vault backup: 2025-01-30 17:33:17

Penetration Testing/Week 20/Week 20 - Web Attacks.md

@@ -2,48 +2,48 @@ Subtopics: Malicious Software, Attacks on Web Applications, Secure System Develo
 
 # How Computers Get Compromised:
 
-  - Accessing malicious or infected websites
-  - Downloading and installing malware from websites
-  - Executing attachments to emails containing exploits and malware
-  - Plugging in external devices infected with malware
-  - Installing malware/infected software from media
-  - Direct attacks from the internet exploiting vulnerabilities in OS or applications
-  - Through delivery chain, during assembly or shipment
+- Accessing malicious or infected websites
+- Downloading and installing malware from websites
+- Executing attachments to emails containing exploits and malware
+- Plugging in external devices infected with malware
+- Installing malware/infected software from media
+- Direct attacks from the internet exploiting vulnerabilities in OS or applications
+- Through delivery chain, during assembly or shipment
 
 ## Malware Types:
 
-  - Backdoor/Trapdoor
-  - Logic bomb
-  - Trojan horse
-  - Worm
-  - Virus (polymorphic, metamorphic)
-  - Stealth virus
-  - Exploit
+- Backdoor/Trapdoor
+- Logic bomb
+- Trojan horse
+- Worm
+- Virus (polymorphic, metamorphic)
+- Stealth virus
+- Exploit
 
 ## Exploits:
 
-  - Exploit software/hardware vulnerability
-  - Carried in common data formats like PDF, office documents, media files
-  - Contains corrupt data types
-  - Causes unintended behavior on computers
+- Exploit software/hardware vulnerability
+- Carried in common data formats like PDF, office documents, media files
+- Contains corrupt data types
+- Causes unintended behavior on computers
 
 ## Backdoor/Trapdoor:
 
-  - Provides remote control capabilities
-  - Can reside on the system for long periods before being used
-  - Installed by exploit or user (tricked into installing malicious program)
-  - Can be installed during design for testing purposes, posing a threat if left in production software
+- Provides remote control capabilities
+- Can reside on the system for long periods before being used
+- Installed by exploit or user (tricked into installing malicious program)
+- Can be installed during design for testing purposes, posing a threat if left in production software
 
 # The Cyber Kill Chain (Hutchins Et Al., 2011):
 
-  - Reconnaissance, Weaponisation, Delivery, Exploitation, Installation, Command & Control (C&C), Action/Exfiltration
-  - Timescale for each phase varies from days, months, hours to seconds.
-	  - Recon; Weaponisation; Delivery; Exploitation; Installation; Command & Control; Action/Exfil
+- Reconnaissance, Weaponisation, Delivery, Exploitation, Installation, Command & Control (C&C), Action/Exfiltration
+- Timescale for each phase varies from days, months, hours to seconds.
+	- Recon; Weaponisation; Delivery; Exploitation; Installation; Command & Control; Action/Exfil
 
 ## Web Application Security Challenge:
 
-  - Firewall, App Server, Web Server, Hardened OS, Databases, Legacy Systems, Web Services, Directories, Human Resources, Billing, Custom-Developed Application Code
-  - Network layer and application layer security are crucial
+- Firewall, App Server, Web Server, Hardened OS, Databases, Legacy Systems, Web Services, Directories, Human Resources, Billing, Custom-Developed Application Code
+- Network layer and application layer security are crucial
 
 # Application Attacks
 
@@ -51,29 +51,62 @@ Subtopics: Malicious Software, Attacks on Web Applications, Secure System Develo
 
 ## SQL (Structured Query Language):
 
-  - Interface to relational databases
-  - Used for inserting, updating, deleting, and retrieving data in a database
+- Interface to relational databases
+- Used for inserting, updating, deleting, and retrieving data in a database
 
 ### SQL Injection:
 
-  - Databases system misinterpretation of input data
-  - Attacker disguises SQL commands as data input
-  - Vulnerability exists when web application fails to sanitise data input before sending it to the database
-  - Preventing SQL Injection and XSS: Validate all user-entered parameters, escape questionable characters, hide information about error handling
+- Databases system misinterpretation of input data
+- Attacker disguises SQL commands as data input
+- Vulnerability exists when web application fails to sanitise data input before sending it to the database
+
+### Preventing SQL Injection and XSS
+
+- Validate all user-entered parameters (data types and lengths)
+- Disallow unwanted data (html tags, JS, SQL commands)
+- Escape questionable characters (ticks, --, semicolons, quotes, etc)
+- Hide information about error handling
+
+#### Stored XSS
+
+Input script to website disguised as user content
+Store and display script on page
+User accesses page
+Malicious script sent to user
 
 ## Broken Authentication and Session Management:
 
-  - User authentication does not necessarily provide continuous assurance
-  - Insecure implementation of session control with a static session ID passed in the URL
-  - Recommendations for session IDs (OWASP)
+- User authentication does not necessarily provide continuous assurance
+- Insecure implementation of session control with a static session ID passed in the URL
+- Recommendations for session IDs (OWASP)
 
-## OWASP Top-10 Web Application Risks (as of 2017):
+### Method
+Log in to application
+Provide service, user stays logged in
+Email info about session ID
+Other user can access website as first user
 
-  - Injection, Broken Authentication, Sensitive Data Exposure, XML External Entity (XXE), Security Misconfiguration, Cross-Site Scripting (XSS), Insecure Deserialization, Using Components with Known Vulnerabilities, Insufficient Logging & Monitoring, Underprotected APIs
+### Fixes
+- Authentication linked to time
+- OWASP recommendations followed
+- Link session ID to IP address, TLS session, etc.
+Reconnaissance Assignment
+## [OWASP Top-10](https://owasp.org/Top10/) Web Application Risks (as of 2017):
+
+- Injection, Broken Authentication, Sensitive Data Exposure, XML External Entity (XXE), Security Misconfiguration, Cross-Site Scripting (XSS), Insecure Deserialization, Using Components with Known Vulnerabilities, Insufficient Logging & Monitoring
 
 ## Waterfall SDLC vs. Agile Software Development vs. Secure Agile:
 
-  - Waterfall SDLC: Sequential phases (Design, Requirements, Implementation, Verification, Maintenance)
-  - Agile Software Development: Iterative sprint cycles based on user stories
-  - Secure Agile: Includes additional security steps during project startup, each sprint cycle, and final test and validation
-  - Threat modeling in Secure Agile: Identify, analyze, and describe relevant threats using STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege)
+- Waterfall SDLC: Sequential phases (Design, Requirements, Implementation, Verification, Maintenance)
+- Agile Software Development: Iterative sprint cycles based on user stories
+- Secure Agile: Includes additional security steps during project startup, each sprint cycle, and final test and validation
+- Threat modeling in Secure Agile: Identify, analyze, and describe relevant threats using STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege)
+
+### STRIDE
+
+Spoofing - Can an attacker gain access with a false identity?
+Tampering - Can an attacker modify data as an application runs?
+Repudiation - If an attacker denies interaction, can we prove it?
+Information Disclosure - Can an attacker gain PII?
+Denial of Service - Can an attacker crash or reduce availability?
+Elevation of Privilege - Can an attacker assume the identity of a privileged user?