Web Security - Threats & Security Controls for web-based applications

Last updated 7:17 PM on 6/14/26

28 Terms

1

Why are web applications and databases very vulnerable?

Because they have access to a lot of information, including usernames and passwords

2

Why do websites use SQL databases?

Information is stored in an (SQL) database and the web application constructs SQL queries to this database

3

What is a SQL injection? Give an example if the web application asks for a username and a password

The attacker injects SQL code into the user input of a web application. An example of attacker's input can be: username = Alice and password = 1' = '1

4

What is the kill chain for a SQL injection?

Reconnaissance = find a vulnerable web application on a server with access to an interesting DB and discover its vulnerabilities.
Weaponization = craft input that achieves those capabilities.
Delivery = enter that input in the vulnerable web application's input fields.
Exploitation/Installation/C&C/Actions on Objective = achieve the intended action on the objective, or use the new capabilities to perform further actions

5

What can we do against SQL injection?

We can filter input (sanitization), for example by checking the size of the input or disallowing special characters
We can also use result verification or use parameterized queries

6

What does XSS stand for?

Cross Site Scripting

7

What is the goal of the attacker in an XSS attack?

The goal of the attacker is to inject code into a trusted webpage so that, when it is viewed by another user (the victim), the code runs on the victim's machine as if it came from the trusted site

8

What are the potential goals of an XSS attack?

Gain added rights on the victim's machine
Escalate privileges through a local vulnerability
Steal information, cookies
Other MITM activities

9

How can an XSS attack be deployed?

It can be done by posting malicious code in the comments of an (unchecked) website or in an e-mail; the user may run this code or follow the malformed link
It can also be done using request parameters: the URL carries arguments and the attacker can inject code this way

10

Why is it hard to protect clients from an XSS attack?

The code comes from a trusted website, so protection mechanisms do not work. Moreover, for the client it is difficult to distinguish malicious code from genuine code, as both come from a trusted server

11

How can we counter XSS?

On the client side it is difficult, apart from user education: do not follow weird links
On the server side, we can filter input data and convert it to safe strings, but this can be difficult for e-mail services, which do have to allow HTML code in their input

12

What is the kill chain of an XSS injection?

Reconnaissance = find a vulnerable website
Weaponization = craft a user post or URL that exploits the vulnerability found
Delivery = post to the user comment section or send an e-mail
Exploitation/Installation/C&C/Action on Objective = the attacker's script runs on the victim's machine as a script from the legitimate website. The attacker can then use the added capabilities to perform actions

13

How does an XSRF attack work? Give

14

What does DDoS stand for?

Distributed Denial of Service

15

What is the goal of DDoS and DoS?

The goal of DDoS is to overload the service with requests. The goal of DoS is to send more messages than the target can handle

16

What protocol features may be used for DDoS attacks?

Send a TCP SYN (with a spoofed IP so we do not get the response) but not the third message, so the server needs to keep state for some time; this is a higher resource cost for the target than for the attacker
We can also use ICMP pings or echo requests

17

What can we do to counter DoS? (attack prevention and preemption, so before the attack, without denying access to legitimate clients)

Enforce policies for resource consumption and provide backup resources available on demand
Modify systems/protocols to limit (D)DoS potential
Configure only servers to respond to ping and disable access to the broadcast address

18

What can we do to counter DoS? (attack detection and filtering, so during the attack)

Attempt to detect the attack as it begins and respond immediately to minimize its impact, either by detecting suspicious patterns or by filtering packets likely to be part of the attack

19

What can we do to counter DoS? (attack source, so after the attack)

Attempt to identify the source of the attack as a first step in preventing future attacks

20

What is DNS used for?

DNS is used to find an IP address for a given URL on the Internet

21

What is DNS spoofing / poisoning?

It is an attack in which malicious, altered data is introduced into a DNS. This tricks a system into resolving website URLs to incorrect, attacker-controlled IP addresses

22

Explain the main difference between a static web page and a dynamic web application in terms of vulnerability exposure.

Static web pages consist of fixed HTML code and, because they do not store user input, their vulnerability is very low
Dynamic web applications generate pages on the fly and interact with databases based on user input, which expands their attack surface (SQLi, XSS)

23

What is the main difference between XSS and SQLi in terms of attacker goals and impact?

XSS targets the application's users (browsers); the impact is stolen session cookies, users redirected to phishing sites, or added rights
SQLi targets the application's backend database; the impact is stolen/modified/deleted sensitive data and potentially gained admin control

24

Explain how a Cross-Site Request Forgery (XSRF) attack works.

XSRF exploits the trust a web application has in a user's browser. It tricks a user's browser into sending an unauthorized, malicious HTTP request to a vulnerable site where the user is currently authenticated

25

Which of the following best mitigates XSRF attacks? (A. Filtering HTML tags, B. Using HTTPS, C. Including CSRF tokens in forms, D. SQL parameterization)

C. Including CSRF tokens in forms

26

What is amplification in the context of a DDoS attack?

This allows the attacker to multiply their available bandwidth and overwhelm the victim’s network capacity

27

What does DNSSEC do? What are its advantages and limitations?

It adds cryptographic digital signatures to existing DNS records to verify data integrity and origin authenticity. Thus it ensures that the DNS records you receive have not been tampered with. However, it does not provide privacy or confidentiality

28

What does DNS-over-TLS do? What are its advantages and limitations?

It encrypts standard DNS queries and responses. Thus it provides complete privacy. However, it only secures the transit path to the DNS resolver and does not guarantee data authenticity at the source