
Unit 3

Some topics for reference


Advanced Security and Ethical Hacking Concepts

Session: A session is a series of interactions that take place within a single
connection between two communication endpoints. When a user logs into an
application, the server creates a session, identified by a session token, so that
subsequent requests can be tied to that authenticated user.
Session Hijacking: The session hijacking attack consists of the exploitation of
the web session control mechanism, which is normally managed by a session
token. One variant of session hijacking is the man-in-the-middle attack, where
the attacker, using a sniffer, observes the communication and captures the token.
A session hijacking attack happens when an attacker takes over your internet
session. Session hijacking is defined as taking over an active TCP/IP
communication session without the user's permission. When carried out
successfully, attackers assume the identity of the compromised user and enjoy the
same access to resources as that user. Identity theft, information theft and the
theft of sensitive data are common impacts of session hijacking.
Types of session hijacking attacks:

There are two types of session hijacking, depending on how they are carried out. If the
attacker directly interacts with the target (injecting packets or taking over the
connection), it is called active hijacking; if the attacker only passively monitors the
traffic, it is passive hijacking.

Difference Between Session Hijacking And Spoofing:

A spoofing attack is different from a hijack in that the attacker is not actively taking
over another user's live session or forcing that user offline to perform the attack; the
attacker pretends to be another user or machine to gain access.
Spoofing attacks come in many forms, including email spoofing and website and/or
URL spoofing: someone or something pretends to be something else.

Hijacking differs from spoofing in that the takeover occurs during an
authenticated session. A TCP session can only be hijacked after the hosts have
authenticated successfully, because the attacker's aim is to inherit that authenticated
state. A successful hijacking takes place when an attacker intervenes in a TCP
conversation and then takes the role of either host.

 Cross-site scripting session hijacking (XSS):

 When an attacker exploits a vulnerability within a server or application, they
inject JavaScript into a user's web page, causing the browser to run
arbitrary code.
 The injected script can read the session cookie if the server does not set the
HttpOnly flag on it, giving the attacker the session token required for session
hijacking.

Session Fixation:
Session fixation is an attack that takes advantage of poor session ID management.
The attacker is able to hijack a valid user's session by tricking the user ...
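The two points above, a session cookie that script can read when HttpOnly is missing and a session ID that survives login (fixation), as an added example in Python that is not part of these notes: a minimal server-side session store with a vulnerable login handler beside a hardened one that rotates the ID at authentication and issues the cookie with HttpOnly, Secure and SameSite set. The store, the cookie name `session` and the attacker's planted ID are assumptions made for the example.

```python
import secrets
from http.cookies import SimpleCookie

# Server-side session store: session id -> authenticated username.
# Assumed for the example; a real deployment uses a database or cache.
SESSIONS = {}


def session_id_from_request(cookie_header):
    """Extract the session id the client presented in its Cookie header, if any."""
    if not cookie_header:
        return None
    jar = SimpleCookie()
    jar.load(cookie_header)
    morsel = jar.get("session")
    return morsel.value if morsel else None


def login_vulnerable(cookie_header, username):
    """Keeps whatever session id the client already has: the fixation bug.

    If the attacker planted 'session=<known id>' in the victim's browser before
    login, the server now binds the victim's identity to an id the attacker knows.
    """
    sid = session_id_from_request(cookie_header) or secrets.token_urlsafe(32)
    SESSIONS[sid] = username
    return sid


def login_hardened(cookie_header, username):
    """Rotates the session id at authentication so a pre-planted id is useless."""
    old_sid = session_id_from_request(cookie_header)
    if old_sid:
        SESSIONS.pop(old_sid, None)      # discard the pre-authentication session
    sid = secrets.token_urlsafe(32)      # 256 bits from the OS CSPRNG
    SESSIONS[sid] = username
    return sid


def set_cookie_header(sid):
    """Build the Set-Cookie line with the flags that blunt XSS-based cookie theft."""
    jar = SimpleCookie()
    jar["session"] = sid
    jar["session"]["httponly"] = True   # script (document.cookie) cannot read it
    jar["session"]["secure"] = True     # never sent over plain HTTP
    jar["session"]["samesite"] = "Lax"  # not attached to cross-site POSTs
    jar["session"]["path"] = "/"
    return jar.output(header="Set-Cookie:")


def fixation_succeeds(login):
    """Run the fixation scenario against a login handler; True means the attacker wins."""
    attacker_sid = "id-chosen-by-attacker"      # planted in the victim's browser earlier
    victim_cookie = f"session={attacker_sid}"    # what the victim's browser now sends
    login(victim_cookie, "victim")
    # The attacker presents the id they planted: is it now the victim's session?
    return SESSIONS.get(attacker_sid) == "victim"


if __name__ == "__main__":
    print("vulnerable login:", fixation_succeeds(login_vulnerable))  # True
    print("hardened login:  ", fixation_succeeds(login_hardened))    # False
    print(set_cookie_header(secrets.token_urlsafe(32)))
```

Rotating the ID at every privilege change (login, role elevation) is the fix for fixation; the cookie flags are a separate layer that keeps a successful XSS from reading the token, which is why both appear in the hardened path.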

Samy XSS worm: October 2005: MySpace had an XSS vulnerability.

 MySpace filtered <script> tags, but 19-year-old Samy Kamkar found a way to
bypass all of the filters.
 He built an AJAX payload so that every view of his profile added him as a
friend and posted "...and most of all, Samy is my hero" to the viewer's page.
 He also had the worm copy itself into the viewer's profile, so that anyone
viewing that page would propagate the worm further.

Samy Kamkar is the person who created the first JavaScript-based worm, known
as the Samy worm. Samy (also known as JS.Spacehero) is a cross-site scripting
worm (XSS worm) that was designed to propagate across the social networking
site MySpace by Samy ...


Buffer-overflow attack:
A buffer overflow, or buffer overrun, is an anomaly where a program, while writing
data to a buffer, writes past the buffer's boundary and overwrites adjacent memory.
A buffer overflow attack works when an attacker exploits such a coding error to
overwrite memory in a controlled way and then carries out malicious actions such as
stealing data or compromising systems; the coding error is abused to gain
unauthorized access to corporate systems.
"Stack overflow" is often used to mean the same thing as a stack-based buffer
overflow.
Overlong input (like buffer overflows): in a buffer-overflow attack, the extra
data sometimes holds specific instructions for actions intended by the attacker;
for example, the data could trigger a response that damages files, changes data or
discloses private information.

There are two types of buffer overflows:


 stack-based and
 heap-based

How to Prevent Buffer Overflows:

Address space randomization (ASLR)

Data execution prevention

Structured exception handler overwrite protection (SEHOP)

Canonicalization attack: A canonicalization attack is a cyberattack method in
which the attacker substitutes alternative representations of a name (for example
"../" sequences, percent-encoded or double-encoded characters, or mixed case) for
the canonical name of a path or file, so that a check applied to the raw input passes
while the operating system or application resolves the input to a different,
forbidden resource. The defence is to convert input to its canonical form before
validating it.
Input Validation: Input validation is the process of testing input received by the
application for compliance against a standard defined within the application. The
usual checks, preferably expressed as an allow-list of what is acceptable rather than
a deny-list of what is not, are:
 Data type (date/string/integer/float/etc.)
 Length and numeric range
 Format (a pattern the value must match) and membership in a fixed set of
permitted values
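An added example, not from these notes, covering both canonicalization and input validation: a path canonicalizer that decodes and normalises the input before checking that the result stays under an assumed document root, and an allow-list validator for a hypothetical "download report" request whose field names and rules are invented for the example. `BASE_DIR` and the `SCHEMA` fields are assumptions; nothing touches the real filesystem.

```python
import os
import re
import urllib.parse
from datetime import datetime

# Hypothetical document root; nothing below reads from the real filesystem.
BASE_DIR = "/srv/app/files"


def canonicalize(user_path):
    """Reduce a user-supplied relative path to one canonical absolute form.
    Percent-decoding repeats until stable so double encoding (%252e for '.')
    cannot survive; then '.', '..' and repeated separators are normalised.
    On a live filesystem also apply os.path.realpath so symlinks collapse."""
    decoded = user_path
    while True:
        once = urllib.parse.unquote(decoded)
        if once == decoded:
            break
        decoded = once
    if "\x00" in decoded:
        raise ValueError("NUL byte in path")
    return os.path.normpath(os.path.join(BASE_DIR, decoded))


def resolve_file(user_path):
    """Canonical path inside BASE_DIR, or None when the request escapes it."""
    try:
        candidate = canonicalize(user_path)
    except ValueError:
        return None
    # Compare canonical forms; a plain startswith() would also accept /srv/app/files2
    if os.path.commonpath([BASE_DIR, candidate]) != BASE_DIR:
        return None
    return candidate


# ---- allow-list input validation: each field has an expected type and shape ----
def int_in(lo, hi):
    def check(value):
        number = int(value, 10)          # rejects "2024abc", "12.5", ""
        if not lo <= number <= hi:
            raise ValueError(f"outside {lo}..{hi}")
        return number
    return check

def iso_date(value):
    return datetime.strptime(value, "%Y-%m-%d").date()   # rejects 2024-02-30

def one_of(*allowed):
    def check(value):
        if value not in allowed:
            raise ValueError(f"not one of {allowed}")
        return value
    return check

def matches(regex, max_len):
    compiled = re.compile(regex)
    def check(value):
        if len(value) > max_len or not compiled.fullmatch(value):
            raise ValueError("bad format")
        return value
    return check

# Hypothetical request fields for a "download report" endpoint.
SCHEMA = {
    "year": int_in(2000, 2100),
    "on": iso_date,
    "format": one_of("pdf", "csv"),          # drop-down values get validated too
    "report": matches(r"[A-Za-z0-9_\-]+\.txt", 64),
}


def validate(params):
    """Return typed, validated values or raise ValueError; unknown fields are rejected."""
    unknown = set(params) - set(SCHEMA)
    if unknown:
        raise ValueError(f"unexpected fields: {sorted(unknown)}")
    clean = {}
    for name, check in SCHEMA.items():
        if name not in params:
            raise ValueError(f"missing field: {name}")
        try:
            clean[name] = check(params[name])
        except ValueError as exc:
            raise ValueError(f"{name}: {exc}") from exc
    return clean

def is_valid(params):
    try:
        validate(params)
        return True
    except ValueError:
        return False

def serve(params):
    """Validate first, then canonicalize: two independent layers against traversal."""
    path = resolve_file(validate(params)["report"])
    if path is None:
        raise ValueError("report path escapes the document root")
    return path
```

The validator rejects the traversal strings before they reach the path code, and the canonicalizer catches anything a later or looser validator lets through; keeping both means a change to `SCHEMA` cannot silently reopen the hole.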

Output Encoding:
The purpose of output encoding (as it relates to cross-site scripting) is to
convert untrusted input into a safe form in which it is displayed to the user as
data, without being executed.
Output encoding can be used to protect against these cross-site scripting attacks.

One technique for implementing output encoding is HTML encoding: characters that
have meaning in HTML (<, >, &, and quotes inside attributes) are replaced by their
character references (&lt;, &gt;, &amp;, &quot;). For example, if an attacker submits
a comment containing a <script> tag and the application writes it into the page with
no HTML encoding, the browser executes it and the cross-site scripting attack
succeeds; with encoding applied, the browser shows the tag text as ordinary content.
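Added example, not from the original notes: the same attacker strings rendered without and with HTML encoding, with the standard-library HTML parser standing in for the browser to show which elements and attributes each version actually creates. The two templates and the two payloads are constructed for the example; `html.escape` is the standard-library encoder.

```python
import html
from html.parser import HTMLParser


class TagRecorder(HTMLParser):
    """Records what a browser-like parser sees: element names and their attributes."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, attrs))


def parse_fragment(fragment):
    rec = TagRecorder()
    rec.feed(fragment)
    rec.close()
    return rec.tags


# ---- vulnerable templates: untrusted text pasted straight into markup ----
def render_comment_raw(comment):
    return f'<p class="comment">{comment}</p>'

def render_field_raw(value):
    return f'<input name="q" value="{value}">'


# ---- hardened templates: encode for the context the data lands in ----
def render_comment_encoded(comment):
    # HTML body context: &, <, > (and quotes) become character references
    return f'<p class="comment">{html.escape(comment)}</p>'

def render_field_encoded(value):
    # Attribute context: quote=True also turns " and ' into &quot; and &#x27;
    return f'<input name="q" value="{html.escape(value, quote=True)}">'


# Constructed attacker inputs (not from the original page)
BODY_PAYLOAD = "<script>alert(document.cookie)</script>"
ATTR_PAYLOAD = '" autofocus onfocus="alert(document.cookie)'


def elements_created(render, payload):
    """Names of the elements the payload manages to create in the rendered output."""
    return [tag for tag, _ in parse_fragment(render(payload))]


def attributes_created(render, payload):
    """Attribute names on the first element of the rendered output."""
    tags = parse_fragment(render(payload))
    return [name for name, _ in tags[0][1]]


if __name__ == "__main__":
    print(elements_created(render_comment_raw, BODY_PAYLOAD))       # ['p', 'script']
    print(elements_created(render_comment_encoded, BODY_PAYLOAD))   # ['p']
    print(attributes_created(render_field_raw, ATTR_PAYLOAD))       # ['name', 'value', 'autofocus', 'onfocus']
    print(attributes_created(render_field_encoded, ATTR_PAYLOAD))   # ['name', 'value']
```

The attribute case is the one body-only encoding misses: without `quote=True` the double quote would still close the attribute and the `onfocus` handler would be created, which is why encoding must match the output context.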

What is a security misconfiguration?

Security misconfigurations are security controls that are inaccurately configured
or left insecure, putting your systems and data at risk. Basically, any poorly
documented configuration change, default setting, or technical issue across any
component in your endpoints could lead to a misconfiguration.

How to prevent security misconfigurations?

• If vulnerabilities are the gateway to the network, it is the misconfigurations
that attackers leverage to worm their way to the intended targets. Security
misconfigurations are not hard to fix, but they are unavoidable in an enterprise
operating at scale, so they have to be found and corrected continuously.
• Restrict access using firewalls
• Enable Network Level Authentication (for Remote Desktop; see the RDP note below)

Types of XXE attacks:

• Exploiting XXE to retrieve files, where an external entity is defined
containing the contents of a file, and returned in the application's
response.
• Exploiting XXE to perform SSRF attacks, where an external entity is
defined based on a URL to a back-end system.
• Exploiting blind XXE to exfiltrate data out-of-band, where sensitive data
is transmitted from the application server to a system that the attacker
controls.
• Exploiting blind XXE to retrieve data via error messages, where the
attacker can trigger a parsing error message containing sensitive data.

How secure is Windows Remote Desktop?

Remote Desktop sessions operate over an encrypted channel, preventing
anyone from viewing your session by listening on the network. However, there
is a vulnerability in the method used to encrypt sessions in earlier versions of
RDP. This vulnerability can allow unauthorized access to your session using
a man-in-the-middle attack.

Emerging Trends in Mobile Security:

1. Mobile Malware Is On The Rise
Check Point's "Mobile Security Report 2021" lists a 15% increase in banking
Trojan activity in 2020, threats that put mobile users' banking credentials at
risk. The company reports that threat actors have been using mobile remote
access Trojans (MRATs), banking Trojans, and premium dialers often hidden
within apps claiming to offer COVID-19-related information.
2. Continuous Smartphone Authentication Is Becoming More Common
Authentication ensures that mobile users are who they say they are; that is
why so many organizations use authentication tools as part of their mobile
security strategy. However, some authentication techniques, such as one-time
passwords delivered via authenticator apps or SMS, have emerged as easy
targets for would-be hackers.

Geolocation: Geolocation is the identification of the geographic location of a user
or computing device from data acquired from that device, using location
technologies such as GPS or the device's IP address. Because these devices are
usually carried on an individual's person, geolocation is often used to track the
movements and location of people, including for surveillance.

How do you get geolocation?

In the browser, the Geolocation API is accessed via a call to navigator.geolocation
(for example navigator.geolocation.getCurrentPosition); this causes the user's
browser to ask them for permission to access their location data. If they accept,
the browser uses the best available functionality on the device to obtain this
information (for example, GPS).

What is the difference between location and geolocation?

A location is the physical place itself; geolocation is the process of determining
it from data, and it can reveal more specific attributes of a user's position, such
as their current city or state, which is highly valuable to digital marketers.
Geolocation draws on a variety of information sources; geolocation by IP address
is one of them, and a coarse one: it usually resolves only to a city or region,
whereas device positioning such as GPS can give a precise point.

What are geolocation used for?

Geolocation makes it possible, from any device connected to the Internet, to
obtain all kinds of information in real time and to locate the user at a given point
in time, with a precision that depends on the data source (metres for GPS, city
level for an IP-based lookup). Geolocation technology is the foundation for
location-positioning services and location-aware applications (apps).

 VoIP: VoIP encryption is the process of scrambling voice data packets into
unreadable form while they are in transit, preventing them from being intercepted
and understood.
 Even if an attacker somehow intercepts the call, encryption ensures they cannot
make sense of anything they capture.
 To understand how encryption works, we need to take a closer look at the
transmission process.
 When voice data packets are transferred from the sender to the recipient,
they are carried by SRTP (Secure Real-Time Transport Protocol), a secure profile
of the RTP media protocol that encrypts each packet's payload with the Advanced
Encryption Standard (AES), provides message authentication (integrity), and
offers protection against replay attacks.
 In addition to SRTP, VoIP providers use Transport Layer Security (TLS) on the
signalling channel (SIP over TLS) to protect the call setup information.
 TLS protects data such as phone numbers, the names of callers, usernames,
and more, and also stops tampering with and eavesdropping on the signalling
messages. SRTP protects the media and TLS the signalling; both are needed, since
TLS alone leaves the audio stream unprotected.
Top VoIP security threats:
 You're probably curious about the types of VoIP security issues that are out
there. Here's a rundown of what you'll need to defend against.
 Denial of Service (DoS) – This attack starves the network of resources to
interrupt phone service and drop phone calls. For a call center, this degrades
call quality, latency, and uptime.
 War dialing – This type of attack involves taking control of your PBX to "scan"
other telephone networks. It works by dialing numbers to connect to
modems or other interesting extensions.
 Toll fraud – Like war dialing, this requires access to make calls to an
outside line from your phone system. Attackers dial expensive
international numbers that rack up large toll charges.
 Phishing (vishing) – This type of attack preys on unsuspecting users who trust
their caller ID. Victims divulge details about the internal IP network, passwords,
or other sensitive data.
 Call interception – Attackers on unsecured networks intercept unencrypted
SIP signalling and RTP media. To make matters worse, this can include video as
well.
 Spam – It should come as no surprise that the voicemail box is a common target
for robocalls and other phone scams. Many use restricted or "Private" caller
ID.
 Malware – Attackers deliver malicious software through phone or email lures
to steal credentials. This opens up more opportunities to infiltrate your network
and exfiltrate sensitive business data.

Input injection, external entity injection, and XPath injection:

XPath Injection: XPath injection attacks occur when a web site uses user-
supplied information to construct an XPath query for XML data. By sending
intentionally malformed information to the web site, an attacker can find out how
the XML data is structured, or access data that they would not normally have access
to. They may even be able to elevate their privileges on the web site if the XML
data is used for authentication (such as an XML-based user file).
Querying XML is done with XPath, a simple descriptive query language that lets
the application locate a piece of information in an XML document. As with SQL,
you can specify attributes to find and patterns to match. When using XML for a web
site it is common to accept some form of input on the query string to identify the
content to locate and display on the page. This input must be validated or escaped,
or better passed to the XPath engine as a variable rather than concatenated into the
expression, so that it cannot change the structure of the XPath query and return
the wrong data.

Meta Characters:
For many types of data, a program also maintains metadata (or meta-information)
that it tracks alongside the main data; metadata is simply information that
describes or augments the main data. It might include details on how to format
data for display, processing instructions, or information on how pieces of the
data are stored in memory. There are two basic strategies for representing
program data alongside its associated metadata: embedding the metadata in-
band or storing the metadata separately, out-of-band.
In-band representation embeds metadata in the data itself. When embedding
metadata in textual data, you indicate this information by using special
characters called metacharacters or metacharacter sequences. One of the
simplest examples of in-band representation is the NUL character terminator in
a C string.
Out-of-band representation keeps metadata separate from data and associates the
two through some external mechanism. String data types in other languages
provide a simple example of out-of-band data. Many programming languages
(such as C++, Java, PHP, Python, and Pascal) do not have a string terminator
character; instead these languages store the string's length in an out-of-band
variable.
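Added example, not from these notes, of the in-band/out-of-band distinction showing up as a security bug: a filename carrying an embedded NUL passes an extension check performed on Python's length-counted bytes, while a NUL-terminated C view of the same bytes stops at the NUL, so a C library or system call underneath would open a different file. The filename and the two checks are constructed for the example; `ctypes.create_string_buffer` is used only to obtain the C-string view.

```python
import ctypes

# Constructed attacker filename (not from the original page): what an out-of-band
# length-counted string sees differs from what a NUL-terminated C API sees.
CRAFTED = b"evil.php\x00.jpg"


def length_out_of_band(data: bytes) -> int:
    """Python keeps the length beside the bytes, so NUL is just another byte."""
    return len(data)


def c_string_view(data: bytes) -> bytes:
    """What a C function reading a char* sees: everything up to the first NUL."""
    return ctypes.create_string_buffer(data).value


def extension_check_naive(name: bytes) -> bool:
    """Looks only at the tail of the full out-of-band string, so CRAFTED passes."""
    return name.lower().endswith((b".jpg", b".png"))


def extension_check_hardened(name: bytes) -> bool:
    """Rejects in-band metacharacters first, then applies the same tail check."""
    if b"\x00" in name or b"/" in name or b"\\" in name:
        return False
    return extension_check_naive(name)


def python_open_rejects(name: bytes) -> bool:
    """Python's own boundary check: open() refuses an embedded NUL before any
    filesystem access, instead of silently passing the truncated name to the OS."""
    try:
        open(name, "rb").close()
    except ValueError:        # "embedded null byte"
        return True
    except OSError:           # reached the filesystem with the full name
        return False
    return False


if __name__ == "__main__":
    print(length_out_of_band(CRAFTED))          # 13
    print(c_string_view(CRAFTED))               # b'evil.php'
    print(extension_check_naive(CRAFTED))       # True  (validator fooled)
    print(extension_check_hardened(CRAFTED))    # False
    print(python_open_rejects(CRAFTED))         # True
```

The general rule the example illustrates: whenever data crosses from an out-of-band representation into an in-band one (a C API, a shell, a SQL string), every metacharacter of the target representation has to be rejected or encoded at that boundary.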
 external entity injection: XML external entity injection (also known as
XXE) is a web security vulnerability that allows an attacker to interfere with
an application's processing of XML data. It often allows an attacker to view
files on the application server filesystem, and to interact with any back-end
or external systems that the application itself can access.
In some situations, an attacker can escalate an XXE attack to compromise the
underlying server or other back-end infrastructure, by leveraging the XXE
vulnerability to perform server-side request forgery (SSRF) attacks.
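An added example, not from the notes, for the XXE types listed earlier and the definition above: the classic file-retrieval payload parsed with the standard library's expat-based `xml.sax` parser, once with external general entities enabled and once with them disabled (the `feature_external_ges` switch, which is the hardening setting), plus a pre-parse gate that flags any SYSTEM/PUBLIC entity declaration before the document reaches a parser. The secret file is a temporary file the example creates and deletes itself.

```python
import io
import os
import re
import tempfile
import xml.sax
import xml.sax.handler


class TextCollector(xml.sax.handler.ContentHandler):
    """Gathers the character data the parser delivers for the document body."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, data):
        self.chunks.append(data)

    def text(self):
        return "".join(self.chunks)


def parse_text(xml_doc, allow_external_entities):
    """Parse with expat via xml.sax; the flag decides whether SYSTEM entities are fetched."""
    parser = xml.sax.make_parser()
    parser.setFeature(xml.sax.handler.feature_external_ges, allow_external_entities)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.StringIO(xml_doc))
    return collector.text()


ENTITY_DECL = re.compile(r"<!ENTITY\s+%?\s*\w+\s+(SYSTEM|PUBLIC)", re.IGNORECASE)


def declares_external_entity(xml_doc):
    """Cheap pre-parse gate: any SYSTEM/PUBLIC entity (general or parameter) is rejected.
    Parameter entities (%) are what the blind/out-of-band variants rely on."""
    return "<!DOCTYPE" in xml_doc and ENTITY_DECL.search(xml_doc) is not None


def file_read_payload(path):
    """The classic XXE document for reading a file; path is the target on the server."""
    return f'<!DOCTYPE r [<!ENTITY xxe SYSTEM "{path}">]><r>&xxe;</r>'


def demo():
    """Create a throwaway secret file, then parse the payload both ways."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("SECRET-TOKEN-42")
        secret_path = f.name
    try:
        doc = file_read_payload(secret_path)
        leaked = parse_text(doc, allow_external_entities=True)    # file contents
        blocked = parse_text(doc, allow_external_entities=False)  # empty string
        return leaked, blocked, declares_external_entity(doc)
    finally:
        os.unlink(secret_path)


if __name__ == "__main__":
    leaked, blocked, flagged = demo()
    print("entities enabled :", repr(leaked))
    print("entities disabled:", repr(blocked))
    print("gate flagged it  :", flagged)
```

The SSRF variant is the same payload with an http:// URL in place of the path, which is why the gate looks at the declaration rather than at the scheme; disabling external entities (and DTD processing where the parser allows it) closes all four types in the list at once.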

How can browser exploits be prevented:


1. Install firewall software and other security software

Firewall software acts as an extra barrier between the Internet and the web
browser, which can block suspicious websites, and catch known threats before
they breach web security
2. Be careful when browsing the web, especially when downloading files

If a website looks suspicious, it probably is. Keep to well-known URLs and safe
websites. It’s very important that users only download files from trusted sources,
especially when it comes to downloading software applications or browser
extensions, which could easily be infected with an exploit
3. Keep all software up to date

Web browser software, and any applications that access the web, must be kept
up to date. This is because when a vulnerability in software is found, the
software vendor often releases a patch to fix the issue causing it, so that browser
exploits relying on the vulnerability cannot cause any harm. Regularly updating
software provides protection against more recent exploits.

Explain remote server security attacks? Explain all methods? Explain mitigations.
 Secure remote access is not a single technology, but rather a collection of
technologies that together provide the security that organizations need when
users are working from home or other remote locations. They include:
 Endpoint Security – This includes software such as antivirus for endpoint
machines as well as policies that define how remote devices are to be used in
the organization’s systems. This can include patch management and the
prevention of downloading or caching business-critical information to
remote devices.
 Virtual Private Network (VPN) – VPNs are extremely popular for remote
access, since they allow remote users connected via insecure remote Wi-Fi
(Starbucks, bookshops) to connect to a private network through an encrypted
tunnel.
 Zero Trust Network Access (ZTNA) – As the name implies, ZTNA solutions make
no assumptions about the security of a connection from where it originates;
every access request is authenticated and authorized against the user's identity,
device and policy before it is granted. This offers higher levels of security for
the organization's data and applications.
 Network access control (NAC) – Network access is managed via a
combination of tools such as two factor authentication (2FA), endpoint
security tools, and policy education and enforcement.

How SQL injection is performed? Explain methods, types and solutions

Code injections are among the oldest known web application attack vectors, with
successful attacks leading to denial of service, loss of data integrity, data
loss, and the compromise of entire networks. They allow attackers to feed
malicious code to information systems through user input interfaces. One
such mechanism is the SQL injection attack, in which SQL syntax inserted into client
input is concatenated by the application into its own database queries, letting the
attacker read and manipulate the backend database.
SQL injection attacks are mostly carried out against web applications that build
queries dynamically from user input but lack sufficient input validation and do not
use parameterized queries.

Types of SQL Injection Attacks

SQLi is a common and well-documented attack strategy whose success has far-
reaching business consequences, such as unauthorized viewing of credentials and
gaining administrative access to the application's database. SQLi attacks are
categorized by how the attacker gets results back from the database:

In-band SQLi

The attacker gathers the results over the same channel used to launch the attack
(the HTTP response). This is the most common technique since it offers a simple,
efficient way to extract data from the database server. There are several types of
in-band SQLi, including:

Error-based SQLi

The attacker relies on error messages relayed by the database server to learn about
the database structure. Sometimes the error messages provide enough detail to
enumerate the entire database.

Union-based SQLi

The malicious payload uses SQL's UNION operator to append the results of an
attacker-chosen SELECT to the results of the application's own SELECT (the column
counts must match), so the extra rows are returned along with the normal HTTP
response.

Content-based (Boolean-based blind) SQLi

Content/Boolean-based SQLi is an inferential (blind) technique rather than an
in-band one: no database data appears directly in the response. The attacker injects
a condition and forces the web application to return different results depending on
whether that condition evaluates to TRUE or FALSE. Whether the content of the HTTP
response stays the same or changes reveals one bit of information per request, and
the attacker repeats this to extract data character by character.

Best Practices to Prevent SQLi Vulnerabilities:


Some strategic principles and practices to keep web applications safe from SQLi
attacks include:
Regular Scanning

Training & Awareness

Filter User Input

Use Whitelist-based Filters

Use Updated Web Technologies

Elaborate the countermeasures or mitigations for SQL INJECTION attack.

How to Prevent SQL Injection
 Use stored procedures, not dynamic SQL. ...
 Use prepared statements. ...
 Use an Object Relational Mapping (ORM) framework. ...
 Least privilege. ...
 Input validation. ...
 Character escaping. ...
 Vulnerability scanners. ...
 Use a Web Application Firewall.

Developers can prevent SQL Injection vulnerabilities in web applications by


utilizing parameterized database queries with bound, typed parameters and
careful use of parameterized stored procedures in the database.
This can be accomplished in a variety of programming languages including Java,
.NET, PHP, and more.

1. Keep all web application software components including libraries, plug-ins,


frameworks, web server software, and database server software up to date
with the latest security patches available from vendors.
2. Utilize the principle of least privilege when provisioning accounts used to
connect to the SQL database. For example, if a web site only needs to retrieve
web content from a database using SELECT statements, do not give the web
site's database connection credentials other privileges such as INSERT,
UPDATE, or DELETE. In many cases, these privileges can be managed using
appropriate database roles for accounts. Never allow your web application to
connect to the database with administrator privileges (the "sa" account on
Microsoft SQL Server, for instance).
3. Do not use shared database accounts between different web sites or
applications.
4. Validate user-supplied input for expected data types, including input fields
like drop-down menus or radio buttons, not just fields that allow users to
type in input.
5. Configure proper error reporting and handling on the web server and in the
code so that database error messages are never sent to the client web
browser. Attackers can leverage technical details in verbose error messages
to adjust their queries for successful exploitation.
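An added example, not from the notes, that ties the attack types described earlier to the countermeasures above: a small in-memory SQLite database with login and search functions written with string-formatted dynamic SQL, the error-based, union-based and boolean-based techniques driven against them, and the same functions rewritten with bound parameters. The tables, rows and attacker inputs are constructed for the example.

```python
import sqlite3


def make_db():
    """In-memory database with constructed sample rows (not from the original page)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT, is_admin INTEGER);
        INSERT INTO users VALUES (1, 'alice', 'hunter2', 1), (2, 'bob', 'pass123', 0);
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL);
        INSERT INTO products VALUES (1, 'widget', 9.99), (2, 'gadget', 19.99);
    """)
    return conn


# ---- vulnerable: dynamic SQL assembled from user input ----
def login_vulnerable(conn, name, password):
    sql = f"SELECT name FROM users WHERE name = '{name}' AND password = '{password}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def search_vulnerable(conn, term):
    sql = f"SELECT name, price FROM products WHERE name LIKE '%{term}%'"
    return conn.execute(sql).fetchall()


# ---- hardened: the same queries with bound, typed parameters ----
def login_safe(conn, name, password):
    row = conn.execute(
        "SELECT name FROM users WHERE name = ? AND password = ?", (name, password)
    ).fetchone()
    return row[0] if row else None

def search_safe(conn, term):
    return conn.execute(
        "SELECT name, price FROM products WHERE name LIKE ?", (f"%{term}%",)
    ).fetchall()


# ---- the three techniques from the text, run against the vulnerable code ----
def error_based_probe(conn):
    """Error-based: a lone quote breaks the query and the engine's message leaks back."""
    try:
        login_vulnerable(conn, "'", "x")
    except sqlite3.Error as exc:
        return str(exc)
    return None

def union_based_dump(conn):
    """Union-based: the search's two-column SELECT is joined to a SELECT over users."""
    payload = "' UNION SELECT name, password FROM users --"
    return set(search_vulnerable(conn, payload))

def boolean_based_extract(conn, user, alphabet="abcdefghijklmnopqrstuvwxyz0123456789", max_len=32):
    """Boolean-based blind: recover a password one character at a time from
    whether the login page says 'logged in' (TRUE) or not (FALSE)."""
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in alphabet:
            probe = f"{user}' AND substr(password, {pos}, 1) = '{ch}' --"
            if login_vulnerable(conn, probe, "irrelevant") is not None:
                recovered += ch
                break
        else:
            break   # no character matched: end of the string
    return recovered


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "alice' --", "wrong"))   # alice  (auth bypass)
    print(login_safe(db, "alice' --", "wrong"))         # None
    print(error_based_probe(db))                        # sqlite syntax error text
    print(union_based_dump(db))                         # includes ('alice', 'hunter2')
    print(boolean_based_extract(db, "alice"))           # hunter2
```

Parameter binding alone closes all three techniques here, because the input can never become part of the statement text; the least-privilege and error-handling items in the list above still matter, since a single unparameterized query in another code path is enough to reopen them.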
