Lesson 14 - Analyze Indicators of Application Attacks Flashcards

1
Q

arbitrary code execution

A

arbitrary code execution - allows the threat actor to run his or her own code on the system.

2
Q

remote code execution

A

remote code execution - code is transmitted from one machine to another.

3
Q

Vertical privilege escalation (or elevation)

A

Vertical privilege escalation (or elevation) - a user or application can access functionality or data that should not be available to them.

4
Q

Horizontal privilege escalation

A

Horizontal privilege escalation - a user accesses functionality or data that is intended for another user.

5
Q

buffer

A

buffer - an area of memory that the application reserves to store expected data.

To exploit a buffer overflow vulnerability, the attacker passes data that deliberately overfills the buffer.

6
Q

integer overflow attack

A

integer overflow attack - an attack in which a computed result is too large to fit in its assigned storage space, which may lead to crashing or data corruption, and may trigger a buffer overflow.

7
Q

pointer dereferencing

A

pointer dereferencing - when code attempts to read a memory location specified by a pointer, but the memory location is null.

Also known as dereferencing.

8
Q

race condition

A

Race conditions occur when the outcome from an execution process is directly dependent on the order and timing of certain events, and those events fail to execute in the order and timing intended by the developer.

A race condition is one means of engineering a null pointer dereference exception.

9
Q

time of check to time of use (TOCTTOU) race condition

A

time of check to time of use (TOCTTOU) race condition - when there is a change between when an app checked a resource and when the app used the resource.

10
Q

Memory leaks

A

Memory leaks - serious in service/background applications.

They will continue to consume memory over an extended period.

11
Q

dynamic link library (DLL)

A

DLL - a binary package that implements some sort of standard functionality, such as establishing a network connection or performing cryptography.

12
Q

DLL injection

A

DLL injection is a vulnerability in the way the operating system allows one process to attach to another. This functionality can be abused by malware to force a legitimate process to load a malicious link library.

13
Q

Refactoring

A

Refactoring - code performs the same function by using different methods.

14
Q

shim

A

Shim - a code library that intercepts and redirects calls to enable legacy mode functionality.

15
Q

pass the hash (PtH)

A

pass the hash (PtH) - credential exploit technique for lateral movement.

The process of harvesting an account’s cached credentials when the user is logged into a single sign-on (SSO) system so the attacker can use the credentials on other systems.

16
Q

HTTP

A

HTTP: The principal method is GET, used to retrieve a resource. Other methods include:

  • POST—send data to the server for processing by the requested resource.
  • PUT—create or replace the resource. DELETE can be used to remove the resource.
  • HEAD—retrieve the headers for a resource only (not the body).
17
Q

Percent encoding

A

Percent encoding allows a user-agent to submit any safe or unsafe character (or binary data) to the server within the URL.

Percent encoding can be misused to obfuscate the nature of a URL and submit malicious input.

Percent encoding can exploit weaknesses in the way the server application performs decoding.

18
Q

replay attack

A

replay attack - sniffing or guessing the token value and then submitting it to re-establish the session illegitimately.

19
Q

Session Hijacking (in a web application)

A

session hijacking - replaying a cookie in some way.

Attackers can sniff network traffic to obtain session cookies sent over an unsecured network, like a public Wi-Fi hotspot.

To counter cookie hijacking, you can encrypt cookies during transmission and delete cookies from the client’s browser cache when the client terminates the session.

20
Q

client-side or cross-site request forgery (CSRF or XSRF)

A

client-side or cross-site request forgery (CSRF or XSRF) - exploits applications that use cookies to authenticate users and track sessions.

To work, the attacker must convince the victim to start a session with the target site. The attacker must then pass an HTTP request to the victim’s browser that spoofs an action on the target site, such as changing a password or an email address.

21
Q

Clickjacking

A

Clickjacking - an attack where what the user sees and trusts as a web application with some sort of login page or form contains a malicious layer or invisible iFrame that allows an attacker to intercept or redirect user input.

22
Q

Secure Sockets Layer (SSL) strip attack

A

Secure Sockets Layer (SSL) strip attack - launched against clients on a local network as they try to make connections to websites.

The threat actor must first perform a Man-in-the-Middle attack via ARP poisoning to masquerade as the default gateway.

23
Q

cross-site scripting (XSS) attack

A

cross-site scripting (XSS) attack - exploits the fact that the browser is likely to trust scripts that appear to come from a site the user has chosen to visit.

XSS inserts a malicious script that appears to be part of the trusted site.

Attacks such as session replay, CSRF, and DOM-based XSS are client-side attacks. This means that they execute arbitrary code on the browser.

24
Q

server-side attack

A

A server-side attack causes the server to do some processing or run a script or query in a way that is not authorized by the application design.

