentication schema of an application. - By analyzing and understanding the session ID generation process, an attacker can predict a valid session ID value and get access to the application. - In the first step, the attacker needs to collect some valid session ID values that are used to identify authenticated users. Then, they must understand the structure of session ID, the information that is used to create it, and the encryption or hash algorithm used by the application to protect it. - Some bad implementations use session IDs composed by username or other predictable information, like timestamp or client IP address. In the worst case, this information is used in clear text or coded using some weak algorithm like base64 encoding. - In addition, the attacker can implement a brute force technique to generate and test different values of session IDs until they successfully get access to the application. - APPLICATION-LEVEL HIJACKING
Session ID Sniffing
- This Session Hijacking attack consists of the exploitation of the 'web session control mechanism', which is normally managed for a session token. - Because HTTP communication uses many different TCP connections, the web server needs a method to recognize every user's connections. - The most useful method depends on a token that the Web Server sends to the client browser after a successful client authentication. - A session token is normally composed of a string of variable width and it could be used in different ways, like in the URL, in the header of the HTTP requisition as a cookie, in other parts of the header of the HTTP request, or yet in the body of the HTTP requisition. - The Session Hijacking attack compromises the session token by stealing or predicting a valid session token to gain unauthorized access to the Web Server. - The session token could be compromised in different ways; the most common are: > Predictable session token > Session Sniffing > Client-side attacks (XSS, malicious JavaScript Codes, Trojans, etc) > Man-in-the-middle attack > Man-in-the-browser attack - APPLICATION-LEVEL HIJACKING
Threat Modeling
- Threat modelling works to 'identify, communicate, and understand threats and mitigations within the context of protecting something of value. - Threat modelling can be applied to a wide range of things, including software, applications, systems, networks, distributed systems, things in the internet of things, business processes, etc. There are very few technical products which cannot be threat modelled; more or less rewarding, depending on how much it communicates, or interacts, with the world. Threat modelling can be done at any stage of development, preferably early - so that the findings can inform the design.
Privilege Escalation
- To gain a level of control necessary to achieve an objective - Named accounts serve a variety of purposes, one of which is to regulate the level of control a user can have when interacting with a system. - 'Shared resources', such as file systems, can have areas that are usable by different accounts, blocking other users from accessing these files. - A typical goal of many hackers is to achieve 'root' or 'administrator' status, because this allows them unfettered access to all system resources. - As 'root' they can start, stop, and change anything, including log files. - Another way of gaining higher access is to exploit a vulnerability in an application that is running with elevated privileges. - The exploit that allows arbitrary code to be run does so at the elevated privilege level of the application program, and does so under the application program's legitimate credentials, thus reducing the alert footprint significantly. This is why vulnerabilities associated with privilege escalation are highly sought after by hackers.
Examples of Operating System Vulnerabilities
- Unnecessary services - Encryption - Hardening - Open ports - Patches
What JavaScript Object Notation (JSON)
- Utilizes a simple text format for the 'storage and exchange of data' between a 'browser' and 'web applications'. - Similar to Extensible Markup Language (XML), yet its lack of verbosity makes it a popular alternative to XML. - an open standard file format, and data interchange format, that uses human-readable text to store and transmit data objects consisting of attribute-value pairs and array data types. - A language-independent data format derived from JavaScript.
Data Remnants
- When data is deleted from online and offline storage containers all of the data just disappears. The data often remains where it is. What actually occurred was the 'pointers' to the data were removed. - Any information that remains after file deletion or destruction techniques is known as a 'data remnant'. - To properly dispose of data so that little to no data remnants remain, consider these data-destruction techniques: > Overwriting - Involves the replacement of the 1's and 0's on the storage medium with a different pattern of 1's and 0's to render the original data unrecoverable. > Degaussing - Performed by sending a powerful 'magnetic' force to the storage medium to destroy the information (and sometimes other physical components of the drive as well). > Encryption - Drive encryption, and destruction of the decryption key, makes the information on the drive essentially unrecoverable. (fast & cheap method) > Physical destruction - Involves physically destroying the drive by 'shredding' it, 'burning' it with powerful chemicals, drilling holes in it, or incinerating it. (best technique and the most expensive.)
