G4G0-2/Penetration Testing/Week 20/Week 20 - Web Attacks.md
2025-01-30 09:27:31 +00:00

Subtopics: Malicious Software, Attacks on Web Applications, Secure System Development

How Computers Get Compromised:

  • Accessing malicious or infected websites
  • Downloading and installing malware from websites
  • Executing attachments to emails containing exploits and malware
  • Plugging in external devices infected with malware
  • Installing malware/infected software from media
  • Direct attacks from the internet exploiting vulnerabilities in OS or applications
  • Via the delivery (supply) chain, during assembly or shipment

Malware Types:

  • Backdoor/Trapdoor
  • Logic bomb
  • Trojan horse
  • Worm
  • Virus (polymorphic, metamorphic)
  • Stealth virus
  • Exploit

Exploits:

  • Exploit a software or hardware vulnerability
  • Carried in common data formats such as PDF, office documents and media files
  • Contain corrupt (malformed) data
  • Cause unintended behaviour on the target computer

Backdoor/Trapdoor:

  • Provides remote control capabilities
  • Can reside on the system for long periods before being used
  • Installed by exploit or user (tricked into installing malicious program)
  • Can be installed during design for testing purposes, posing a threat if left in production software

The Cyber Kill Chain (Hutchins et al., 2011):

  • Phases: Reconnaissance, Weaponisation, Delivery, Exploitation, Installation, Command & Control (C&C), Action/Exfiltration
  • The timescale of each phase varies widely, from days or months down to hours or seconds

Web Application Security Challenge:

  • Firewall, App Server, Web Server, Hardened OS, Databases, Legacy Systems, Web Services, Directories, Human Resources, Billing, Custom-Developed Application Code
  • Network layer and application layer security are crucial

Application Attacks

  • Application attacks bypass traditional network security measures like firewalls

SQL (Structured Query Language):

  • Interface to relational databases
  • Used for inserting, updating, deleting, and retrieving data in a database

SQL Injection:

  • The database system misinterprets input data as part of the SQL command
  • Attacker disguises SQL commands as data input
  • Vulnerability exists when web application fails to sanitise data input before sending it to the database
  • Preventing SQL Injection and XSS: validate all user-entered parameters, escape questionable characters, and do not reveal error-handling details to the client
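The following is an added worked example (not part of the original notes) showing the mechanism described above: a lookup that pastes user input into the SQL text beside the hardened version that binds it as a parameter, plus allow-list validation and a response wrapper that hides database error details. The in-memory SQLite `users` table and the `lookup_for_response` helper are constructed for this example.

```python
import re
import sqlite3


def make_sample_db():
    """Constructed sample database: two users in an in-memory SQLite table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "hash-a"), ("bob", "hash-b")],
    )
    return conn


def find_user_vulnerable(conn, username):
    """Vulnerable: the input is concatenated into the SQL text, so a quote
    character in the input ends the string literal and the rest of the
    input is executed as SQL (the 'disguised as data' case above)."""
    query = f"SELECT username FROM users WHERE username = '{username}' ORDER BY username"
    return [row[0] for row in conn.execute(query)]


def find_user_safe(conn, username):
    """Hardened: a bound parameter is always treated as a value, never as
    SQL, whatever characters it contains."""
    query = "SELECT username FROM users WHERE username = ? ORDER BY username"
    return [row[0] for row in conn.execute(query, (username,))]


# Allow-list for the parameter: letters, digits and a few separators only.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def is_valid_username(username):
    """Validate the user-entered parameter before it reaches the database."""
    return USERNAME_RE.fullmatch(username) is not None


def lookup_for_response(conn, username):
    """What the web layer should return: validate first, use the bound
    query, and never echo database error details back to the client."""
    if not is_valid_username(username):
        return {"ok": False, "error": "invalid username"}
    try:
        return {"ok": True, "users": find_user_safe(conn, username)}
    except sqlite3.Error:
        # Log the real exception server-side; the client gets a generic message.
        return {"ok": False, "error": "lookup failed"}
```

Running `find_user_vulnerable` with the input `' OR '1'='1` returns every row because the WHERE clause has been rewritten into a tautology; the same input given to `find_user_safe` matches nothing, and the allow-list rejects it before a query is even built.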

Broken Authentication and Session Management:

  • User authentication does not necessarily provide continuous assurance
  • Example of an insecure implementation: session control based on a static session ID passed in the URL
  • Recommendations for session IDs (OWASP)
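As an added example (not from the original notes), the following minimal server-side session store illustrates the contrast with a static URL-borne session ID: identifiers are generated with a cryptographic random source, held only on the server, expire, are rotated after login or a privilege change, and are delivered in a cookie with `HttpOnly`, `Secure` and `SameSite` set rather than in the URL. The `SessionStore` class, the 30-minute lifetime and the injectable `clock` are assumptions made for this example.

```python
import secrets
import time

SESSION_TTL_SECONDS = 30 * 60  # assumed idle lifetime for this example


class SessionStore:
    """Server-side session table keyed by an unguessable session ID."""

    def __init__(self, ttl=SESSION_TTL_SECONDS, clock=time.time):
        self._sessions = {}
        self._ttl = ttl
        self._clock = clock  # injectable so expiry can be exercised in tests

    def create(self, user):
        # 32 random bytes from the OS CSPRNG; the ID carries no user data.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "expires": self._clock() + self._ttl}
        return sid

    def lookup(self, sid):
        """Return the user bound to sid, or None if unknown or expired."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if self._clock() > entry["expires"]:
            del self._sessions[sid]
            return None
        return entry["user"]

    def rotate(self, old_sid):
        """Issue a fresh ID after login or a privilege change, so an ID
        observed before authentication is worthless afterwards."""
        user = self.lookup(old_sid)
        if user is None:
            return None
        del self._sessions[old_sid]
        return self.create(user)

    def destroy(self, sid):
        """Logout: invalidate the session on the server, not just the client."""
        self._sessions.pop(sid, None)


def session_cookie_header(sid):
    """The session ID travels in a cookie, never in the URL: HttpOnly keeps it
    away from page scripts, Secure keeps it off plaintext HTTP, SameSite
    limits cross-site sending."""
    return f"Set-Cookie: session={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"
```

The checks worth confirming are that a rotated-out ID no longer resolves, that an idle session stops resolving once the lifetime has passed, and that the cookie attributes are present on every issued session.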

OWASP Top-10 Web Application Risks (as of 2017):

  • Injection, Broken Authentication, Sensitive Data Exposure, XML External Entity (XXE), Security Misconfiguration, Cross-Site Scripting (XSS), Insecure Deserialization, Using Components with Known Vulnerabilities, Insufficient Logging & Monitoring, Underprotected APIs

Waterfall SDLC vs. Agile Software Development vs. Secure Agile:

  • Waterfall SDLC: Sequential phases (Design, Requirements, Implementation, Verification, Maintenance)
  • Agile Software Development: Iterative sprint cycles based on user stories
  • Secure Agile: Includes additional security steps during project startup, each sprint cycle, and final test and validation
  • Threat modeling in Secure Agile: Identify, analyze, and describe relevant threats using STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege)