Unit4 - Subjective Questions

The OWASP Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications. For penetration testers, it serves as a checklist to ensure critical vulnerabilities are not overlooked.

Selected Vulnerabilities:

1. Broken Access Control: Failures to enforce policies on what users can do (e.g., a standard user accessing admin pages).
2. Cryptographic Failures: Previously known as Sensitive Data Exposure. This involves failing to encrypt data at rest or in transit (e.g., transmitting passwords in clear text).
3. Injection: Occurs when untrusted data is sent to an interpreter as part of a command or query. SQL Injection (SQLi) is a common example where attackers execute malicious SQL statements.

Cross-Site Scripting (XSS) allows attackers to execute malicious scripts in the victim's browser.

• Reflected XSS (Non-Persistent):

  • The malicious script is reflected off the web server, such as in an error message or search result.
  • The payload is delivered via a link; it is not stored in the database.
  • Example: Clicking a link containing <script>alert(1)</script> in the URL parameters.

• Stored XSS (Persistent):

  • The malicious script is permanently stored on the target server (e.g., in a database, forum post, or comment field).
  • The victim retrieves the malicious script when they view the stored content.
  • Impact: Higher, as it affects anyone viewing the page.

• DOM-based XSS:

  • The vulnerability exists in the client-side code rather than the server-side code.
  • The attack payload is executed as a result of modifying the DOM environment in the victim's browser.

SQL Injection is a code injection technique where an attacker inserts malicious SQL statements into entry fields for execution (e.g., to dump the database contents to the attacker).

Mechanism:

It occurs when user input is not sanitized or validated and is concatenated directly into a database query. This allows the attacker to manipulate the query structure.

Authentication Bypass Example:

Consider a login query:
SELECT * FROM users WHERE username = 'pass';

If the attacker inputs admin' -- into the username field, the query becomes:
SELECT * FROM users WHERE username = 'admin' --' AND password = '...';

• The ' closes the username string.
• The -- comments out the rest of the query (ignoring the password check).
• Result: The attacker logs in as 'admin' without a password.

Session Hijacking is an attack where an intruder takes over a legitimate user's valid session. This allows the attacker to access the application as the victim without knowing their login credentials.

Differences:

• Session Sniffing:

  • The attacker uses packet sniffing tools (like Wireshark) to capture valid Session IDs transmitting over an unencrypted network (HTTP).
  • Defense: Use HTTPS/TLS.

• Session Fixation:

  • The attacker sets (fixes) a user's session ID before the user even logs in.
  • The attacker sends a link with a specific Session ID to the victim. Once the victim logs in using that ID, the attacker uses the known ID to hijack the session.
  • Defense: Regenerate Session IDs upon successful authentication.

CSRF is an attack that forces an end user to execute unwanted actions on a web application in which they are currently authenticated.

Mechanism:

1. The victim logs into a trusted site (e.g., a bank).
2. The attacker tricks the victim into visiting a malicious site or clicking a link.
3. The malicious site contains a hidden request (e.g., an image tag or auto-submitting form) targeting the trusted site: <img src="http://bank.com/transfer?amount=1000&to=Attacker">.
4. The browser sends the request to the bank including the victim's session cookies.
5. The bank validates the cookies and processes the transfer, assuming the user intended it.

Enterprises use different models to manage mobile devices, each with unique security profiles:

1. BYOD (Bring Your Own Device):
   • Employees use personal devices for work.
   • Risk: High. IT lacks full control over the device health, apps, or patching.
2. COPE (Corporate-Owned, Personally Enabled):
   • The company owns the device but allows personal use.
   • Risk: Medium. IT can wipe the device but personal privacy concerns exist.
3. CYOD (Choose Your Own Device):
   • Employees choose from a pre-approved list of devices owned by the company.
   • Risk: Lower. Standardized hardware makes support and security easier.
4. COBO (Corporate-Owned, Business Only):
   • Strictly for work; no personal apps allowed.
   • Risk: Lowest. Complete lockdown and control.

Penetration testers identify SQLi by supplying input that interferes with the SQL query logic.

Techniques:

1. Single Quote Test ('):
   • Input a single quote into a form field or URL parameter. If the application returns a database syntax error (e.g., "You have an error in your SQL syntax"), it is likely vulnerable.
2. Boolean Inference (True/False):
   • Inject conditions like OR 1=1 (True) vs OR 1=0 (False).
   • If the page content differs significantly (e.g., showing all records vs no records), the application is interpreting the injected SQL.
3. Timing Attacks (Blind SQLi):
   • Inject a command to pause the database, such as WAITFOR DELAY '0:0:5' (SQL Server) or SLEEP(5) (MySQL).
   • If the web page takes 5 seconds longer to load, the vulnerability is confirmed.

Blind SQL Injection occurs when an application is vulnerable to SQLi but does not return the results of the SQL query or database errors to the user's screen. The attacker must infer the data by asking the database True/False questions.

• In-band SQLi (Classic): The attacker uses the same communication channel to launch the attack and gather results (e.g., seeing data dumped on the webpage or viewing error messages).
• Blind SQLi (Inferential): The attacker cannot see data directly. They reconstruct data character by character based on:
  • Boolean-based: Changes in page content.
  • Time-based: Delays in server response time.

These are attacks targeting Bluetooth-enabled devices:

1. Bluejacking:
   • Sending unsolicited messages (e.g., vCards or images) to nearby Bluetooth devices.
   • Severity: Low. It is mostly annoying but does not steal data.
2. Bluesnarfing:
   • The unauthorized theft of information from a Bluetooth device.
   • Impact: Attackers can access contact lists, emails, and text messages without the user's knowledge.
3. Bluebugging:
   • A more advanced attack where the attacker takes full control of the phone.
   • Impact: The attacker can make calls, send SMS, listen to phone conversations, and connect to the internet via the victim's device.

Rooting (Android) or Jailbreaking (iOS) involves removing manufacturer-imposed software restrictions to gain privileged control (root access).

Security Risks:

• Bypassing the Sandbox: Apps can access data belonging to other apps (e.g., a rogue game reading banking app data).
• Malware Susceptibility: Users can install apps from unofficial stores (sideloading) which often contain malware.
• Disabled Security Updates: Rooted devices often cannot receive official OTA (Over-The-Air) security patches.
• MDM Failure: Mobile Device Management (MDM) solutions may fail to enforce policies or wipe data on compromised devices.

Social Engineering relies on manipulating human psychology rather than technical hacking to gain access to systems or data.

1. Phishing:
   • Sending fraudulent emails appearing to be from reputable sources to induce individuals to reveal personal information (passwords, credit cards).
2. Vishing (Voice Phishing):
   • Using telephone scams to trick victims. Attackers may impersonate bank officials or tech support to extract credentials or OTPs.
3. Smishing (SMS Phishing):
   • Using text messages (SMS) to lure victims into clicking malicious links or calling fraudulent numbers.

Browser exploitation targets vulnerabilities in the web browser software or its plugins (Flash, Java, PDF readers) to execute code on the client machine.

Methodology:

1. Fingerprinting: Identify the victim's browser type, version, OS, and installed plugins.
2. Hooking: Trick the victim into visiting a malicious page containing a "hook" script.
3. Command Execution: Once hooked, the attacker sends commands to the browser.

BeEF (Browser Exploitation Framework):

BeEF is a penetration testing tool that focuses on the web browser. It uses a client-side JavaScript hook (hook.js) to turn the victim's browser into a "zombie." It allows testers to launch attacks, scan the internal network from the browser, and steal cookies.

IDOR is an access control vulnerability that occurs when an application exposes a reference to an internal implementation object (like a file or database key) without validating the user's authorization to access it.

Example:

• Scenario: A user accesses their profile via the URL: https://example.com/profile?user_id=100.
• Exploit: The user changes the parameter to user_id=101.
• Result: If the server does not verify that the currently logged-in user actually owns account 101, the attacker views another user's private data.
• Remediation: Implement proper access control checks and use indirect references (like session-based lookups) instead of direct database IDs.

