Are you familiar with various types of application attacks? If you’re planning to take the Security+ exam, you should have a basic understanding of several common types of attacks launched against systems and networks.
For example, can you answer this question?
Q. An attacker recently attacked a web server hosted by your company. After investigation, security professionals determined that the attacker used a previously unknown application exploit. Which of the following BEST identifies this attack?
A. Buffer overflow
B. Zero-day attack
C. Fuzzing
D. Session hijacking
More importantly, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are available at the end of this post.
Zero-Day Attacks
A zero-day attack is one that exploits an undocumented vulnerability. Many times, the vendor isn’t aware of the issue. At some point, the vendor learns of the vulnerability and begins to write and test a patch to eliminate it. However, until the vendor releases the patch, the vulnerability is still a zero-day vulnerability.
As an example, a bug existed in the virtual DOS machine (VDM) that shipped with every version of 32-bit Windows systems from 1993 to 2010. The bug allowed attackers to escalate their privileges to full system level, effectively allowing them to take over the system. Google researcher Tavis Ormandy stated that he reported the bug to Microsoft in mid-2009. At this point, Microsoft (the vendor) knew about the bug, but didn’t release a work-around until January 2010 and a patch until February 2010. Because the bug wasn’t known publicly until January 2010, it remained a zero-day vulnerability until then.
Both attackers and security experts are constantly looking for zero-day vulnerabilities. Attackers want to learn about them so that they can exploit them. Most security experts want to know about them so that they can help ensure that vendors patch them before they cause damage to users.
Remember this
Zero-day exploits are undocumented and unknown to the public. The vendor might know about the vulnerability, but has not yet released a patch to address it.
Session Hijacking Attacks
When a user logs on to a web site, the web site often returns a cookie with a session ID. In many cases, this cookie is stored on the user’s system and remains active until the user logs off. If the user closes the session and returns to the web site, the web site reads the cookie and automatically logs the user on. This is convenient for the user, but can be exploited by an attacker.
In a session hijacking attack, the attacker learns the user’s session ID and uses it to impersonate the user. The web server doesn’t know the difference between the original user and the attacker because it is only identifying the user based on the session ID.
Attackers can read cookies installed on systems through several methods, including cross-site scripting attacks and Flash cookies (described in the next section). Once they have the session ID, they can use header manipulation to hijack the session.
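The session-ID handling described above, seen from the server side: an added example (not code from the original post) of a minimal session store that issues unguessable IDs, sets the cookie flags that keep page scripts from reading them, and expires or rotates sessions so that a captured ID is of limited use. The 15-minute idle timeout and the cookie name `sid` are assumptions.

```python
# Added example (not the original post's code): a minimal server-side session
# store showing the controls that limit what a stolen session ID is worth.
import hmac
import secrets
import time

SESSION_LIFETIME = 15 * 60  # idle seconds before a session dies (assumed policy)

class SessionStore:
    """Maps unguessable session IDs to the logged-in user and last-seen time."""

    def __init__(self):
        self._sessions = {}  # session_id -> {"user": str, "last_seen": float}

    def create(self, user, now=None):
        # 32 bytes from the OS CSPRNG: the ID cannot be predicted, only stolen.
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = {"user": user, "last_seen": now if now is not None else time.time()}
        return session_id

    def set_cookie_header(self, session_id):
        # HttpOnly: scripts injected via XSS cannot read the cookie.
        # Secure: never sent over plain HTTP.  SameSite: not attached cross-site.
        return f"Set-Cookie: sid={session_id}; HttpOnly; Secure; SameSite=Strict; Path=/"

    def lookup(self, presented_id, now=None):
        """Return the user for a presented cookie value, or None if unknown/expired."""
        now = now if now is not None else time.time()
        for sid, entry in self._sessions.items():
            # Constant-time compare: no timing oracle on how many chars matched.
            if hmac.compare_digest(sid.encode(), presented_id.encode()):
                if now - entry["last_seen"] > SESSION_LIFETIME:
                    del self._sessions[sid]  # idle too long: force a fresh logon
                    return None
                entry["last_seen"] = now
                return entry["user"]
        return None

    def rotate(self, old_id, now=None):
        """Issue a fresh ID (e.g. right after logon) so an ID captured earlier stops working."""
        user = self.lookup(old_id, now)
        if user is None:
            return None
        del self._sessions[old_id]
        return self.create(user, now)

    def logout(self, session_id):
        # Invalidate server-side: a copied cookie is useless once the session is gone.
        self._sessions.pop(session_id, None)
```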
Flash Cookies and LSOs
A Flash cookie is one created by Adobe Flash Player and is different from a traditional text cookie. They are also known as local shared objects (LSOs) or locally shared objects. For example, Flash cookies are stored in multiple locations by default, and traditional methods of deleting cookies through a web browser do not delete Flash cookies. Some Flash cookies store the session ID from traditional cookies. If a user deletes the traditional cookies, the Flash cookies re-create them.
Many sites use Flash cookies to track users’ online activity without their knowledge or consent. For example, when a user goes to web site A, which uses a Flash cookie, and then goes to web site B, the Flash cookie records their activity on web site B. This continues for the entire session as the Flash cookie tracks and records all of the user’s activity. This practice has prompted many class-action lawsuits against sites using Flash cookies.
Arbitrary Code Execution/Remote Code Execution
Arbitrary code execution refers to the ability of an attacker to execute commands or run programs on a target system. Remote code execution refers to the ability of an attacker to execute the code from a remote system. Neither of these is desirable because either one allows attackers to install and run malware on vulnerable systems.
As an example, imagine an application such as a web browser has a vulnerability that allows execution of code using one of these methods. An unsuspecting user can visit a malicious web site with specially crafted code to exploit this vulnerability. This code can use elevated privileges to cause the system to download a malicious file and then execute it to install it. Once installed, the malware can allow the attacker to take control of the computer whenever desired.
Software bugs are the most common reason that arbitrary code execution and remote code execution are possible. This is another reason why it is important to keep systems up to date with current patches.
Q. An attacker recently attacked a web server hosted by your company. After investigation, security professionals determined that the attacker used a previously unknown application exploit. Which of the following BEST identifies this attack?
A. Buffer overflow
B. Zero-day attack
C. Fuzzing
D. Session hijacking
Answer is B. A zero-day attack takes advantage of an undocumented exploit or an exploit that is unknown to the public.
A buffer overflow attack sends unexpected data to a system to access system memory or cause it to crash. Although some buffer overflow attacks are unknown, others are known. If the server isn’t kept up to date with patches, it can be attacked with a known buffer overflow attack.
Fuzzing sends random data to a system and can detect buffer overflows and zero-day attack methods, but the scenario doesn’t indicate the attacker is sending random data.
Session hijacking takes over a user’s session and isn’t related to an attack on a server.