CH. 10 Section 3 Web Application Attacks
Important facts about buffer overflow
A buffer is a temporary data storage area with limited space. Overflows occur when more data is stored than the program was written to hold. This can allow hackers to cause data to flow into other memory areas that may not be protected. Attackers may then access database files or system files and can replace executable code with malicious code. ——This is called arbitrary code execution. Buffer overflows can cause DoS attacks by crashing the program. They can occur in routers, IoT devices, and firewalls.
Memory leak
A leak that happens when dynamic memory is allocated in a program but no pointer remains connected to it, so the memory can never be returned when requested.
API attacks
A malicious use of an API (application programming interface).
Add-on is also known as
A plug-in or extension
Important facts about pointer/object Dereference
A pointer stores a memory address. All operating systems embed the kernel in the user's workspace. The kernel is the operating system's core program that controls everything in the system. Page protections protect the kernel from user access, but they can be exploited by a DoS attack through a NULL pointer dereference. If a DMA driver module doesn't have enough security protections in place, it can release user pages that are pinned to a pointer with a NULL value. This happens when: an app dereferences an object that comes back NULL instead of valid; NULL is exploited as a built-in constant that evaluates to 0 in the C language; an x86 system has a valid 0 address in the kernel address space.
Race conditions
A sequence of dependent events that a system is programmed to run in a certain order, which can lead to a time-of-check to time-of-use vulnerability.
What might indicate an unsecured connection or an attack on a browser
A web document with a URL that contains a new or different domain name than the site you intended to visit. A menu bar that includes new commands or is missing common commands. The status line of the browser displays an unlocked symbol when SSL should be in use.
What are the four most important GENERAL web browser practices
Always ask where to save files; Block pop-up windows; Remember search and form history; Accept third-party cookies and ask me every time
Pass the hash
An attack in which an attacker obtains a hashed password and uses it to gain unauthorized access
Buffer overflow
An attack that exploits an operating system or an application that does not properly enforce boundaries for inputting data such as the amount of data or the type of data
Resource exhaustion
An attack that focuses on depleting the resources of a network to create a denial of service to legitimate users
Driver manipulation
An attack that focuses on device drivers. ——The attack uses refactoring or shimming
SSL stripping
An attack that focuses on stripping the security from HTTPS-enabled websites.
Replay attack
An attack that happens when network traffic is intercepted by an unauthorized person who then delays or replays the communication to its original receiver, acting as the original sender. The original sender is unaware of this occurrence.
Pointer/object dereferencing
An attack that retrieves a value stored in memory that can be exploited through a NULL pointer dereference
How does pass the hash work
An attacker gains access to an individual computer through malware or other techniques. The attacker accesses the memory in the workstation to find stored hashes of other users that have used the workstation. The attacker uses the stored hashes to gain access to other workstations in search of a station that grants privilege escalation.
Two examples of error handling
(1) An attacker may use a SQL injection attack that fails initially. ——But the error message discloses the malformed query, which could show the query logic or other sensitive data, like passwords. The attacker can use the new information from the error message to gain access to the system. (2) The disclosure of the full pathname in an error message that is generated from a path-traversal weakness exploit attempt.
Shimming
As operating systems and other software libraries are updated, their application programming interface (API) may change. The API specifies how other programs should interact with the software library or operating system. If the API is updated with a new specification, other programs using older API specifications may not work. To remedy this, a shim can be used. A shim is software that is placed between the newer API and software that conforms to the older API. The shim intercepts calls to the older API, translates them, and passes them to the newer API. In some cases, shims can redirect the API calls elsewhere to complete the expected operation called for in the older API. Attackers can modify existing shims by injecting malicious code. They can also create a shim that intercepts valid API calls; however, the shim executes malicious code before it passes the valid calls through to the API.
