# Analyze Indicators of Application Attacks
## Application Attacks
- Attacks that target vulnerabilities in application code or architecture/design
- **Privilege escalation**
  - Gain the privileges of a vulnerable target process to run arbitrary code
  - Remote execution when the code is transferred from another machine
  - Vertical and horizontal privilege escalation
  - Detect by process logging and auditing plus automated detection scanning
- **Error Handling**
  - Identify an attack from error messages
  - Leaking information through errors
  - Improper input handling
## Overflow Vulnerabilities
- Buffer overflow
  - A buffer is memory allocated to an application
  - Overflows can allow arbitrary code to execute
  - Data spills over into another section of memory; attacker-supplied code is written there and the CPU then processes that code
- Integer overflow
  - Causes the application to calculate values that are out of bounds
  - Could be used in a buffer overflow attack
## Null Pointer Dereferencing and Race Conditions
![[Pasted image 20230707091437.png]]
## Memory Leaks and Resource Exhaustion
- **Memory Leaks**
  - A process allocates memory locations but never releases them
  - Can cause a host to run out of memory
  - Could be faulty code or could be malicious
- **Resource exhaustion**
  - CPU time, system memory allocation, fixed disk capacity, and network utilization
  - Spawning activity to use up these resources
## DLL Injection and Driver Manipulation
- A Dynamic Link Library (DLL) implements functions that multiple processes can use -> similar to drivers, which allow programs to interact with lower-level firmware on the physical machine hardware
- DLL injection forces a process to load a malicious DLL
- Refactoring might allow code obfuscation to elude anti-virus
- Shim
  - Exploits the application compatibility framework to allow malware to persist on a host
## Pass the Hash Attack
- Exploiting cached credentials to perform lateral movement
  - Windows hosts cache credentials in memory as NTLM hashes
  - A local malicious process with administrator privileges can dump these hashes
  - Malware executes another process on a remote host
  - The attacker can just pass the hash without having to crack it
  - The remote host will accept the hash as a credential
- Detection through security log events
![[Pasted image 20230707092857.png]]
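An added example, not part of these notes, of the "detection through security log events" point: a small heuristic run over constructed Windows Security log events (field names follow the 4624 successful-logon event) that flags one source address using the same account for NTLM network logons to several hosts in a short window. The host names, account, window and host-count threshold are all assumptions for the example.

```python
from collections import defaultdict

# Constructed sample Security log events (field names as in Windows event 4624):
# one source address performs NTLM network logons (LogonType 3) to three hosts
# with the same account within a few seconds, plus two benign events.
SAMPLE_EVENTS = [
    {"EventID": 4624, "Computer": "FS01", "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "svc_backup", "IpAddress": "10.0.0.25", "TimeCreated": 1000},
    {"EventID": 4624, "Computer": "FS02", "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "svc_backup", "IpAddress": "10.0.0.25", "TimeCreated": 1010},
    {"EventID": 4624, "Computer": "DC01", "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "svc_backup", "IpAddress": "10.0.0.25", "TimeCreated": 1020},
    {"EventID": 4624, "Computer": "WS07", "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "alice", "IpAddress": "10.0.0.40", "TimeCreated": 1030},
    {"EventID": 4624, "Computer": "WS08", "LogonType": 2, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "bob", "IpAddress": "-", "TimeCreated": 1040},
]


def find_lateral_ntlm(events, window=600, min_hosts=3):
    """Return {(source_ip, user): [hosts]} for every source/user pair that logged on
    to at least min_hosts distinct hosts via NTLM network logons within `window` seconds.
    The thresholds are assumptions; tune them to the environment's normal NTLM use."""
    by_source = defaultdict(list)
    for e in events:
        if e.get("EventID") != 4624 or e.get("LogonType") != 3:
            continue  # only successful network logons are of interest here
        if e.get("AuthenticationPackageName") != "NTLM":
            continue  # Kerberos logons are not the pass-the-hash pattern
        key = (e["IpAddress"], e["TargetUserName"])
        by_source[key].append((e["TimeCreated"], e["Computer"]))

    hits = {}
    for key, logons in by_source.items():
        logons.sort()
        # sliding window: distinct target hosts reached within `window` of each logon
        for i, (t0, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                hits[key] = sorted(hosts)
                break
    return hits
```

NTLM network logons are routine in many environments, so a hit is a lead to investigate against the source host's process logging, not a verdict on its own.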
# Analyze Indicators of Web Application Attacks
## Uniform Resource Locator Analysis
![[Pasted image 20230707093601.png]]
## Application Programming Interface (API) Attacks
- APIs let us automate tasks that we would otherwise need to do manually
- Must only be used with HTTPS encryption
- Common weaknesses and vulnerabilities
  - Ineffective secrets management
  - Lack of input validation
  - Error messages leaking information
  - Denial of service
## Replay Attacks
- Resubmitting or guessing authorization tokens
- Session management cookies
  - Replay a cookie to obtain an authenticated session
  - Secure cookies
## Session Hijacking and Cross-site Request Forgery
- Referred to as cross-site request forgery (CSRF/XSRF)
  - The attacker has to be sophisticated, and it typically requires some kind of social engineering
  - Passes a URL to another site where the user has an authenticated session
  - Confused deputy
- Cookie hijacking and session prediction
![[Pasted image 20230707094628.png]]
- **Clickjacking**
  - Adds an invisible layer to intercept/redirect click events
- SSL strip
  - Exploits the redirect from HTTP to HTTPS
  - Sites should no longer be using plain HTTP
  - HTTP Strict Transport Security (HSTS)
## Cross-Site Scripting (XSS)
- Persistent/stored XSS
  - Injected into a database the site uses to serve content
- Server-side
  - The server is compromised and manipulated
- Non-persistent/reflected
  - Reflected -> the user puts something in and the site reflects the data/result back
  - Coded in a link that the user must click
- Client-side scripts
  - Document Object Model (DOM) -> the DOM is how the browser reads and formats the web page
  - For example, changing something in the browser's inspect panel (non-persistent)
  - The victim's browser is manipulated, NOT the server
## Structured Query Language (SQL) Injection Attacks
- Inserting SQL database code into a form that is supposed to be for something else
  - For example, a form to look up a person, but with SQL injection you get all usernames
- Client-side versus server-side attacks
- Injection-type attacks
  - Structured Query Language (SQL) statements
    - SELECT, INSERT, DELETE, UPDATE, WHERE
  - SQL injection
    - Pass SQL statements to the web application via user input or URL
    - Show or insert database records
![[Pasted image 20230707101147.png]]
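An added example, not part of these notes, of the "look up a person, get all usernames" case above: the same lookup written the vulnerable way (input pasted into the SQL text) and the hardened way (input bound as a parameter), run against a constructed in-memory SQLite table. The table, names and the tampered input are all constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed in-memory user directory for the example."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, full_name TEXT)")
    con.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "Alice Adams"), ("bob", "Bob Brown"), ("carol", "Carol Cole")],
    )
    return con


def lookup_vulnerable(con, full_name):
    """Vulnerable: the form value is pasted into the SQL text, so quotes and
    operators in the input become part of the statement itself."""
    sql = "SELECT username FROM users WHERE full_name = '" + full_name + "'"
    return [row[0] for row in con.execute(sql)]


def lookup_parameterized(con, full_name):
    """Hardened: the value is bound to a placeholder; the database treats it as
    data only, so it can never change the structure of the statement."""
    sql = "SELECT username FROM users WHERE full_name = ?"
    return [row[0] for row in con.execute(sql, (full_name,))]


def demo():
    """Run both lookups with a normal value and with a constructed tampered value."""
    con = make_db()
    normal = "Alice Adams"
    tampered = "x' OR '1'='1"  # constructed: closes the quote and appends an always-true clause
    return {
        "vulnerable_normal": lookup_vulnerable(con, normal),
        "vulnerable_tampered": lookup_vulnerable(con, tampered),
        "parameterized_tampered": lookup_parameterized(con, tampered),
    }
```

The vulnerable lookup returns every username for the tampered value; the parameterized one returns nothing, because no full name literally equals that string.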
## Directory Traversal and Command Injection Attacks
- Directory traversal
  - Obtain access to files outside the web site root directory
  - Canonicalization attack and percent encoding
- Command injection
  - Cause the server to run OS shell commands
![[Pasted image 20230707101316.png]]
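An added example, not part of these notes, of the canonicalization and percent-encoding point: a request-path check that percent-decodes until the string is stable (so double-encoded `..` is caught), canonicalizes the path under the web root and rejects anything that ends up outside it. The `/var/www/html` root is an assumption and does not need to exist for the check to run.

```python
from pathlib import Path
from urllib.parse import unquote

WEB_ROOT = Path("/var/www/html")  # assumed web root for the example


def canonical_request_path(requested, web_root=WEB_ROOT):
    """Map a request path to a file path relative to web_root, or raise ValueError.

    1. Percent-decode until stable (catches double encoding such as %252e%252e).
    2. Reject null bytes, which can truncate the path in lower-level code.
    3. Join onto the root and canonicalize (collapses '..' and resolves symlinks).
    4. Check that the canonical result is still inside the canonical root."""
    decoded = requested
    for _ in range(3):  # bounded: stop once decoding no longer changes the string
        again = unquote(decoded)
        if again == decoded:
            break
        decoded = again
    if "\x00" in decoded:
        raise ValueError("null byte in request path")
    root = web_root.resolve(strict=False)
    # lstrip('/') so an absolute request path is joined under the root, not substituted for it
    candidate = (root / decoded.lstrip("/")).resolve(strict=False)
    try:
        return candidate.relative_to(root).as_posix()
    except ValueError:
        raise ValueError("request path escapes the web root: %r" % requested)


def is_safe_request_path(requested, web_root=WEB_ROOT):
    """Boolean form of the check, convenient for filtering or for logging rejected requests."""
    try:
        canonical_request_path(requested, web_root)
        return True
    except ValueError:
        return False
```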
## Server-Side Request Forgery
- Cause a server to make API calls or HTTP requests with arbitrary parameters
  - Weak authentication/access control between internal services
  - Weak input validation and faults in request parsing
- Variety of exploit techniques and aims
  - Reconnaissance
  - Credential stealing
  - Unauthorized requests
  - Protocol smuggling
![[Pasted image 20230707102008.png]]
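An added example, not part of these notes, of the input-validation side of SSRF: a check applied to a user-supplied URL before the server fetches it (https only, no userinfo, no IP literal, host on an allow-list) plus a helper that rejects non-public addresses, for re-checking whatever the hostname resolves to. The allow-listed host names are assumptions for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed allow-list of external services this server is permitted to call
ALLOWED_HOSTS = {"api.partner.example", "cdn.example"}


def is_public_address(ip_text):
    """True only for a globally routable address; loopback, private, link-local and
    other special ranges are where internal services usually live."""
    addr = ipaddress.ip_address(ip_text)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def check_outbound_url(url):
    """Validate a user-supplied URL before the server fetches it; return it or raise.
    The caller is assumed to disable redirects and to pass the resolved address
    through is_public_address() before connecting."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("only https URLs are permitted")
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo in URL is not permitted")
    host = parts.hostname
    if not host:
        raise ValueError("URL has no host")
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass  # not an IP literal, which is what we want
    else:
        raise ValueError("IP literals are not permitted; use an allow-listed hostname")
    if host.lower() not in ALLOWED_HOSTS:
        raise ValueError("host is not in the allow-list: %s" % host)
    return parts.geturl()


def is_safe_outbound_url(url):
    """Boolean form of check_outbound_url, convenient for filtering and logging."""
    try:
        check_outbound_url(url)
        return True
    except ValueError:
        return False
```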
# Summarize Secure Coding Practices
## Secure Coding Techniques
- Security development life cycles and best practice guides
  - **Open Web Application Security Project (OWASP)**
- **Input Validation**
  - This is one of the easiest and most effective ways to prevent XSS, SSRF and directory traversal
  - User-generated data typed/entered via form controls
  - Passed by another program (URL or HTTP header)
  - Document and test all types of user/API input
- **Normalization and output encoding**
  - Strip illegal characters and substrings and use a predictable format and character set for the context in which the output is used
  - Check all data being passed as output
  - Differences between character sets and encoding methods
![[Pasted image 20230707103447.png]]
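An added example, not part of these notes, serving both the XSS section above and the input validation / output encoding points here: an allow-list validator for a hypothetical "display name" form field (normalize first, then reject rather than strip), and a renderer that encodes each value for the context it lands in (HTML text versus a URL query value), so a stored `<script>` comment is shown as text instead of being executed. The field rules and page layout are assumptions.

```python
import html
import re
from urllib.parse import quote

# Allow-list for a hypothetical "display name" field: a letter, then up to 39 more
# letters, digits, spaces or a few punctuation marks. Anything else is rejected, not stripped.
NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9 .'-]{0,39}")


def normalize_display_name(value):
    """Normalize first (trim, collapse whitespace runs), then validate against the allow-list."""
    normalized = " ".join(value.strip().split())
    if not NAME_RE.fullmatch(normalized):
        raise ValueError("display name contains characters outside the allow-list")
    return normalized


def is_valid_display_name(value):
    """Boolean form of the validator."""
    try:
        normalize_display_name(value)
        return True
    except ValueError:
        return False


def render_profile(display_name, comment):
    """Encode each value for its output context: HTML escaping for body text and
    attribute values, percent-encoding for the query-string value in the link.
    A stored comment such as <script>alert(1)</script> becomes literal text."""
    safe_name = html.escape(display_name, quote=True)
    safe_comment = html.escape(comment, quote=True)
    return (
        "<h1>Hello, %s</h1>\n"
        '<p class="comment">%s</p>\n'
        '<a href="/search?q=%s">More from %s</a>'
    ) % (safe_name, safe_comment, quote(display_name, safe=""), safe_name)
```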
## Server-side vs Client-side Validation
- Server-side
  - The server validates and decides whether we get in
- Client-side
  - The browser says whether we are authorized or not
  - Code is run by the browser
- DOM scripting
  - Might send a request to the server, but the request is constructed by the client
- Client-side input validation
  - Code is not running in a fully trusted environment
- Server-side input validation
  - May require complex transactions, thus slowing the process
## Web Application Security
- Secure cookies
  - Set the **HttpOnly** attribute
    - The cookie can only be used with HTTP; it cannot be accessed from JavaScript
  - Set the **SameSite** attribute
  - Set the **Secure** attribute
  - Avoid using persistent cookies for session authentication
- Response headers
  - HTTP Strict Transport Security (HSTS)
  - Content Security Policy (CSP)
  - Cache-Control
![[Pasted image 20230707103929.png]]
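An added example, not part of these notes, that turns the cookie and response-header checklist above into an audit function and runs it over two constructed header sets for a hypothetical login response: a weak one (persistent cookie, no flags, no security headers) and a hardened one. Cookie names, values and header values are constructed for the example.

```python
# Constructed Set-Cookie and response headers for two versions of a hypothetical login response
WEAK_RESPONSE = [
    ("Set-Cookie", "sessionid=3f9a1c; Path=/; Expires=Wed, 09 Jun 2032 10:18:14 GMT"),
    ("Content-Type", "text/html"),
]
HARDENED_RESPONSE = [
    ("Set-Cookie", "sessionid=3f9a1c; Path=/; Secure; HttpOnly; SameSite=Strict"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Content-Security-Policy", "default-src 'self'"),
    ("Cache-Control", "no-store"),
    ("Content-Type", "text/html"),
]

REQUIRED_HEADERS = ("Strict-Transport-Security", "Content-Security-Policy", "Cache-Control")


def audit_cookie(value):
    """Check one Set-Cookie value against the checklist above; return a list of findings."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")  # flags like Secure have no value
        attrs[key.lower()] = val or True
    findings = []
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure (cookie may be sent over plain HTTP)")
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly (cookie readable from JavaScript)")
    if str(attrs.get("samesite", "")).lower() not in ("strict", "lax"):
        findings.append(f"{name}: SameSite missing or None (cookie sent on cross-site requests)")
    if "expires" in attrs or "max-age" in attrs:
        findings.append(f"{name}: persistent cookie; avoid for session authentication")
    return findings


def audit_response(headers):
    """Audit every Set-Cookie header plus the presence of the required response headers."""
    findings = []
    for name, value in headers:
        if name.lower() == "set-cookie":
            findings.extend(audit_cookie(value))
    present = {name.lower() for name, _ in headers}
    for required in REQUIRED_HEADERS:
        if required.lower() not in present:
            findings.append(f"missing response header: {required}")
    return findings
```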
## Data Exposure and Memory Management
- Data exposure
  - Allowing privileged data to be read without authorization
  - Weak authentication/session management
  - Lack of encryption
- Error handling
  - Structured exception handler (SEH)
  - Prevent use of error conditions for arbitrary code/injection
  - Prevent display of default messages
- Memory management
  - Use of insecure functions
  - **Input validation** and overflow protection
## Secure Code Usage
- Code reuse
  - Using a block of code in a different context
  - Create a function instead of rewriting code over and over again
- Third-party libraries/DLLs
  - Monitor shared libraries for known vulnerabilities and patches
  - Use vetted libraries
- Software development kit (SDK)
  - Sample code/libraries
- Stored procedures
  - Pre-built functions for querying databases
## Other Secure Coding Practices
- Unreachable and dead code
  - Code that cannot be executed or does not affect program flow
  - Unreachable code -> no logic in the program ever executes it
  - Dead code -> runs, but doesn't do anything; perhaps left over from a previous version
- Obfuscation/camouflage
  - Disguise the nature of the code
  - Inhibit reverse engineering
## Static Code Analysis
- Static/source code analysis
  - Submit code for analysis by automated software
- Manual code review
  - Human analysis of source code
## Dynamic Code Analysis
- Run the application in a staging environment for testing
- Fuzzing and stress testing
  - Application UI
  - Protocol
  - File format
# Implement Secure Script Environments
## Scripting
- Automation of activity through programs and scripts
  - QoL for administrators
- Basic elements of a script
  - Parameters
  - Branching and looping statements
  - Validation and error handlers
  - Unit tests
- Scripting languages
  - Domain-specific languages
  - Orchestration tools
  - Syntax
## Python Script Environment
![[Pasted image 20230707104744.png]]
![[Pasted image 20230707104751.png]]
## Execution Control
![[Pasted image 20230707104941.png]]
![[Pasted image 20230707105016.png]]
![[Pasted image 20230707105136.png]]
![[Pasted image 20230707105147.png]]
![[Pasted image 20230707105152.png]]
![[Pasted image 20230707105159.png]]
# Summarize Deployment and Automation Concepts
![[Pasted image 20230707105710.png]]
![[Pasted image 20230707105800.png]]
![[Pasted image 20230707105839.png]]
![[Pasted image 20230707105848.png]]