Input Validation
- When developers ensure all input is proper in form and length before processing or using it in any fashion. - All input should be considered malicious until proven otherwise. - 'Buffer overflows' are a prime example of the effect of not validating input before use. - The application should have an idea of how long the data input should be. If the data is too long, it can overwrite the buffer and result in failure. - After screening for length, the more difficult task of screening for content begins. Content screening has two forms: > Whitelist screening, where only acceptable items are passed > Blacklist screening, where disallowed objects are removed or rejected.
Unnecessary services
- When in doubt, leave it out. - Unnecessary services lead to open ports, which lead to malicious vulnerability research and exploitation. - Disable any services that are not required. - If you're running a Windows IIS web server, disable 'NetBIOS' and 'SMB services'
Secure by 'Default'
- Without changing default settings, the application is secure. - For example, some server features/services have certain security capabilities, but those features/services must be enabled in order to function, so that a hacker cannot take advantage of it. A product that requires the enabling of the security functions is not secure by default.
ActiveX
- a MS software framework designed for Internet Explorer - it's purpose was to run dynamic media content such as display videos, animations, and documents directly from the browser without requiring separate software. - It runs on the local computer with the same security privileges as the user, thus providing potential loopholes into a system for attackers. - The MS store no longer supports ActiveX, and MS's newest Edge browser does not support ActiveX. - For security purposes, make sure ActiveX support is disabled on your browser.
Client-Side Processing vs. Server-Side Processing
- a classic case of input validation - Client-side processing can be circumvented by a proxy between the client and the server, and values can be changed. - The key element behind 'input validation' is that one cannot trust culprit is not just the client, but also any machines that may be between the client and the server, including proxies. - Any processing before the server can be changed during transmission, so the only secure way to verify input validation is on the server side of the conversation.
Representational State Transfer (REST)
- a framework that relies on various web protocols to define how clients and servers can exchange web resources with a high degree of interoperability. - it is often preferred over SOAP since it is lighter weight, consumes less bandwidth, works with more tools, and has better scalability. - a web service that uses REST is referred to as 'RESTful API.'
Simple Object Access Protocol (SOAP) (p. 331)
- a specification for exchanging information associated with web services - Uses a combination of protocols (XML, HTTP, and SMTP) to transmit messages across the Web. - Created as an object access protocol with three major characteristics: > extensibility > neutrality > independence - Can be used across a wide range of 'transport protocols', including TCP, TTP, and SMTP - The independence of SOAP, and its basis in XML, allows it to be used with virtually any programming language or model. - A SOAP message has two major components: > envelope - 'defines the elements of the body' so that a web service understands how to interpret a message > body - contains 'call-and-response information' as well as a 'fault element' containing error information - A typical SOAP exchange involves a 'request message' and a 'reply message' - The Web Service Definition Language (WSDL) describes a web service and the format of requests processed using SOAP. - Provides a means of exchanging structured information - SOAP will benefit from web services security (WS-Security), which is a security extension for SOAP messages. - WS-Security - can specify signing SOAP messages for integrity, encrypt messages for confidentiality, and attach security tokens to identify the sender.
