WEBVTT

00:00.000 --> 00:03.885
>> Vulnerability risk
mitigation part 2.

00:03.885 --> 00:06.690
The learning objectives
for this lesson are to

00:06.690 --> 00:09.720
define the different types of
web vulnerability attacks,

00:09.720 --> 00:12.390
to explore virtual
machine attacks,

00:12.390 --> 00:15.420
and to describe Border
Gateway Protocol (BGP)

00:15.420 --> 00:16.860
or Route Hijacking.

00:16.860 --> 00:19.530
Let's get started. We're going

00:19.530 --> 00:21.675
to start off with web
application attacks.

00:21.675 --> 00:23.070
The first attack we're going to

00:23.070 --> 00:25.260
discuss is the
directory traversal.

00:25.260 --> 00:28.245
This is also known as
file path traversal.

00:28.245 --> 00:30.330
It's a web server vulnerability.

00:30.330 --> 00:32.340
When this vulnerability
is present,

00:32.340 --> 00:34.890
this allows the attacker
to browse files

00:34.890 --> 00:37.540
that are outside of the
web document directory.

00:37.540 --> 00:38.855
This means they
have access to the

00:38.855 --> 00:40.925
operating system
files themselves.

00:40.925 --> 00:42.860
They're able to
read those files,

00:42.860 --> 00:44.030
but they can also write to

00:44.030 --> 00:46.670
those areas of the
operating system and this

00:46.670 --> 00:48.830
allows them to upload
tools that they

00:48.830 --> 00:51.020
can further compromise
the system.

00:51.020 --> 00:52.130
A good example of this is

00:52.130 --> 00:54.230
the Linux /etc/shadow
file could now be

00:54.230 --> 00:56.030
read and then the attacker

00:56.030 --> 00:59.400
could collect the password
hashes from the system.

00:59.600 --> 01:02.690
Cross-site scripting. This is

01:02.690 --> 01:04.370
similar to directory traversal,

01:04.370 --> 01:06.425
but in cross-site scripting,

01:06.425 --> 01:08.210
it manipulates the file paths.

01:08.210 --> 01:10.460
They control how a
web app operates.

01:10.460 --> 01:13.220
A common use for this is
when an attacker will

01:13.220 --> 01:14.780
send malicious code
to the web app

01:14.780 --> 01:16.090
of the visitor's browser.

01:16.090 --> 01:18.830
This is known as reflected
cross-site scripting.

01:18.830 --> 01:21.320
However, stored cross-site
scripting inserts

01:21.320 --> 01:24.070
malicious code into
the web app itself.

01:24.070 --> 01:26.690
Then when the victim visits
then they would receive

01:26.690 --> 01:31.260
the malicious content
from the server directly.

01:31.760 --> 01:34.510
Cross-site Request Forgery.

01:34.510 --> 01:37.220
This is an attack that
causes the victim to

01:37.220 --> 01:38.750
unintentionally make changes to

01:38.750 --> 01:40.300
their own account in a web app.

01:40.300 --> 01:42.230
Because they made these changes,

01:42.230 --> 01:45.050
now the attacker has
access to their account.

01:45.050 --> 01:48.350
A good example of this are
the forgot my password links.

01:48.350 --> 01:50.900
The key to remember is false
information is sent to

01:50.900 --> 01:53.435
the victim on behalf
of the attacker.

01:53.435 --> 01:55.460
This causes the victim
to make changes to

01:55.460 --> 01:57.020
their account and
now the attacker

01:57.020 --> 01:59.280
has access to the account.

01:59.510 --> 02:03.760
XML and XML external
entity injection.

02:03.760 --> 02:06.490
XML is read and then
it's processed.

02:06.490 --> 02:08.920
This can lead to many
types of attacks such as

02:08.920 --> 02:12.320
directory traversal and
code execution attacks.

02:14.000 --> 02:17.644
LDAP injection. This manipulates

02:17.644 --> 02:20.045
LDAP strings to perform
malicious actions.

02:20.045 --> 02:23.125
If we have our LDAP server
improperly configured,

02:23.125 --> 02:26.020
then these strings could be
crafted in a way that allow

02:26.020 --> 02:28.990
an attacker to gain access
to the LDAP directory.

02:28.990 --> 02:30.760
They would be able
to get information

02:30.760 --> 02:32.380
such as all the user accounts,

02:32.380 --> 02:33.610
all the user information,

02:33.610 --> 02:35.110
and also insert information

02:35.110 --> 02:38.060
directly into the
LDAP directory.

02:38.660 --> 02:40.965
SQL injection.

02:40.965 --> 02:44.030
This manipulates SQL
language to gain access to

02:44.030 --> 02:47.570
data in the specifically
targeted database.

02:47.570 --> 02:49.820
It is successful
against web apps

02:49.820 --> 02:51.530
that take user input and

02:51.530 --> 02:53.570
concatenate it to an SQL command

02:53.570 --> 02:56.509
that is executed
against the database.

02:56.509 --> 02:59.240
This would allow for the
extraction of records from

02:59.240 --> 03:01.010
a database or for data to be

03:01.010 --> 03:03.840
directly written
to the database.

