Chapter 51 Β· Flashcards

Application Attacks Flashcards

Click any card to reveal its definition.

0 / 10 flipped
SQL Injection β€” Bypass Mechanism
Tap to reveal
An attacker enters admin' -- as a username. The single quote closes the string literal in the SQL query; the double-dash begins a SQL comment, discarding everything that follows β€” including the password check. The query becomes: SELECT * FROM users WHERE username='admin' --' AND password='anything'. The password clause is gone. The database returns the admin record; authentication succeeds with no password. Root cause: user input concatenated directly into the SQL string. Primary defense: parameterized queries β€” user input is always treated as a data value, never as SQL syntax.
Parameterized Query β€” Why It Prevents SQLi
Tap to reveal
A parameterized query sends the query structure and user-supplied values as separate elements to the database engine. The ? placeholder is always interpreted as a data slot β€” never as SQL syntax. If an attacker supplies admin' --, the database searches for a user whose username is literally the string admin' --. No SQL command injection is possible. This is architectural prevention, not a filter that might be bypassed. Input validation and WAFs are secondary layers β€” only parameterized queries eliminate the injection vector completely. Also called prepared statements.
Buffer Overflow β€” How Code Execution Happens
Tap to reveal
A function allocates a fixed-size buffer for input. If the program writes more bytes than the buffer holds β€” and performs no bounds checking β€” excess bytes overwrite adjacent memory, including the return address the CPU will jump to when the function ends. A random overflow overwrites the return address with garbage and the application crashes. An exploitable overflow requires the attacker to: (1) know the exact offset from buffer start to return address; (2) place shellcode at a known address; (3) overwrite the return address with precisely that address. When the function returns, the CPU jumps to the shellcode. Arbitrary code execution is achieved with the application's privileges.
DEP β€” Data Execution Prevention
Tap to reveal
An OS and CPU-level feature that marks memory regions as either executable (code) or non-executable (data). Code in a non-executable region is rejected by the CPU. DEP directly addresses shellcode-in-buffer exploitation: even if an attacker overflows a buffer and redirects execution into the buffer, the CPU refuses to run code there because that memory is flagged as data. Hardware implementation: NX (AMD) / XD (Intel) bit on modern CPUs. Bypass technique: Return-Oriented Programming (ROP) β€” attacker chains small snippets of existing executable code (gadgets) rather than injecting new shellcode. DEP is a critical mitigation but not an absolute barrier against sophisticated attackers.
ASLR β€” Address Space Layout Randomization
Tap to reveal
An OS security feature that randomizes the base addresses of the stack, heap, and loaded libraries each time a program runs. Without ASLR, memory layout is predictable β€” an attacker can hardcode the target address for a buffer overflow exploit. With ASLR, the address that worked in the attacker's test environment is invalid during the next execution. Effect: forces attackers to leak addresses dynamically rather than hardcoding them. Bypass techniques: information disclosure vulnerabilities that leak memory addresses at runtime; brute force (practical only on 32-bit systems where the address space is small). Most effective when combined with DEP β€” DEP prevents code injection, ASLR prevents code reuse at known addresses.
Privilege Escalation β€” Vertical vs. Horizontal
Tap to reveal
Vertical escalation: gains a higher privilege level than legitimately assigned β€” a standard user exploits a vulnerability to obtain administrator or SYSTEM rights. CVE-2023-29336 is a vertical escalation: user account β†’ SYSTEM. Detection clue: process spawning with higher privileges than its parent. Horizontal escalation: stays at the same privilege level but accesses a different account's resources β€” User A reads User B's files or account data by exploiting broken access controls. Also called IDOR (Insecure Direct Object Reference) when a URL parameter like ?id=1042 exposes another user's records. Detection clue: access logs showing Account A reading resources owned by Account B.
CVE-2023-29336 β€” Key Facts
Tap to reveal
Win32k Elevation of Privilege Vulnerability β€” disclosed May 2023 (Patch Tuesday). Targeted the Win32k kernel driver (Windows graphics subsystem). Affected: Windows Server 2008/2008 R2/2012/2012 R2/2016 and Windows 10. A locally authenticated attacker with any user account could exploit the flaw to gain SYSTEM-level privileges β€” Windows' highest privilege. Was being actively exploited in the wild at disclosure. Classic attack chain: phishing β†’ RAT (low-privilege shell) β†’ CVE-2023-29336 exploit β†’ SYSTEM β†’ Mimikatz credential dump β†’ lateral movement. The privilege escalation step is what converts a limited foothold into full system compromise. Defense: patch promptly; least privilege limits blast radius pre-escalation.
CSRF β€” Cross-Site Request Forgery
Tap to reveal
Also called XSRF, session riding, one-click attack, or "sea surf." Exploits the fact that browsers automatically include session cookies with every request to a domain, regardless of which page triggered the request. Attack flow: (1) victim logs into a trusted site; (2) attacker crafts a link or hidden form that causes the victim's browser to submit a request to the trusted site; (3) victim clicks the link or visits the attacker's page; (4) browser sends the request with the valid session cookie; (5) server sees a valid authenticated request and processes it β€” fund transfer, email change, password reset β€” without the victim's knowledge. The application trusted the browser's cookie; it had no way to tell whether the user intended the action.
Anti-CSRF Token β€” Why It Works
Tap to reveal
When the server delivers a form to the user, it embeds a unique, unpredictable cryptographic token as a hidden field. On submission, the server validates that the token matches the expected value for that session. A forged cross-site request cannot include a valid token because the browser's same-origin policy prevents an attacker's page from reading another origin's page content β€” the attacker cannot see the token the server embedded for the victim's session. Requests without a valid token are rejected. Why session cookies alone are insufficient: a cookie proves identity but not intent. The token proves the specific request originated from the page the server delivered β€” not from a forged cross-site link. Also called a synchronizer token.
Directory Traversal β€” Mechanism and Indicators
Tap to reveal
Also called path traversal or dot-dot-slash attack. Web applications that construct file paths from user-supplied parameters without validation allow attackers to insert ../ sequences that navigate upward in the directory tree, escaping the web root. Each ../ moves one level up. Example: GET /show.asp?file=../../windows/system.ini navigates two levels above the web root and serves a Windows system file. Evasion variant: URL-encoded form %2e%2e%2f bypasses simple string filters that block literal ../. Log indicators: ../ or %2e%2e%2f in parameter values; sequential requests with incrementing traversal depth; requests for etc/passwd, win.ini, system.ini, SAM via URL parameter. Defense: canonical path validation that verifies the resolved path begins with the expected web root before serving the file.