Are you familiar with many attacks that target server applications? If you’re planning to take the Security+ exam, it’s something you might like to review. For example, can you answer this sample practice test question?
Q. During a penetration test, a tester injected extra input into an application causing the application to crash. What does this describe?
A. SQL injection
B. Fuzzing
C. Transitive access
D. XSRF
More, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation is available at the end of this post.
Fuzzing
Fuzzing (or fuzz testing) uses a computer program to send random data to an application. In some cases, the random data can actually crash the program or provide unexpected results, indicating a vulnerability. Security professionals use fuzz testing to test systems and applications for vulnerabilities they can correct. In contrast, attackers use fuzz testing to identify vulnerabilities they can exploit.
Sometimes attackers will write a fuzz testing script to run on the attacked system instead of sending the data over the network. For example, an attacker can use JavaScript to send random data to another service on the same system. In some cases, this discovers a string of code that can cause a buffer overflow. If an attacker discovers a string of data that can create a buffer overflow, he can use it in an attack.
Remember this
Fuzzing sends random strings of data to applications looking for vulnerabilities. Administrators use fuzz testing to test applications and attackers use fuzzing to detect attack methods.
Directory Traversal/Command Injection
In some cases, attackers are able to inject operating system commands into an application using web page forms or text boxes. Any web page that accepts input from users is a potential threat. Directory traversal is a specific type of command injection attack that attempts to access a file by including the full directory path, or traversing the directory structure.
For example, in Unix systems, the passwd file includes user logon information, and it is stored in the /etc directory with a full directory path of /etc/passwd. Attackers can use commands such as ../../etc/passwd or /etc/passwd to read the file. Similarly, they could use a remove directory command (such as rm -rf) to delete a directory, including all files and subdirectories. Input validation can prevent these types of attacks.
LDAP Injection
Lightweight Directory Application Protocol (LDAP) is the primary protocol used to communicate with servers hosting directory services such as Active Directory in a Microsoft system. In some cases, attackers are able to use LDAP injection attacks to query and modify account information in Active Directory with LDAP commands.
Remember this
LDAP injection attacks attempt to access or modify data hosted on directory service servers.
Q. During a penetration test, a tester injected extra input into an application causing the application to crash. What does this describe?
A. SQL injection
B. Fuzzing
C. Transitive access
D. XSRF
Answer is B. Fuzzing or fuzz testing sends extra input to an application to test it. Ideally, the application can handle the extra input, but it is possible that fuzz testing causes an application to crash. Other answers do not cause the application to crash.
A SQL injection attack sends specific SQL code to access or modify data in a database.
A cross-site request forgery (XSRF) attack uses HTML or JavaScript code to take actions on behalf of a user.
