3.4 Attacks & exploits: Application vulnerabilities Flashcards

1
Q

What is Server-Side Request Forgery (SSRF)?

A

▪ A type of attack that takes advantage of the trust relationship between the server and the other resources it can access
▪ Occurs when a web app fetches a remote resource without validating the URL

2
Q

How do you prevent Server-Side Request Forgery (SSRF)?

A

● Segment remote resource access functionality into separate networks
● Enforce a deny by default firewall or ACL policy
● Ensure web apps sanitize and validate any client-supplied input data

3
Q

Race Conditions: what are they, and how do they technically occur?

A

▪ Occurs when the resulting outcome of execution processes depends directly on the order and timing of certain events, which then fail to execute in the order and timing the developer intended
▪ Occurs when a computer tries to race itself in the processing of certain data
▪ Found where multiple threads attempt to write to a variable or object at the same memory location
▪ Race conditions often happen outside the normally logged processes in a system

4
Q

Race Conditions: what is Dereferencing?

A

Occurs when the code attempts to remove the relationship between a pointer and the thing it points to

5
Q

Race Conditions: what is TOCTOU?

A

Occurs when there is a change between when an app checks a resource and when the app uses the resource

6
Q

Race Conditions: what is a Mutually Exclusive Flag (Mutex)?

A

Acts as a gatekeeper to a section of code so that only one thread can be processed at a time

7
Q

Race Conditions: what is a Deadlock?

A

Occurs when a lock cannot be removed from the resource

8
Q

Race Conditions: how do you prevent problems with mutexes and locks?

A

Properly design and test any locks or mutexes

9
Q

Buffer Overflows: what are they?

A

▪ Occurs when a process stores data outside the memory range allocated by the developer
▪ Over 85% of data breaches were caused by a buffer overflow

10
Q

Buffer Overflows: what is a Buffer?

A

A temporary storage area that a program uses to store data

11
Q

Buffer Overflows: what is a stack?

A

Reserved area of memory where the program saves the return address when a function call instruction is received

12
Q

Buffer Overflows: what does “Smashing the Stack” mean?

A

Occurs when an attacker fills up the buffer with NOP instructions

13
Q

Buffer Overflows: what is a Non-Operation (NOP) Instruction?

A

Tells the system to do nothing and simply go to the next instruction

14
Q

Buffer Overflows: how do you prevent overflow attacks (4)?

A

▪ Maintain a good patch management program
▪ Always use secure coding practices: Boundary checking & Input validation
▪ Use Address Space Layout Randomization (ASLR): Prevents an attacker’s ability to guess where the return pointer for a non-malicious program has been set to call back to
▪ Use Data Execution Protection (DEP): Blocks applications that attempt to run from protected memory locations so executable code stored in the user data location will be marked as non-executable

15
Q

Buffer Overflows: what is an Integer Overflow and what are its consequences?

A

▪ Occurs when a computed result from an operation is too large to fit into its assigned variable type for storage
▪ Integer overflows and buffer overflows can lead to arbitrary code execution, and in turn, privilege escalations

16
Q

Authentication and References: what is Broken Authentication in OWASP?

A

Insecure authentication mechanisms that can allow an attacker to gain entry

17
Q

Authentication and References: how do you prevent Broken Authentication attacks (7)?

A

▪ Utilize multi-factor authentication
▪ Never use default credentials
▪ Verify passwords are strong and not found on published password exploitation lists
▪ Use limits or delays to slow failed login attempts and brute force attempts
▪ Use server-side session management and long and randomized session identifiers
▪ Never pass a session identifier as a URL parameter
▪ Implement session timeouts and expiring session identifiers

18
Q

Authentication and References: what is Insecure Direct Object Reference?

A

Used to manipulate URLs to gain access to a resource without requiring proper authentication

19
Q

Authentication and References: how do you prevent Insecure Direct Object Reference (2)?

A

● Always use secure coding practices
● Always implement proper access control techniques to verify a user’s authorization

20
Q

Improper Headers: what are HTTP Response Headers used for, and which attacks do they help protect against (6)?

A

Used to control how web servers operate in order to increase security during operations. They protect against:
● Cross site request forgery
● Cross site scripting
● Downgrade attack
● Cookie hijacking
● User impersonation
● Clickjacking

21
Q

Improper Headers: what is HTTP Strict Transport Security (HSTS) for when it is set in HTTP Response Headers?

A

Allows a web server to notify web browsers to only request using HTTPS and not HTTP

22
Q

Improper Headers: what is HTTP Public Key Pinning (HPKP) for when it is set in HTTP Response Headers?

A

Allows HTTPS websites to resist impersonation by attackers using mis-issued or fraudulent certificates

23
Q

Improper Headers: what is X-Frame-Options for when it is set in HTTP Response Headers?

A

Prevents clickjacking from occurring

24
Q

Improper Headers: what is X-XSS-Protection for when it is set in HTTP Response Headers?

A

Enables the cross-site scripting filter in the web browser

25
Q

Improper Headers: what is X-Content-Type-Options for when it is set in HTTP Response Headers?

A

Prevents the browser from interpreting files as something other than what they are

26
Q

Improper Headers: what is Content-Security-Policy (CSP) for when it is set in HTTP Response Headers?

A

Impacts how web browsers render pages

27
Q

Improper Headers: what is X-Permitted-Cross-Domain-Policies for when it is set in HTTP Response Headers?

