SY0-601 14 Summarizing Secure Application Concepts

Ace your homework & exams now with Quizwiz!

Automation

Using scripts and APIs to provision and deprovision systems without manual intervention.

Vertical privilege escalation

When an attacker can perform functions that are normally assigned to users in higher roles, and often explicitly denied to the attacker.

Document Object Model (DOM)

When attackers send malicious scripts to a web app's client-side implementation of JavaScript to execute their attack solely on the client.

command injection

Where a threat actor is able to execute arbitrary shell commands on a host via a vulnerable web application.

Block list

A security configuration where access is generally permitted to any entity (software process, IP/domain, and so on) unless the entity appears on a list.

Agile development

A software development model that focuses on iterative and incremental development to account for evolving requirements and expectations.

waterfall model

A software development model where the phases of the SDLC cascade so that each phase will start only when all tasks identified in the previous phase are complete.

stress testing

A software testing method that evaluates how software performs under extreme load.

DLL injection

A software vulnerability that can occur when a Windows-based application attempts to force another running application to load a Dynamic Link Library (DLL) in memory that could cause the victim application to experience instability or leak sensitive information.

pointer dereference

A software vulnerability that can occur when code attempts to read a memory location specified by a pointer, but the memory location is null.

Memory leaks

A software vulnerability that can occur when software does not release allocated memory when it is done using it, potentially leading to system instability.

Race conditions

A software vulnerability when the resulting outcome from execution processes is directly dependent on the order and timing of certain events, and those events fail to execute in the order and timing intended by the developer.

Data exposure

A software vulnerability where an attacker is able to circumvent access controls and retrieve confidential or sensitive data from the file system or database.

Extensible Markup Language (XML)

A system for structuring documents so that they are human- and machine-readable. Information within the document is placed within tags, which describe how information within the document is structured.

Clickjacking

A type of hijacking attack that forces a user to unintentionally click a link that is embedded in or hidden by other web page elements.

session hijacking

A type of spoofing attack where the attacker disconnects a host then replaces it with his or her own machine, spoofing the original host's IP address.

arbitrary code execution

A vulnerability that allows an attacker to run their own code or a module that exploits such a vulnerability

remote code execution

A vulnerability that allows an attacker to transmit code from a remote host for execution on a target host or a module that exploits such a vulnerability.

Test/integration

in this environment, code from multiple developers is merged to a single master copy and subjected to basic unit and functional tests (either automated or by human testers). These tests aim to ensure that the code builds correctly and fulfills the functions required by the design.

Visual Basic for Applications (VBA)

Programming languages used to implement macros and scripting in Office document automation.

continuous delivery

Software development method in which app and platform requirements are frequently tested and validated for immediate availability.

continuous deployment

Software development method in which app and platform updates are commited to production rapidly.

Continuous integration (CI)

Software development method in which code updates are tested and commited to a development or build server/code repository rapidly.

client-side or cross-site request forgery (CSRF or XSRF)

A malicious script hosted on the attacker's site that can exploit a session started on another site in the same browser.

canonicalization attack

Attack method where input characters are encoded in such a way as to evade vulnerable input validation measures

compiled code

Code that is converted from high-level programming language source code into lower-level code that can then be directly executed by the system.

Output encoding

Coding methods to sanitize output created from user input.

Python

High-level programming language that is widely used for automation.

quality assurance (QA)

Policies, procedures, and tools designed to ensure defect-free development and delivery.

code review

The process of peer review of uncompiled source code by other developers.

Horizontal privilege escalation

When a user accesses or modifies specific resources that they are not entitled to.

server-side request forgery (SSRF)

causes the server application to process an arbitrary request that targets another service, either on the same host or a different one. exploits both the lack of authentication between the internal servers and services (implicit trust) and weak input validation, allowing the attacker to submit unsanitized requests or API parameters.

Staging

this is a mirror of the production environment but may use test or sample data and will have additional access controls so that it is only accessible to test users. Testing at this stage will focus more on usability and performance.

