Security engineering  basing on gracenolan notes. part 3

Security engineering basing on gracenolan notes. part 3

From the Oscakampala open source cyber security branch.


12 min read

  • Welcome. Today we are going to continue with gracenolan notes. Please do some further deep-diving in web application pen-testing as there are many technical details to understand and practical workouts. Am writing according to the notes. Try out labs and have fun.

Web Applications:

  • Same origin policy: This policy is a cornerstone of web security and is implemented in web browsers to prevent malicious attacks such as Cross-Site Scripting (XSS). It states that a web page loaded from one origin (e.g. cannot access resources (e.g. images, scripts, cookies) from another origin (e.g. This is to prevent sensitive information from being leaked to unauthorized domains.

  • CORS: CORS stands for Cross-Origin Resource Sharing and is a mechanism that allows a web page from one origin to make requests to another origin. This is useful for scenarios where a web page wants to access data from another domain, for example, to fetch data from a third-party API. CORS works by sending an HTTP request to the target domain with specific headers, asking the server to grant permission to access its resources. If the server allows access, it will include the necessary headers in the response to indicate that the browser can proceed with the request.

  • HSTS: HSTS stands for HTTP Strict Transport Security and is a security policy that forces web browsers to only use encrypted HTTPS connections with a website that supports it. This helps to prevent eavesdropping, tampering, and man-in-the-middle attacks, as all data transmitted between the browser and the server is encrypted. HSTS is specified by the website in the form of a header sent in the HTTP response, indicating to the browser that it should only use HTTPS for all future requests to that domain.

  • Cert transparency: Cert Transparency is a system that provides public transparency of SSL/TLS certificates issued by certificate authorities. It works by logging all SSL/TLS certificates issued by certificate authorities in publicly accessible logs, allowing anyone to verify the validity of the certificate. This helps to prevent certificate authority mis-issuance, which could result in fraudulent websites being granted valid SSL/TLS certificates. By checking the logs, users can verify that the certificate was indeed issued by a trusted certificate authority and has not been revoked or tampered with.

  • HPKP: HTTP Public Key Pinning was a security feature that allowed a web server to specify a set of trusted public keys in an HTTP header. The browser would then only accept SSL/TLS certificates signed by one of these trusted keys. However, this feature has been deprecated by Google Chrome due to several security and privacy concerns.

  • Cookies: Cookies are small text files that are stored on the client's computer by a website. They can be used to remember user preferences, store user data, or track user behavior on a website. By setting the "HttpOnly" attribute in the cookie, a website can indicate that the cookie should only be accessible by the server and not by JavaScript. This helps to prevent Cross-Site Scripting (XSS) attacks, as the attacker cannot access or steal the cookie data.

  • CSRF: Cross-Site Request Forgery (CSRF) is a type of attack that allows an attacker to perform unauthorized actions on behalf of a victim, using their existing session. This can be done by tricking the victim into visiting a malicious website that sends a request to a vulnerable website, with the victim's cookies attached. The request will be executed as if it was made by the victim, leading to unintended consequences. To prevent CSRF, websites can implement various mitigation techniques, such as checking the origin of incoming requests or requiring a unique token to be submitted with each request.

  • XSS: Cross-Site Scripting (XSS) is a type of security vulnerability that allows an attacker to inject malicious scripts into a web page viewed by other users. XSS attacks can take various forms, such as Reflected XSS, where the attacker's payload is immediately executed by the browser in response to a request, or Persistent XSS, where the malicious script is stored on the server and executed every time the page is viewed. There are also client-side XSS attacks, also known as DOM-based XSS, where the malicious script is executed directly by the browser without requesting the server.

  • SQLi: SQL Injection (SQLi) is a type of attack that targets the database of a website by injecting malicious SQL commands into an input field, such as a search bar or a form. The attacker's goal is to manipulate the database and extract sensitive information, such as login credentials or personal data. SQLi attacks can also be performed through malicious software installed on the victim's computer, such as a person-in-the-browser (PITB) attack using a malicious Flash or Java applet. To prevent SQLi, websites must validate and sanitize user input and properly escape any special characters that might be used in an SQLi attack.

  • POST: POST is one of the two main HTTP methods (the other being GET) used to send data from a client to a server. The POST method is typically used to submit form data, as it can transmit large amounts of data and is more secure than GET, as the data is not visible in the URL.

