Ethical Hacking Module 07: Web Application Attacks and Countermeasures


The following are the steps involved in the web application mechanism to fetch user-requested data from a database.
1. User enters the website name or URL in the browser. Then, the user's request is sent to the web server.
2. The web application server then accesses the database to perform the requested task by updating or retrieving the information stored on it.
3. On receiving the request, the web server checks the file extension.
4. After processing the request, the web application s

1-3-5-2-4

SQL Injection Countermeasures

1. Limit the length of the user input
2. Use custom error messages
3. Monitor DB traffic using an IDS, WAF
4. Isolate the database server and web server
5. Always use a method attribute set to POST and a low-privileged account for the DB connection
6. Run a database service account with minimal rights
7. Move extended stored procedures to an isolated server
8. Use type-safe variables or functions such as isNumeric() to ensure type safety
9. Validate and sanitize user inputs passed to the database
10. Avoid using dynamic SQL and do not construct queries with the user input

Command Injection Attack Countermeasures

1. Perform input validation
2. Escape dangerous characters
3. Use language-specific libraries that avoid problems due to shell commands
4. Use a safe API that avoids use of the interpreter entirely
5. Structure requests so that all supplied parameters are treated as data rather than potentially executable content
6. Use parameterized SQL queries
7. Use modular shell disassociation from the kernel
8. Use built-in library functions and avoid calling OS commands directly
9. Implement least privilege to restrict the permissions to execute OS commands
10. Avoid executing commands such as exec or system without proper validation and sanitization
11. Prevent the shell interpreter using pcntl_fork and pcntl_exec within PHP
12. Implement Python as the web framework instead of PHP for application development

Broken Authentication and Session Management Countermeasures

1. Use SSL for all authenticated parts of the application
2. Verify whether all the users' identities and credentials are stored in a hashed form
3. Never submit session data as part of a GET, POST
4. Apply pass phrasing with at least five random words
5. Limit the login attempts and lock the account for a specific period after a certain number of failed attempts
6. Use a secure platform session manager to generate long random session identifiers for secure session development
7. Make sure to check weak passwords against a list of the top bad passwords

Web Proxy

A proxy server that sits between the web client and the web server to prevent IP blocking and maintain anonymity

Which of the following application security risks occurs when untrusted data is sent to an interpreter as part of a command or query, according to OWASP?

A-1 Injection

Samuel, a professional hacker, targeted an organization's database server to manipulate its content. To accomplish his goal, Samuel intentionally started inserting bad input queries through an application and analyzed the error messages from the database to gather specific information from each query. He constructed a specially designed SQL query to compromise the data security and manipulated the stored content using the obtained information. Identify the type of SQL injection performed by Samuel in the above scenario.
A. in-band SQL injection
B. inferential SQL injection
C. blind SQL injection
D. WAITFORDELAY

A. in-band SQL Injection

Bob, a user, has been accessing "certified hacker.com" using his registered account. Don, an attacker, on the other hand, targeted Bob's browser and used a sniffer to capture the cookie that contains Bob's current session ID. Using the session ID, Don impersonated Bob and accessed Bob's already logged-in page.

A2 - Broken Authentication

Identify the application security threat that occurs whenever an application includes untrusted data in a new web page without proper validation or escaping or whenever it updates an existing web page with user-supplied data.

A7 - cross-site scripting (XSS)

Which of the following practices can make an application or database server vulnerable to SQL injection attacks?

Allow entries that contain binary data, escape sequences, and comment characters

DNS Poisoning Attack

An attack that modifies or corrupts DNS results. DNSSEC helps prevent this. Also known as DNS spoofing.

Directory Traversal Attack

An attacker may be able to perform this attack owing to a vulnerability in the code of a web application. In addition, poorly patched or configured web server software can make the web server vulnerable to this type of attack.

Tautology

An attacker uses a conditional OR clause such that the condition of the WHERE clause will always be true. Such an attack can be used to bypass user authentication.

A2 - Broken Authentication

Application functions related to authentication and session management are often implemented incorrectly, thereby allowing attackers to compromise passwords, keys, or session tokens or to exploit other implementation flaws to assume identities of other users (temporarily or permanently)

Which of the following countermeasures should be followed to protect web applications against broken authentication and session management attacks?

Apply pass phrasing with at least five random words

Which of the following practices makes web servers vulnerable to various online attacks?

Apply unrestricted ACLs and allow remote registry administration***(recheck)

Which of the following practices makes web servers vulnerable to various online attacks?

Apply unrestricted ACLs and allow remote registry administration.

in-line comments

Attackers simplify an SQL injection attack by integrating multiple vulnerable inputs into a single query using in-line comments.

Union SQL Injection

Attackers use a UNION clause to add a malicious query to the requested query

Which of the following countermeasures helps developers or testing teams secure the database against SQL injection attacks?

Avoid constructing dynamic SQL by concatenating input values

Which of the following countermeasures helps a security specialist defend the application against command injection attacks?

Avoid executing commands such as exec.

Steve, the head of the software development team, escalated a product to Jack's testing team for validation. As part of testing, Jack employed an SQL injection detection tool to determine if the application is immune to SQL injection attacks. Identify the tool Jack employed in the above scenario to detect SQL injection attacks.
A. Foremost
B. Burp Suite
C. WinHex
D. Autopsy

B. Burp Suite

Don, a professional hacker, targeted an organization and decided to disrupt its online services. Don initiated an attack by manipulating the input fields of the target web application. He injected a query "SELECT * FROM EMP WHERE EMP.EID = 1001 AND EMP.ENAME = 'David'" by concatenating the delimiter (;) and a malicious query to the original query as "SELECT * FROM EMP WHERE EMP.EID = 1001 AND EMP.ENAME = 'Bob'; DROP TABLE DEPT;". On execution of the injected malicious query in place of the original one, the DBMS dropped the table DEPT from the target database. Which of the following types of SQL injection attack has Don performed in the above scenario?
A. tautology
B. piggybacked query
C. logically incorrect query
D. illegal incorrect query

B. Piggybacked query

Alex, a disgruntled employee in an organization, was digging deep into his company's web application to find any security vulnerabilities. He found that restrictions for authenticated users were not enforced properly. Alex exploited this flaw to access unauthorized functionalities such as accessing other users' accounts and viewing their sensitive data. Identify the web application security risk exploited by Alex in the above scenario.
A. XML external entity (XXE)
B. broken access control
C. b

B. broken access control

Don, a professional hacker, targeted John's official email account and wanted to access confidential data saved in his account. Don initiated the process by entering the username and then used a predefined file with an automated password cracking program. Eventually, Don succeeded in cracking John's email account password. Which of the following techniques has Don employed in the above scenario?
A. brute-force attack
B. dictionary attack
C. keylogger attack
D. SQL injection

B. dictionary attack

Identify the type of SQL injection technique used by the attacker when they cannot directly exploit any other SQL injection techniques.

Blind SQL injection

Which of the following tools supports the entire web application testing process, from initial mapping and analysis of an application's attack surface to finding and exploiting security vulnerabilities?

Burp Suite

Which of the following layers of web application includes the functional programming of the web application that can be implemented using technologies such as .NET, Java, and Python?

Business Logic Layer

Edward, a professional hacker, targeted an organization's official web page to damage the company's reputation. He employed the SQL injection technique to access the targeted web page, applied unauthorized modifications to change its visual appearance, and displayed another page containing its own messages. Identify the attack technique utilized by Edward in the above scenario.
A. DNS server hijacking
B. web server misconfiguration
C. website defacement
D. directory traversal attack

C. website defacement

Database Layer

Consists of cloud services, a B2B layer that holds all the commercial transactions, and a database server that supplies an organization's production data in a structured form (MS SQL Server, MySQL server)

business logic layer

Consists of two layers: Web-Server logic layer and the business logic layer. The web-server logic layer contains various components such as a firewall, an HTTP request parser, a proxy caching server, an authentication and login handler, resource handler, and a hardware component (server).

Nicholas, a software developer, develops an application. Before launching it, he asks Anna, a pen tester, to review it and find out whether there were any security loopholes in the application. Anna performed penetration testing and found out that the application included untrusted data on the web page. There was no proper validation or escaping, and it was susceptible to several attacks if not patched. Which of the following application security risks was identified by Anna in the above scenar

Cross-site scripting (XSS)

David, a professional hacker, targeted Alice's net banking account for financial benefits. David initiated the process by entering Alice's user id on the net banking website, then used an automated password cracking tool to crack her net banking password. David successfully cracked the password and transferred the amount from Alice's account to his account. Identify the tool employed by David to crack the password.
A. MegaPing
B. ShellPhish
C. Nmap
D. THC Hydra

D. THC Hydra

Bob, a professional hacker, targeted a company's web server that hosts websites. Bob started searching for published vulnerabilities in the CVE database for the target web server. He identified and then exploited vulnerabilities to gain access to the server and manipulate services. Which of the following layers of the vulnerability stack was exploited by Bob in the above scenario?
A. layer 4
B. layer 2
C. layer 3
D. layer 5

