Web Attack Investigation Part 2

00:01

Hey, everyone, welcome back to the course. So in the last video, we talked about Web application forensics

00:06

in this video, where to start our discussion on the old lost top 10.

00:11

So the whole list top 10 we have injection, broken authentication, sensitive data exposure, XML, external entities or X X e Broken access, control, security, Miss Configuration, cross site scripting, insecurity serialization using components with known vulnerabilities. And then, of course, it's insufficient logging in monitoring.

00:32

So injection flaws. So things like, you know, your sequel l dap injections, etcetera, etcetera. Basically, this is when an untrusted data sent is gonna be untrusted. Data is sent to the interpreter assed part of a commander query. So, for example, I'm trying to log into a web page with the user name and password. An attacker then uses those fields instead

00:51

to run a sequel injection attack.

00:53

So they put a sequel command string in the like user name field, for example, and they try to pass that to the actual database.

01:02

So the goal is is to again try toe trick. So to speak the interpreter into executing that command on down from there, you know, potentially giving information back to the attacker about, you know, tables or even everything in the database, for that matter. Um, so it just kind of depends on how

01:19

ah, how vulnerable the Web application is to that type of attack.

01:23

So some prevention methods, they're just, you know, number one using a safe A p I right, which, which, excuse me, avoids the use of the interpreter entirely, or, you know, provides, you know, some kind of parameters that you know the command has to fall into for the interpreters, actually, you know, executed.

01:42

Why? Listing on the server side, you know, for input validation. So you know, again, just making sure that the attacker can't use whatever input they want. We we kind of white list things and say, OK, we'll only these types of things are allowed through.

01:57

And then using a sequel control scene also, for example, like the limit command to prevent the mass disclosure of records again, that's one of the goals of Attackers is to get all the data

02:08

broken. Authentication. So here the application functions are related to authentication. Session management are often implemented incorrectly. Right? So, uh, you know, generally, maybe a *** miss configuration type thing just kind of depends.

02:23

So this allows Attackers to compromise things like passwords, session tokens, you know, or even other implementation flaws, too. That way they can assume you know, someone else's identity, you know, either on a temporary basis or permanently, right. So they can either steal my banking website information and they pretend they're me and just keep accessing my account.

02:42

Or maybe just a temporary thing for that particular session.

02:46

Prevention here is gonna be things like multi factor authentication. So instead of just using, like, a user name and password, you know also like, for example, your bank might send you a code to your your cellphone. So things like that

02:59

not using default credentials. So that's kind of an obvious one, right? If you gotta set up their worth and admin panel on your website sees me on your Web server, then you're not gonna use the default user name and password. At least Please don't didn't do that. Um, checking for weak passwords, right. We want to make sure our passwords or complex. So that way, if the attacker is just using a password cracker,

03:17

you know, through, like, brute force or something like that.

03:21

Then you know, we would just want to make sure that they can't actually

03:24

having easy time, so to speak, of getting our password.

03:28

Ah, and under that, aligning with that, you know, just follow like mist 863 regarding password guidelines or some other areas as well. Like PC Idea says would have good information there

03:39

hardening against the enumeration of accounts and then also limiting the number of filled log in attempts, Obvious reasons They're right, the Attackers doing a brute force than if we limit them. After three attempts, it locks out the account, then they can't do anything right.

03:54

Sensitive data exposure. Eso This could lead identity theft. So basically

04:00

a lot of different Web applications and and even AP, eyes don't properly protect sensitive data. So things like your financial, you know, data or, you know, even like in a healthcare situation like you're protected information. So essentially the Attackers, my stealer, modify

04:16

that protected data to conduct things like, you know, identity theft, credit card car fraud,

04:21

you know, even other crimes. So, you know, the main thing here is maybe using, like, encryption at restaurant transit. You know, we wanna make sure we protect that data. So if they do get the data, they really can't do anything with it.

04:36

And then also, you know, we can classify the data, you know, again, you know, based on how it's being processed, stored and transmitted, we could say, Hey, this is really sensitive, you know? Go ahead and encrypt it. But again, we generally want encrypt all that type of information, anything sensitive and then applying appropriate controls as well,

04:55

XXI or XML. External entity.

04:59

So here, you know, some older or poorly configured XML processors evaluate external entity references within the XML documents, so this could be used to disclose internal files that are using the file. Your eye handler, maternal file shares port scanning internally remote code execution

05:17

on the NASA could be used in denial of service attacks as well.

