Pentest+ Practice Exam Chapter 9 Web and Database Attacks (Jonathan Ammerman) Flashcards

1
Q

Which class of attack targets relational databases and can be used to bypass authentication systems; reveal, alter, or destroy data; or even obtain system-level shell access, given the right conditions? It typically relies on a lack of filtering of escape characters in user input or a lack of sufficient control parameters applied to user input, and is best mitigated through the use of parameterized queries.

A. HTML injection
B. Code injection
C. SQL injection
D. Parameter pollution

A

C. SQL injection

Explanation:
The attack described is SQL injection. Note the clue in the explicit reference to relational databases, which store data in tables and rows in such a way that items can cross-reference—or relate to—each other quickly. Examples of relational databases include MariaDB, MySQL, and MSSQL. By comparison, nonrelational databases do not store data in a series of tables or rows, but rather in a collection of JSON (JavaScript Object Notation) data structures. Nonrelational databases are commonly called NoSQL databases, and the most common example of these is MongoDB.

2
Q

Which category of vulnerability is present when a web application provides access to information based solely on user-provided input, as demonstrated in the following sample URL?

https://127.0.0.1/salesrecords?salesreceipt=11532

A. Command injection
B. Reflected cross-site scripting
C. Insecure direct object reference
D. Clickjacking

A

C. Insecure direct object reference

Explanation:
The vulnerability best represented by the URL presented is insecure direct object reference. Two clues indicate this fairly clearly. First, the use of a query in the URL: denoted by a “?” in the URL, a query indicates that a request for information is being sent to the remote server. Second, the use of a simple five-digit number to identify the sales receipt the user requests. The danger here is that a curious (or malicious) user could simply start plugging random numbers into the URL query and thus reveal sensitive or privileged information.

3
Q

Which category of web vulnerability occurs when web applications accept untrusted input from users before leading them to a new page?

A. Remote file inclusion
B. Unvalidated redirect
C. Directory traversal
D. Cross-site request forgery

A

B. Unvalidated redirect

Explanation:
The attack described is an unvalidated redirect, which occurs when untrusted input is accepted by a web application in such a way that it can cause a visitor to be redirected to another site. If an attacker leverages this and links to a malicious site of their own creation, this attack could be a critical component of a successful phishing campaign, as phishing victims are more likely to trust a link that comes from a site they visit frequently.

4
Q

Which client-side attack is part of a class of injection attack that embeds malicious code into a website, frequently one trusted by the victim? In this particular variety, user-provided data is stored on a website that then triggers the execution of code—usually a string of JavaScript.

A. DOM-based XSS
B. Local file inclusion
C. Cookie manipulation
D. Persistent XSS

A

D. Persistent XSS

Explanation:
The attack described is a persistent cross-site scripting (XSS) attack. The key indicator here is that the malicious code is embedded into a website that is visited by the victim. As in other varieties, XSS targets the website visitor rather than the web server itself, tricking the user into transferring information such as session tokens or other information that may be sensitive in nature.

5
Q

Which of the following is best defined as a software vulnerability stemming from developer interfaces being left available to remote users, usually either unintentionally through a failure to disable the feature or intentionally as a backdoor or tool meant to make administration simpler?
A. Hard-coded authorization credentials
B. Unauthorized function or API use
C. Storage of sensitive information in the DOM
D. Unsigned code

A

B. Unauthorized function or API use

Explanation:
The use of interfaces or features that were not meant to be presented to end users is a clear example of the unauthorized use of functions or APIs. This coding flaw can come up for any number of reasons—oversight on the part of developers, a lack of segregation of development and production environments, or maybe the developers and administrators find it convenient enough to treat as a feature.