A

Sends a cross-domain policy file to the web client and specifies if the browser has permission to handle data across domains

28
Q

Improper Headers: what is Referrer-Policy for when it is set in HTTP Response Headers?

A

Governs which referrer information should be included with requests made

29
Q

Improper Headers: what is Expect-CT for when it is set in HTTP Response Headers?

A

Instructs browsers to evaluate connections to the host emitting the header for Certificate Transparency compliance

30
Q

Improper Headers: what is Feature-Policy for when it is set in HTTP Response Headers?

A

Allows developers to selectively enable and disable use of various browser features and APIs

31
Q

Code Signing: what is it?

A

Digitally signing executables and scripts to confirm the software author and guarantee code has not been altered. Code signing just validates that the code is ready for distribution

32
Q

Vulnerable Components: list the vulnerable components in web applications (9):

A

o Client-Side Processing
o Server-Side Processing
o JavaScript Object Notation/Representational State Transfer (JSON REST)
o SOAP and XML
o Browser Extension
o Hypertext Markup Language (HTML5)
o Asynchronous JavaScript and XML (AJAX)
o Machine Code
o Bytecode

33
Q

Vulnerable Components: what is the Client-Side Processing vulnerable component in web applications?

A

Puts the load on the end user’s machine instead of the server

34
Q

Vulnerable Components: what is the Server-Side Processing vulnerable component in web applications?

A

Considered to be more secure and trustworthy for most use cases

35
Q

Vulnerable Components: explain the JavaScript Object Notation/Representational State Transfer (JSON REST) vulnerable component in web applications.

A

▪ Representational State Transfer (REST): A client/server model for interacting with content on remote systems over HTTP
▪ JavaScript Object Notation (JSON): A text-based message format used with RESTful web service
▪ REST and JSON: Mobile devices
▪ SOAP and XML: Security/transactional services

36
Q

Vulnerable Components: explain the SOAP and XML vulnerable component in web applications.

A

Simple Object Access Protocol (SOAP):
● Used for exchanging structural information for web services
● Conduct inspection and sanitization of inputs and outputs to the application

37
Q

Vulnerable Components: explain the Browser Extension vulnerable component in web applications.

A

▪ Provides expanded functionality or features to a web browser
▪ Flash, ActiveX, JavaScript: Remove Adobe Flash installations on your network’s clients
▪ COM: Communication
▪ DCOM: Distribution
▪ Only install extensions from trusted vendors

38
Q

Vulnerable Components: explain the Hypertext Markup Language (HTML5) vulnerable component in web applications; what is it vulnerable to (10)?

A

A powerful web application programming language that enables feature-rich applications. It is vulnerable to:
● Cross-domain messaging
● Cross-origin resource sharing
● Web sockets
● Server sent events
● Local, offline, and web storage
● Client-side databases
● Geolocation requests
● Web workers
● Tabnabbing
● Sandbox frames

39
Q

Vulnerable Components: explain the Asynchronous JavaScript and XML (AJAX) vulnerable component in web applications.

A

▪ A grouping of related technologies used on the client side to create asynchronous web applications
▪ Same-origin policy
▪ AJAX is considered more secure than some other methods

40
Q

Vulnerable Components: explain the Machine Code vulnerable component in web applications.

A

▪ Basic instructions written in machine language that can be directly executed by the CPU
▪ Specific to a type of processor and can only be run on the processor where it was compiled

41
Q

Vulnerable Components: explain the Bytecode vulnerable component in web applications.

A

An intermediate form of code produced by a compiler that can be translated into machine code

42
Q

Software Composition: what is Software Composition Analysis and why is it related to security?

A

A process by which software can be analyzed for open-source components.
A vulnerability in a third-party dependency becomes a vulnerability in your application

43
Q

Software Composition: what frameworks can you use to build your software (8)?

A

▪ Apache Struts
▪ Microsoft .NET
▪ Ruby on Rails
▪ Ramaze
▪ Hibernate
▪ Django
▪ Twisted
▪ web.py

44
Q

Software Composition: what is the Poor Exception Handling vulnerability in software?

A

Occurs when a program is not written to anticipate problems or errors

45
Q

Software Composition: what is the Security Misconfiguration vulnerability in software?

A

Any issue related to poorly implemented or documented security controls

46
Q

Software Composition: what is the Weak Cryptography Implementation vulnerability in software?

A

▪ Occurs when an out-of-date algorithm or cipher is being used in a modern system
▪ Utilize a well-known and documented encryption standard

47
Q

Software Composition: what is the Information Disclosure vulnerability in software?

A

The act of stealing information from an application or during the communication process between two applications

48
Q

Software Composition: what is the End of Support/End of Life Issues vulnerability in software?

A

▪ End of Life: No longer sold
▪ End of Support: No longer updated

49
Q

Software Composition: what is the Code Injection Issues vulnerability in software?

A

▪ An exploitation technique that runs malicious code with identification of a legitimate process
▪ Ensure applications provide input and output validation

50
Q

Software Composition: what is the Regression Issues vulnerability in software?

A

Occur when source code is changed, which may have introduced a new vulnerability or broken some existing functionality

51
Q

Software Composition: what is the Regression Testing Issues vulnerability in software?

A

Validates any software change does not produce any unintended consequences