Security+ Chapter 3
What can Add-ons do that Plug-ins can't?
1) Create additional web browser toolbars 2) Change browser menus 3) Be aware of other tabs open in the same browser process 4) Process the content of every webpage that is loaded
What are common web application attacks?
1) Cross-site scripting 2) SQL injection 3) XML injection 4) Command injection/directory traversal.
Name 3 types of Cookies.
1) First Party Cookie 2) Third Party Cookie 3) Session Cookie 4) Persistent Cookie 5) Locally Shared Object (LSO) aka Flash Cookie
Name 5 Common client-side attacks.
1) Header manipulation 2) Cookies 3) Attachments 4) Session hijacking 5) Malicious add-ons.
In what 3 ways can a session token be transmitted?
1) In the URL 2) in the header of the HTTP requisition 3) in the body of the HTTP requisition.
An XSS attack requires a website that meets what two criteria:
1) It accepts user input without validating it 2) and it uses that input in a response.
Name 4 of the most widely used plug-ins for web browsers.
1) Java 2) Adobe Flash player 3) Apple QuickTime 4) Adobe Acrobat Reader
Name 3 types of DOS attacks.
1) Ping flood 2) Smurf Attack 3) SYN flood attack
What are 3 examples of HTTP Header attacks?
1) Referer 2) Accept Language 3) Response Splitting
Why has the risks of plug-ins been reduced recently?
1) Some web browsers now prohibiting plug-ins 2) Some browsers use a "Click to Play" feature that enables a plug-in only after the user gives approval. 3) HTML 5 standardizes sound and video formats so that plug-ins like Flash are no longer needed.
Name two ways XML is different from HTML?
1) XML is designed to carry data instead of indicating how to display it. 2) XML does not have a predefined set of tags; instead, users define their own tags.
Impartial Overflow Attacks include what type of attacks?
1) buffer overflow attacks 2) integer overflow attacks 2) arbitrary/remote code execution attacks.
How much data can an LSO store?
100 KB of data from a website (about 25 times as much as a regular cookie)
Drive-by Download
A client-side attack resulting in a user's computer becomes compromised just by viewing a webpage and not even clicking on any content.
First Party Cookie
A cookie that is created from the website currently being viewed.
Persistent Cookie aka Tracking Cookie
A cookie that is recorded on the hard drive of the computer and does not expire when the browser closes.
Locally Shared Object (LSO) or Flash Cookie
A cookie that is significantly different in size and location from regular cookies, and can store more complex data. Also called Flash cookie.
Session Cookie
A cookie that is stored in Random Access Memory (RAM), instead of on the hard drive, and only lasts only for the duration of a visit to a website (until the browser is closed), or when the user is considered inactive.
Third Party Cookie
A cookie that was created by a third party that is different from the primary website, such as an advertiser on the webpage.
Cookie
A file on a local computer in which a web server stores user-specific information.
Attachment
A file that is coupled to an email message and often carries malware.
Session Token
A form of verification used when accessing a secure web application.
XML
A markup language that is designed to carry data, in contrast to HTML, which indicates how to display data.
Markup Language
A method for adding annotations to the text so that the additions can be distinguished from the text itself.
ActiveX
A set of rules for how applications under the Microsoft Windows operating system should share information.
ActiveX Controls a.k.a ActiveX applications
A specific way of implementing ActiveX that runs through the web browser and functions like a miniature application.
Plug-in
A third-party library that attaches to a web browser and can be embedded inside a webpage.
What is an XPath injection?
A type of XML injection attack that, attempt to exploit the XML Path Language (XPath) queries that are built from user input.
Ping
A utility that sends an ICMP echo request message to a host.
Which adds a greater degree of functionality to the entire browser? Add-ons (or) Plug-ins?
Add ons
CompTIA classifies Session Hijacking as what type of attack?
An "application attack".
Zero Pixel IFrame
An HTML element, which is invisible to the naked eye, that allows for embedding another HTML document inside the main document.
Session Hijacking
An attack in which an attacker attempts to impersonate the user by using the user's session token.
Arbitrary/remote code execution
An attack that allows an attacker to run programs and execute commands on a different computer.
Denial of Service (DOS) attack
An attack that attempts to prevent a system from performing its normal functions by overwhelming the system with requests.
Smurf Attack
An attack that broadcasts a ping request to computers yet changes the address so that all responses are sent to the victim.
Cross-site scripting
An attack that injects scripts into a web application server to direct attacks at clients.
Integer Overflow Attack
An attack that is the result of an attacker changing the value of a variable to something outside the range that the programmer had intended.
Buffer Overflow Attack
An attack that occurs when a process attempts to store data in RAM beyond the boundaries of a fixed-length storage buffer.
Directory Traversal Attack
An attack that takes advantage of a vulnerability so that a user can move from the root directory to restricted directories, and potentially display the contents of a document.
SYN Flood Attack
An attack that takes advantage of the procedures for initiating a TCP/IP session.
SQL Injection
An attack that targets SQL servers by injecting commands to be manipulated by the database.
Client-side attacks
An attack that targets vulnerabilities in client applications that interact with a compromised server or process malicious data.
Distributed Denial of Service (DDoS) attack
An attack that uses many computers to perform a DoS attack.
Ping Flood
An attack that uses the Internet Control Message Protocol (ICMP) to flood a victim with packets.
How is an SQL injection and XML injection attack similar?
An attacker who discovers a website that does not filter input user data can inject XML tags and data into the database, same as an SQL injection.
What attack often take advantage of malicious attachments, such as Visio or PDF, to gain the same user rights as the logged in user?
Arbitrary/remote code execution
Zero Day Attacks
Attack that exploits previously unknown vulnerabilities, so victims have no time (zero days) to prepare for or defend against the attack.
Why do add-ons provide more of a security risk?
Attackers can create malicious add-ons to launch attacks against the user's computer
What does HTTP Header attack "Referer" do?
Because some websites check the Referer field to ensure that the request came from a page generated by that site, an attacker bypasses that security by modifying the Referer field to hide the fact that it came from another site.
Drive-by Downloads typically target old browsers because why?
Because their attacks often are not as effective against newer browsers.
How does an attacker check an SQL database for vulnerability to an SQL injection?
By entering a fictitious email address on a webpage (log-in screen) that included a single quotation mark as part of the data, such as [email protected]'. This if the error message Server Failure is displayed, the attacker knows that input is being sent unfiltered to the database.
How are plug-ins added to a webpage?
By using the HTML <embed> tag or an <object> tag.
What type of attack use the web server as a platform to launch attacks on other computers that access it?
Cross-site scripting
Which attack is like a phishing attack but without needing to trick the user into visiting a malicious website?
Cross-site scripting
XXS represents what?
Cross-site scripting
SQL INJECTION STATEMENT: whatever' AND email IS NULL; --
Determine the names of different fields in the database
THE INPUT: http://www.server.net/dynamic.asp?view=../../../../../TopSecret.docx looks like what type of attack?
Directory Traversal Attack
SQL INJECTION STATEMENT: whatever' AND 1=(SELECT COUNT(*) FROM tabname); --
Discover the name of the table
SQL INJECTION STATEMENT: whatever'; DROP TABLE members; --
Erase the database table
What does XML stand for?
Extensible Markup Language
TRUE OR FALSE: Client Side Server attacks are limited to the web.
FALSE. They can occur on any client/server pair, such as email, File Transfer Protocol (FTP), instant messaging (IM), or multimedia streaming.
True or False: The malicious content of an XSS URL is confined to material posted on a website.
FALSE: It can be embedded into virtually any hyperlink, such as one in an email or instant message. That is why users should not blindly click on a URL that they receive
SQL INJECTION STATEMENT: whatever' OR full_name LIKE '%Mia%'
Find specific users. (In this case "Mia")
How can ActiveX Controls be envoked?
From webpages through the use of a scripting language or directly by an HTML command.
How is HTML used?
HTML is designed to display data, with the primary focus on how the data looks.
How does HTTP Header Manipulation work?
HTTP header manipulation allows an attacker to pass malicious instructions from her own malicious website or through an infected site to the web browser via HTTP headers
Spoofing
Impersonating another computer or device.
Command Injections
Injecting and executing commands to execute on a server.
What does IETF stand for?
Internet Engineering Task Force
Root Directory
Is a specific directory on a web server's file system. (not to be confused with the root user account, root password, rootkits, or root user's home directory)
HTML
Is such a markup language that uses specific words (tags) embedded in brackets (< >) that a web browser then uses to display text in a specific format.
Heap Spray
Is targeted and inserts data only in certain parts of memory. A heap spray is often used in an arbitrary/remote code execution attack.
What type of Cookie can be used to reinstate regular cookies that a user has deleted or blocked?
LSO or Flash Cookie
What does this reference? HTML FIELD NAME: Accept-Language
Lists of acceptable languages for content
SQL INJECTION STATEMENT: whatever'; UPDATE members SET email = '[email protected]' WHERE email = '[email protected]';
Mail password to attacker's email account
HTTP Header Manipulation
Modifying HTTP headers to create an attack.
Can LSO's be deleted through the browser configuration settings?
No, since they are saved in multiple locations on the hard drive. In mid-2011, Adobe released an online tool to delete LSOs.
What does this reference? HTML FIELD NAME: Set-Cookie
Parameters for setting a cookie on the local computer
HTTP Header
Part of HTTP that is comprised of fields that contain the different characteristics of the data that is being transmitted.
Add ons
Program that provides additional functionality to web browsers. Also called extension.
What is one of the most common HTTP header manipulations?
Response Splitting
What does HTTP Header attack "Accept Language" do?
Some web applications pass the contents of the Accept Language field directly to the database. An attacker can inject an SQL command by modifying this header. In addition, if the web application used the Accept-Language field contents to build a filename from which to look up the correct language text, an attacker could generate a directory traversal attack.
What does SQL mean?
Structured Query Language
TRUE OR FALSE: Anything a user can do on a computer, an ActiveX control can do, such as deleting files or reformatting a hard drive.
TRUE
TRUE OR FALSE: Once a cookie is created on a client computer, only the website that created that cookie can read it.
TRUE
What is one of the most common elements that can be altered in a buffer overflow attack?
The "return address" is not the only element that can be altered in a buffer overflow attack, but it is one of the most commonly.
What does this reference? HTML FIELD NAME: Referer or Referrer
The address of the previous webpage from which a link to the currently requested page was followed
What does HTTP Header attack "Response Splitting" do?
The application on the client computer must allow input that contains carriage return (CR) and line feed (LF) characters in the header. By inserting a CRLF in an HTTP header (%0d%0a), these characters can not only give attackers control of the remaining HTTP headers and body of the response but also allow them to create additional responses via HTTP headers that are entirely under their control.
Integer Overflow (related to Computers)
The condition that occurs when the result of an arithmetic operation—like addition or multiplication—exceeds the maximum size of the integer type used to store it.
What happens when an integer overflow occurs?
The interpreted value then wraps around from the maximum value to the minimum value.
What happens if a user visits a webpage with a zero pixel IFrame injected by an attacker?
Their browsers download the initial exploit script that targets a vulnerability in the browser through an IFrame. If the script can run successfully on the user's computer, it will instruct the browser to connect to the attacker's web server to download malware, which is then automatically installed and executed on the client.
How is a Directory Traversal Attack launched?
This attack is launched through a vulnerability in the web application program that accepts user input, a vulnerability in the web server operating system software, or a security misconfiguration on the server itself.
How can First-Party cookies pose security risk?
This type of Cookie can be stolen and used to impersonate the user
How can Third-Party cookies pose a security risk?
This type of cookie can be used to track the browsing or buying habits of a user.
What does this reference? HTML FIELD NAME: Server
Type of web server
How is XML used?
XML is for the transport and storage of data, with the focus on what the data is.
What type of attack is common for an attacker to steal the session token cookie from the victim's computer and then use it to impersonate the victim?
XSS
Arbitrary/remote code execution gives the attacker what kind of power over the victims computer?
allows an attacker to run programs and execute commands on a different computer, turning the victims computer into his own remote computer.
Cross-site scripting
it refers to an attack using scripting that originates on one site (the web server) to impact another site (the user's computer).