6.13.3 Quiz – Performing Post-Exploitation Techniques Answers

Explanation: HTTP proxies act as both servers and clients. Proxies make requests to web servers on behalf of other web clients. Proxies enable HTTP transfers across firewalls and support the caching of HTTP messages.

Explanation: Place the options in the following order:

codes in the 200 range: related to successful transactions
codes in the 300 range: related to HTTP redirections
codes in the 400 range: related to client errors
codes in the 500 range: related to server errors
codes in the 100 range: informational

Explanation: Place the options in the following order:

Explanation: HTTP 1.1 loads resources one at a time in each GET and RESPOND cycle. If one resource cannot be loaded, the rest of the resources cannot be loaded. HTTP 2.0 multiplexes the GET/RESPOND process so that a web client can send multiple GET messages simultaneously. This multiplexing contributes to performance improvement. Both HTTP 1.1 and 2.0 use TCP, compress HTTP messages and use tokens as a mechanism to track web sessions.

Explanation: The session ID names used by the most common web application development frameworks can be easily fingerprinted. Some examples include PHPSESSID (PHP), JSESSIONID (J2EE), CFID and CFTOKEN (ColdFusion), and ASP.NET_SessionId (ASP .NET). These session ID names may indicate what framework and programming languages the web application uses. Changing the default session ID name of the web development framework to a generic name is recommended.

Explanation: Web applications can create sessions to track users after the first user request. For example, a web application uses a session after the user has authenticated. This allows the application to identify the user on any subsequent requests, apply security access controls, and increase the usability of the application. After an authenticated session has been established, the session ID is temporarily equivalent to the strongest authentication method used by the application, such as usernames and passwords, one-time passwords, and client-based digital certificates.

Explanation: It is critical to encrypt an entire web session, not only for the authentication process of exchanging user credentials but also to ensure that the session ID is exchanged only through an encrypted channel. Using an encrypted communication channel also protects the session against some session fixation attacks, in which the attacker can intercept and manipulate the web traffic to inject (or fix) the session ID on the web browser used by the user.

Explanation: Session management mechanisms based on cookies can use two types of cookies: non-persistent (or session) cookies and persistent cookies. If a cookie has a Max-Age or Expires attribute, it is considered a persistent cookie and is stored on a disk by the web browser until the expiration time.

Explanation: The Open Web Application Security Project (OWASP) is an international organization dedicated to educating industry professionals, creating tools, and evangelizing best practices for securing web applications and underlying systems. The Institute of Electrical and Electronics Engineers (IEEE) is a professional association for electronics engineering, electrical engineering, and other related disciplines. The SANS Institute is a private company specializing in information security, cybersecurity training, and selling certificates. Common Vulnerabilities and Exposures (CVE) is an effort that reaches across international cybersecurity communities to consolidate cybersecurity tools and databases.

Explanation: In a SQL statement, the LIKE operator is used in a WHERE clause to search for a specified pattern in a field (column). The percent sign (%) is a wildcard that represents zero, one, or multiple characters. In this example, it searches for any string with the first 4 characters being ping in the a-type column.

Explanation: In an out-of-band SQL injection, the attacker retrieves data using a different channel. For example, an email, a text, or an instant message could be sent to the attacker with the query results.

Explanation: With a blind (or inferential) SQL injection, the attacker does not make the application display or transfer any data; rather, the attacker can reconstruct the information by sending specific statements and discerning the behavior of the application and database.

Explanation: There are essentially five techniques that can be used to exploit SQL injection vulnerabilities:

– Union operator – Typically used when an SQL injection vulnerability allows a SELECT statement to combine two queries into a single result or a set of results.
– Boolean – Used to verify whether certain conditions are true or false.
– Error-based – Used to force the database to generate an error to enhance and refine an attack (injection).
– Out-of-band – Used to obtain records from the database by using a different channel.
– Time delay – It is possible to use database commands to delay answers.

Explanation: The best mitigation for SQL injection vulnerabilities is to use immutable queries, including:
– Static queries
– Parameterized queries
– Stored procedures (if they do not generate dynamic SQL)
Immutable queries do not contain data that could be interpreted. Sometimes, they process the data as a single entity bound to a column without interpretation. In this case, it is an example of static queries.

Explanation: Microsoft Active Directory service uses LDAP to enable services for authenticating and accessing the directory server. LDAP injection vulnerabilities are input validation vulnerabilities that attackers use to inject and execute queries to LDAP servers.

Explanation: Including the session ID in the URL could be a dangerous practice that can lead to manipulating the ID or session fixation attacks. A mitigation measure is to encrypt an entire web session with HTTPS—not only for the authentication process where the user credentials are exchanged but also to ensure that the session ID is exchanged only through an encrypted channel.

Explanation: Configuring a cookie with the HTTPOnly flag forces the web browser to have this cookie processed only by the server, and any attempt to access the cookie from client-based code or scripts is strictly forbidden.

Explanation: Attackers can easily identify and access systems that use shared default passwords. Changing default manufacturer passwords and restricting network access to critical systems is extremely important.

Explanation: HTTP parameter pollution (HPP) vulnerabilities can be introduced if multiple HTTP parameters have the same name. This issue may cause an application to interpret values incorrectly. An attacker may use HPP vulnerabilities to bypass input validation, trigger application errors, or modify internal variable values.

Explanation: Cross-site scripting (XSS) vulnerabilities are achieved in different ways:
The example below shows an XSS test that can be performed from the address bar of a browser:

javascript:alert("Omar_s_XSS test");
javascript:alert(document.cookie);

The example below shows an XSS test that can be performed in a user input field in a web form:

Explanation: According to OWASP, the general rules for preventing XSS attacks include:

– Use an auto-escaping template system.
– Never insert untrusted data except in allowed locations.
– Use HTML escape before inserting untrusted data into HTML element content.
– Use attribute escape before inserting untrusted data into HTML common attributes.
– Use JavaScript escape before inserting untrusted data into JavaScript data values.
– Use CSS escape and strictly validate before inserting untrusted data into HTML-style property values.
– Use URL escape before inserting untrusted data into HTML URL parameter values.
– Sanitize HTML markup with a library such as ESAPI to protect the underlying application.
– Use the HTTPOnly cookie flag.
– Implement content security policy.
– Use the X-XSS-Protection response header.

Explanation: A directory traversal vulnerability (often called path traversal) can allow attackers to access files and directories stored outside the web root folder. It is possible to exploit path traversal vulnerabilities by manipulating variables that reference files with the dot-dot-slash (../) sequence and its variations or by using absolute file paths to access files on the vulnerable system. In this example, the attacker is trying to view the web server configuration file.

Explanation: A remote file inclusion (RFI) vulnerability occurs when a web application allows a user to execute code hosted on the attacking system. In this case, the attacker tried to run the web content on the attacker site.

Explanation: Hard-coded credentials are catastrophic flaws that attackers can leverage to completely compromise an application or the underlying system.

Explanation: Improper error handling is a weakness and security malpractice that can provide information to help an attacker perform additional attacks on the targeted system. A best practice is to handle error messages according to a well-thought-out scheme that provides a meaningful error message to the user, diagnostic information to developers and support staff, and no useful information to an attacker.