1.3 Potential Indicators - Application Attacks

Privilege Escalation

Privilege escalation is a cybersecurity threat and technique where an attacker attempts to gain unauthorized access to higher levels of privilege or permissions within a computer system, network, or application. The goal is to obtain increased access rights, often with the intention of compromising the security of the system or stealing sensitive data.

Gaining higher privilege access to a system allows to access more capabilities within that system. - horizontal priv esc = attacker with certain level of privilege tries to gain same level of privilege as another user - vertical priv esc = lower-level privilege attempting to gain higher-level privilege within an application

Mitigation Priv Esc - patch and fix the vulnerability | anti-malware software | data execution prevention (only data in executable areas can run) | address space layout randomization (prevent buffer overrun at a known memory address)

Cross-Site Scripting (XSS)

XSS is a web security vulnerability that allows attackers to inject malicious scripts (typically in the form of JavaScript) into web applications. Malicious scripts can execute in the context of a victim's browser, potentially stealing sensitive information, hijacking user sessions, or delivering malware.

Non-Persistent (Reflected) XSS Attack

• the malicious script is embedded in a URL or input field and is reflected off a web server to the victim's browser. This usually happens when a victim clicks on a malicious link or submits a form with the injected scripts.

• attackers use it to steal credentials/session IDs/cookies without victim's knowledge

Persistent (Stored) XSS Attack

• the malicious script is permanently stored on a target server, such as in database or a comment field on a website. When other users access the compromised page or content, the script executes itself again in the browser.

• this type of attack usually have no target, it effects all viewers in the page.

DOM-based XSS Attack

• involves manipulating the Document Object Model (DOM) of a web page through the injection of malicious scripts. the attack targets the client-side scripts in the browser rather than the server.

Injection Attacks

Injection attacks are a category of cybersecurity threats where an attacker injects malicious data or code into a target system, often to exploit vulnerabilities and gain unauthorized access or manipulate the system's behavior. These attacks typically involve injecting untrusted input into a system's data or command execution flow.

Code injection allows you to add your own information into a data stream. It is enabled because of bad programming practices. Normally, an application should sanitize user input. - never trust user input!

SQL injection allows you to craft SQL queries and modify the requests. Applications that use common Relational Database Management System (RDBMS) languages shouldn't allow users to input SQL queries.

XML injection and LDAP injection - Extensible Markup Language - a set of rules for data transfer and storage. - Attackers aim to exploit vulnerabilities in XML parsers, potentially leading to data disclosure or denial-of-service attacks. - modify LDAP requests to manipulate application results, gain unauthorized access, extract information, or perform other malicious actions.

Buffer Overflows

Buffer overflow occurs when one section of memory overwrites other section of the memory. This is a security issue that occurs when a program or process attempts to store more data in a buffer (temporary data storage) than it can handle. - This can lead to the excess data overwriting adjacent memory locations, which can have serious consequences, including system crashes and potential security breaches. - Developers need to implement bounds checking in order to avoid overflows and ensure that data is within the expected range before writing it to a buffer.

Buffer = a region of memory allocated to temporarily store data. It has a fixed size, and programs use buffers to hold data that may be read from or written to, such as input from a user or data from a network connection.

Replay Attacks

An attacker intercepts and later retransmits data or transactions, usually without any modification. The goal of a replay attack is to impersonate a legitimate user or entity by replaying previously captured data or commands. In a replay attack, the attacker captures data or network traffic that contains critical information, such as authentication tokens, passwords, or command sequences. Instead of attempting to crack encryption or modify the data, the attacker simply resends the captured data or traffic at a later time.

Request Forgeries

Attackers trick a user into making an unwanted and unauthorized requests to a web application on which the user is authenticated. This type of attack usually occurs when an attacker can manipulate a user's web browser to perform actions without the user's consent.

