Ch.6 - Attacking Web Applications/SQL Injections (p.247-261)
Describe what the below SQL commands are doing/saying: (p.255)
SELECT * FROM Orders;
SELECT OrderID, FirstName, LastName FROM Orders;
SELECT OrderID, FirstName, LastName FROM Orders WHERE LastName = 'Walker';
DROP TABLE Orders;
"Database, pull all records from the table named Orders." "Database, pull the OrderID, FirstName and LastName columns from every row of the table named Orders." "Pull the OrderID, FirstName and LastName of all orders made by people with the last name Walker." "Delete the table named Orders, structure and data; nothing is returned."
What is the below SQL injection doing? (this is being done in the 'forgot your password' page, asking user to enter their email address.) anything' ; INSERT INTO cust ('cust_Email', 'cust_Password', 'cust_Userid', 'cust_FirstName', 'cust_LastName') VALUES ( '[email protected]', 'P@ssw0rd', 'Drew', 'Andrew', 'Mitchell') ; --
"Database, you have a table named cust. Add a new row with these values in the columns email, password, userid, firstname and lastname." Reading the payload left to right: anything' closes the string literal the form expected, the ; ends the legitimate lookup statement, the INSERT creates an account the attacker controls, and the trailing -- comments out whatever the application appends after the input. This only works when the back end executes several statements from one input (stacked queries); see piggybacking below. Note the single quotes around the column names are as printed in the book; in standard SQL single quotes mark string literals and identifiers are unquoted or double-quoted, so several engines would reject that exact text.
What are the 3 main categories of SQL injection attacks? (p.258-259)
*In-band* SQL injection *Out-of-band* SQL injection *Blind/inferential* SQL injection
What are some key pieces of information cookies can contain for an attacker to use? (p.253) Where are cookies sent from?
-authentication details -site preferences -shopping cart contents -session details Cookies are sent from a web server in the *header of an HTTP response* (the Set-Cookie header; the cookie may or may not carry an expiration date, and without one it lasts only for the browser session)
While canary words are good for test purposes, what 2 mechanisms are extremely common to fight memory management (buffer overflow) attacks? (p.251)
ASLR (address space layout randomization) DEP (data execution prevention)
What category/type of SQL injection occurs when the attacker knows the database is susceptible to injection, but the error messages and screen returns don't come back to the attacker for viewing? (p.259)
Blind/inferential SQL injection
What are all these SQL injection inputs trying to accomplish?
' ) ( ' 1 ' = ' 1 ' - -
admin'--
admin' /*
' or 1=1 --
Bypass authentication. The quote ends the string literal the login form expected; -- and /* comment out the rest of the query, typically the password check; or 1=1 makes the WHERE clause always true.
What web application/server attack forces an end user to execute unwanted actions on a web application in which they're currently authenticated? (p.253) (p.254 - picture diagram) Tricks the user into submitting a malicious request.
CSRF (Cross-Site Request Forgery)
How can you see if a website is vulnerable to SQL injection attacks? (p.257)
Check the target for a login page (or any form whose input reaches the database) and enter a single quote ( ' ) to see whether you get a database error message; an unescaped quote unbalances the string literal in the query. Also try: anything' or 1=1 -- (an unexpected login, or a full listing, means the input reached the query unescaped). No visible error does not prove the site is safe; see blind/inferential injection below.
How can CSRF (cross-site request forgery) attacks be mitigated? (p.252)
Configure the web application to send *random challenge tokens* (anti-CSRF tokens) with each form and to check them on every state-changing request. The attacker's page can make the victim's browser send the request (the session cookie goes along automatically) but cannot read the token, so a request without a valid token is easy to spot as illegitimate, not initiated by the user, and is rejected.
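The token check described above, as an added example that is not from the book or the flashcards. It assumes an in-memory dictionary stands in for the server's session store and that the session identifier has already been read from the cookie; the form dictionaries are constructed for the demonstration.

```python
import hmac
import secrets

# Constructed in-memory store standing in for the web server's session state
# (assumption: one token per session, rotated each time a form is rendered).
SESSION_TOKENS = {}


def issue_csrf_token(session_id):
    """Called when the server renders a form: mint a random challenge token,
    remember it for this session and embed it in the page as a hidden field."""
    token = secrets.token_urlsafe(32)
    SESSION_TOKENS[session_id] = token
    return token


def verify_csrf_token(session_id, submitted):
    expected = SESSION_TOKENS.get(session_id)
    if expected is None or submitted is None:
        return False
    # Constant-time compare so the check does not leak the token byte by byte.
    return hmac.compare_digest(expected, submitted)


def handle_transfer(session_id, form):
    """State-changing POST handler. `session_id` comes from the session cookie,
    which the browser attaches to cross-site requests automatically; `form`
    is the POST body, which only a page on the legitimate origin can fill in
    with the right token."""
    if not verify_csrf_token(session_id, form.get("csrf_token")):
        return "rejected: missing or invalid challenge token"
    return "ok: moved %s to %s" % (form["amount"], form["to"])


if __name__ == "__main__":
    token = issue_csrf_token("sess-victim")
    # Legitimate submission: the form the server rendered carries the token.
    print(handle_transfer("sess-victim",
                          {"csrf_token": token, "amount": "100", "to": "savings"}))
    # Forged request from an attacker's page: the cookie rides along, the token cannot.
    print(handle_transfer("sess-victim", {"amount": "100", "to": "attacker"}))
```

The token is compared with hmac.compare_digest rather than == so that a timing difference does not help an attacker guess it.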
What are 2 tools used to view stored web cookies? (p.253, 254)
Cookie Editor Karen's Cookie Editor
SQL encompasses what 3 standard areas of data handling? (p.255) SQL injections are within which part one of these?
DDL - data definition (CREATE, ALTER, DROP) DML - data manipulation (SELECT, INSERT, UPDATE, DELETE; SQL injection lives here) DCL - data control (GRANT, REVOKE)
True or False (p.254) Cookies are executable. True or False Passwords can be stored in cookies.
False. Cookies are just text files and are never executed; however, they can be manipulated to act as spyware (track user activity), change pricing options, or authenticate to a server. True.
True or False? (p.250) SOAP (Simple Object Access Protocol) is compatible with HTTP and SMTP, and messages are typically "two-way" in nature.
False messages are typically "one-way" in nature
What involves inputting bunches of random data into a target (a site, application, anything) to see what will happen? (p.257)
Fuzz testing (fuzzing)
What web attack works by injecting carriage-return/line-feed characters followed by header data into an input field that ends up in an HTTP response header, so that the server's single response is split into two? (p.259) If it works, the attacker controls the content of the second response, which can be used for redirecting the victim user to a malicious site the attacker is running.
HTTP response splitting
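How the split happens, as an added example that is not from the book or the flashcards. It assumes a redirect endpoint that copies a query parameter into the Location header; the URL-encoded attacker input is constructed for the demonstration.

```python
import re
from urllib.parse import unquote


def build_redirect(target, strict=False):
    """Build the raw text of a 302 that sends the browser to `target`.
    With strict=False the value is copied into the Location header as-is;
    with strict=True a CR or LF in the value is refused."""
    if strict and re.search(r"[\r\n]", target):
        raise ValueError("CR/LF in header value")
    return ("HTTP/1.1 302 Found\r\n"
            "Location: " + target + "\r\n"
            "Content-Length: 0\r\n"
            "\r\n")


def count_responses(raw):
    """How many response heads a client sees in the stream: one status line
    per response. Two means the stream was split."""
    return len(re.findall(r"(?m)^HTTP/1\.[01] \d{3}", raw))


def strict_refuses(target):
    """True if the hardened builder rejects this value."""
    try:
        build_redirect(target, strict=True)
        return False
    except ValueError:
        return True


# Constructed attacker input for a `?next=` style redirect parameter (hypothetical
# parameter name), URL-encoded the way it would arrive in the request.
PAYLOAD = ("/home%0d%0aContent-Length:%200%0d%0a%0d%0a"
           "HTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0a"
           "Content-Length:%2026%0d%0a%0d%0a%3Chtml%3Eattacker%20page%3C/html%3E")
DECODED_PAYLOAD = unquote(PAYLOAD)


if __name__ == "__main__":
    raw = build_redirect(DECODED_PAYLOAD)
    # The injected CRLFs end the real 302 early; everything after them is a
    # second, attacker-written response that the client parses next.
    print(count_responses(raw), "responses in the stream")
    print("strict server refuses payload:", strict_refuses(DECODED_PAYLOAD))
```

Rejecting (or percent-encoding) CR and LF in every header value is the fix; the 302 target itself should also be checked against an allow-list, but that is a separate open-redirect concern.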
What tool allows enumeration, code execution on the target, file system manipulation, and other madness over SQL connections? (p.259)
Havij
What category/type of SQL injection occurs when the attacker is using the same communication channel to perform and retrieve the injection results? This is the most common type of SQL injection. (p.258)
In-band SQL injection
Injection attacks not named SQL: (p.249) An attack that exploits non-validated web input that is passed into LDAP queries? (aka if the web application takes whatever is entered into the form field and passes it directly into an LDAP query, an attacker can inject filter syntax to do all kinds of things).
LDAP injection
Explain what's happening below: What attack? (p.250)
Filter the application builds: (&(USER=Matt)(PASSWORD=Anything))
Login Screen: Username: Matt*)(&)* Password: anything-you-want
LDAP injection attack. The input turns the filter into (&(USER=Matt*)(&)*)(PASSWORD=anything-you-want)): the *) closes the USER assertion (the * also makes it a wildcard match), (&) is the LDAP "absolute true" filter, and the next ) closes the AND, so the PASSWORD assertion is left dangling outside the first complete filter. A lenient server processes only "is there a user matching Matt*" and ignores the rest, therefore any password will work now.
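The filter construction above, as an added example that is not from the book or the flashcards: the vulnerable string-building beside the escaped version, plus a small splitter that shows which part of the injected filter a lenient parser would stop at. The attribute names USER and PASSWORD are the book's; the escaping follows RFC 4515 (assumption: the directory server honours those escapes, as standard-conforming servers do).

```python
def ldap_escape(value):
    """RFC 4515 escaping for an assertion value: characters that carry meaning
    inside a filter are replaced by \\XX hex escapes, so user input can only
    ever be compared, never change the filter's structure."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def login_filter_vulnerable(user, password):
    # Form fields dropped straight into the filter, as the vulnerable app does.
    return "(&(USER=%s)(PASSWORD=%s))" % (user, password)


def login_filter_safe(user, password):
    return "(&(USER=%s)(PASSWORD=%s))" % (ldap_escape(user), ldap_escape(password))


def split_first_filter(filter_str):
    """Return (first balanced filter, trailing text). A lenient server that
    evaluates the first balanced expression and ignores what follows never
    sees anything in the trailing part."""
    depth = 0
    for i, ch in enumerate(filter_str):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                return filter_str[: i + 1], filter_str[i + 1:]
    return filter_str, ""


if __name__ == "__main__":
    injected = login_filter_vulnerable("Matt*)(&)*", "anything-you-want")
    head, tail = split_first_filter(injected)
    print("evaluated:", head)      # (&(USER=Matt*)(&)*)  -> PASSWORD never checked
    print("ignored:  ", tail)      # (PASSWORD=anything-you-want))
    escaped = login_filter_safe("Matt*)(&)*", "anything-you-want")
    print("escaped:  ", escaped)   # one balanced filter, PASSWORD still inside it
```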
According to ECC,what is a great tool to check for missing patches on a Windows machine? (p.261)
MBSA (Microsoft Baseline Security Analyzer)
What category/type of SQL injection uses different communication channels for the attack and results? More difficult to pull off. (p.259)
Out-of-band SQL injection
What attack is designed to exchange structured information in the web services in computer networks and *uses XML to format* information? (p.250) Can inject malicious query strings (similar to SQL injection) that may allow attacker to bypass authentication and access databases behind the scenes.
SOAP injection attack (Simple Object Access Protocol)
What is a computer language designed for managing data in a relational database system? (p.255)
SQL (Structured Query Language)
What is a tool that allows an attacker to blast through predefined SQL injection queries against a target?
SQL Brute
What occurs when the attacker injects SQL queries directly into the input form? Properly constructed, the SQL command bypasses the intent of the front end and executes directly on the backend SQL database. (p.256)
SQL injection
Describe what is happening on the input form of this website: (p.257) Username: ' OR 1=1 -- Password: <anything>
SQL injection. The query becomes something like SELECT ... WHERE username = '' OR 1=1 --' AND password = '<anything>'. Username: "Database, compare whatever you'd like ( ' ), OR True (1=1), so allow access"; the -- comments out the rest of the query, including the password check.
What do these tools have in common/are used for? (p.259) Pangolin Absinthe BobCat Havij SQL Brute SQLExec Sqlmap sqlninja
SQL injection tools
What attack is similar to CSRF, where the attacker logs in to a legitimate site and pulls a session ID, and then sends an email with a link containing the fixed session ID? (p.253) When the user clicks it and logs in the same legitimate site, the hacker can now log in and run with the user's credentials.
Session fixation attack
What 2 tools are automated scanners designed to look specifically for SQL injection vulnerabilities? (p.259)
Sqlmap sqlninja
What type of XSS involves having the injected script remain permanently on the target server (like a database, message forum, visitor log, or comment field) (3 names)? (p.252)
Stored XSS aka Persistent XSS aka Type-I XSS (the book's label; the older OWASP numbering calls stored XSS Type 2 and reflected XSS Type 1, so check which scheme a question uses)
What SQL command allows you to join together SELECT queries? (p.258)
UNION Can be used in Union Query attacks
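The single-quote probe, the authentication-bypass inputs and the UNION query attack from the cards above, run against one small database, as an added example that is not from the book or the flashcards. It uses SQLite through Python's standard library; the cust and Orders tables and their rows are constructed for the demonstration, shaped like the ones the cards describe.

```python
import sqlite3


def make_db():
    """Constructed sample database (not from the page)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE cust (cust_Userid TEXT, cust_Password TEXT,
                           cust_FirstName TEXT, cust_LastName TEXT);
        INSERT INTO cust VALUES ('alice', 's3cret',  'Alice', 'Walker');
        INSERT INTO cust VALUES ('bob',   'hunter2', 'Bob',   'Smith');
        CREATE TABLE Orders (OrderID INTEGER, FirstName TEXT, LastName TEXT);
        INSERT INTO Orders VALUES (1, 'Alice', 'Walker');
        INSERT INTO Orders VALUES (2, 'Bob',   'Smith');
    """)
    return conn


def login_vulnerable(conn, username, password):
    # The front end concatenates raw form input into the statement, so quotes
    # in the input change the SQL grammar instead of the compared value.
    sql = ("SELECT cust_Userid FROM cust WHERE cust_Userid = '" + username
           + "' AND cust_Password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, username, password):
    # Parameterised query: the driver binds the values; the grammar is fixed.
    sql = "SELECT cust_Userid FROM cust WHERE cust_Userid = ? AND cust_Password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def probe_single_quote(conn):
    """The p.257 check: a lone quote in the username field. Unescaped, it leaves
    an unbalanced string literal and the database answers with a syntax error;
    returns that error text, or None if the input was handled cleanly."""
    try:
        login_vulnerable(conn, "'", "x")
        return None
    except sqlite3.OperationalError as exc:
        return str(exc)


def orders_by_lastname_vulnerable(conn, last_name):
    # Same concatenation bug on the Orders search from p.255.
    sql = ("SELECT OrderID, FirstName, LastName FROM Orders WHERE LastName = '"
           + last_name + "'")
    return conn.execute(sql).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("single-quote probe ->", probe_single_quote(db))
    # ' OR 1=1 -- : closes the literal, makes WHERE always true, comments out the password test
    print("bypass  ->", login_vulnerable(db, "' OR 1=1 --", "anything"))
    # alice'-- : log in as a chosen user, password clause commented away
    print("as user ->", login_vulnerable(db, "alice'--", "anything"))
    # UNION query attack: glue a second SELECT with the same column count onto
    # the Orders search so that rows from cust come back in the order listing
    print("union   ->", orders_by_lastname_vulnerable(
        db, "x' UNION SELECT cust_Userid, cust_Password, cust_LastName FROM cust --"))
    print("safe    ->", login_safe(db, "' OR 1=1 --", "anything"))
```

The UNION payload has to match the column count of the original SELECT (three here); in a real test the attacker finds that count first, for example with ORDER BY n or by adding NULL columns until the error goes away.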
Which provides a larger attack surface; Web 1.0, which relies on static HTML, or Web 2.0 apps, which use dynamic web pages that let users upload to and download from a site at the same time (i.e. social media apps)? (p.248)
Web 2.0 apps
What are 3 tools that can help attackers identify entry points into a web application? (p.248)
WebScarab HTTPrint Burp Suite
What web server/application attack revolves around website design, dynamic content and unvalidated input data? (p.251) This attack occurs when attackers take advantage of this type of scripting (i.e. JavaScript) and have it perform something other than the intended response.
XSS (cross-site scripting)
What is this URL an indicator of? (p.252) http://10.10.10.12/*";!--"<XSS>=&{()}*
XSS attempt (cross-site scripting attempt). The text after the final slash is not a page or element on the server but a probe string containing quotes, comment markers, angle brackets, braces and parentheses; if any of it is reflected back into the page unencoded, the attacker knows script can be injected there.
What does "smashing the stack" refer to? (p.251)
buffer overflows
What do you call an attempt to write more data into an application's prebuilt buffer area in order to overwrite adjacent memory, execute code, or crash a system (application)? (p.251)
buffer overflow
What are known values placed between the buffer and control data (these known values are used to mitigate buffer overflows)? (p.251) If a buffer overflow occurs, this known value will be altered first, triggering a halt to the system (application). What is a tool that makes use of this for stack protection?
canary words StackGuard
Injection attacks not named SQL: (p.249) Attacker injects operating-system commands into the form fields instead of the expected text entry?
command injection
What is a small text-based file that is stored on your system for use by the web server the next time you log in? (p.253) Intent is to provide a continuous, stable web view for customers and to make things easier for returning customers.
cookie
A classic XSS attack involves getting access to what, and sending it to a remote host? (p.252) Should the app be vulnerable to XSS, the JavaScript entered will run and the attacker can obtain cookies from users accessing the page later.
document.cookie
Injection attacks not named SQL: (p.249) Attacker injects a pointer in the web form input to an exploit hosted on a remote site?
file injection
What in-band SQL injection attack adds a malicious request on the back of a legitimate one? (p.259)
piggybacking
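The piggybacked INSERT from the 'forgot your password' card, as an added example that is not from the book or the flashcards, showing why it depends on the back end executing stacked statements. It uses SQLite from Python's standard library; the cust table and its one row are constructed, the column names follow the card's INSERT (unquoted, since single-quoted column names are not standard SQL), and the e-mail address in the payload is a placeholder.

```python
import sqlite3


def make_cust_table():
    """Constructed sample table (not from the page)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE cust (cust_Email TEXT, cust_Password TEXT, cust_Userid TEXT,
                           cust_FirstName TEXT, cust_LastName TEXT);
        INSERT INTO cust VALUES ('alice@example.com', 's3cret', 'alice', 'Alice', 'Walker');
    """)
    return conn


# Hypothetical attacker input for the e-mail field: close the literal, end the
# lookup statement, add a second statement, comment out whatever follows.
PAYLOAD = ("anything'; INSERT INTO cust (cust_Email, cust_Password, cust_Userid, "
           "cust_FirstName, cust_LastName) VALUES ('drew@example.com', 'P@ssw0rd', "
           "'Drew', 'Andrew', 'Mitchell'); --")


def build_lookup(email):
    # Vulnerable front end: the e-mail address is concatenated into the query.
    return "SELECT cust_Userid FROM cust WHERE cust_Email = '" + email + "'"


def row_count(conn):
    return conn.execute("SELECT COUNT(*) FROM cust").fetchone()[0]


def forgot_password_batch(conn, email):
    """Back end that hands the whole string to a batch executor, as a driver
    with multi-statement support would. Returns the row count afterwards."""
    conn.executescript(build_lookup(email))
    return row_count(conn)


def forgot_password_single(conn, email):
    """Same concatenation bug, but the driver runs one statement per call and
    rejects the rest. Returns True if the table was left untouched."""
    try:
        conn.execute(build_lookup(email)).fetchall()
    except (sqlite3.Error, sqlite3.Warning):
        # Older Python versions raise sqlite3.Warning here, newer ones ProgrammingError.
        pass
    return row_count(conn) == 1


def forgot_password_safe(conn, email):
    # Parameterised: the payload is compared as a literal e-mail address.
    rows = conn.execute("SELECT cust_Userid FROM cust WHERE cust_Email = ?",
                        (email,)).fetchall()
    return len(rows), row_count(conn)


if __name__ == "__main__":
    print("batch executor: rows after =", forgot_password_batch(make_cust_table(), PAYLOAD))
    print("single-statement driver untouched:", forgot_password_single(make_cust_table(), PAYLOAD))
    print("parameterised (matches, rows):", forgot_password_safe(make_cust_table(), PAYLOAD))
```

Whether stacked queries run at all depends on the database and driver (Microsoft SQL Server allows them; many MySQL connectors do not by default), which is why the single-quote probe alone does not tell you whether a piggybacked statement will succeed.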
Injection attacks not named SQL: (p.249) Attacker attempts to gain shell access using Java or other functions?
shell injection