Q: Jason, a cybersecurity analyst at Dion Training, is reviewing the log from a web application firewall and believes an attack was attempted by a threat actor. Here is the log snippet used during the review:
Time | Source IP | Request URL | Status | Action
----------------------------------------------------------------------------------------------------
12:30:15 | 203.0.113.5 | /products?category=' OR '1'='1 | 200 | Allowed
12:30:16 | 203.0.113.5 | /login?username=admin'-- | 200 | Allowed
12:30:17 | 203.0.113.5 | /search?query=laptops | 200 | Allowed
12:30:18 | 203.0.113.5 | /products?category='; DROP TABLE users; -- | 403 | Blocked
Based on the log entries above, which of the following types of attacks was most likely being attempted by the attacker?
Answer: SQL injection
Exp: The log indicates that requests containing malicious payloads, such as ' OR '1'='1 and '; DROP TABLE users; --, are being sent to the server. These payloads attempt to manipulate the SQL queries executed by the application, which is an indication of an SQL Injection attack. The web application firewall, in this example, correctly blocked the last attempt, which directly tries to drop a table from the database.
Q: Tony, a cybersecurity analyst at Dion Training, is examining the following snippet from an authentication log:
15:32:01 | 203.0.113.7 | Admin | Authentication Attempt | Xyz@123
15:32:02 | 203.0.113.7 | Admin | Authentication Attempt | qwertyABCD!
15:32:02 | 203.0.113.7 | Admin | Authentication Attempt | 1Adm!nP@ss
15:32:03 | 203.0.113.7 | Admin | Authentication Attempt | $ecUr3P@55
Based on the log snippet above, which type of attack is most likely being attempted?
Answer: Hybrid password attack
Exp: The log shows multiple authentication attempts from the same source IP for the same username with various complex and random passwords in a very short time frame. The attempts combine dictionary words with variations that include numbers and special characters so that they adhere to complexity requirements. This combination is typical of a hybrid password attack.
Q: Mateo, a cybersecurity analyst at Dion Training, is reviewing the following snippet from a web server access log:
Time | Source IP | Request URL | HTTP Status
----------------------------------------------------------------------------------------
18:02:00 | 198.51.100.2 | /images/logo.png | 200
18:02:10 | 198.51.100.2 | /css/style.css | 200
18:02:15 | 198.51.100.2 | /api/products | 200
18:02:20 | 198.51.100.2 | /../../../etc/passwd | 404
18:02:25 | 198.51.100.2 | /images/../../../../etc/shadow | 404
Based on the log snippet above, which type of attack was most likely being attempted by the computer located at 198.51.100.2?
Answer: Directory Traversal
Exp: The log entries indicate attempts to access files (/../../../etc/passwd and /images/../../../../etc/shadow) outside of the web server's root directory using relative paths, which is characteristic of a Directory Traversal attack. This attack aims to access sensitive files and directories that are stored outside the web root folder by manipulating a URL or injecting malicious code.
Q: Reed, a network administrator at Dion Training, has noticed a large number of simultaneous connections are being attempted from various IP addresses towards the company's web server. According to the log, several hundred concurrent connections are all being attempted within just a few seconds.
Time | Source IP | Destination IP | Destination Port | Protocol | Event | Packets
20:00:00 | 192.0.2.10 | 203.0.113.5 | 80 | TCP | Connection Attempt | 10000
20:00:01 | 192.0.2.11 | 203.0.113.5 | 80 | TCP | Connection Attempt | 10000
20:00:01 | 192.0.2.12 | 203.0.113.5 | 80 | TCP | Connection Attempt | 10000
20:00:01 | 192.0.2.13 | 203.0.113.5 | 80 | TCP | Connection Attempt | 10000
20:00:01 | 192.0.2.14 | 203.0.113.5 | 80 | TCP | Connection Attempt | 10000
...
20:00:02 | 192.0.2.250 | 203.0.113.5 | 80 | TCP | Connection Attempt | 10000
Based on the log snippet above, which of the following types of attacks are most likely being attempted by the threat actors?
Answer: Distributed Denial Of Service
Exp: The log shows a large number of connection attempts to the same destination IP and port from multiple source IPs in a very short time frame. This pattern is indicative of a Distributed Denial of Service (DDoS) attack, where an attacker attempts to overwhelm a system's resources to disrupt its normal functioning and deny service to legitimate users.
Q: Jackie, a cybersecurity analyst at Dion Training, is reviewing the following snippet from a web server log:
Time | Source IP | Request URL | HTTP Status | Payload
21:45:00 | 203.0.113.4 | /api/createUser | 200 | <user><name>John</name><password>abc123</password></user>
21:45:05 | 203.0.113.4 | /api/createUser | 200 | <user><name>Jane</name><password>xyz789</password></user>
21:45:10 | 203.0.113.4 | /api/createUser | 400 | <user><name>Bob</name><password>123&<isAdmin>1</isAdmin></password></user>
21:45:15 | 203.0.113.4 | /api/createUser | 400 | <user><name>Alice</name><password>456<!-- injected --></password></user>
Based on this log snippet, which of the following types of attacks is the threat actor attempting to perform?
Answer: XML injection
Exp: The log shows malformed XML payloads in the requests, specifically at 21:45:10 and 21:45:15, indicating an attempt to inject malicious XML content (<isAdmin>1</isAdmin> and <!-- injected -->). This pattern is indicative of an XML Injection attack, where an attacker tries to manipulate the logic of the application by injecting malicious XML data.