Cross-Site Request Forgery (CSRF) Occurs when an attacker tricks a user into performing an unwanted action on a web application where the user is authenticated. The attack leverages the user's existing session or authentication to make unauthorized requests. - Prevent CSRF attacks by using anti-CSRF tokens in web forms or links to verify the authenticity of requests. Implement strict Same-Origin Policy (SOP) and check the Referer header.

Server-Side Request Forgery (SSRF) Allows an attacker to manipulate a web application into making unintended requests to internal or external resources. The attacker can potentially access sensitive data or services hosted on the server. - Validating and Sanitizing user-provided URLs | use whitelists of allowed domains | implement network-level controls like firewalls and proxies.

Key differences between SSRF and CSRF:

• Target: CSRF targets the user's actions, exploiting their authenticated state to perform actions without their consent. SSRF targets the server, exploiting its ability to make network requests to access or interact with internal systems.

• Execution Context: CSRF is executed in the user's browser context, while SSRF is executed in the server's context.

• Mitigation Strategies: CSRF is typically mitigated with tokens and same-origin policies, while SSRF requires input validation, network restrictions, and sometimes architectural changes.

Driver Manipulation

Driver manipulation refers to the practice of modifying device drivers in a computing system to achieve various goals. Device drivers are software components that allow operating systems to communicate with and control hardware devices such as graphics card and network adapters.

Shimming refers to a technique used to provide backwards compatibility for older applications on newer platforms or to make piece of software or a driver work with an operating system it was not originally designed for. Attackers can manipulate the shimming functionality in Windows and gain higher privilege within the system.

Refactoring - Metamorphic Malware This type of approach allows to execute different program each time it's downloaded, so the signature becomes different. Attackers add NOP instructions or pointless code strings in order to avoid signature-based detection systems. Metamorphic malware is a type of self-altering malicious software that constantly changes its appearance and code structure, making it challenging to identify and analyze. - Metamorphic malware is generally more complex and sophisticated than polymorphic malware. It doesn't just encrypt or obfuscate its code; it rewrites it, which can make it more difficult to detect and analyze.

SSL Stripping

Also known as HTTPS Stripping. It's an attack that targets the security of web communications by downgrading a secure HTTPS connection to a non-secure HTTP connection. Attacker intercepts the traffic between a user's web browser and website, removing the encryption layer and exposing sensitive data. - this is a client and server problem - works on SSL and TLS

Race Conditions

A race condition is a software vulnerability that occurs when multiple threads or processes in a concurrent system access shared resources or variables in an unpredictable order, potentially leading to unexpected and undesirable behavior. - multiple threads or processes execute simultaneously and may interact with shared resources or data. - two threads writing to the same variable simultaneously may result in data corruption or loss.

Other Application Attacks

Memory Vulnerabilities - memory vulnerabilities refers to buffer overflows, null pointer dereferences, and memory leaks (unused memory is not properly released | begins to slowly grow in size eventually using all available memory). These vulnerabilities can lead to crashes, data corruption, or remote code execution.

Directory Traversal (path traversal or dot-dot-slash attack) - read file from a web server that are outside of the website's file directory - attacker manipulates input to navigate through file system directories and access files or directories they shouldn't have access to. This can lead to unauthorized data disclosure or code execution.

Improper Error Handling - instead of providing meaningful error messages, the application may reveal sensitive information or crash, which can be exploited by attackers to gain insights into the system's configuration or trigger denial-of-service (DoS) conditions.

Improper Input Handling - input from users or external sources is not properly validated, sanitized, or escaped. Attackers can inject malicious input (e.g. SQL injection, XSS) to manipulate or corrupt data, steal information, or execute arbitrary code. - check all input | trust nobody

API Attacks - API attacks target the exposed endpoints and functionality of an application's API. Common API vulnerabilities include authentication bypass, broken access control, and excessive data exposure.

Resource Exhaustion - this type of attack, such as denial-of-service (DoS) and distributed denial-of-service (DDoS), overwhelm a system with excessive requests, causing it to become slow or unavailable. - attackers use these attacks to disrupt services, making them unavailable to legitimate users.