D. layer 5

Joseph, an administrator in an organization, has installed server software on a machine. Soon after installing the software, he updated the server machine with all the necessary solutions to secure the server and the network. Which of the following security practices does Joseph need to follow to secure the web server?
A. use the same user account for each application if multiple web applications are hosted
B. store website files and scripts on the same drive
C. allow remote registry administration
D. screen and filter incoming traffic requests

D. screen and filter incoming traffic requests


Roger, a security professional, monitored the web application to determine any susceptibilities and protect it from unauthorized access. He noticed that developers used weak cryptographic encryption methods and stored the cryptographic keys at insecure locations. Identify the type of application security risk noticed by Roger in the above scenario.
A. XML external entity (XXE)
B. broken authentication
C. command injection
D. sensitive data exposure

D. sensitive data exposure

WS-Policy

Describes the capabilities and constraints of the security and business policies on intermediaries and endpoints

Which of the following countermeasures help developers prevent applications from becoming vulnerable to SQL injection attacks?

Design the code such that it traps and handles exceptions appropriately

Which of the following components of a web server stores critical HTML files related to the web pages of a domain name that can be sent in response to the user requests?

Document Root

Find

During this operation, service descriptions are published to allow the requester to discover the services.

Identify the operation in web service architecture that involves obtaining the service interface description at development time and obtaining the binding and location description calls at a run time.

Find

A8 - Insecure Deserialization

Flaws occur when an application receives hostile serialized objects. Leads to remote code execution. Serialized objects can be replayed, tampered with, or deleted to spoof users, conduct injection attacks, and elevate privileges.

Freddy, a professional hacker, targets an organization and identifies that the target web application is vulnerable to an SQL injection, but we cannot view the results. He therefore uses a technique for retrieving a large amount of data that can perform time delay SQL injection attacks by using multiple joins on the system tables. Identify the type of attack performed by Freddy in the above scenario.

Heavy query

Bob, a professional hacker, targeted administrator Alice's credentials to log into a remote server. Bob employed both dictionary attacks and brute-force attacks to crack the password. Using this method, Bob easily obtained Alice's password and accessed the remote server. Identify the technique employed by Bob in the above scenario.
A. hybrid attack
B. SQL injection
C. website defacement
D. guessing

Hybrid Attack

Which of the following practices is NOT a countermeasure to defend against web server attacks?

Install IIS server on a domain controller

While performing web application testing, Ruben, a software developer, found out that the web application failed to protect sensitive traffic flowing in the network. Additionally, the web application supported weak algorithms and used expired or invalid certificates, making it susceptible to various attacks that revealed user data.

Insufficient transport layer protection

Which of the following Burp Suite built-in tools is used to perform customized attacks and find and exploit unusual vulnerabilities in the target web application?

Intruder tool

Blind SQL Injection

Is a form of SQL Injection that overcomes the lack of error messages. Without the error messages that facilitate SQL Injection, the attacker constructs input strings that probe the target through simple Boolean SQL expressions. The results are usually not visible to the attacker.

Service

It is a software module offered by the service provider over the internet. It communicates with the requesters. At times, it can also serve as a requester, invoking other services in its implementation.

Service Requester

It is the application or client that is seeking a service or trying to establish communication with a service. In general, the browser is a requester, which invokes the service on behalf of the user.

Server Root

It is the top-level root directory under the directory tree in which the server's configuration and error, executable, and log files are stored.

Service Description

It provides interface details and service implementation details. It consists of all the operations, network locations, binding details, data types. It can be stored in a registry and invoked by the requester.

In which of the following layers of the vulnerability stack do security professionals configure solutions such as IDS and IPS to raise alarms if any malicious traffic enters a target server?

Layer 1

In which of the following layers of the vulnerability stack do attackers scan an operating system to find open ports and vulnerabilities and then develop appropriate malware to exploit them and gain control over the system?

Layer 3

Henry, a professional hacker, targeted an organization's database server to steal user IDs, passwords, phone numbers, and other particulars. He exploited a few underlying vulnerabilities using tools such as sqlmap and gained control over the target database server. In which of the following layers of the vulnerability stack has Henry performed the above attack? A. layer 4 B. layer 7 C. layer 5 D. layer 1

Layer 4

Identify the layer of the vulnerability stack in which attackers exploit flaws in the business logic by performing input validation attacks such as XSS.

Layer 7

Which of the following practices can help security teams protect the webserver from cyberattacks?

Limit the server functionality to support only the web technologies to be used


Which of the following countermeasures helps a security specialist defend the application against LDAP injection attacks?