25
Q

SQL injection attack

A

A web application is likely to use SQL to read and write information from a database.

In a SQL injection attack, the threat actor modifies one or more of these four basic functions (SELECT, INSERT, DELETE, UPDATE) by adding code to some input accepted by the app, causing it to execute the attacker’s own set of SQL queries or parameters.

26
Q

Extensible Markup Language (XML)

A

Extensible Markup Language (XML) - used by apps for authentication and authorization, and for other types of data exchange and uploading.

Data submitted via XML with no encryption or input validation is vulnerable to spoofing, request forgery, and injection of arbitrary data or code.

27
Q

LDAP attack

A

LDAP is specifically used to read and write network directory databases.
A threat actor could exploit either unauthenticated access or a vulnerability in a client app to submit arbitrary LDAP queries. This could allow accounts to be created or deleted, or for the attacker to change authorizations and privileges.

28
Q

Directory traversal

A

Directory traversal - injection attack performed against a web server.

The threat actor submits a request for a file outside the web server’s root directory by submitting a path to navigate to the parent directory (../).

29
Q

canonicalization attack

A

canonicalization attack - used to disguise the nature of the malicious input.

Canonicalization refers to the way the server converts between the different methods by which a resource (such as a file path or URL) may be represented and submitted to the simplest (or canonical) method used by the server to process the input.

30
Q

command injection attack

A

command injection attack - attempts to cause the server to run OS shell commands and return the output to the browser.

31
Q

A server-side request forgery (SSRF)

A

A server-side request forgery (SSRF) causes the server application to process an arbitrary request that targets another service, either on the same host or a different one.

SSRF attacks are often targeted against cloud infrastructure where the web server is only the public-facing component of a deeper processing chain.

SSRF encompasses a very wide range of potential exploits and targets, some of which include:
  • Reconnaissance
  • Credential stealing
  • Unauthorized requests
  • Protocol smuggling
32
Q

Normalization

A

Normalization - a string is stripped of illegal characters or substrings and converted to the accepted character set.

33
Q

Output encoding

A

Output encoding - string is re-encoded safely for the context in which it is being used.

34
Q

Response Headers:

Some of the most important security-relevant headers:

A

  • HTTP Strict Transport Security (HSTS)—forces browser to connect using HTTPS only, mitigating downgrade attacks, such as SSL stripping.
  • Content Security Policy (CSP)—mitigates clickjacking, script injection, and other client-side attacks. Note that X-Frame-Options and X-XSS-Protection provide mitigation for older browser versions, but are now deprecated in favor of CSP.
  • Cache-Control—sets whether the browser can cache responses. Preventing caching of data protects confidential and personal information where the client device might be shared by multiple users.
35
Q

Data exposure

A

Data exposure - a fault that allows privileged information (such as a token, password, or personal data) to be read without being subject to the appropriate access controls.

Applications must only transmit such data between authenticated hosts, using cryptography to protect the session.

36
Q

Code reuse

A

Code reuse—using a block of code from elsewhere in the same application or from another application to perform a different function (or perform the same function).

37
Q

Third-party library

A

Third-party library—using a binary package (such as a dynamic link library) that implements some sort of standard functionality, such as establishing a network connection or performing cryptography.

38
Q

Software development kit (SDK)

A

Software development kit (SDK)—using sample code or libraries of pre-built functions from the programming environment used to create the software or interact with a third-party API.

39
Q

Stored procedures

A

Stored procedures—using a pre-built function to perform a database query.
A stored procedure is a part of a database that executes a custom query.

40
Q

Unreachable code

A

Unreachable code - part of application source code that can never be executed.

41
Q

Dead code

A

Dead code is executed but has no effect on the program flow.

42
Q

Static code analysis (or source code analysis)

A

Static code analysis (or source code analysis) is performed against the application code before it is packaged as an executable process.

43
Q

manual code review

A

manual code review - human analysis of software source code.

44
Q

Dynamic analysis

A

Dynamic analysis - application is tested under “real world” conditions using a staging environment.

45
Q

Fuzzing

A

Fuzzing - testing that an application’s input validation routines work well.

Fuzzing - the test or vulnerability scanner generates large amounts of deliberately invalid and/or random input and records the responses made by the application.

