Privilege Escalation
- Leverages programming errors and system design flaws to give an attacker elevated access to the network and related systems, data, and applications
- Privilege escalation can occur during an attack's kill chain or as part of penetration testing
- Can be vertical or horizontal
- Advanced Persistent Threats (APTs) often attempt an escalation of access privileges soon after the initial compromise phase
- The goal is to become a root or administrative user, level 15 user on a switch or router, exec user, Domain Admin group member, etc.
- The higher the level, the broader the access, and the more potential there is to damage or exfiltrate critical data
- Least privilege principles are key for mitigation
- Enumeration steps on the vulnerable system:
  1. Check the OS release of the vulnerable system
  2. View its kernel version
  3. Check the available users and the current user's privileges
  4. List the SUID files
  5. View the installed packages, programs, and running services (outdated versions may be vulnerable)
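- Added example, not part of these notes: step 4 (listing SUID files) from the defender's side. The script flags set-uid/set-gid binaries that are not in a known-good baseline, which is how unexpected escalation paths get detected rather than just enumerated. The baseline set and the sample listing below are constructed for illustration; a real baseline is recorded from a clean image of the same OS release.

```python
import os
import stat

# Constructed baseline (assumption): set-uid binaries expected on this host.
BASELINE_SUID = {
    "/usr/bin/passwd",
    "/usr/bin/sudo",
    "/usr/bin/su",
}


def is_setuid_or_setgid(mode):
    """True if the mode bits carry set-uid or set-gid."""
    return bool(mode & (stat.S_ISUID | stat.S_ISGID))


def unexpected_privileged_files(entries, baseline=BASELINE_SUID):
    """entries: iterable of (path, mode) pairs.

    Returns the sorted paths that are set-uid/set-gid but absent from the
    baseline allow-list; each of these deserves review.
    """
    return sorted(
        path for path, mode in entries
        if is_setuid_or_setgid(mode) and path not in baseline
    )


def scan_filesystem(root="/"):
    """Walk the live filesystem and yield (path, mode) for regular files.

    os.lstat is used so symlinks are reported as links, not followed.
    Unreadable entries are skipped rather than aborting the scan.
    """
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode):
                yield path, st.st_mode


# Constructed sample listing, shaped like the output of a host scan.
SAMPLE_ENTRIES = [
    ("/usr/bin/passwd", 0o104755),   # set-uid, in baseline
    ("/usr/bin/sudo",   0o104755),   # set-uid, in baseline
    ("/usr/bin/ls",     0o100755),   # no set-uid/set-gid bit
    ("/tmp/.cache/sh",  0o104755),   # set-uid, NOT in baseline
    ("/usr/bin/wall",   0o102755),   # set-gid, not in baseline
]

if __name__ == "__main__":
    # Replace SAMPLE_ENTRIES with scan_filesystem() to audit a real host.
    for path in unexpected_privileged_files(SAMPLE_ENTRIES):
        print("review:", path)
```

Running this on a schedule and diffing against the last run turns the enumeration step into a detection: a new set-uid file under a world-writable directory is a strong signal.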
-
Cross-site Scripting and Request Forgery
- Flaws in pages rendered by web servers and not in the web server code itself (i.e. Apache, IIS), where malicious scripts or code are injected into trusted or innocent web site pages
- Malicious scripts can steal cookies, session tokens, or other sensitive data stored by the browser and used with the site
- Attacker typically sends browser-side scripts to end user
- Can occur any time a web program uses user input within the output it generates without validating or encoding it
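- Added example, not part of these notes: the "user input within the output" pattern in Python, with the vulnerable concatenation next to output encoding for the HTML body and attribute contexts. The sample input and the http/https-only link policy are assumptions made for the illustration.

```python
import html
from urllib.parse import urlsplit

# Constructed user input: a browser-side script delivered through a request
# parameter, the kind of payload the notes describe.
USER_INPUT = "<script>alert(document.cookie)</script>"


def render_unsafe(name):
    """Vulnerable pattern: user input concatenated straight into the HTML body."""
    return "<p>Hello, " + name + "</p>"


def render_safe(name):
    """Hardened: encode for the HTML body context at output time.

    html.escape turns <, >, &, " and ' into entities, so the browser shows the
    input as text instead of executing it as markup.
    """
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def render_link_safe(href, label):
    """Attribute context: validate the URL scheme, then quote and encode.

    Encoding alone does not stop a javascript: URL, so the scheme is checked
    against an allow-list (assumed policy) before the value is placed in href.
    """
    scheme = urlsplit(href).scheme.lower()
    if scheme not in ("http", "https"):
        href = "#"
    return '<a href="{}">{}</a>'.format(
        html.escape(href, quote=True), html.escape(label, quote=True)
    )


def contains_script_tag(page):
    """Helper for the demonstration: does the rendered page carry a script tag?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    print(render_unsafe(USER_INPUT))
    print(render_safe(USER_INPUT))
    print(render_link_safe("javascript:alert(1)", "profile"))
```

The fix is applied at output, not at input: the same stored value can be safe in one context and dangerous in another, so each rendering context (body, attribute, URL, script) needs its own encoding rule.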
-
Cross-site Scripting Types
- DOM-based XSS (Local or Type 0)
- Reflected XSS (Nonpersistent or Type 1)
- Stored XSS (Persistent or Type 2)
-
Request Forgery (CSRF/XSRF)
- Attack forces an end user to perform undesirable actions in a web application in which they are authenticated
- An effective CSRF/XSRF attack can force users to perform state-changing requests such as
- Transferring funds
- Changing their e-mail address
- Changing their password
- If the victim is an administrative account, the CSRF attack can compromise the entire web application
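- Added example, not part of these notes: the standard mitigation for the state-changing requests listed above, a per-session anti-CSRF token checked on every state change. The session store and the change-email handler are constructed stand-ins for a web framework's equivalents.

```python
import hmac
import secrets


def issue_csrf_token(session):
    """Create a random per-session token, keep it server-side, and return it
    for embedding in forms as a hidden field (session is a dict here)."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def state_change_allowed(session, submitted_token):
    """Allow a state-changing request only if the submitted token matches the
    session's token. A forged cross-site request cannot read the token, so it
    cannot supply it. compare_digest keeps the comparison constant-time."""
    expected = session.get("csrf_token")
    if not expected or not submitted_token:
        return False
    return hmac.compare_digest(expected.encode(), submitted_token.encode())


def handle_change_email(session, form):
    """Constructed handler for the 'change e-mail address' case.

    Returns (status, message); the change is applied only after the check.
    """
    if not state_change_allowed(session, form.get("csrf_token")):
        return 403, "forbidden: missing or invalid CSRF token"
    session["email"] = form["email"]
    return 200, "email updated"


if __name__ == "__main__":
    session = {}
    token = issue_csrf_token(session)
    print(handle_change_email(session, {"email": "a@example.com", "csrf_token": token}))
    print(handle_change_email(session, {"email": "b@example.com"}))
```

Token checks belong on every request that changes state (POST, PUT, DELETE), never on a GET. Setting the session cookie with the SameSite attribute is a complementary control: the browser then withholds the cookie from most cross-site requests in the first place.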
-
Injection Attacks
- The Injection attack is often the result of a MITM exploit or a RAT attack
- Malware can inject false MAC or IP addresses
- DLL Injection is where malicious code forces itself to run in place of other benign code
- This "injected" code is usually code written by a third-party developer, designed to perform some malicious function
-
SQL Injection
- Involves inserting a SQL query through input data from the client to the server application and can allow for several exploits
- Read sensitive database data (SELECT FROM)
- Change database data (INSERT, UPDATE, DELETE)
- Execute administrative functions (e.g. shutdown DBMS)
- Get contents of files on the database management system (DBMS)
- Run commands on the operating system
-
LDAP Injection
- LDAP is often used in web applications over the internet or a corporate intranet
- The web applications take the input from the client in order to process it further, so the attacker exploits input that is not properly sanitized before it goes into an LDAP query against the back-end directory
- The attacks can expose sensitive user information or change information in the LDAP directory
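- Added example, not part of these notes: the sanitisation step the bullet above calls for, as an LDAP search-filter value escaper following the RFC 4515 rules (backslash, asterisk, parentheses and NUL become `\xx` hex escapes). The user-lookup filter shape is an assumption for the illustration.

```python
# Characters with special meaning inside an LDAP search filter (RFC 4515).
# Backslash is included so that an already-escaped sequence cannot be smuggled in.
_FILTER_SPECIALS = "\\*()\x00"


def escape_ldap_filter_value(value):
    """Escape a value for use inside an LDAP filter assertion.

    Each special character is replaced by a backslash and its two-digit hex
    code, so the directory treats the whole value as literal text.
    """
    out = []
    for ch in value:
        if ch in _FILTER_SPECIALS:
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_user_filter_unsafe(username):
    """Vulnerable: the client value is pasted into the filter as-is, so
    metacharacters in it change what the directory is asked for."""
    return "(&(objectClass=person)(uid=%s))" % username


def build_user_filter(username):
    """Hardened: the value is escaped first, so the filter structure is fixed
    and only the literal username is matched."""
    return "(&(objectClass=person)(uid=%s))" % escape_ldap_filter_value(username)


if __name__ == "__main__":
    # Constructed input: a wildcard, which unescaped matches every person entry.
    print(build_user_filter_unsafe("*"))
    print(build_user_filter("*"))
```

Escaping handles filter values; distinguished names (DNs) have their own escaping rules under RFC 4514, so a value that is safe in a filter is not automatically safe in a DN.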
-
XML Injection
- Also known as "SOAP Injection"
- User input is inserted unsafely
- XML metacharacters can be used to modify the structure of the resulting XML document
- Can interfere with application logic
- Performs unauthorized tasks or accesses data
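- Added example, not part of these notes: how unescaped input changes the structure of a generated XML document, and how escaping the metacharacters keeps the structure fixed. The user record layout and the crafted input are constructed for the demonstration; the parser is only fed these constructed strings.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed input: closes the <name> element early and supplies its own <role>.
CRAFTED_NAME = "bob</name><role>admin</role><name>bob"


def build_user_xml_unsafe(name):
    """Vulnerable: the input is placed into the document without escaping."""
    return "<user><name>%s</name><role>user</role></user>" % name


def build_user_xml_safe(name):
    """Hardened: <, > and & in the input become entities, so the input can only
    ever be text content of <name>, never new elements."""
    return "<user><name>%s</name><role>user</role></user>" % escape(name)


def count_roles(doc):
    """Number of <role> children of the root; more than one means the
    structure was altered."""
    return len(ET.fromstring(doc).findall("role"))


def effective_role(doc):
    """The role a naive consumer would read: the first <role> element."""
    return ET.fromstring(doc).findtext("role")


def stored_name(doc):
    """The text content of <name> as a consumer would read it back."""
    return ET.fromstring(doc).findtext("name")


if __name__ == "__main__":
    for build in (build_user_xml_unsafe, build_user_xml_safe):
        doc = build(CRAFTED_NAME)
        print(build.__name__, "-> roles:", count_roles(doc), "first role:", effective_role(doc))
```

Where the application logic reads the first <role>, the unsafe document grants a role the user never had; with escaping, the crafted markup survives only as the literal name string. When parsing XML that comes from outside the application, also disable external entity resolution (for example with the defusedxml package), which is a separate issue from the injection shown here.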
-
Targeted Coding Attacks
- Pointer/object dereference