6
Q

Consider the following scenario for the next three questions: A user has navigated to the following URL during their daily work:

HTTPS://EXAMPLE.COM/ACCOUNT.CREATE?ACCT=STEVE&CONTEXT=READONLY

An attacker with knowledge of how the web application functions chooses to trick the user into visiting the following page with a link included in a phishing e-mail:

HTTPS://EXAMPLE.COM/ACCOUNT.CREATE?ACCT=ATTACKER&CONTEXT=ADMIN

  1. Based on the URL, what is the likely intended purpose of the page the user first visited?

A. To create a new web app account with the username Steve and read-only permissions
B. To create a new user on the underlying host with the username Steve and read-only access to the /tmp directory
C. To create a new user on the system’s database with administrative privileges under the username attacker
D. To create a new web app account with the username attacker with read-only privileges

A

A. To create a new web app account with the username Steve and read-only permissions

Explanation:
The URL specifically references account creation, the name Steve, and a context of read-only. Given the options present, the most likely intended purpose of this URL is the creation of a new web application account for a user named Steve with read-only permissions.

7
Q

Based on the URL, what is the attacker’s likely intent with the second URL?

A. To create a new user on the underlying host with the username Steve and read-only access to the /tmp directory
B. To create a new user on the system’s database with administrative privileges under the username Steve
C. To create a new web app account with the username Attacker and administrative privileges
D. To create a new web app account with the username Steve and read-only permissions

A

C. To create a new web app account with the username Attacker and administrative privileges

Explanation:
Given the differences between the first link (and its suspected function) and the maliciously crafted link, together with the likely goals of a malicious attacker, it is most likely that the attacker-crafted link is intended to create a new web app account with the username “Attacker” and administrative privileges.

8
Q

What vulnerabilities or attacks have been chained together to lead to the creation of the attacker’s account? (Choose two.)
A. CSRF
B. Insecure direct object reference
C. Code injection
D. Directory traversal

A

A. CSRF
B. Insecure direct object reference

Explanation:
The URL manipulation vulnerability is an example of insecure direct object reference. The use of a maliciously crafted URL sent in a phishing campaign to trick an authorized user into executing unintended operations is an example of CSRF (cross-site request forgery).

9
Q

In this first screenshot, a drop-down box is used to select a user ID number for which the user’s first and last names are displayed.

With some modifications to the POST request, the output shown here is obtained.
What method of web application attack was leveraged here?

A. XSS
B. Session hijacking
C. SQL injection
D. Clickjacking

A

C. SQL injection

Explanation:
The exploit demonstrated by the output is a clear example of SQL injection—a number of clues in the images presented make this clear. The first is the use of numeric indices to represent user IDs in the first screenshot—this is a typical means of data reference when dealing with relational databases. The next clue is found in the second screenshot, where all user IDs are presented as 2 OR 1=1;. The OR 1=1; clause is a common test query when attempting SQL injection, and it’s frequently used to attempt to bypass authentication mechanisms. Its usefulness is tied to the fact that appending OR 1=1; to the condition of a SQL query makes that condition always evaluate to true unless input control such as query parameterization is in place.

10
Q

In the manual browser-based attack shown here on the popular DVWA (available at http://dvwa.co.uk under GPL), any attempt at uploading malicious JavaScript to the server is met with an HTTP 400 error. After modifying the URL directly, however, an attacker is able to trick the browser into directly executing JavaScript code without the server being aware. What type of attack is being executed here?

A. Reflected XSS
B. DOM-based XSS
C. HTML injection
D. HTTP parameter pollution

A

B. DOM-based XSS

Explanation:
The use of a URI fragment (indicated by a #) after an HTTP query (indicated by a ?) that contains executable code is a good example of DOM-based XSS. By crafting a malicious URL and tricking a user into visiting it (perhaps with a phishing campaign), an attacker can cause the victim to tamper with HTTP parameters that are not properly defined or controlled. When snippets of JavaScript are added this way, the victim’s browser is tricked into executing whatever arbitrary code the attacker desires—frequently code that steals session cookies or other sensitive data, as in other XSS methods. The use of URI fragments is particularly sinister here: when the victim clicks the link, the data following the hash operator (#) is not sent to the remote server, meaning system administrators will have no way of knowing the attack took place.

