3.3 Attacks and Exploits Flashcards
Given a scenario, research attack vectors and perform application-based attacks.
What are some common vulnerabilities to web applications?
-Insecure data transmission
-Lack of error handling
-Missing input validation
-Lack of code signing
-Race conditions (when the resulting outcome from execution processes is directly dependent on the order and timing of certain events)
What is session hijacking?
Session hijacking is the process of stealing the session credential from a user’s browser and then using it to impersonate the user on a website.
What is session fixation?
Session fixation requires the user to authenticate with a known session identifier that will then be used for impersonation. This could be done through social engineering and providing a fake login page that will use the known Session ID (SID).
What is session replay?
Session replay requires having access to the user authentication process itself, so that it can be intercepted and repeated. This could be achieved through a MITM attack.
What is a Cross-Site Request Forgery (XSRF/CSRF) attack?
In an XSRF/CSRF attack, an attacker takes advantage of the trust established between an authorized user of a website and the website itself. For example, this type of attack could leverage a web browser’s trust in a user’s unexpired browser cookies: the saved authentication data stored inside the cookie is used to gain access to the web browser’s sensitive data.
What is a Server-Side Request Forgery (SSRF) attack?
In an SSRF attack, an attacker takes advantage of the trust established between the server and the resources it can access, including itself.
What are Business Logic Flaws?
Business Logic Flaws are vulnerabilities that arise from implementation and design issues that lead to unintended behavior.
What is SQL Injection (SQLi)?
In a SQLi attack, you can modify one or more of the four basic functions of SQL querying (selecting, inserting, deleting, updating) by embedding code in some input within the web app, causing it to execute your own set of SQL queries.
What is Blind SQLi?
Blind SQLi is injecting SQL when the web application’s response does not contain the result of the query. Its variants include Boolean-based Blind SQLi and Time-based Blind SQLi.
What is Directory Traversal?
Directory Traversal is the practice of accessing a file from a location that the user is not authorized to access. You can do this by inducing a web app to backtrack through the directory path so that the app reads or executes a file in a parent directory.
What is Command Injection?
In Command Injection, you supply malicious input to the web server, which then passes this input to a system shell for execution. In this way, Command Injection creates new instances of execution and can leverage languages that the web app does not directly support.
What is the Lightweight Directory Access Protocol (LDAP)?
LDAP is a standard that defines how networked devices manage directory services. It can be used by web applications to perform tasks according to user input, so it is a possible location to attempt injection.
What is a Persistent XSS attack?
In a Persistent XSS attack, also called a stored attack, you inject malicious code or links into a website’s forums, databases, or other data. When a user views the stored malicious code, or clicks a malicious link on the site, the attack is perpetrated against them. As the name suggests, the injected code remains in the page because it is stored on the server.
What is a Reflected XSS attack?
In a Reflected XSS attack, you craft a form or other request to be sent to a legitimate web server. This request includes your malicious script. You then send a link to the victim with this request and when the victim clicks that link, the malicious script is sent to the legitimate server and reflected off it. The script then executes on the victim’s browser. Unlike a stored attack, the malicious code in a reflected attack does not persist on the server.
What is a Document Object Model (DOM)-based attack?
In a DOM-based attack, malicious scripts are not sent to the server at all; rather, they take advantage of a web app’s client-side implementation of JavaScript to execute the attack solely on the client.