  • GET: GET is the other main HTTP method used to retrieve data from a server. The GET method sends a request to the server with query parameters attached to the URL, which can be used to specify the data that should be returned. Unlike POST, the data sent with a GET request is visible in the URL and has a limit on the amount of data that can be sent.

  • Directory traversal: Directory traversal, also known as path traversal, is a type of security vulnerability that allows an attacker to access files and directories on a server that they should not be able to see. This can be done by injecting ../ or ./ into a URL or a form field, which causes the server to traverse the file system to a different directory than intended. There are various tools available that automate directory traversal attacks.

  • APIs: An API (Application Programming Interface) is a set of rules that allows different software systems to communicate with each other. APIs can return various types of information, such as data, images, or status codes, and can also receive data, such as parameters or authentication credentials. When working with APIs, it's important to understand what information they return and what data can be sent, as this can have security implications.

  • Beefhook: Beefhook is a tool used to examine the behavior of Chrome extensions, including the data they access and the requests they make. This can be useful for security purposes, as it allows researchers and developers to identify potential security vulnerabilities in extensions.

  • User agents: A user agent is a string sent by a client to a server that identifies the type of client and the software used. The user agent can be used to determine if the client is a legitimate browser or a bot, as bots typically have unique user agents that can be easily recognized.

  • Browser extension take-overs: A browser extension take-over occurs when an attacker can install a malicious extension in a browser, either by exploiting a security vulnerability or by tricking the user into installing it. Malicious extensions can perform various malicious activities, such as mining cryptocurrency, stealing login credentials, or displaying unwanted ads.

  • Local file inclusion: Local file inclusion (LFI) is a type of security vulnerability that allows an attacker to include and execute local files on the server. This can be done by injecting malicious file paths into a URL or a form field, allowing the attacker to execute arbitrary code on the server.

  • Remote file inclusion (RFI): Remote file inclusion (RFI) is a type of security vulnerability that allows an attacker to include and execute remote files on the server. This can be done by injecting a URL into a form field or a parameter, causing the server to retrieve and execute the remote file. RFI attacks are less common these days due to improved security measures and the decline in popularity of certain programming languages, such as PHP.

  • SSRF: Server-Side Request Forgery (SSRF) is a type of security vulnerability that allows an attacker to send a malicious request from a vulnerable server to another server. This can be used to access restricted resources on the target server, such as internal network resources or local files.

  • Web vulnerability scanners: Web vulnerability scanners are tools that automate the process of identifying security vulnerabilities in web applications. These tools can identify a wide range of security issues, including SQL injection, cross-site scripting (XSS), and cross-site request forgery (CSRF).

  • SQLmap: SQLmap is an open-source tool used to automate the process of detecting and exploiting SQL injection vulnerabilities in web applications. It can be used to retrieve data from databases, execute arbitrary SQL commands, and even take full control of the underlying server.

  • Malicious redirects: A malicious redirect is a type of attack in which a user is redirected to a different website without their knowledge or consent. This can be done by injecting malicious code into a vulnerable website or by using a phishing technique, such as a fake login page. Malicious redirects can be used to steal sensitive information, such as login credentials, or to distribute malware.

Infrastructure (Prod / Cloud) Virtualisation:

Infrastructure (Prod / Cloud) Virtualisation is the process of creating and managing virtual versions of physical resources, such as servers, storage, and networking. This technology enables multiple virtual systems to run on a single physical host, increasing efficiency, scalability, and security.

Cloud virtualization specifically refers to virtualization in cloud computing environments, where cloud providers offer virtual resources as a service over the internet. This allows organizations to run their applications and store their data in virtual environments provided by the cloud provider, rather than on physical hardware they own and maintain.

  • Hypervisors: A hypervisor is a type of virtualization technology that allows multiple virtual machines (VMs) to run on a single physical host. The hypervisor provides a layer of abstraction between the physical host and the virtual machines, allowing each VM to run its operating system and applications independently.

  • Hyperjacking: Hyperjacking refers to the act of compromising a hypervisor and gaining unauthorized access to its virtual machines. This type of attack can allow an attacker to steal sensitive information or compromise multiple VMs at once.

  • Containers, VMs, clusters: Containers, virtual machines (VMs), and clusters are different types of virtualization technologies. Containers are a lightweight form of virtualization that provide isolation between applications without the overhead of a full virtual machine. VMs are a traditional form of virtualization that allows multiple operating systems to run on a single physical host. Clusters are a group of interconnected VMs that work together to provide high availability and scalability.