05:21

So, you know, essentially here the goal was to try to get, you know, either either to to run a dollar store de dos or also to get data extraction

05:31

so we could prevent this by using, you know, less complex formats. You know, some things like your Jason, Um, you know, also patching and upgrading so again, that kind of you know, reverts back to the old school like a patch. Everything. You know, Patrick systems, patchouli applications, etcetera, etcetera. You know. So, for example, like updating soap, you know, the latest version of so

05:53

and the disabling XML External entity processing in the partners of the application eso eso if you go ah to the OS top 10. You know, they've got some different cheat sheets for these types of attacks on, so that in these types of ah, excuse me, vulnerabilities and weaknesses. So, um,

06:13

you'll find some different cheapseats preventing these as well as some good information. So definitely visit the old lost website

06:23

Broken access control pretty much as the name implies restrictions on what authenticated users were allowed to do. Um, and that's not properly enforced generally. So that way, Attackers can then exploit those flaws to gain unauthorized access, you know, to data or different functionality,

06:39

you know? So, for example, just accessing like someone else's account, right? Do you know? So,

06:43

um, the attacker comes in, they get one account, and then they you know, basically, it's the admin account, and now they can do terrible things to our servers,

06:51

and that allows them to also view, like, sensitive files, you know, modified data so they can change passwords, even change, like, you know, access rights for the user account.

07:01

So how can we prevent against this stuff? Well, you know, of course we can. Ah, you know, with exception of like, you know, resource is that we're leaving out there publicly we can deny by default, Right? So that way, all our private resource is internally are, you know, denied from access from an external account.

07:18

We could also disabled the Web server directory listing so that we the attacker, compromises something they can't see all the listing there,

07:27

implementing access control mechanisms, you know, and ah, basically Ah, you know, again going back to that, you know, multi factor authentication aspect of making sure that it's actually you know, you are I and not the attacker accessing things.

07:43

We could also log access control failures, you know, and and with that, you know, alerting administrators that Hey, there's, you know, x number of attempts here

07:53

and then also, you know, rate limit. The ap, I and controller access. So basically that with there's an automated attacking a tool that will help minimize the harm found from that

08:03

security. Miss Configuration s O. This is probably one of the most common things here. So think about it. You know, like when you when you see on the news like, hey, they miss configured in a W s bucket. And now, you know, classified information is lost Remotely sensitive information is lost. That's what we're talking about here.

08:20

So again, you know, this this is related to, you know, insecure defaults configurations, you know, are incomplete configurations. Or, you know, you kind of just rigged it up, so to speak. Um, also, Ah, you know, Miss Configured 83 headers, you know, air messages that are, you know, pretty ver boasts, you know? So if you're

08:37

if you're given, like, all sorts of data, back about the particular error, you know, like, Hey, it's in, You know, these different database tables.

08:45

Ah, we're not finding that that information, you know, we want to limit the information back to say, you know, like, air like, Oh, it didn't work or something like that, right? Obviously different Burbage. But, you know, you get the idea.

08:56

We just don't want the attacker to know basically what we've got going on. We want them the half kind of general error that they don't really understand what the information back is.

09:09

You know, it's so again here, you know, one of the main things is ah, you know, patching a ce faras prevention. We we just want to make sure we patch as well as you know, hardening the system,

09:20

you know, And with that, with that Harding, we want to make sure we have some type of key way process in place to make sure that we're continuously checking to make sure the system is still hard against threats,

09:31

making sure the platform doesn't have any unnecessary features turned on. So just making sure it's a minimalistic approach there.

09:39

And the segmenting our application architecture, right? So we just want to make sure that we separate between different components and different tenants, you know, So containers using containers are, you know, our cloud security groups.

09:52

And then finally, we have a cross site scripting, at least in this video, and then we'll cover the last few in the next video. So cross site scripting or excess s a CZ. You'll probably see it on the exam itself.

10:05

This is basically when the application includes untrusted data in a new Web page without proper proper validation of that data. So that could lead to things like remote code execution on the victim's browser. You know, stealing of credentials, deliver malware to victim, etcetera. Etcetera basically allows that attacker to execute the scripts, right?

10:24

Um,

10:26

and so different ways we can prevent against it s so we can use. You know, we could separate untrusted data from the active browser content. We can, you know, escape interested. Http. Request data. We could enable CSP or content security policy.

10:43

You know? So, uh, as I mentioned, you know, using frameworks that automatically escape cross site scripting. So things like, you know, the latest version of Ruby on rails react JavaScript, you know, things like that. But basically, we're just trying to limit the ability of the attacker to actually execute the code on the system.

11:01

So in this video, we cover the first portion of the lost top tens. We've covered the 1st 7 aspect. So injection, broken authentication, sensitive data exposure, XXI or XML, External entities, broken access control, security, Miss Configurations, cross site scripting.

11:18

So the next video, We'll cover the last tree. So insecurity serialization,