D385: Logging and Security Issues
What do system monitoring and review of audit trails provide?
- Accountability
ALE
- Annualized Loss Expectancy
Integration Testing Types
- Big Bang - Bottom Up - Top Down - Sandwich
Which two classes does the bdb module implement?
- Breakpoint - Bdb
Attributes of Intelligible Exceptions?
- Brief - Meaningful - Actionable
CSRF Mitigation
- CSRF tokens - SameSite cookies - avoid using GET requests for state-changing actions
CDI/UDI
- Constrained Data Interface - UnConstrained Data Interface
Dynamic Analysis
- DAST - performed by executing programs on a real or virtual processor in real time - find security errors in a program while it is running - cannot provide exact location where problems reside
What are the logging levels and values?
- DEBUG = 10 - INFO = 20 - WARNING = 30 - ERROR = 40 - CRITICAL = 50
Phases of Penetration Test?
- Data collection - Vulnerability assessment - Actual Exploit - Result in analysis and report preparation
Which test is solely black box testing?
- Integration testing
Which protocol caches a token after it has been acquired?
- MSAL (Microsoft Authentication Library) - strictly a client library rather than a protocol; it caches the token it acquires and reuses it for later calls instead of re-authenticating
MTBF
- Mean Time Between Failures
MTTR
- Mean Time to Repair
MTSR
- Mean Time to Service Repair
What standard specifies minimum security requirements for audit data (logs)?
- NIST FIPS 200
When practicing defensive programming, what should your attitude about data be?
- Never trust data
6 important aspects of OSSTMM?
- Open Source Security Testing Methodology Manual 1. project scope 2. confidentiality 3. change process 4. test plan 5. test process 6. reporting standard
What does cross-origin resource sharing (CORS) allow users to do?
- Relax the same-origin policy for specific resources (the server opts in with an Access-Control-Allow-Origin header)
Three Assertion Categories?
- Precondition: something that must be true at the start of a function in order for it to work correctly - Postcondition: something that the function guarantees is true when it finishes - Invariant: something that is always true at a particular point inside a piece of code
What are the popular Python unit testing frameworks?
- unittest (also called PyUnit; built into the standard library) - pytest
SSRF
- Server-side Request Forgery - attacker is able to make the server send requests on their behalf - because the request originates from the server's privileged network position, the attacker can bypass firewall controls and reach internal services
What does a Session require?
- Session ID (randomly generated) - Cookies (never contain sensitive data) - session expiration
SLE
- Single Loss Expectancy
What should be Penetration Tested?
- Software - Hardware - Network - Processes - End-user behavior
How many arguments does the clear_break() method take?
- Two - filename, line number
What Data should be Validated?
- User input - Internal data - External data
Which logging function may indicate an impending full disk?
- WARNING - indicates that there could be a problem in the immediate future
Integration Testing Issues
- When to integrate? - Who does the testing? - What methods?
What kind of attacks does Client-side Testing look to prevent?
- XSS - SQLi - CORS - Clickjacking - HTML injection
What kind of defects does Static Analysis find?
- XSS - SQLi - configuration mistakes - patch errors (it does not find vulnerabilities introduced in the runtime environment; those need dynamic analysis)
XML External Entity Attacks
- XXE - when attackers exploit an XML parser to read arbitrary files on your server - attackers might also be able to read config files, retrieve user information
What are Assertion statements?
- a statement that something must be true at a certain point in a program - if true the program does nothing - if false the program halts immediately with an AssertionError, printing the error message (if one is provided)
Advantages of Static Code Analysis?
- access to the actual instructions the software will execute - can find the exact location of weaknesses in the code - can be conducted by trained software developers who understand the code - allows quick turnaround time - relatively fast if automated tools are used - automated tools can scan the entire code base - automated tools can provide mitigation recommendations - issues found earlier in the development lifecycle
Integration Testing
- after unit testing, the units are combined and tested together as a group
Defensive Coding Basic Concepts?
- all data is important - all data is tainted - all code is insecure - design by contract - sanitize (make sure no attack characters)
Recoverability
- application bounces back with minimal impact to data - data resumes being usable
What is the general structure of an assertion statement?
- assert expression[, assertion_message]
What is defensive programming?
- assuming mistakes will happen and guarding against them - assertions are the most common way of doing this - code checks itself as it runs - always check, validate, and sanitize data
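Added example (not from the course): the three assertion categories written as Python assert statements, plus the caveat that asserts are stripped under python -O, so untrusted input still needs a real check. The function names are illustrative.

```python
def checked_sqrt_floor(n):
    """Integer square root with precondition, invariant and postcondition asserts."""
    # Precondition: must be true when the function starts
    assert isinstance(n, int) and n >= 0, "n must be a non-negative integer"
    lo, hi = 0, n + 1
    while hi - lo > 1:
        # Invariant: must hold on every pass through this point
        assert lo * lo <= n < hi * hi, "search bounds lost the answer"
        mid = (lo + hi) // 2
        if mid * mid <= n:
            lo = mid
        else:
            hi = mid
    # Postcondition: guaranteed when the function finishes
    assert lo * lo <= n < (lo + 1) * (lo + 1), "result is not floor(sqrt(n))"
    return lo


def assertions_enabled():
    """Return False when the interpreter runs with -O, which removes asserts."""
    try:
        assert False
    except AssertionError:
        return True
    return False


def precondition_violation_message(bad_input):
    """Show what a failed assert produces: an AssertionError carrying the message."""
    try:
        checked_sqrt_floor(bad_input)
    except AssertionError as exc:
        return str(exc)
    return None


def validate_count(n):
    """Input validation must not rely on assert (it can be disabled): raise instead."""
    if not isinstance(n, int) or n < 0:
        raise ValueError("count must be a non-negative integer")
    return n
```

Asserts document programmer assumptions; validate_count shows the shape a check on untrusted data must take.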
Limitations of Dynamic Code Analysis
- automated tools provide false sense of security - automated tools provide false positives, false negatives - only as good as the rules given - not enough trained professionals - difficult to trace vulnerability back to exact location, makes fixing the problem take longer
Successful Security Test Execution Includes?
- baseline and benchmark tests have been performed - automated test scripts have been validated as correct - re-benchmarking testing has been conducted after tuning - a basis for future test comparison has been created - test results of the security test case execution have been analyzed
When to Validate Data?
- before data is used - when data moves
Which three QA security-specific test type categories must be performed on software?
- benchmark - scheduled - exploratory
Which attribute provides a dictionary of breakpoint instances?
- bplist - a dictionary keyed by (file, line) tuples whose values are the Breakpoint instances set at that location
A security analyst has noticed a vulnerability in which an attacker took over multiple user's accounts. Which vulnerability did the security analyst encounter?
- broken access control
Types of Vulnerabilities found by Dynamic Analysis
- buffer overflow - SQLi - XSS - memory leaks - weak ciphers - these are found at runtime, which is exactly what static analysis cannot see
Secure Unit Testing
- check for bad input - bypass security - inject bad data
What are two common defensive coding techniques?
- check functional preconditions and postconditions - develop code with exceptions to find errors
Cross-site Request Forgery
- client-side technique used to attack other users of a web application - attackers send HTTP requests that pretend to come from the victim - attackers then carry out unwanted actions such as changing a password or transferring money from a bank account
Which three data types are considered user-provided?
- cookies - POST data payloads - URL parameters
What should be checked when checking parameters?
- data type - data size - data format
PDB
- debugger built into the Python standard library
Six Sigma DMADV
- define - measure - analyze - design - verify
Six Sigma DMAIC
- define - measure - analyze - improve - control
Causes of Vulnerabilities?
- design and development errors - poor system configuration - human errors - connectivity - complexity - password - user input - management - lack of training to staff - communication
What are limitations of Static Code Analysis?
- does not account for runtime vulnerabilities - requires the tester to possess both testing and software development skills - tools have to be language specific
Unit Testing
- done as early as possible - completed by developer before checked into repository - informal
Disadvantages of Unit Testing
- done by the person that programmed it - informal - may not be thorough and might miss something
Advantages of Unit Testing
- done early on - before integration with other code
Criteria for selecting the best penetration tool?
- easy to deploy, configure, and use - scan your system easily - categorize vulnerabilities based on severity - automate the verification of vulnerabilities - re-verify the exploits - generate detailed vulnerability reports and logs
Which three actions are supported by the Python Debugger (PDB)? (Choose 3 answers.)
- establishing breakpoints - code step throughs - stack tracing
Which Python function is prone to a potential code injection attack?
- eval( ) - exec ( )
An attacker exploits a cross-site scripting vulnerability.
- execute an attacker-supplied script in the victim's browser (not a shell command on the server)
Which method is used for a SQL injection attack?
- exploiting query parameters
What are limitations of Dynamic Code Analysis?
- false negatives and false positives - dependent on the correctness of the rules - false sense of security
What are advantages of Static Code Analysis?
- fast turnaround time, especially when tools are used
What should you do when you have UDI?
- filter anything unexpected
What are basic concepts in secure testing?
- finding vulnerabilities - finding variance from policy
What Parameters should be checked?
- function parameters - constructor parameters - data parameters
Which function can be used to return all set breakpoints?
- get_all_breaks( ) - returns the dictionary of all set breakpoints, keyed by filename with a list of line numbers per file
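Added example (not from the course): a minimal debugger built on bdb.Bdb that sets a breakpoint with set_break(), lists it with get_all_breaks(), runs a function under the debugger, and removes it with clear_break(filename, lineno). The traced function is illustrative.

```python
import bdb


def target(x):
    y = x * 2          # def line + 1
    z = y + 1          # def line + 2: the breakpoint goes here
    return z


BP_FILE = target.__code__.co_filename
BP_LINE = target.__code__.co_firstlineno + 2


class LineRecorder(bdb.Bdb):
    """Records every line the debugger stops on, then continues."""

    def __init__(self):
        super().__init__()
        self.stops = []

    def user_line(self, frame):
        # Called for each stop: the first stepped line and every breakpoint hit
        self.stops.append((frame.f_code.co_name, frame.f_lineno))
        self.set_continue()   # resume until the next breakpoint


def snapshot(dbg):
    """Deep-copy get_all_breaks() so later clear_break() calls do not alter it."""
    return {f: list(lines) for f, lines in dbg.get_all_breaks().items()}


def run_with_breakpoint():
    dbg = LineRecorder()
    err = dbg.set_break(BP_FILE, BP_LINE)   # None on success, else an error string
    if err is not None:
        raise RuntimeError(err)
    breaks_before = snapshot(dbg)
    result = dbg.runcall(target, 5)
    dbg.clear_break(BP_FILE, BP_LINE)       # two arguments: filename, line number
    breaks_after = snapshot(dbg)
    return result, dbg.stops, breaks_before, breaks_after


if __name__ == "__main__":
    print(run_with_breakpoint())
```

pdb is itself a subclass of bdb.Bdb; this is the same machinery with the interactive prompt removed.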
Which SDL phase uses static code analysis?
- implementation - white box testing during the implementation phase
What does CRITICAL indicate?
- indicates catastrophic code malfunction
What does ERROR indicate?
- indicates code malfunction
What is a Session?
- interactive - temporary - connection between 2 or more devices - provides state on top of a stateless protocol such as HTTP
Advantages of Dynamic Code Analysis
- requires only a running system to perform the test - no requirement to have access to source code - no need to understand how to write software - tests the specific operational deployment - identifies vulnerabilities at runtime - automated tools provide flexibility on what to scan - identifies false negatives from static code analysis - validates static code analysis findings - can be conducted on any application (limited scope and no access to the actual instructions being executed are limitations, not advantages)
What does the following check in a penetration test script try to find?
    try:
        transport_security = req.headers['Strict-Transport-Security']
    except KeyError:
        print('HSTS header not set properly')
- man-in-the-middle - without HSTS a client can be downgraded to plain HTTP
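Added example (not from the course): a fuller version of that check that evaluates the Strict-Transport-Security directives rather than only the header's presence. The header dictionaries in the test are constructed; in a real run the argument would be response.headers from the requests library.

```python
ONE_YEAR = 31536000  # seconds; commonly required minimum max-age


def parse_hsts(headers):
    """Return (max_age, include_subdomains) or None if the header is absent or malformed."""
    # Case-insensitive lookup (requests' CaseInsensitiveDict does this already)
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return None
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.lower()
        if name == "max-age":
            try:
                max_age = int(arg.strip().strip('"'))
            except ValueError:
                return None  # malformed value: browsers ignore it, so treat as unset
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return max_age, include_sub


def hsts_finding(headers, min_age=ONE_YEAR):
    """Map the header to the pentest finding: missing or weak HSTS leaves
    clients open to a downgrade (SSL-stripping) man-in-the-middle."""
    parsed = parse_hsts(headers)
    if parsed is None:
        return "HSTS header not set: man-in-the-middle downgrade possible"
    max_age, include_sub = parsed
    problems = []
    if max_age < min_age:
        problems.append("max-age below one year (%d)" % max_age)
    if not include_sub:
        problems.append("includeSubDomains missing")
    return "HSTS OK" if not problems else "HSTS weak: " + "; ".join(problems)
```

Note that HSTS is only honoured by a browser after a first response over HTTPS; the header on an HTTP response is ignored, which is why the check belongs on the HTTPS endpoint.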
Benefits of CDI
- more secure - more user friendly - starts data validation
How should Loggers be instantiated?
- never instantiated directly - always through the module-level function - logging.getLogger(name)
SSRF Mitigation
- never make outbound requests based on user input - validate external addresses before initiating any outbound requests
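Added example (not from the course): allow-list validation of a user-supplied URL before the server fetches it, rejecting non-HTTP schemes, embedded credentials, unexpected ports and IP literals in private, loopback or link-local ranges (the cloud metadata address lives there). ALLOWED_HOSTS is hypothetical.

```python
import ipaddress
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"api.example.com", "images.example.com"}  # hypothetical allow list


def is_internal_ip(host):
    """True if host is an IP literal that is not globally routable."""
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return False          # not an IP literal; the allow list decides
    return not ip.is_global   # private, loopback, link-local, etc.


def validate_outbound_url(url):
    """Return the URL if the server may request it, otherwise raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("scheme not allowed: %r" % parts.scheme)
    host = parts.hostname
    if host is None or parts.username or parts.password:
        raise ValueError("missing host or credentials embedded in URL")
    if is_internal_ip(host):
        raise ValueError("internal address rejected: %s" % host)
    if host.lower() not in ALLOWED_HOSTS:
        raise ValueError("host not on allow list: %s" % host)
    if parts.port not in (None, 80, 443):
        raise ValueError("port not allowed: %s" % parts.port)
    return parts.geturl()


def outbound_allowed(url):
    try:
        validate_outbound_url(url)
        return True
    except ValueError:
        return False
```

An allow-listed hostname can still resolve to an internal address (DNS rebinding), so production code should resolve the name itself, apply is_internal_ip to the resolved address, and connect to that address rather than letting the HTTP client resolve it again.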
What are the 3 tenants of Defensive Programming?
- never trust data - validate everything - robust error handling (the three tenets)
Sensitive Data Leaks
- occurs when an application fails to properly protect sensitive information - this typically occurs through descriptive response headers, descriptive error messages with stack traces or database error messages, or revealing comments in HTML files
What does DEBUG indicate?
- only used when diagnosing software problems
What are some Python debugging tools?
- pdb: most commonly used - Web-PDB - wdb - Pyflame - objgraph
Static Analysis
- performed without actually executing the program - performed by an automated software tool - SAST - provides line-of-code-level detection - allows vulnerabilities to be remediated quickly - can be used by software developers before checking in code
Log Injection Attack Mitigation
- prefixing log entries with metadata (e.g. a timestamp) - validate the entry before accessing or opening it
What are some common debugging techniques?
- printing out values of variables - changing the state ("path") of the program to make it do different things - stepping through the execution of a program line by line - breakpoints - trace points - stopping the program at certain events - viewing the output of a program in a debugger window
Regression Testing Issues
- prioritization - how much is enough - test selection - who should do the test
3 Steps to Evaluate Web Application?
- recon - discovery - exploit
Security Logs
- record access to resources such as files, folders, printers
Attributes of Constrained Data Interfaces?
- reduced text fields - constrained flow - easy to follow for end user
Which software testing method relies on using old test cases?
- regression testing
Limitations of Static Code Analysis
- requires access to the source code - requires proficiency in running software builds - will not find issues related to deployment environments - time consuming - automated programs do not support all languages - lots of false positives and false negatives - not enough trained personnel - false sense of security - automated tools are only as good as the rules given - does not find vulnerabilities in the runtime environment
Resiliency
- resistant to failure - handles unexpected situations - stable operations
Which response method, when sent a request, returns information about the server's response and is delivered back to the console?
- response.content - the raw body of the server's response as bytes (response.text returns it decoded as a string)
3 Phase Approach that optimizes the use of Static Analysis Tools?
- run all available code analysis tools - look for common vulnerability patterns - dig deep into risky code
Insecure Deserialization
- serialization converts an in-memory object into a format that can be stored in a file or database or sent over the network - DEserialization reads a serialized object back from a file or the network and rebuilds the object - INSECURE DESERIALIZATION occurs when an attacker can manipulate the serialized object and achieve authentication bypass, DoS, or arbitrary code execution
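Added example (not from the course): how deserializing attacker-controlled pickle data executes code, and a restricted unpickler (the find_class override pattern from the pickle module documentation) that refuses it. The payload is built locally and the "gadget" only records that it ran; a real payload would call something like os.system.

```python
import builtins
import io
import pickle

SIDE_EFFECTS = []  # records what the attacker-chosen callable managed to run


def gadget(arg):
    """Stands in for os.system(...): any importable callable can be named in a pickle."""
    SIDE_EFFECTS.append(arg)
    return arg


class Malicious:
    # __reduce__ tells pickle: "to rebuild me, call gadget('pwned')"
    def __reduce__(self):
        return (gadget, ("pwned",))


def build_payload():
    """Constructed attacker input: the bytes a victim would receive."""
    return pickle.dumps(Malicious())


def unsafe_load(data):
    """Vulnerable: pickle.loads runs whatever __reduce__ asked for."""
    return pickle.loads(data)


SAFE_BUILTINS = {"range", "complex", "set", "frozenset", "slice"}


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        # Only a small allow list of builtins may be referenced by the stream
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError("global %s.%s is forbidden" % (module, name))


def safe_load(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def safe_load_rejects(data):
    try:
        safe_load(data)
    except pickle.UnpicklingError:
        return True
    return False


def roundtrip_plain(obj):
    """Plain containers need no globals, so the restricted loader accepts them."""
    return safe_load(pickle.dumps(obj))
```

For data that crosses a trust boundary, a schema-validated format such as JSON is the better default; the restricted unpickler is for cases where pickle cannot be replaced.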
What Logger method sets the threshold for the logger instance? How does it work?
- setLevel(level) - logging messages less severe than "level" are ignored - logging messages of severity "level" or higher are emitted by whichever handler or handlers service this logger
Unit Test
- smallest, testable pieces of code called units - verifies that each part of the code works correctly and as intended
What makes a good test case?
- specific - measurable - testable
Manual Code Review Process Steps
1. identify security code review objectives 2. perform preliminary scan 3. review code for security issues 4. review for security issues unique to the architecture
4 Step Code Review Cycle
1. identify security code review objectives 2. perform preliminary scan 3. review code for security issues 4. review the security issues unique to the architecture
What is required for Secure Sessions?
- HTTPS - tokens (invalidate on the server) - expiration of session
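Added example (not from the course): a randomly generated session ID kept in a server-side store with expiration, the Set-Cookie attributes a secure session cookie needs, and a CSRF token bound to the session with HMAC that state-changing POST requests must present. SECRET_KEY, the cookie name and the 15-minute TTL are hypothetical.

```python
import hashlib
import hmac
import secrets
import time

SECRET_KEY = secrets.token_bytes(32)   # hypothetical: loaded from configuration in practice
SESSION_TTL = 15 * 60                  # session expiration, seconds

_sessions = {}  # server-side store: session_id -> {"user": ..., "expires": ...}


def _now(now):
    return time.time() if now is None else now


def create_session(user, now=None):
    sid = secrets.token_urlsafe(32)           # randomly generated, 256 bits of entropy
    _sessions[sid] = {"user": user, "expires": _now(now) + SESSION_TTL}
    return sid


def session_cookie_header(sid):
    # The cookie carries only the opaque ID; the sensitive data stays server-side
    return "session=%s; Path=/; Secure; HttpOnly; SameSite=Strict" % sid


def get_session(sid, now=None):
    s = _sessions.get(sid)
    if s is None or _now(now) >= s["expires"]:
        _sessions.pop(sid, None)              # expired: invalidate on the server
        return None
    return s


def invalidate_session(sid):
    """Logout: the server forgets the ID, so a stolen cookie stops working."""
    _sessions.pop(sid, None)


def csrf_token(sid):
    """Derive the anti-CSRF token from the session ID so it is unique per session
    and unguessable without SECRET_KEY."""
    return hmac.new(SECRET_KEY, sid.encode(), hashlib.sha256).hexdigest()


def verify_state_change(sid, method, submitted_token, now=None):
    """Gate for state-changing requests: live session, POST (never GET), token match."""
    if get_session(sid, now) is None:
        return False
    if method != "POST":
        return False
    return hmac.compare_digest(csrf_token(sid), submitted_token or "")
```

The token is delivered to the legitimate page (form field or response header) and echoed back by the browser; a cross-site page cannot read it, and SameSite=Strict additionally keeps the session cookie off cross-site requests altogether.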
What is the primary defense against log injection attacks?
- strictly sanitize outbound log messages by implementing an allow list of characters - this may mean limiting all logs to alphanumeric characters and spaces
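Added example (not from the course): a logger obtained through logging.getLogger(), a threshold set with setLevel(), and a logging.Filter that applies a character allow list to the rendered message so a newline in attacker-controlled input cannot forge a second log entry. Records are collected by an in-memory handler so the result can be inspected; the logger name and allowed character set are hypothetical.

```python
import logging
import re

# Allow list: anything outside it is replaced with "?"
_DISALLOWED = re.compile(r"[^A-Za-z0-9 ._:@/=-]")


class SanitizeFilter(logging.Filter):
    """Neutralise log injection: newlines and control characters cannot survive."""

    def filter(self, record):
        record.msg = _DISALLOWED.sub("?", record.getMessage())
        record.args = ()
        return True


class ListHandler(logging.Handler):
    """Keeps formatted lines in memory instead of writing to a file or stream."""

    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(self.format(record))


def build_logger(name="app.auth", level=logging.INFO):
    logger = logging.getLogger(name)      # never logging.Logger(name) directly
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(level)                # records less severe than `level` are dropped
    handler = ListHandler()
    handler.setFormatter(logging.Formatter("%(levelname)s %(name)s %(message)s"))
    logger.addFilter(SanitizeFilter())    # logger-level filter runs before any handler
    logger.addHandler(handler)
    return logger, handler


def log_login_attempt(username):
    """Log a failed login for `username` (untrusted) and a WARNING; return the lines."""
    logger, handler = build_logger()
    logger.debug("debug detail for %s", username)      # DEBUG = 10 < INFO: dropped
    logger.info("failed login for user=%s", username)  # INFO = 20
    logger.warning("disk space low")                   # WARNING = 30
    return handler.lines


# Constructed attacker input: a username carrying a forged "login ok" entry
INJECTED_USERNAME = "alice\nINFO app.auth login ok for user=admin"
```

Without the filter the second line of the username would appear as its own entry and could mislead anyone reviewing the audit trail; with it the attempt is visible as one line containing a "?".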
Which package is meant for internal use by Python for regression testing?
- test
What happens when assertion condition result is false?
- the program stops and raises an AssertionError (with the message, if one was given)
Unconstrained Input
- the user can input as much data as they want
What are advantages of Dynamic Code Analysis?
- there is no need to understand how to write software
What are true about assertions?
- they are conditional Boolean expressions - they have an optional message part - they are used to check the types or values of arguments
What is the central concept for the Flaw Hypothesis Method?
- to test hypothetical flaws based on priority
Which three debugging techniques require the use of a debugger? (Choose 3 answers.)
- trace points - breakpoints - code step through
User Acceptance Testing Issues
- training - focus; need the end user to prioritize testing - bias
Exception Handling
- trap all errors - specific error handling - trap on site (where it occurred)
Reliability
- uptime - responsiveness - accurate
SQL Injection Attack Mitigation
- use parameterized statements
What are two techniques of defensive programming?
- value substitution - exception handling
Standard Defect descriptions and attributes?
- what - where - how - severity - status
Injection Attacks
- when an application cannot properly distinguish between untrusted user data and code - typically allows for arbitrary code execution
A successful security test execution plan assumes?
- you have done a detailed risk analysis - test assets have been developed as part of the risk management plan
CERT Top 10 Secure Coding Practices
1. validate input 2. heed compiler warning 3. architect/design for security 4. keep it simple 5. default deny 6. least privileges 7. sanitize data 8. defense in depth 9. QA 10. standards