Make the LDAP filter as specific as possible.

XML External Entities (XXE)

Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI handler, internal file shares, internal port scanning, remote code execution, and denial of service attacks.

Sensitive Data Exposure

Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser.

Which of the following types of SQL injection attack is difficult to perform as the attacker needs to communicate with the server and determine the features of the database used by the web application?

Out of band SQL Injection

Which of the following layers of the web application architecture includes all physical devices on the client side, such as laptops, smartphones, and computers?

Presentation Layer

Which of the following layers of the web application architecture includes all physical devices on the client side, such as laptops, smartphones, and computers?

Presentation/Client Layer

Some other measures to defend against web server attacks

Relocate sites and virtual directories to non-system partitions and use IIS web permissions to restrict access. Remove all unnecessary IIS script mappings for optional file extensions to avoid exploitation of any bugs in the ISAPI extensions that handle these types of files. Enable a minimum level of auditing on the web server and use NTFS permissions to protect log files. If a database server, such as Microsoft SQL Server, is to be used as a backend database, install it on a separate server. Use security tools provided with web server software and scanners that automate and simplify the process of securing a web server. Configure a separate anonymous user account for each application, if multiple web applications are hosted. Limit the server functionality to support only the web technologies to be used.


Inferential SQL Injection

Results of the attack come back by other means. Meaning, if we get an error message that doesn't tell us what we want to know, we may be able to derive the answer by inferring certain things about the response we did get.

Which of the following countermeasures helps a security specialist defend the application against SQL injection attacks?

Run a database service account with minimal rights

Which of the following countermeasures helps administrators defend against web server attacks?

Screen and filter incoming traffic requests


Which of the following built-in tools of Burp Suite is used for testing the randomness of session tokens?

Sequencer tool

Identify the attack in which an attacker exploits vulnerabilities that evolve from the unsafe use of functions in an application in public web servers to send crafted requests to the internal or backend servers.

Server-Side Request Forgery

Which of the following roles in a web service is a place where the provider loads service descriptions and the requester discovers the service and retrieves binding data from the service descriptions?

Service Registry

Document Root

Stores critical HTML files related to the web pages of a domain name that will be served in response to the requests

Which of the following practices helps developers defend against SQL injection attacks?

Test the content of string variables and accept only expected values

Piggybacked queries

The attacker adds additional queries beyond the intended query, piggy-backing the attack on top of a legitimate request

Bind

The requester tries to obtain service descriptions. This operation can be processed in two different phases: obtaining the service interface description at development time and obtaining the binding and location description calls at run time.

Virtual Document Tree

This provides storage on a different machine or disk after the original disk is filled up. It is case sensitive and can be used to provide object-level security.

Identify the component of web service architecture, which is a directory service that lists all the services available.

UDDI (Universal Description, Discovery, and Integration)

UDDI

Universal Description, Discovery, and Integration. A directory service that lists all the services available.

Which of the following countermeasures helps security teams prevent sensitive data from being exposed?

Use AES encryption for stored data and use TLS with HSTS for incoming traffic.

Which of the following components in a web server uses a technique where multiple domains can be placed on the same server and allows sharing of resources among various servers?

Virtual Hosting

Identify the attack that is likely to be performed by the attacker if the web server and application have HTTP response-splitting flaws.

Web Cache Poisoning Attack

Which of the following components of a web server is located between the web client and web server to pass all the requests and is also used to prevent IP blocking and maintain anonymity?

Web proxy

Identify the web-based attack in which the attacker makes unauthorized changes to a website's content that result in changes to the visual appearance of the web page or website.

Website Defacement

WSDL (Web Services Description Language)

XML-based language for describing Web services. Provides a standard by which a Web service can tell its client what kind of messages it will accept and what results will be returned. Includes the data types it can process, the methods it exposes, and the URLs through which those methods can be accessed.

Business Logic Layer

also known as the domain layer, the part of a three-layer architecture that contains the programs that implement the business rules and processes.

end-line comment

Appears at the end of a line of code. Typically explains the purpose of that

A10 - Insufficient Logging and Monitoring

coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract, or destroy data. Most breach studies show time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring.

In-band SQL Injection

is an injection attack in which the attacker uses one channel to inject malicious queries and retrieve results.

WS-Security

plays an important role in securing web services. It is an extension of SOAP and aims to maintain the integrity and confidentiality of SOAP messages as well as to authenticate users.

Web Server Misconfiguration

refers to configuration weaknesses in web infrastructure that can be exploited to launch various attacks on web servers such as directory traversal, server intrusion, and data theft