Hardening
- changing default settings WINDOWS HARDENING - Modify the following: > registry settings > group policies (such as pw policies, account lockout policies, auditing, user right assignment, and AppLocker settings) NOTE: Don't forget to enable 'BitLocker' drive encryption and 'Encrypting File System' (EFS) LINUX HARDENING - lock the boot directory - disable USB support - remove unnecessary software packages - hardening the SSH service - enable SELinux for kernel protection - modify default permissions
Firmware Vulnerabilities
- often forgot about, outdated firmware can produce serious vulnerabilities Three misguided beliefs: 1) Firmware updates don't provide any noticeable benefits 2) The risk of bricking the firmware entirely outweighs the benefits 3) The current firmware works just fine, so "if it ain't broke, don't fix it." - Hackers can exploit network appliances with older firmware - Not only should the firmware be updated, just how many devices have firmware need to be accounted for such as: > Workstations/servers > Hard drives > Optical drives > Expansion cards/peripherals > Routers/switches/firewalls > NAS systems > Mobile devices > Smart TVs > Cameras > Scanners > Gaming consoles
JavaScript
- primary purpose of JavaScript is to enable features such as validation of forms before they are submitted to the server. - a scripting language developed by Netscape and designed to be operated within a browser instance - runs within the browser, and the code is executed by the browser itself > this has led to compatibility problems between vendors and between browser versions - Malware can change its settings lowering the security settings - In Firefox, use the 'NoScript plugin' as a solution to this -- but leads to reduced functionality for user, can break many applications, and requires more diligent user intervention - is subject to eavesdropping, spamming, or causing other problems
Popular SQL injection tools
- sqlmap - SQL Power Injector - The Mole - jSQL Injection
Browser Extensions / browser add-ons / plug-ins
- tiny programs connected to a web browser that provide extra functionality.
Three Cross-Site Scripting (XSS) examples (Javascript)
1) Nonpersistent (reflected) vulnerability > Attacker creates a URL link containing malicious code which is sent through email to a particular user to run. > User clicks the link, gets redirected to nefarious website, which "reflects" the script back to the user's browser for processing. > The attack is considered "non-persistent" because it only affects the user who received the malicious link. The term REFLECTED stems from the script reflecting off the website and running within the user's browser. This is the 'most common' variety of vulnerability. 2) Persistent (stored) vulnerability > Begins at the website. Attacker injects the malicious code into a website's message board or search field, then the user visits the website and comes across the code, and the code executes. > May result in stealing the user's cookie for impersonation purposes. > A PERSISTENT vulnerability due to the script surviving, 'persisting', on website for extended period of time. > STORED because malicious code is stored on target website. > Not as common as REFLECTED attack, but 'more devastating'. 3) Document Object Model-based (DOM-based) vulnerability > REFLECTED and STORED cross-site scripting vulnerabilities both take advantage of a website's vulnerability. > DOM-based XSS attack uses 'JavaScript' to exploit vulnerabilities in the client's web browser--after which the web browser then runs the malicious JavaScript code. MITIGATION METHODS > 'Comprehensive code review' processes and 'input validation' are musts. > 'Anti-XSS library' functions > 'Disable scripts' > 'Patching' 'web servers' and 'browsers' > **Implementing a web application firewall (WAF) can help filter out XSS attacks.
Security considerations for JSON/REST
> Use 'API keys' to prevent 'service hijacking', which can lead to DoS conditions. > Implement 'access control' at API endpoints > Implements 'audit logs' > Employ 'input validation' > Restrict 'HTTP methods' to only allow GET, POST, and PUT > Use 'HTTPS' to secure the communication channel > Use 'non-verbose error messages' > Utilize 'JSON web tokens' for the security token, which can then be digitally signed for integrity
High-level Hijacking concepts to be aware of
APPLICATION-LEVEL HIJACKING > Session fixation attack > Session prediction attack > Session ID sniffing NETWORK-LEVEL HIJACKING > TCP segment hijacking
EXAM TIP
Prevention of 'resource-exhaustion attacks' require one of two activities: 1. Either the attack is recognized and further resource use on the part of the attacker is denied at least temporarily or, 2. As resources are consumed, they are throttled in a manner to prevent rapid consumption.
Time of Check
When software is going to 'update' or 'change' some aspect of a resource, it is common to check the item before change.