Mobile exploitation via malware involves infecting the device to steal data, track users, or incur charges.

Common Types:

1. Trojans: Apps that look legitimate (e.g., a flashlight app) but perform malicious activity in the background.
2. Spyware: Software that secretly monitors usage, GPS location, and intercepts SMS/Calls.
3. Ransomware: Locks the mobile device or encrypts files (photos/contacts) demanding payment.

Infection Vectors:

• Repackaging: Attackers download popular apps, inject malicious code, and upload them to third-party stores.
• Drive-by Downloads: Malware installs automatically when visiting a malicious mobile website.
• SMS/MMS: Malicious links sent via text.

UNION-based SQLi is an in-band injection technique that leverages the UNION SQL operator to combine the results of two or more SELECT statements into a single result set which is then returned to the HTTP response.

Requirements:

1. Same number of columns: The injected query must have the same number of columns as the original query.
2. Data types: The data types in the corresponding columns must be compatible.

Example:

Original: SELECT name, description FROM products WHERE id=1
Injection: 1 UNION SELECT username, password FROM users
Result: The application displays product details followed immediately by the usernames and passwords from the database.

Security Misconfiguration is a broad category of vulnerabilities arising from insecure default settings, incomplete configurations, or verbose error messages.

Examples aiding attackers:

• Default Accounts: Leaving default admin/password combinations active (e.g., Tomcat, WordPress).
• Directory Listing: If disabled, attackers can see all files in a directory, potentially finding backup files or config files.
• Verbose Error Messages: Displaying full stack traces to users reveals the underlying technology, framework versions, and sometimes code snippets, helping attackers tailor their exploits.
• Unpatched Services: Running outdated software with known vulnerabilities.

Man-in-the-Browser (MitB) is a specific type of attack where a Trojan infects the web browser itself.

Mechanism:

It modifies web pages and transaction content strictly within the browser, in real-time, after SSL/TLS decryption has occurred but before the user sees it (or before the browser sends it).

Difference from MitM:

• MitM: Intercepts traffic on the network (between the user and server). It struggles with encrypted traffic (HTTPS) unless SSL stripping is used.
• MitB: Resides inside the browser/OS. It can read data in clear text because the browser has already decrypted the SSL traffic. It can manipulate banking transactions even if the connection is perfectly secure.

1. Mobile Device Management (MDM): Centralized software to enforce security policies (passcodes, encryption) and remote wipe capabilities.
2. Containerization: Separating corporate data from personal data within the device using encrypted containers.
3. App Whitelisting: allowing only approved applications to be installed on corporate devices.
4. Strong Authentication: Enforcing Biometrics (Fingerprint/FaceID) or Multi-Factor Authentication (MFA) to access corporate resources.
5. OS Updates: Mandating that devices run the latest OS versions to ensure security patches are applied.

Broken Authentication allows attackers to compromise passwords, keys, or session tokens to assume the identities of other users.

Exploitation:

• Credential Stuffing: Using lists of compromised username/passwords from other breaches.
• Brute Force: Automated guessing of passwords.
• Session ID URL Rewriting: Exposing session IDs in the URL.

Prevention:

• Implement Multi-Factor Authentication (MFA).
• Do not allow weak passwords (enforce complexity).
• Limit failed login attempts (account lockout).
• Use standard, secure session management (do not write custom session code).

In Boolean-based Blind SQLi, the attacker asks the database True/False questions and observes the application's response (e.g., "Login Failed" vs. a generic error, or slight changes in page size).

Scenario:

Attacker wants to find the length of the database version string.

Logic:

1. Hypothesis: Is the length of the version string greater than 5?
   • Injection: id=1 AND LENGTH(@@version) > 5
   • Result: If the page loads normally (True), the length is > 5.
2. Refinement: Is it greater than 10?
   • Injection: id=1 AND LENGTH(@@version) > 10
   • Result: If page loads empty/error (False), the length is between 6 and 10.
3. Conclusion: The attacker iterates (binary search) until the exact character or length is found, extracting data one bit at a time without ever seeing the data displayed.