Structured Query Language (SQL)

A programming and query language common to many largescale database systems. SQL

input validation

Any technique used to ensure that the data entered into a field or variable in an application is handled appropriately by that application.

uniform resource locator (URL)

Application-level addressing scheme for TCP/IP, allowing for human-readable resource addressing. For example: protocol://server/file, where "protocol" is the type of resource (HTTP, FTP), "server" is the name of the computer (www.microsoft.com), and "file" is the name of the resource you wish to access.

Percent encoding

Mechanism for encoding characters as hexadecimal values delimited by the percent sign.

Deprovisioning

The process of removing an application from packages or instances.

Software Restriction Policies (SRP)

available for most versions and editions of Windows, SRP can be configured as group policy objects (GPOs) to passlist file system locations from which executables and scripts can launch. Rules can also be configured by publisher signature or by file hash. There is also support for creating blocklist-based rules.

Credential dumping

the malware might try to access the credentials file (SAM on a local Windows workstation) or sniff credentials held in memory by the lsass.exe system process (attack.mitre.org/tactics/TA0006).

Software development kit (SDK)

using sample code or libraries of pre-built functions from the programming environment used to create the software or interact with a third party API. As with other third party libraries or code, it is imperative to monitor for vulnerabilities.

Normalization

A routine that applies a common consistent format to incoming data so that it can be processed safely. Normalization is referred to in the context of log collection and software coding.

Allow list

A security configuration where access is denied to any entity (software process, IP/domain, and so on) unless the entity appears on the list.

PowerShell

A command shell and scripting language built on the .NET Framework.

Bourne Again Shell (Bash)

A command shell and scripting language for Unix-like systems.

Fuzzing

A dynamic code analysis technique that involves sending a running application random and unusual input so as to evaluate how the app responds.

cross-site scripting (XSS)

A malicious script hosted on the attacker's site or coded in a link injected onto a trusted site designed to compromise clients browsing the trusted site, circumventing the browser's security model of trusted zones.

reverse shell

A maliciously spawned remote command shell where the victim host opens the connection to the attacking host.

structured exception handler (SEH)

A mechanism to account for unexpected error conditions that might arise during code execution. Effective error handling reduces the chances that a program could be exploited.

pass the hash (PtH)

A network-based attack where the attacker steals hashed user credentials and uses them as-is to try to authenticate to the same network the hashed credentials originated on.

Directory traversal

An application attack that allows access to commands, files, and directories that may or may not be connected to the web document root directory.

Lightweight Directory Access Protocol (LDAP) Injection

An application attack that targets webbased applications by fabricating LDAP statements that are typically created by user input.

exceptions

An application vulnerability defined by how an application responds to unexpected errors that can lead to holes in the security of an app.

integer overflow

An attack in which a computed result is too large to fit in its assigned storage space, which may lead to crashing or data corruption, and may trigger a buffer overflow.

buffer overflow

An attack in which data goes past the boundary of the destination buffer and begins to corrupt adjacent memory. This can allow the attacker to crash the system or execute arbitrary code.

SQL injection

An attack that injects a database query into the input data directed at a server by accessing the client side of the application.

man-in-the-browser (MitB)

An attack when the web browser is compromised by installing malicious plug-ins or scripts, or intercepting API calls between the browser process and DLLs.

replay attack

An attack where the attacker intercepts some authentication data and reuses it to try to re-establish a session.

Dead code

Code in an application that is redundant because it will never be called within the logic of the program flow.

error handling

Coding methods to anticipate and deal with exceptions thrown during execution of a process.

server-side

In a web application, input data that is executed or validated as part of a script or process running on the server.

time of check to time of use (TOCTTOU)

The potential vulnerability that occurs when there is a change between when an app checked a resource and when the app used the resource.

Version control

The practice of ensuring that the assets that make up a project are closely managed when it comes time to make changes.

privilege escalation

The practice of exploiting flaws in an operating system or other application to gain a greater level of access than was intended for the user or application.

Provisioning

The process of deploying an application to the target environment, such as enterprise desktops, mobile devices, or cloud infrastructure.

Execution control

The process of determining what additional software may be installed on a client or server beyond its baseline to prevent the use of unauthorized software.

shim

The process of developing and implementing additional code between an application and the operating system to enable functionality that would otherwise be unavailable.