  • Escaping techniques: Escaping techniques refer to methods used by attackers to escape from a virtualized environment and access the underlying physical host. This can be used to steal sensitive information or compromise the host system.

  • Lateral movement and privilege escalation techniques: Lateral movement and privilege escalation are tactics used by attackers to move from one system to another and gain elevated privileges. In cloud environments, cloud service accounts can be used for lateral movement and privilege escalation. GCPloit is a tool for exploiting vulnerabilities in Google Cloud Projects.

  • Site isolation: Site isolation is a security technique that separates different parts of a website into separate sandboxes. This helps to prevent cross-site scripting (XSS) and other types of attacks that could allow an attacker to access sensitive information.

  • Side-channel attacks: Side-channel attacks refer to attacks that exploit information that is leaked through the side channels of a system, such as power consumption or electromagnetic radiation. Spectre and Meltdown are examples of side-channel attacks that exploit weaknesses in modern processors.

  • BeyondCorp: BeyondCorp is a security model that is designed to trust the device (such as a laptop or smartphone) but not the network. This allows organizations to provide secure access to resources from anywhere, without the need for a traditional VPN.

  • Log4j vulnerability: The Log4j vulnerability is a security vulnerability in the Log4j logging framework that can be exploited by attackers to inject malicious code into Java applications. This vulnerability can lead to remote code execution, data theft, and other types of attacks.

OS Implementation and Systems:

  • OS Implementation and Systems refer to how an operating system is implemented and the various systems and components that make it up.

    Privilege escalation techniques: Techniques used by attackers to increase their level of access and control over a system, such as exploiting vulnerabilities, misconfigurations, or weak passwords.

    Buffer Overflows: A type of software vulnerability where an attacker can cause a program to crash or execute unintended code by sending more data to a buffer than it can handle.

    Directory traversal: An attack where an attacker manipulates file paths in a request to access files and directories that are outside of the intended directory structure.

    Remote Code Execution: A type of attack where an attacker can execute arbitrary code on a remote system. This is often achieved through exploiting software vulnerabilities or weak configurations.

    Local databases: Databases that are stored locally on a device, rather than on a remote server. For example, some messaging apps use SQLite for storing messages.

    Windows: A popular operating system used by many organizations and individuals.

    Windows registry: A database that stores configuration settings and options for the Windows operating system and its applications.

    Group Policy: A feature in Windows that allows administrators to set policies for users and computers in an Active Directory environment.

    Active Directory (AD): A centralized database used by Windows to store user, computer, and network information.

    Bloodhound tool: A tool used to visualize and analyze the relationships and privileges within an Active Directory environment.

    Kerberos authentication with AD: A network authentication protocol used by Windows to provide secure authentication over unsecured networks.

    Windows SMB: The Server Message Block protocol used by Windows for file and print sharing.

    Samba: A free, open-source implementation of the SMB protocol that allows non-Windows systems to share files and printers with Windows systems.

    ROP: Return-Oriented Programming, a type of attack that exploits buffer overflows by chaining together small fragments of code, rather than injecting new code into a buffer.

  • *nix refers to Unix-like operating systems, including Linux and Unix.

    SELinux is a security extension for Linux, which provides mandatory access control policies to the operating system.

    The kernel in nix operating systems is the central component of the operating system that manages system resources and communicates with the hardware. Userspace is the portion of the operating system where applications and user-level processes run. Permissions are used to control access to resources in nix systems, such as files and directories.

    MAC (Mandatory Access Control) is a type of access control where the system enforces rules for accessing resources, whereas DAC (Discretionary Access Control) allows users to set their own access rules for resources.

    /proc is a virtual file system in nix operating systems, which provides information about system processes. /tmp is a directory in the nix operating system used for the temporary storage of files, and code can be saved and executed from there. /shadow contains encrypted passwords for user accounts.

    LDAP (Lightweight Directory Access Protocol) is a protocol used for accessing and maintaining directory information services over an Internet Protocol network. It allows users to have a single password for multiple services, similar to Active Directory in Windows.

    MacOS is an operating system for Apple Macintosh computers. The Gotofail error was a bug in the SSL/TLS cryptographic software library in MacOS, which allowed attackers to intercept secure communications between two parties. MacSweeper was a software tool used for cleaning up junk files on MacOS. Researching Mac vulnerabilities involves identifying security weaknesses and flaws in the MacOS operating system and finding ways to fix them.