03:04.960 --> 03:08.855
This is a good comic from XKCD.

03:08.855 --> 03:12.335
They make all kinds of
comics about all things IT.

03:12.335 --> 03:13.640
But this is a really good one

03:13.640 --> 03:15.050
about why we should sanitize

03:15.050 --> 03:18.600
our data inputs
for SQL injection.

03:22.390 --> 03:25.040
Authentication bypass.

03:25.040 --> 03:27.785
This exploits how
logins are received

03:27.785 --> 03:29.060
and then how they're
processed by

03:29.060 --> 03:30.650
the web application itself.

03:30.650 --> 03:33.125
An example would be
sending an SQL string

03:33.125 --> 03:34.160
rather than the log on

03:34.160 --> 03:36.425
credentials that the
web app is expecting.

03:36.425 --> 03:38.705
A defense against
this would include

03:38.705 --> 03:41.910
input validation and
parameterization.

03:43.070 --> 03:46.010
Command injection. This takes

03:46.010 --> 03:47.720
advantage of the web apps that

03:47.720 --> 03:50.150
bypass operating system APIs

03:50.150 --> 03:52.760
and instead will
spawn command shells.

03:52.760 --> 03:54.515
This allows for
the commands to be

03:54.515 --> 03:56.150
strung together and additional

03:56.150 --> 03:57.800
output given to the attacker

03:57.800 --> 04:00.570
that they wouldn't
normally have access to.

04:01.790 --> 04:05.045
The main defense against this
would be input validation.

04:05.045 --> 04:06.500
I don't know if you're
seeing a pattern here,

04:06.500 --> 04:08.570
but input validation
is a big thing

04:08.570 --> 04:11.670
that would prevent
many types of attacks.

04:11.870 --> 04:15.150
Process injection. As it's

04:15.150 --> 04:17.115
defined by the MITRE
ATT&CK Framework,

04:17.115 --> 04:19.010
this is an attack
where the attacker

04:19.010 --> 04:21.995
injects code into a
currently running process.

04:21.995 --> 04:24.260
They do this to help
evade detection,

04:24.260 --> 04:26.240
but it also could
be a prelude to

04:26.240 --> 04:31.905
privilege escalation.
Sandbox escape.

04:31.905 --> 04:34.880
This occurs in web
browsers when the code

04:34.880 --> 04:36.590
escapes the safety of

04:36.590 --> 04:38.690
the sandbox that's built
into the web browser,

04:38.690 --> 04:41.600
and then the code executes
outside of the sandbox.

04:41.600 --> 04:43.160
Defenses for this would be

04:43.160 --> 04:44.750
keeping your browser up-to-date,

04:44.750 --> 04:47.315
limiting the browser
add-ons you install,

04:47.315 --> 04:50.270
because many of them could
be malicious themselves,

04:50.270 --> 04:51.650
and then also making
sure you're not

04:51.650 --> 04:54.110
going to sketchy parts
of the Internet.

04:55.610 --> 04:58.170
Virtual machine attacks.

04:58.170 --> 04:59.765
The first one we're
going to go over

04:59.765 --> 05:01.685
is virtual machine hopping,

05:01.685 --> 05:03.290
or also known as escaping.

05:03.290 --> 05:06.740
This is an attack against
the hypervisor itself and it

05:06.740 --> 05:09.950
allows the attacker to move
from one VM to another.

05:09.950 --> 05:12.830
They've already managed
to gain access to

05:12.830 --> 05:14.060
one VM running on

05:14.060 --> 05:16.430
the hypervisor and they want
to get over to another.

05:16.430 --> 05:19.715
This attack allows them to
jump from one to the other.

05:19.715 --> 05:21.680
Defenses for this
would be keeping

05:21.680 --> 05:23.960
your VMs patched and
fully up-to-date.

05:23.960 --> 05:26.615
Also making sure your
hypervisor is updated.

05:26.615 --> 05:28.730
You can also use
logical isolation of

05:28.730 --> 05:31.740
the VMs and then
resource limits.

05:33.110 --> 05:36.765
Network attacks. VLAN hopping.

05:36.765 --> 05:38.840
This allows an attacker to move

05:38.840 --> 05:41.435
between isolated
networks or VLANs.

05:41.435 --> 05:44.810
It usually happens when
we spoof a switch in a

05:44.810 --> 05:46.520
switched environment and allows

05:46.520 --> 05:48.845
us to move from one
VLAN to another.

05:48.845 --> 05:51.925
Another type of attack is
called double tagging.

05:51.925 --> 05:54.440
This is where trunking is
taken advantage of so that

05:54.440 --> 05:57.035
we can gain access
to all VLAN traffic.

05:57.035 --> 05:58.580
Defenses against both of these

05:58.580 --> 06:00.850
include changing your
default VLAN IDs,

06:00.850 --> 06:02.795
never leave default settings,

06:02.795 --> 06:04.850
and also the user
devices should not

06:04.850 --> 06:07.770
be connected to the native VLAN.