Refactoring

The process of restructuring application code in such a way that the same functionality is provided by different programming methods. Refactoring is often used to improve an application's design without affecting the external behavior of the application, or to enable it to handle particular situations.

Static code analysis

The process of reviewing uncompiled source code either manually or using automated tools.

software development life cycle (SDLC)

The processes of planning, analysis, design, implementation, and maintenances that often govern software and systems development.

Elasticity

The property by which a computing environment can instantly react to both increasing and decreasing demands in workload.

Scalability

The property by which a computing environment is able to gracefully fulfill its ever-increasing resource needs.

continuous monitoring

The technique of constantly evaluating an environment for changes so that new risks may be more quickly detected and business operations improved upon.

macro

a sequence of actions performed in the context of a word processor, spreadsheet, or presentation file

HTTP Strict Transport Security (HSTS)

forces browser to connect using HTTPS only, mitigating downgrade attacks, such as SSL stripping.

Windows Defender Application Control (WDAC)

formerly Device Guard, this can be used to create Code Integrity (CI) policies, which can be used on their own or in conjunction with AppLocker. CI policies apply to the computer and affect all users. CI policies can be based on version-aware and publisher digital signatures, as well as image hashes and/or file paths. WDAC is a useful option for preventing administrator accounts from disabling execution control options

AppLocker

improves configuration options and default usage of SRP. Notably AppLocker policies can be applied to user and group accounts rather than just computer accounts. However, AppLocker GPOs can only be configured for Enterprise and Ultimate editions of Windows 7 and later.

Content Security Policy (CSP)

mitigates clickjacking, script injection, and other client-side attacks. Note that X-Frame-Options and X-XSS-Protection provide mitigation for older browser versions, but are now deprecated in favor of CSP.

Cache-Control

sets whether the browser can cache responses. Preventing caching of data protects confidential and personal information where the client device might be shared by multiple users.

Production

the application is released to end users.

Development

the code will be hosted on a secure server. Each developer will check out a portion of code for editing on his or her local machine. The local machine will normally be configured with a sandbox for local testing. This ensures that whatever other processes are being run locally do not interfere with or compromise the application being developed.

Lateral movement/insider attack

the general procedure is to use the foothold to execute a process remotely, using a tool such as psexec (docs.microsoft.com/en-us/sysinternals/downloads/psexec) or PowerShell (attack.mitre.org/tactics/TA0008). The attacker might be seeking data assets or may try to widen access by changing the system security configuration, such as opening a firewall port or creating an account. If the attacker has compromised an account, these commands can blend in with ordinary network operations, though they could be anomalous behavior for that account.

Persistence

this is a mechanism that allows the threat actor's backdoor is restarted if the host reboots or the user logs off (attack.mitre.org/tactics/TA0003). Typical methods are to use AutoRun keys in the registry, adding a scheduled task, or using Windows Management Instrumentation (WMI) event subscriptions.

Shellcode

this is a minimal program designed to exploit a buffer overflow or similar vulnerability to gain privileges, or to drop a backdoor on the host if run as a Trojan (attack.mitre.org/tactics/TA0002). Having gained a foothold, this type of attack will be followed by some type of network connection to download additional tools.

Third-party library

using a binary package (such as a dynamic link library) that implements some sort of standard functionality, such as establishing a network connection or performing cryptography. Each library must be monitored for vulnerabilities and patched promptly.

Code reuse

using a block of code from elsewhere in the same application or from another application to perform a different function (or perform the same function in a different context). The risk here is that the copy and paste approach causes the developer to overlook potential vulnerabilities (perhaps the function's input parameters are no longer validated in the new context).

Stored procedures

using a pre-built function to perform a database query. A stored procedure is a part of a database that executes a custom query. The procedure is supplied an input by the calling program and returns a predefined output for matched records. This can provide a more secure means of querying the database. Any stored procedures that are part of the database but not required by the application should be disabled.


Related study sets

Set Four: Vents, Shock, Respiratory Failure

View Set

Short Story #1 Who is this person?

View Set

Maternity Exam #3: Contraception, Infertility and Abortion

View Set

APUSH Test - 1960-1990 - 5.16.16

View Set

Benchmark Fractions, Decimals, and Percents Models

View Set