15.2 Exploitation and Mitigation

Question 1

What is the top web vulnerability according to OWASP?

Answer 1

**injection**

According to OWASP, “injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.”

Question 2

What does SQL stand for?

Answer 2

SQL (Structured Query Language) is a language used for programming and managing databases.

Question 3

What does SQLi refer to?

Answer 3

SQL injections

SQLi attacks inject malicious SQL code through a client-side application such as a browser, revealing private data within the database. This flaw is easily detectable and exploitable. Any website, no matter how many users it has, may experience these types of attacks.

Question 4

Criminal adversaries use SQLi as a technique to perform the following:

Answer 4

• Violate authentication by spoofing a user’s identity.
• Cause repudiation issues.
• Violate data integrity by modifying existing data.

Question 5

SQLi attacks mainly affects what part of the CIA? Explain how it affects each pillar:

Answer 5

SQLi attacks mainly affects the confidentiality pillar of the CIA triad by revealing private and sensitive data. However, loss of integrity and availability are also risks.

• Confidentiality: SQLi leverages the leak of sensitive data in SQL databases, directly impacting confidentiality.
• Authentication: SQL commands can be manipulated to scan, modify, and extract usernames and passwords, allowing an attacker to connect as an authorized user.
• Integrity: Attackers can potentially read sensitive information, allowing them to modify or delete critical information.

Question 6

Explain SQLMap:

Answer 6

SQLMap is an open-source command-line tool that automates the process of detecting and exploiting SQL injection flaws in order to take control of database servers.

Question 7

What does SQLMap allow attackers to do?

Answer 7

SQLMap contains a powerful detection engine with many features that enable attackers to access an underlying database file system.

Question 8

With SQLMap, attackers can execute commands on the database server using _______ connections, meaning that an attacker can remotely control a back-end database using a backdoor connection, such as an RAT (Remote Access Trojan).

Answer 8

With SQLMap, attackers can execute commands on the database server using **out-of-band** connections, meaning that an attacker can remotely control a back-end database using a backdoor connection, such as an RAT (Remote Access Trojan).

Question 9

Explain this command:

sqlmap -u “http://172.16.203.141/owaspbricks/login-1/”

Answer 9

• sqlmap: Detects SQL injection vulnerabilities.
• -u: Indicates a URL for SQLMap to scan.
• "http://172.16.203.141/owaspbricks/login-1/" is the website we are attacking.

Question 10

Explain this command:

sqlmap -u http://172.16.203.141/owaspbricks/login-1/ –dbms=mysql –forms –users

Answer 10

• sqlmap: Detects SQL injection vulnerabilities.
• -u: Indicates a URL for SQLMap to scan.
• --dbms=mysql: Specifies which database management system to exploit.
• --forms: Parses and tests forms on the target URL.
• --users: Enumerates database users.

Question 11

Once we run the command, SQLmap will prompt us every time about:(3)

Answer 11

1. Do we want to test additional forms that SQLmap detects?
2. Do we want to fill blank fields with random values?
3. Do we want to have SQLmap try to inject with random integer values?

Question 12

After learning about SQLMap, what are the key takeaways?

Answer 12

1. Back-end database systems are a valuable source of information for criminal hackers.
2. Complacency can cause significant harm. We need to remember that just because back-end databases are buried deep within the web server architecture and protected by firewalls doesn’t mean they are safe from attackers.
3. As proven in this demonstration, the URL can be manipulated in various ways to circumvent layered defense mechanisms contained within web infrastructure. This is accomplished by exploiting existing trust-based systems that are public-facing, such as HTTP port 80 and the URL.

Question 13

What does BeEF stand for?

Answer 13

The **Browser Exploitation Framework** (BeEF) is a practical client-side attack tool that exploits vulnerabilities of web browsers to assess the security posture of a target.

Question 14

Ture or False:

While BeEF was developed for lawful research and penetration testing, criminal hackers have started using it as an attack tool.

Answer 14

True

Question 15

BeEF uses ______” to activate a simple but powerful API, which takes remote control of client-based web browsers.

Answer 15

BeEF uses “hooks” to activate a simple but powerful API, which takes remote control of client-based web browsers.

Question 16

Once a browser has been “hooked,” it becomes ______ which awaits instructions from the BeEF control station.

Answer 16

Once a browser has been “hooked,” it becomes a zombie which awaits instructions from the BeEF control station.