06:09.400 --> 06:13.710
Border Gateway Protocol,
BGP or route hijacking.

06:13.710 --> 06:16.605
BGP is the routing
protocol of the Internet.

06:16.605 --> 06:18.350
It was created back in the day

06:18.350 --> 06:20.360
when security wasn't
a consideration.

06:20.360 --> 06:21.980
Because of that, it depends

06:21.980 --> 06:23.795
on the interconnected networks

06:23.795 --> 06:25.400
to all truthfully and

06:25.400 --> 06:27.845
accurately help maintain
the routing tables.

06:27.845 --> 06:30.470
Defenses against these
types of attacks include

06:30.470 --> 06:32.660
IP prefix filtering and also

06:32.660 --> 06:36.300
monitoring traffic for
abnormal behavior.

06:36.520 --> 06:38.870
Now, instructor side note,

06:38.870 --> 06:41.060
BGP hijacking is a big deal.

06:41.060 --> 06:44.645
From 2015-2017, China diverted

06:44.645 --> 06:47.660
all US domestic Internet
communications and routed it

06:47.660 --> 06:49.100
through China before it went

06:49.100 --> 06:51.040
onto their proper destinations.

06:51.040 --> 06:53.075
Then again in 2019,

06:53.075 --> 06:54.620
China diverted a large amount of

06:54.620 --> 06:57.860
the European data for a
period of up to two hours.

06:57.860 --> 07:01.310
In 1998, the hacker
group L0pht testified to

07:01.310 --> 07:02.810
Congress that they
could take down

07:02.810 --> 07:05.300
the Internet in less than
30 minutes using BGP.

07:05.300 --> 07:07.130
This is one of those
protocols that

07:07.130 --> 07:09.800
we have really no good way

07:09.800 --> 07:11.990
of defending against
because security

07:11.990 --> 07:14.645
was never built into
it from the beginning.

07:14.645 --> 07:16.205
Just keep a note of this,

07:16.205 --> 07:18.470
that BGP hijacking
is a big deal.

07:18.470 --> 07:23.370
It has huge and
wide-ranging ramifications.

07:24.560 --> 07:26.590
Then, finally,
let's go over some

07:26.590 --> 07:28.490
other types of attacks.

07:28.490 --> 07:30.670
Interception attacks.

07:30.670 --> 07:34.405
These are any unauthorized
access to network traffic.

07:34.405 --> 07:36.940
Defenses for these would
be access controls,

07:36.940 --> 07:38.905
but also traffic encryption.

07:38.905 --> 07:40.630
Denial-of-service, or

07:40.630 --> 07:42.875
distributed
denial-of-service attacks.

07:42.875 --> 07:47.260
These are attacks against the
availability of a website

07:47.260 --> 07:49.210
or a service by
sending too much data

07:49.210 --> 07:51.400
to it for that
service to process.

07:51.400 --> 07:53.020
Defenses include using

07:53.020 --> 07:56.050
DDoS mitigation services
like Cloudflare.

07:56.050 --> 07:58.180
Also social engineering.

07:58.180 --> 08:00.310
This is using human
nature against

08:00.310 --> 08:02.740
users by using their
emotions such as fear

08:02.740 --> 08:04.450
or their need to be helpful

08:04.450 --> 08:07.510
to get them to do things that
they wouldn't normally do.

08:07.510 --> 08:10.300
Defenses include training,
and also limiting user

08:10.300 --> 08:13.050
access to unnecessary
services or data.

08:13.050 --> 08:14.710
If they don't need to
have access to it,

08:14.710 --> 08:17.270
we shouldn't give
them access to it.

08:19.070 --> 08:22.120
Let's summarize. We discussed

08:22.120 --> 08:24.070
common web application attacks.

08:24.070 --> 08:26.170
We also went over virtual
machine attacks and

08:26.170 --> 08:27.970
VLAN hopping and then we also

08:27.970 --> 08:30.220
discussed BGP or
route hijacking.

08:30.220 --> 08:32.840
Let's do some example questions.

08:32.990 --> 08:36.310
Question 1. This is
an attack against

08:36.310 --> 08:40.580
a hypervisor in order to
move from one VM to another.

08:40.850 --> 08:45.375
VM hopping. Question 2.

08:45.375 --> 08:47.560
This protocol is the
routing protocol of

08:47.560 --> 08:50.900
the Internet and wasn't
designed with security in mind.

08:51.050 --> 08:55.850
Border Gateway
Protocol. Question 3.

08:55.850 --> 08:57.410
This is considered one of the

08:57.410 --> 08:58.970
hardest attack types to defend

08:58.970 --> 09:02.995
against as it uses human
nature against users.

09:02.995 --> 09:07.155
Social engineering.
Finally, question 4.

09:07.155 --> 09:10.520
This type of attack manipulates
data inputs to a database

09:10.520 --> 09:14.940
to either retrieve protected
data or bypass permissions.

09:15.280 --> 09:17.600
SQL Injection.

09:17.600 --> 09:19.040
I hope this lesson was helpful

09:19.040 --> 09:21.480
for you, and I'll see
you in the next one.