Arbitrary code Execution
Attackers access database files or system files and can replace executable code with malicious code
Ex. of 3rd-party cookies
Banner ads
Why is pass the hash so dangerous
Because once an attacker gains access, the whole organization can be compromised very quickly
Most browsers let you clear what kind of data
Browsing history; Download history; Cookies and other site data; Cached images and files; Passwords; Autofill form data; Site permissions; Hosted app data
Which type of attack is the act of exploiting a software program's free acceptance of input in order to execute arbitrary code on a target
Buffer overflow attack
Processing of untrustworthy input data can lead to
Buffer overflows; XSS; Directory traversal; NULL byte injections; SQL injection; Uncontrolled format string; DoS; OS commanding
What are the two types of input validation that should be used when programming services
Client-Side Validation - should first be used on the local system to identify input errors before the data is ever sent to the server. For example, if the user enters an invalid value in an email address field, the error can be detected before the data is submitted. Server-Side Validation - should be used for error detection after the data is sent to the server. Experienced attackers can circumvent client-side validation techniques to send malicious information to the server. For example, an attacker could send data to the server from outside the application's standard user interface, bypassing any input validation measures that may have been implemented on the client. It is unwise to rely solely on client-side input validation techniques.
What are some security browser settings available
Cookies; Cache; Security; Add-on; General
Third Party Cookies are the
Cookies placed by sites linked to the site you are visiting
How to mitigate memory leaks
Delete unneeded memory allocations when finished with a project; Ensure that pointers are properly connected to memory values
DNSSEC
Domain Name System Security Extensions
How to mitigate SSL stripping
Encrypt all elements of your site with an SSL certificate. Add your domain to the HSTS preload list. This lets browsers know that your site is secure
How to mitigate race conditions (3)
Ensure your operating system's file system state is not allowed to change between two system calls; Use file system calls that run on file handles instead of file names when possible; Lock single files before the check
How to mitigate API problems
Implement rate limiting. This limits the number of calls from a client within a time limit. Use security logs to detect and analyze unauthorized access attempts. Look for SQL injections. These happen when a SQL statement is entered in a data field and gets executed in the database. Make sure that program notifications are sent when there is an excess of error messages.
An attacker inserts SQL database commands into a data input field of an order form used by a web-based application. When submitted, these commands are executed on the remote database server, causing customer contact information from the database to be sent to the malicious user's web browser. Which practice would have prevented this exploit?
Implementing client-side validation - it should have been used on the local system to identify input errors in the order form before the data was ever sent to the server
While using a web-based order form, an attacker enters an unusually large value in the Quantity field. The value he or she entered is so large that it exceeds the maximum value supported by the variable type used to store the quantity in the web application. This causes the value of the quantity variable to wrap around to the minimum possible value, which is a negative number. As a result, the web application processes the order as a return instead of a purchase, and the attacker's account is credited with a large sum of money. Which practices would have prevented this exploit? (Select two.)
In this example, if the user entered an invalid quantity in an order form field, client-side validation would have detected and blocked the error before the data was submitted to the server. Server-side validation should have also been used after the data was sent to the server to detect errors. Experienced attackers can circumvent client-side validation techniques by sending data to the server from outside the application's standard user interface, bypassing any input validation measures that may have been implemented on the client.
Which of the following functions does a single quote (') perform in an SQL injection?
Indicates that data has ended and a command is beginning
Which of the following is specifically meant to ensure that a program operates on clean, correct, and useful data
Input validation
In which locations can resource exhaustion attacks occur
Memory, file system storage, database connection pool entries, or the CPU
What add-ons should be used to increase the security of browsing activities
NoScript: blocks all active content except from the sites you trust; Adblock Plus: blocks advertisements and ad banners on the internet
As you browse the internet, you notice that when you go to some sites, multiple additional windows are opened automatically. Many of these windows contain advertisements for products that are inappropriate for your family to view. Which tool can you implement to prevent these windows from showing?
Pop-up blocker
Why do memory leaks occur?
Programmers often create temporary memory allocations that aren't deleted after use
When do replay attacks occur
Replay attacks happen when network traffic is intercepted by an unauthorized person who then delays or replays the communication to its original receiver, acting as the original sender. ——The original sender is unaware of this occurrence. They are a type of man-in-the-middle attack.
Whether unintentionally left over from a project or intentionally created by an attacker, memory leaks can result in (3)
Resource exhaustion; DoS; Exploitation of other areas affected by low-memory conditions
Slow post attack
Send the HTTP POST body very slowly. This is done through forms, logins, and feedback input fields. Can be prevented by setting a maximum body size for each form and configuring the web server with a maximum total transfer time.
