What attack type is possible when user supplied information is used in a header?

Hdiv Detection (IAST), an Interactive Application Security Testing product, scored 100 percent on the OWASP Security Benchmark, which is more efficient than SAST and DAST solutions.

Accuracy score

Hdiv Detection (IAST) scored 100%, which comes from a 100% true positive rate minus a 0% false positive rate.

CMD Injection

Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user-supplied data (forms, cookies, HTTP headers etc.) to a system shell. In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application. Command injection attacks are possible largely due to insufficient input validation.

The application takes data from the user and uses it to send headers in HTTP responses. HTTP header injection is a general class of web application security vulnerability which occurs when Hypertext Transfer Protocol (HTTP) headers are dynamically generated based on user input. Header injection in HTTP responses can allow for HTTP response splitting, session fixation via the Set-Cookie header, cross-site scripting (XSS) and malicious redirect attacks via the Location header. HTTP header injection is a relatively new area for web-based attacks and has primarily been pioneered by Amit Klein in his work on request/response smuggling/splitting.
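A defender-side illustration of the header injection described above, added here and not part of Hdiv's product or documentation: a raw-response builder that copies a user value straight into the Location header (the vulnerable shape), the hardened builder that refuses control characters and off-host targets before the value reaches the header, and a detection helper for request logging. The `allowed_host` parameter and the sample values are assumptions of this example.

```python
import re
from urllib.parse import urlparse

# In HTTP/1.x a CR or LF ends a header line, so either character inside a
# header value lets the caller add headers or even a second response.
_CTL = re.compile(r"[\r\n\x00]")
# URL-encoded CR/LF as it would appear in a query string before decoding.
_ENCODED_CTL = re.compile(r"%0[dDaA]")


class HeaderInjection(ValueError):
    """Raised when user input is refused for a response header."""


def build_redirect_unsafe(next_url: str) -> bytes:
    """Vulnerable shape: user input copied straight into the raw response."""
    return b"HTTP/1.1 302 Found\r\nLocation: " + next_url.encode("latin-1") + b"\r\n\r\n"


def build_redirect_safe(next_url: str, allowed_host: str) -> bytes:
    """Hardened shape: refuse control characters and off-host targets.
    `allowed_host` is an assumption of this example, not a framework setting."""
    # Check the raw string first: urlparse() in recent CPython strips
    # CR/LF/TAB before parsing, which would hide an injection attempt.
    if _CTL.search(next_url) or not next_url.isascii():
        raise HeaderInjection("control or non-ASCII character in header value")
    parsed = urlparse(next_url)
    if parsed.netloc and parsed.netloc != allowed_host:
        raise HeaderInjection("redirect target outside the allowed host")
    return b"HTTP/1.1 302 Found\r\nLocation: " + next_url.encode("ascii") + b"\r\n\r\n"


def is_rejected(next_url: str, allowed_host: str) -> bool:
    """True if the hardened builder refuses the value."""
    try:
        build_redirect_safe(next_url, allowed_host)
    except HeaderInjection:
        return True
    return False


def count_header_lines(raw: bytes) -> int:
    """Number of header lines in a raw response (status line excluded).
    A redirect built from one value should carry exactly one."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    return len(head.split(b"\r\n")) - 1


def looks_like_injection(value: str) -> bool:
    """Detection rule for request logging: raw or URL-encoded CR/LF."""
    return bool(_CTL.search(value) or _ENCODED_CTL.search(value))


# Constructed sample input: a legitimate path and one carrying a CRLF.
CLEAN = "/home"
TAMPERED = "/home\r\nX-Injected: 1"
```

With the tampered value the unsafe builder emits two header lines where one was intended; the hardened builder raises instead.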

LDAP Injection

LDAP Injection is an attack used to exploit web-based applications that construct LDAP statements based on user input. When an application fails to properly sanitize user input, it is possible to modify LDAP statements using a local proxy. This could result in the execution of arbitrary commands such as granting permission to unauthorized queries and content modification inside the LDAP tree. The same advanced exploitation techniques available in SQL Injection can be similarly applied in LDAP Injection.

Log Injection

Log Injection occurs when unvalidated input is stored directly in log files, which may lead to misinformation or the exploitation of other vulnerabilities.

NoSQL Injection

A NoSQL injection attack consists of insertion or "injection" of a NoSQL query object via the input data from the client to the application.

A successful NoSQL injection exploit can read sensitive data from the database, modify data (Insert/Update/Delete), execute administration operations on the database (such as shutting down the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. With NoSQL injection attacks, parts of the query object are injected into data-plane input in order to execute predefined commands.

Reflection Injection

The application takes data from the user and uses it to load classes by reflection. If an attacker can supply values that the application then uses to determine which class to instantiate or which method to invoke, the potential exists for the attacker to create control flow paths through the application that were not intended by the application developers. This attack vector may allow the attacker to bypass authentication or access control checks or otherwise cause the application to behave in an unexpected manner.

SQL Injection

A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application.

A successful SQL injection exploit can read sensitive data from the database, modify data (Insert/Update/Delete), execute administration operations on the database (such as shutting down the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. With SQL injection attacks, SQL commands are injected into data-plane input in order to execute predefined SQL commands.

XPath Injection

Similarly to SQL Injection, XPath Injection attacks occur when a website uses user-supplied information to construct an XPath query for XML data. By sending intentionally malformed information to the website, an attacker can find out how the XML data is structured, or access data that he may not normally have access to. He may even be able to elevate his privileges on the website if the XML data is being used for authentication (such as an XML-based user file).

Hardcoded Key

The use of a hard-coded cryptographic key tremendously increases the possibility that encrypted data may be recovered.

Hardcoded Password

The use of a hard-coded password increases the possibility of password guessing tremendously.

Let's look further at the authentication cookie and assume that an XSS (cross-site scripting) vulnerability is present in the application, which the attacker can take advantage of to steal the authentication cookie. Can we somehow prevent this from happening? It turns out that the HttpOnly flag can be used to solve this problem. When the HttpOnly flag is set, JavaScript will not be able to read the authentication cookie even if the XSS is exploited.

Session Rewriting

URL rewriting is the technique of transporting the session ID within a Uniform Resource Locator, better known as a URL.

Unlike an HTTP header, which transports cookies, a session ID in a URL can be disclosed in many ways.

Session Timeout

Session timeout defines the action window time for a user. This window also represents the time available in which an attacker can try to steal and use an existing user session. Therefore, the longer the session timeout, the easier it is for cross-user web attacks such as Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS) to succeed.

The session timeout value should not be greater than 30 minutes. Applications that handle sensitive data tend to use short timeouts, usually between 15 and 30 minutes.

Weak Password

The use of a weak password increases the chance of password guessing tremendously, which makes it easier for attackers to compromise user accounts. A weak password is short, common, a system default, or something that could be rapidly guessed by executing a brute force attack using a subset of all possible passwords, such as words in the dictionary, proper names, words based on the user name or common variations on these themes.

Autocomplete Missing

The application has a form that may leak potentially sensitive information. The browser could cache that information insecurely because neither the form tag nor the relevant fields have the AUTOCOMPLETE attribute disabled.

Insecure Cipher

The application uses an encryption algorithm that doesn't meet today's generally accepted standards. Cryptography is difficult and there are many minor mistakes that can cause a cryptosystem to leak information, or worse. Choosing an encryption algorithm that is known to be unsafe is a very common way to completely undermine security. Frequently, the use of a weak algorithm will allow sensitive data or credentials to be hijacked during transmission or when stored.

Insecure Hashing

The application uses a hashing algorithm that does not meet today's generally accepted standards. Cryptography is difficult and there are many minor mistakes which can lead to a cryptosystem leaking information, or worse. Choosing a hashing algorithm that is known to be unsafe is a very common way to completely undermine security. Frequently, the use of a weak algorithm will allow credentials or data to be extracted.

Sensitive Data Exposure

These types of vulnerabilities allow attackers to obtain sensitive data such as credit card details, health/personal information or usernames and passwords.

Weak Randomness

Standard pseudo-random number generators cannot withstand cryptographic attacks.

Path Traversal

A path traversal attack (also known as directory traversal) aims to access files and directories that are stored outside the web root folder. By manipulating variables that reference files with a “dot-dot-slash (../)” sequence and its variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system including application source code or configuration and critical system files. It should be noted that access to files is limited by the system’s operational access control, such as in the case of locked or in-use files on the Microsoft Windows operating system.

Admin Console Active

The app server admin console is installed automatically and never removed, and its default accounts are not changed. An attacker discovers the standard admin pages on your server, logs in with the default passwords and takes over.

Default Html Escape Invalid

Applications based on Spring tags do not escape output by default, but it is good practice to activate escaping in web.xml, as it reduces the likelihood of an XSS attack.

Directory Listing Leak

App server configuration allows directory listing which could potentially yield sensitive information to an attacker.

Insecure Auth Protocol

The application uses an authentication protocol that is not considered secure. The protocol referred to as "HTTP/1.0" includes the specification for a Basic Access Authentication scheme. That scheme is not considered to be a secure method of user authentication, as the user name and password are passed over the network in an unencrypted form.

Insecure Jsp Layout

The application has JSP files outside the WEB-INF folder, which may allow an attacker to leak their content.

According to the Secure Windows Initiative group at Microsoft, the majority of XSS attacks target theft of session cookies. A server could help mitigate this issue by setting the HTTPOnly flag on a cookie it creates, indicating the cookie should not be accessible on the client.

Stacktrace Leak

App server configuration allows stack traces to be returned to users, potentially exposing underlying flaws. Attackers could use the extra information provided by error messages.

Client XSS

Cross-site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites.

XSS

Cross-site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites.

Untrusted Deserialization

Data which is untrusted also cannot be trusted to be well formed. Malformed or unexpected data could be used to abuse application logic, deny service, or execute arbitrary code when deserialized.

Library With Known Vulnerability

Some vulnerable components (e.g., framework libraries) can be identified and exploited with automated tools, expanding the threat agent pool beyond targeted attackers to include chaotic actors.

Cache Controls Missing

The browser has a capability to temporarily store some of the pages browsed. These cached files are stored in a folder, like the Temporary Internet Files folder in the case of Internet Explorer. When we ask for these pages again, the browser displays them from its cache. This is much faster than downloading the page from the server. Let's consider the particular scenario where a user has logged in to an application with username and password. The user browses the different pages which contain sensitive information. Let's suppose a page with the user's credit card information gets cached in the browser and the user logs out of the application. Now suppose attackers access the same machine and search through the Temporary Internet Files. They will get the credit card details. The attackers do not need to know the username and password of the user to steal the information.

Clickjacking Control Missing

Clickjacking, also known as a "UI redress attack", is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the top level page. Thus, the attacker is "hijacking" clicks meant for one page and routing them to another, most likely owned by another application, domain, or both.

The application is not using the CSP header properly. CSP stands for Content Security Policy.

This is a W3C specification instructing the client browser which type of resources can be loaded and/or from which location. The CSP specification uses directives to define a loading behavior for a target resource type.

Format String

The Format String exploit occurs when the submitted data of an input string is evaluated as a command by the application. In this way, the attacker could execute code, read the stack, or cause a segmentation fault in the running application, causing new behaviors that could compromise the security or the stability of the system.

The application is not using the HSTS header. HTTP Strict Transport Security (HSTS) is an opt-in security enhancement that a web application specifies through a special response header. Once a supported browser receives this header, it will prevent any communication from being sent over HTTP to the specified domain and will instead send all communication over HTTPS. It also prevents HTTPS click-through prompts in browsers.

Html Resource Integrity

Subresource Integrity (SRI) is a security feature that enables browsers to verify that files they fetch (for example, from a CDN) are delivered without unexpected manipulation. It works by allowing you to provide a cryptographic hash that a fetched file must match.

Even though the application is using HTTPS, it is not setting the Secure flag on cookies, which may lead to data exposure.

SameSite prevents the browser from sending this cookie along with cross-site requests. The main goal is to mitigate the risk of cross-origin information leakage. It also provides some protection against cross-site request forgery attacks. Possible values for the flag are lax or strict.
The strict value will prevent the cookie from being sent by the browser to the target site in all cross-site browsing contexts, even when following a regular link. For example, for a GitHub-like website this would mean that if a logged-in user follows a link to a private GitHub project posted on a corporate discussion forum or in an email, GitHub will not receive the session cookie and the user will not be able to access the project.
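The HttpOnly, Secure and SameSite attributes discussed in the three cookie passages above are the attributes a response-header audit should look for. The following auditor is an added example, not Hdiv code: it parses each Set-Cookie header of a response, reports which of the three protections is missing, and builds a hardened session cookie for comparison. The sample headers and cookie names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class CookieAudit:
    name: str
    http_only: bool
    secure: bool
    same_site: Optional[str]   # "Strict", "Lax", "None", or None if absent
    findings: List[str]


def parse_set_cookie(header: str) -> CookieAudit:
    """Parse one Set-Cookie value (RFC 6265 layout: name=value; attr; attr=val)."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()   # flag attrs map to ""
    http_only = "httponly" in attrs
    secure = "secure" in attrs
    raw_same_site = attrs.get("samesite")
    same_site = raw_same_site.capitalize() if raw_same_site else None
    findings: List[str] = []
    if not http_only:
        findings.append("HttpOnly missing: readable by script after an XSS")
    if not secure:
        findings.append("Secure missing: sent over plain HTTP")
    if same_site not in ("Strict", "Lax"):
        findings.append("SameSite missing or None: sent on cross-site requests")
    return CookieAudit(name, http_only, secure, same_site, findings)


def session_cookie(name: str, value: str, same_site: str = "Lax") -> str:
    """Build a hardened Set-Cookie value for a session identifier."""
    if same_site not in ("Strict", "Lax"):
        raise ValueError("session cookies should use SameSite=Strict or Lax")
    return f"{name}={value}; Path=/; HttpOnly; Secure; SameSite={same_site}"


def audit_response_headers(headers: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Map each Set-Cookie in a response to its list of findings (empty = OK)."""
    audits = (parse_set_cookie(v) for k, v in headers if k.lower() == "set-cookie")
    return {a.name: a.findings for a in audits}


# Constructed sample response: one bare servlet cookie, one hardened cookie.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "JSESSIONID=abc123; Path=/"),
    ("Set-Cookie", session_cookie("sid", "def456", "Strict")),
]
```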

Parameter Pollution

Not setting the action field of a FORM tag may lead to parameter pollution if an attacker embeds the page inside an IFRAME.

PCI Clear Parameter Violation

Credit card details should not be included as HTTP request parameters or as part of the URL, as this greatly increases the possibility of them being leaked.

PCI Logging Violation

The PCI DSS standard does not allow credit card details to be leaked into log files.

RMI Detection

This rule activates RMI parameter tainting so that other kinds of vulnerabilities are detected. If this rule is not active, no RMI parameter will be traced.

SSRF

Server Side Request Forgery (SSRF) vulnerabilities let an attacker send crafted requests from the back-end server of a vulnerable web application. Criminals usually use SSRF attacks to target internal systems that are behind firewalls and are not accessible from the external network. An attacker may also leverage SSRF to access services available through the loopback interface (127.0.0.1) of the exploited server.

Trust Boundary Violation

A trust boundary can be thought of as a line drawn through a program. On one side of the line, data is untrusted. On the other side of the line, data is assumed to be trustworthy. The purpose of validation logic is to allow data to safely cross the trust boundary - to move from untrusted to trusted. A trust boundary violation occurs when a program blurs the line between what is trusted and what is untrusted. By combining trusted and untrusted data in the same data structure, it becomes easier for programmers to mistakenly trust unvalidated data.

Unvalidated Redirect

The application uses untrusted input to craft a redirect or forward URL.

Verb Tampering

The HTTP specification includes request methods other than the standard GET and POST. A standards-compliant web server may respond to these alternative methods in ways not anticipated by developers.

Weak Cross Domain Policy

Cross-origin resource sharing (CORS) is a mechanism that allows restricted resources (e.g. fonts) on a web page to be requested from another domain outside the domain from which the resource originated. The Access-Control-Allow-Origin header indicates whether a resource can be shared based on returning the value of the Origin request header, "*", or "null" in the response.

X-Content-Type Header Missing

The application is not using the X-Content-Type-Options header. Using this header prevents the browser from MIME-sniffing a response away from the declared content type.

The application has disabled XSS protection by sending an insecure header value.

What makes a DDoS attack different from a DoS attack? (Check all that apply.)

A DoS attack is a denial of service attack in which a single computer floods a server with TCP and UDP packets. A DDoS attack is one in which multiple systems target a single system with a DoS attack, so the targeted network is bombarded with packets from multiple locations. Every DDoS attack is a DoS attack, but not every DoS attack is a DDoS attack.

Which of these sends tons of packets to a system in order to crash it or prevent services from being available? (Check all that apply.)

Ping of Death (a.k.a. PoD) is a type of Denial of Service (DoS) attack in which an attacker attempts to crash, destabilize, or freeze the targeted computer or service by sending malformed or oversized packets using a simple ping command.