Zombies that have been hooked by BeEF send out periodic **polls** to the BeEF control center. These are **keep alive** signals, and indicate that the zombie connection is running and awaiting further instructions from BeEF.

Question 17

The majority of BeEF exploits occur as the result of an ______, however, they can also be facilitated by______ campaigns and _______attacks.

Answer 17

The majority of BeEF exploits occur as the result of an XSS attack, however, they can also be facilitated by social engineering campaigns and man-in-the-middle attacks.

Question 18

True or False:

The BeEF framework also allows for the integration of custom scripts, which more experienced criminal hackers can use.

Answer 18

True

Question 19

BeEF exploits what pillar of the CIA?

Answer 19

BeEF exploits compromise the integrity of hooked machines.

A breach can also cause loss of confidentiality and availability, depending on the motives of the attackers.

Question 20

What was BeEF originally intended for?

Answer 20

BeEF was originally intended for pentesting. In addition to being an exploitation tool, BeEF acts as an information gathering tool by providing additional details about the victim’s computer, revealing other types of attacks that can be performed.

Question 21

BeEF uses an ____ through JavaScript to hook vulnerable web browsers of unsuspecting clients.

Answer 21

BeEF uses an API through JavaScript to hook vulnerable web browsers of unsuspecting clients.

Question 22

Mitigation strategies against BeEF hooks include: (3)

Answer 22

• Use the Vegan Chrome browser extension. This extension detects BeEF hooks and blocks offending domains, preventing the attack.
• Create a Snort rule. You can add an emerging threats Snort rule to the company’s IDS, such as:
• alert tcp $HOME_NET any -\> $EXTERNAL_NET $HTTP_PORTS (flow:to_server,established; content:"Cookie|3a 20|BEEFSESSION=";)
• Implement a Content Security Policy (CSP). A CSP is an added layer of network security that detects and mitigates specific types of attacks, such as XSS and injection attacks.

Question 23

Just as each piece of hardware and software becomes a possible attack surface, various parts of the web can also become targets. These include:(4)

Answer 23

1. Environment variables
2. Parameters
3. Internal and external web services
4. All types of users

Question 24

Injection flaws are most common in older code and modern code with weak ______ practices.

Answer 24

Injection flaws are most common in older code and modern code with weak SDLC practices.

Question 25

Injection flaws often reside within:

Answer 25

1. SQL 2. NoSQL 3. LDAP 4. SMTP headers 5. XML parsers 6. OS commands.

Question 26

Injection flaws are relatively easy to detect when examining code with _____ or \_\_\_\_\_, which are also used by hackers to discover injection flaws.

Answer 26

Injection flaws are relatively easy to detect when examining code with fuzzers or scanners, which are also used by hackers to discover injection flaws.

Question 27

What aspect of the CIA triad is most directly affected by command injections

Answer 27

Command injection exploits affect confidentiality: * Command injection attacks can result in data loss/corruption, unauthorized disclosure, loss of accountability, and/or loss of availability. * Command injection attacks can also lead to a complete takeover, where the degree of impact depends on the business needs of the data and the application it runs on.

Question 28

(Windows) How to you search for a file located on the c:\ drive

Answer 28

**dir c:\filename /s`: Returns the location of a file called `filename`** ## Footnote - `dir`: Lists the directory. - `c:\filename`: The argument that the command is run against. - `/s`: Lists the file if included in a subdirectory.

Question 29

You can inject code into files by outputting strings of characters into an argument with commands like \_\_\_\_\_\_.

Answer 29

**'echo'**

Question 30

Explain this command:

Answer 30

'&& echo This\_is\_a\_test \> "c:\filename" ## Footnote - `&&`: Links this command to the previous `dir c:\filename /s` command. - `echo`: Directs content into an argument. - `This_is_a_test`: The string that will be injected. - `\> "c:\filename"`: The file that will be injected with code (the argument).

Question 31

What is command injection chaining?

Answer 31

Similar to its use in bash scripting, chaining allows us to link a series of commands.

Question 32

True or False: As a method of code injection, chaining limits the number of commands that can be run and the amount of work that can be done on the site

Question 33

Attackers can use a _________ to establish a reverse shell from the infected web server back to the attacker's machine, where a listener waits to complete the connection.

Answer 33

attackers can use a **command injection shell** to establish a reverse shell from the infected web server back to the attacker's machine, where a listener waits to complete the connection.