Slow header attack
Send HTTP headers so slowly that it prevents other users from accessing the site. Can be prevented with HTTP header timeouts.
How to mitigate improper input handling
Set specific parameters for acceptable data forms and types; Accurately define data restrictions; Sanitize, validate, and filter properly
Resource exhaustion attacks can be done through (2)
Slow header attacks and slow post attacks
Refactoring
Software or code refactoring is usually considered a beneficial practice. The external behavior of refactored software code does not change. Internally, the code is modified to improve readability, reduce complexity, or improve efficiency. Attackers refactor device drivers so that their external behavior does not change. The printer, keyboard, network card, or other hardware controlled by the driver still functions properly. This makes it hard to detect any problems. Internally, the refactored driver now has hidden functions that benefit the attacker.
How to mitigate replay attack
Strong digital signatures with timestamps; Session keys that are time-bound and process-bound; Sequence numbers; Program authentication systems to accept network packets that have valid timestamps and sequence numbers
Privilege escalation
The exploitation of a misconfiguration, a bug, or design flaw to gain unauthorized access to resources.
Improper input handling
The lack of validation, sanitization, filtering, decoding, or encoding of input data
Error handling
The procedures in a program that respond to irregular input or conditions
horizontal privilege escalation
This is when an attacker gains data that belongs to another user with the same privilege level as themselves (like a co-worker)
vertical privilege escalation
This is when an attacker uses system vulnerabilities to escalate privileges to gain administrative access
Race Conditions (web application vulnerability)
Time-of-check to time-of-use bug (TOCTTOU). This happens when a system is programmed to run with certain processes dependent on a sequence of events, or race conditions. It can happen when an attacker schedules the execution of an operation between the time of check and the time of use and forces the user's process to pause or send an error. For example, in the moment between authenticating to a system and utilizing the system, the attacker can jump into the process and act as the authenticated user, leading to privilege escalation.
T or F: the best practice is to always enter passwords and not to have the browser remember them?
True
How to mitigate pass the hash
Use direct networking to prevent standard users and local admin users from having access to other users' workstations. Use the Group Policy Object (GPO) Editor to disable Remote Desktop Connections in an Active Directory network. Limit domain admins' access to only workstations with the same level of privileges. Create separate standard-user-level accounts for admins to use when accessing lower-privilege machines.
How to mitigate driver manipulations
Use the latest browser version and patch level. Verify that the operating system is at the latest patch level. Install antivirus, anti-spyware, pop-up blocking, and firewall software. Use input validation when programming services. Implement DNS Security Extensions, or DNSSEC. This is a security measure that only allows connection to your computer from servers that have previously been given a digital certificate. Use HTTPS. This transfer protocol encrypts HTTP over Transport Layer Security (TLS) or over Secure Sockets Layer (SSL), protecting your browser against threats. Use add-ons to increase the security of browsing activities. Train users to log out of websites when finished. Users should never allow applications to remember their authentication information.
First Party Cookies are
Used by the site you are visiting
Which of the following is an attack that injects malicious scripts into web pages to redirect users to fake websites to gather personal information?
XSS - cross-site scripting
Web browser
application for retrieving and displaying information on the internet
Cookies
are text files that save information about preferences, browser settings, and web page preferences. They identify you (or your browser) to websites
How do driver manipulations occur
as a result of a web application attack such as a drive-by download or through social engineering or phishing
How to mitigate error handling
be sure to program the error message with minimal information that's only useful to the intended audience
What is a device driver
is a small piece of software that provides an interface between the operating system and a hardware device such as a printer, keyboard, or network card
The double dashes (--) indicate that code
is ending and a comment is being entered
What is improper input handling referring to
lack of validation, sanitization, filtering, decoding input data, or encoding input data.
Replay attacks are also known as
session replay attacks
Cache
storage location for information that will be used again, such as images, sounds, web pages, and even usernames and passwords used on websites. In addition to taking up space, data in the cache could be retrieved by someone with access to the computer. To provide some level of protection, you should clear the web browser cache whenever you use a public computer to access the internet, especially when you have accessed sites for retrieving personal data.