Cross Site Scripting (XSS) Attack
Occurs when an application takes untrusted data and sends it to a web browser without proper validation or sanitization
Allows an attacker to execute JavaScript code in the victim's browser
Is used to steal sensitive data such as session IDs
XSS Attack Category
Data neutralization issues
Same as SQL and OS command injections
STRIDE
Spoofing - Pretending to be someone you're not
Tampering - Modifying data you shouldn’t be able to
Repudiation - Someone denies doing an action
Information Disclosure - Exposing data to people who shouldn’t see it
Denial of service - Making a system unavailable to valid users
Elevation of privilege - A user gains permissions they are not supposed to have
XSS Types
Reflected
Stored
DOM-Based
XSS Types - Reflected
The attack script is reflected back to the user as part of a page from the victim site
Can be delivered through links on other websites and in emails
XSS Types - Stored
The attacker stores the malicious code in a resource managed by the web application, such as a database
XSS Types - DOM-Based
Modifying the environment of the victim's browser
Cross-Site Request Forgery (CSRF)
Requires user to be authenticated
Relies on trust in the user's browser
Aims to take unwanted actions on a website where the victim is authenticated
Uses malicious scripts stored in the server
Involves attacking the victim's browser
Tries to use the session ID to get the victim to take an unwanted action
Samy Worm
XSS/CSRF-based worm that spread on MySpace
HTTP (Hypertext Transfer Protocol)
Stateless protocol
HTTP request
HTTP Response
HTTP response data
Stateless Protocol
Each request is independent, with no memory of the previous one
HTTP Request
What the browser sends
HTTP Response
Info about the response
The Set-Cookie header is here
HTTP Response Data
The actual HTML content
Why do we need sessions
HTTP is stateless, but web applications need state to identify individual users
What is a session
A lasting connection between a user and a server involving the exchange of many requests
Session ID is exchanged between browser and server on every request
How are sessions maintained
By a server
Stored in file or database
Each session has a unique token
Methods used to track sessions
Cookies - most common
URL
Hidden forms
IP address
Web storage
Cookies
Most common method for tracking session IDs
Contains no executable code
Submitted with each request to a target website
Newer cookies will overwrite old cookies
Why store session files on a server
Cookie files can easily be faked or modified
An attacker can create a fake cookie file or modify an existing one to bypass the entire authentication check
Session Hijacking
The process of taking over an established session to impersonate a user/application
Authentication has already taken place
The attacker often uses a DoS attack on the victim to prevent the user from using the server at the same time
Two Types of Session Hijacking
Active
Passive
Session Hijacking - Active
Attacker finds a session between the victim and server and takes it over
Usually begins with a passive hijacking attack
Session Hijacking - Passive
The attacker gets between the user and server and records the traffic for later use
Network-Level Hijacking
Involves the interception of packets between user and server
ARP poisoning
DNS spoofing
Attacker must be on the same network as the victim
Application-Level Hijacking
Involves gaining control of the HTTP session by obtaining the session ID
Brute force guessing the ID
Sniffing encrypted traffic for session IDs
Compromising victim machine and pulling the session ID off the computer
How a session token could be compromised
Predictable / easy to crack session token
Session sniffing
Man in the middle attack
Man in the browser attack
Client side attack (XSS)
Session Prediction / Cracking Attack
Focuses on predicting / brute forcing session ID values
Session Sniffing Attack
Use of a sniffer to capture a valid session token, then use of the stolen token to gain access to the server
Man in the Middle Attack
Involves the attacker placing themselves between the victim and server
Data is intercepted, modified, then retransmitted between the source and destination
Attacker acts as a proxy
Man in the browser attack
Same approach as man in the middle, but instead relies on malware to intercept and manipulate calls between the browser and user
Session Spoofing
Attacker initiates a new session by using the victim's stolen credentials
Session Replay
Attacker captures session IDs then sends them to a server to use at a later time
Session sidejacking
Attacker sniffs network traffic to steal session IDs
Attacker captures token while it is being transmitted
Session Fixation
Attacker passes a session token to the user, who then authenticates with it
Once the user authenticates, the attacker already knows the authenticated token
Session Life Cycle
User credentials
Session generation
Session hijacking
Session termination