11
Q

Consider the following screenshot from the DVWA. After execution, the page reveals the user context under which the web application is running. What type of attack has been executed here?

A. HTML injection
B. Command injection
C. Persistent XSS
D. Session hijacking

A

B. Command injection

Explanation:
The screenshot shows a staged example of a command injection attempt. To unpack the specific command string used, it helps to understand a little bit about *nix shell operators, exit codes, and command flow. In this case, the shell operator is ||, which is a logical operator meaning “OR.” What this operator does is ensure that one of two commands executes: if the first command is successful (that is, has an exit code of 0), then command execution stops. If the first command fails (that is, has a nonzero exit code), then the second command runs in turn. In this example, the application is asking for an IP address to ping. The staged command therefore effectively tells the web application to “ping foo” (which is almost guaranteed not to be a pingable short hostname) or, if the ping fails, to run the command id -a. Since foo is not a valid IP address, the ping fails, leading to the execution of id -a, which reveals that the web server is running as user www-data. A similar logical operator in many *nix shell environments is &&, which means “AND”: run the first command, and if it exits successfully (that is, with an exit code of 0), then also run the second command. How could a penetration tester use this command operator to force command injection?

12
Q

Consider the modified HTTP request shown in the following illustration. What type of attack is being attempted?

A. Local file inclusion
B. Certificate pinning
C. CSRF
D. Remote file inclusion

A

D. Remote file inclusion

Explanation:
The screenshot presented shows an example of a remote file inclusion attempt. The key indicator is the attempt to redefine a query value as the contents of a text file found on a remote system, as demonstrated by the use of an http:// URL within the query.

13
Q

While browsing PHP files via a local file inclusion (LFI) vulnerability you’ve discovered, you see the following lines in a function that appears to handle database queries:

define('DB_USERNAME', 'seth');
define('DB_PASSWORD', 'GoCubs21!@');

This information disclosure is an example of what insecure coding practice?

A. Hard-coded credentials
B. Comments in source code
C. Race condition
D. Verbose error handling

A

A. Hard-coded credentials

Explanation:
The presence of a username and password in plaintext in a PHP file is a clear example of hard-coded credentials, immediately threatening the confidentiality, integrity, and availability of at least the account in question, if not the entire system.

14
Q

Of the choices given, what vulnerability in this component of the DVWA is being exploited?

A. XSS
B. Local file inclusion
C. Code injection
D. Cookie manipulation

A

B. Local file inclusion

Explanation:
The use of directory traversal paired with an attempt to access a file that should be inaccessible to the web application (/etc/passwd) makes clear that this is a local file inclusion effort that succeeded.

15
Q

Consider the information revealed. How could this help an attacker expand their access to the system? (Choose two.)
A. The contents of the /etc/passwd file identify potential phishing target e-mail addresses.
B. Knowing the shells of user accounts will make it easier to crack their passwords.
C. Revealing the list of users in /etc/passwd could allow an attacker to identify standard user accounts in addition to the many nologin shell system accounts, making it possible to target them for brute forcing or other means of compromise.
D. The URL string also demonstrates directory traversal, allowing the attacker to read any file on the system that can be read in the context of the user running the web server.

A

C. Revealing the list of users in /etc/passwd could allow an attacker to identify standard user accounts in addition to the many nologin shell system accounts, making it possible to target them for brute forcing or other means of compromise.
D. The URL string also demonstrates directory traversal, allowing the attacker to read any file on the system that can be read in the context of the user running the web server.

Explanation:
Knowledge of the actual user accounts on a system gives a penetration tester a much stronger lead on where to focus efforts for further exploitation and lateral movement, and directory traversal paired with local file inclusion means the attacker effectively has eyes on everything happening on the system in question from the context of the user running the web server.