There are generally three types of fuzzers, representing different ways of injecting manipulated input into the application:

  • Application UI—identify input streams accepted by the application, such as input boxes, command line switches, or import/export functions.
  • Protocol—transmit manipulated packets to the application, perhaps using unexpected values in the headers or payload.
  • File format—attempt to open files whose format has been manipulated, perhaps manipulating specific features of the file.
46
Q

OS-Based Execution Control:

A

  • Software Restriction Policies (SRP)—can be configured as GPOs to passlist file system locations from which executables and scripts can launch.
  • AppLocker—improves configuration options and default usage of SRP. Notably, AppLocker policies can be applied to user and group accounts rather than just computer accounts.
  • Windows Defender Application Control (WDAC)—can be used to create Code Integrity (CI) policies, which can be used on their own or in conjunction with AppLocker. CI policies apply to the computer and affect all users.
47
Q

Malicious Code Indicators:

• Shellcode

A

• Shellcode—a minimal program designed to exploit a buffer overflow or similar vulnerability to gain privileges, or to drop a backdoor on the host if run as a Trojan.

48
Q

Malicious Code Indicators:

• Credential dumping

A

• Credential dumping—the malware might try to access the credentials file (SAM on a local Windows workstation) or sniff credentials held in memory by the lsass.exe system process.

49
Q

Malicious Code Indicators:

• Lateral movement/insider attack

A

• Lateral movement/insider attack—the general procedure is to use the foothold to execute a process remotely, using a tool such as psexec or PowerShell.

50
Q

Malicious Code Indicators:

• Persistence

A

• Persistence—a mechanism that ensures the threat actor’s backdoor is restarted if the host reboots or the user logs off.

51
Q

document macro

A

A document macro is a sequence of actions performed in the context of a word processor, spreadsheet, or presentation file.

Macros are coded in a scripting language.

52
Q

man-in-the-browser (MitB) attack

A

man-in-the-browser (MitB) attack - a specific type of on-path attack where the web browser is compromised.

Depending on the level of privilege obtained, the attacker may be able to inspect session cookies, certificates, and data, change browser settings, perform redirection, and inject code.

53
Q

Scalability

A

Scalability - costs involved in supplying the service to more users are linear.

54
Q

Elasticity

A

Elasticity - system’s ability to handle changes on-demand in real-time.

A system with high elasticity will not experience loss of service or performance if demand suddenly doubles (or triples, or quadruples).

55
Q

software development life cycle (SDLC)

A

software development life cycle (SDLC) - divides the creation and maintenance of software into discrete phases.

56
Q

Quality Assurance (QA):

A

Quality Assurance (QA): Quality processes are how an organization tests a system to identify whether it complies with a set of requirements and expectations.

These requirements and expectations can be driven by risk-based assessments, or they can be driven by internal and external compliance factors, such as industry regulations and company-defined quality standards.

57
Q

Quality control (QC)

A

Quality control (QC) - determining whether a system is free from defects or deficiencies.

QC procedures are defined by a quality assurance (QA) process, which analyzes what constitutes “quality” and how it can be measured and checked.

58
Q

Development Environments STAGES:

A

Development Environments STAGES:

  • Development—the code will be hosted on a secure server. Each developer will check out a portion of code for editing on his or her local machine. The local machine will normally be configured with a sandbox for local testing.
  • Test/integration—in this environment, code from multiple developers is merged to a single master copy and subjected to basic unit and functional tests (either automated or by human testers). These tests aim to ensure that the code builds correctly and fulfills the functions required by the design.
  • Staging—this is a mirror of the production environment but may use test or sample data and will have additional access controls so that it is only accessible to test users. Testing at this stage will focus more on usability and performance.
  • Production—the application is released to end users.
59
Q

Provisioning

A

Provisioning - process of deploying an application to the target environment, such as enterprise desktops, mobile devices, or cloud infrastructure.

The provisioning process must account for changes to any of these applications so that packages or instances are updated with the latest version.

60
Q

Deprovisioning

A

Deprovisioning - process of removing an application from packages or instances.

It is also important to make appropriate environmental changes to remove any configurations (such as open firewall ports) that were made just to support that application.

61
Q

Version control

A

Version control - ID system for each iteration of a software product. Most version control numbers represent both the version, and internal build numbers for use in the development process.

62
Q

Continuous integration (CI)

A

Continuous integration (CI) - the principle that developers should commit and test updates often—every day or sometimes even more frequently.

This is designed to reduce the chances of two developers spending time on code changes that are later found to conflict with one another.

CI aims to detect and resolve these conflicts early, as it is easier to diagnose one or two conflicts or build errors than it is to diagnose the causes of tens of them.

63
Q

continuous deployment

A

continuous deployment - separate process of actually making changes to the production environment to support the new app version.

64
Q

automation solution

A

An automation solution will have a system of continuous monitoring to detect service failures and security incidents.

65
Q

Verification (Software/Application)

A

Verification - compliance testing process to ensure that the product or system meets its design goals.

66
Q

Validation (Software/Application)

A

Validation - the process of determining whether the application is fit for purpose.