User credentials —> Session generation Attacks
Man in the middle attack
Password brute force attack
Password dictionary attack
Network sniffing
Session generation —> Session handling Attacks
Session fixation
Cross site scripting
Session replay
Session spoofing
Session handling —> Session termination
Session leakage
CSRF
Session sidejacking
Set Cookie Flags
HTTP Only
Secure
Set Cookie Flag - HTTP Only
Prevents the risk of a client-side script accessing the protected cookie
Protects against XSS, CSRF
Denies use of document.cookie
Set Cookie Flag - Secure
Ensures cookies are only sent over HTTPS, not HTTP
Session Hijacking and Spoofing Prevention
Educate user
Use cryptography and random session IDs
Limit concurrent session IDs
Time out, expire, or regenerate session IDs
Input Validation - protects against XSS and CSRF
Force/use SSL for all communication - protects against session sidejacking
Encrypt session and cookies data - protects against session sidejacking
Force re-authentication and set up authentication - Protects against session fixation
Use context data and secondary check for session - Protects against session fixation
Destroy invalidated session IDs - Protects against session fixation
Session Timeout and Expiration Methods
Browser close
Fixed time after authentication
Idle session
High risk action
Browser Close
Session stays open until the user closes the browser
Fixed time after authentication
Session expires after set duration
Idle Session
Session expires if the user is going to perform a high-risk action; re-authentication is needed
Data Neutralization Issues
The creation or neutralization of data using an incorrect format
OS Command Injection
When an application builds and runs an OS command using untrusted input
Can give the attacker access to data on the computer
Attackers use ';' on Windows to run multiple commands, and '&&' on Linux to run multiple commands
Passes user input to the shell
SQL Injection
When an application builds and runs a SQL query from untrusted input against a database
Can give the attacker access to the database
Passes user input to the database
Uses single quotes
Power of Single Quotes
Gives a syntax error that can reveal info such as the actual SQL query
Linux Bash Shell Command Substitution
Attacker uses $(command) to run commands inside echo statements
'$(which java)' - doesn't work, outputs what is inside the quotes literally
"$(which java)" - works, outputs which java they are using
`which java` - works, same as "$()"
Encrypted Bloated Ballots
Uses bash shell command substitution
When encrypting a file using gpg, the attacker gets the OS to run a command
How Common is SQL Injection
Most common vulnerability today
Flaw from application development
Is an input validation problem
Typical SQL Attack Hazards
Bypass login
Manipulate database data
Create database backdoor
Read files
Distribution of trojan and malware
Execute system commands
Three Classes of SQL Injection Attacks
In-band
Out of band
Blind
SQL Injection Classes - In-band
Data is extracted using the same channel that is used to inject the SQL code
SQL Injection Classes - Out of band
Data is retrieved using a different channel
SQL Injection Classes - Blind
No transfer of data
Exploit Techniques of SQL Injection
Union operator
Boolean
Error based
Time delay
Exploit Techniques - Union operator
Can be used when the flaw is in a SELECT statement
Makes it possible to combine two queries
Exploit Techniques - Boolean
Used to verify whether certain conditions are true or false
Used in blind attacks
Exploit Techniques - Error based
Forces database to generate an error giving the attacker information about the code structure
Exploit Techniques - Time delay
Uses database commands to delay answer
Used in blind attacks
xp_cmdshell
Lets you run system commands
Spawns a command shell and passes in a string for execution
Intrusion Detection System (IDS)
A device or software application that monitors a network system for malicious activity
Intrusion Detection System Evasion Techniques
Modifications made in order to prevent detection
Obfuscation - encode or hide payload so the end host decodes it but the IDS doesn’t
Evasion
Defending Against Injection Flaws
Follow and enforce best programming principles
Harden the OS, servers, and 3rd party applications
Never build SQL/shell commands yourself
Parameterized (Prepared) SQL
Allows you to pass in query separately from arguments
Object Relational Mapper (ORM)
Provides an interface between native objects and relational databases
SQL Injection best programming practices
Strong design
Define an easy secure path to querying data
Validate input through generic routine
Sanitize user input
Separate application code and SQL code
Website audit
Monitor database and website activity
Check logs
Be proactive
JavaScript Injection
Subset of injection attacks
JavaScript code is injected into the browser or server
Happens in XSS attacks
Happens in CSRF attacks
Proxy
Forwards and filters internet traffic