---
- title: Java Exploits and Cybersecurity
- author: david
- categories: [Lab Notebook]
- tags: [Java]
- type: tangibles
- week: 17
- description: Lesson on Java exploits and cybersecurity.
- toc: True
- comments: True
- date: 2023-12-18 12:00:00 +0000
- pin: true
---

## HTTP vs HTTPS Sites
> These are the two types of sites, HTTP being insecure and HTTPS being secure.

There are two types of sites, HTTP and HTTPS sites. One is obviously more secure than the other but why and how exactly is it more secure? The following sections will give an overview of this.

**Popcorn Hack:** Why is HTTPS more secure than HTTPS?

### HTTP
In this case we are looking at posting passwords without encryption. Going to [vulnweb.com](http://testphp.vulnweb.com/login.php), a common test site for web attacks, we can test and see how not securing data can be dangerous. Keep in mind that this is highly illegal to do on public networks.

We use a network scanner to track information between the internet and the user's device. This basically intercepts all CRUD operations and payloads sent between a website server and user. In this example we enter test data in to the username and password inputs:

![image](https://github.com/CSA-Tri-2/CSA-Tri-2/assets/111480448/2d6bd935-79fe-4178-a6b7-7d6292892b8a)

It looks like everything is secure to the user, the password is blurred from your general view and the website seems slightly trustworthy. This is however very far from the truth, especially when we begin using the network scanner to see the traffic.

![image](https://github.com/CSA-Tri-2/CSA-Tri-2/assets/111480448/0b71ae66-63fe-4864-aa50-d9ecd96723d6)

Here we see something that we are all familiar with, a POST. When we open the contents of this post, we can see the following:

![image](https://github.com/CSA-Tri-2/CSA-Tri-2/assets/111480448/b8e1ec9f-850f-4d6b-b6ab-a8af9528ac3d)

We can very clearly see the password that was inputted in the password field of the website. This is a very clear reason why you should never store your passwords without the use of JWTs. 

### HTTPS
If I, for example, log into MyPlan, we can see an entirely different story:

![image](https://github.com/CSA-Tri-2/CSA-Tri-2/assets/111480448/7215c1d2-96dc-4e5e-b1b7-da0e47a4de29)

Here we see no POST, mainly because we are using something called TCP and TLS handshakes, which create an encrypted connection between the user and backend server.

## TCP and TLS
> Describing the encryption and communication protocols between servers for secure data.

![](https://cf-assets.www.cloudflare.com/slt3lc6tev37/5aYOr5erfyNBq20X5djTco/3c859532c91f25d961b2884bf521c1eb/tls-ssl-handshake.png)

### TCP Three-Way Handshake
> The step process of connecting to the server securely.

![tcp](https://github.com/CSA-Tri-2/CSA-Tri-2/assets/111480448/376fa2f2-b050-4445-8e36-238c0992ec6b)

1. SYN (synchronize) - initiates connection
    - sends ISN (initial sequence number) that is used to identify the following bytes of data
2. SYN-ACK (synchronize-acknowledge) - acknowledgement of connection
    - sends it's own ISN and the client's ISN, confirming a connection
3. ACK (acknowledge) - completing the connection
    - indicates that it knows the server's ISN

The server is now ready for a TLS connection.

### TLS Handshake
> This is where the encrypted data is transferred between the client and server. This exchange varies on the version of TLS that is used, however they all have a similar series of steps.

![tls](https://github.com/CSA-Tri-2/CSA-Tri-2/assets/111480448/abc686bd-4350-4e45-8dfc-3916abe26412)

1. Client Hello - begins connection
    - send the TLS version that is supported, agreeing on a method of communication
    - provides the supported cipher suites, deciding on method of encryption
    - creates and sends string of random bytes used to create entropy in creating the pre-master secret
2. Server Hello - server response confirming connection
    - selects the highest supported TLS version, creating compatibility
    - selects a compatible cipher suite
    - creates another random string of bytes contributing to the creation of the pre-master secret
3. Authentication - SSL certificate
    - server sends the SSL certificate for client to read
4. Pre-Master Secret - shared secret between client and server
    - used to make session keys for safe transmission of data
    - this makes sure that only the server can access any dat transmitted
5. Session Keys - common set of keys
    - used to decrypt any information sent between client and server
6. Finished Message - finishes setting up encryption
    - the client and server can now send and receive encrypted data

The server and client can now exchange information with a smaller risk than without encryption.

**Note:** Encryption is not 100% safe. TLS 1.2 has been recently replaced with TLS 1.3, due to RSA being deemed insecure when compared to DH (Diffie-Hellman) and ECDH (elliptical curve variant). This is because RSA is relatively shorter in length and with the advance of quantum computing is easier to decrypt. You can learn more about this [here](https://www.cloudflare.com/learning/ssl/keyless-ssl/).

## Other Exploits
> These are some exploits that may be used through the browser to not only steal information through packet sniffing but also download malicious content that can gather sensitive data.

### Phishing
> This is another way that hackers can more directly steal information.

Moving away from browser exploits, this is another common tool that is extremely easy to replicate with the right knowledge. Websites that mask themselves as other websites usually catch people that don't pay much attention to what they click. It is extremely easy to create such sites that are port-forwarded through local nginx servers, capturing data that unsuspecting visitors may enter. These sites usually use simple POST actions to transmit the data to the server, making these sites once more dangerous to access. Here are a few examples of what they might look like:

![image](https://github.com/CSA-Tri-2/CSA-Tri-2/assets/111480448/3fb5213e-0662-4647-a8c5-5a29aba47840)

![image](https://github.com/CSA-Tri-2/CSA-Tri-2/assets/111480448/07b3acbb-b9a6-4874-bdf8-5a0fce672087)

Through social engineering, emails and websites can lead you to enter credentials or even download malicious content.

### Keylogging
> This can be a local way that hackers steal password and sensitive information.

Although this cannot be directly done within a browser because of sandboxing, which limits the access which one has to the rest of the computer. Hackers can easily bypass this by using phishing to catch unsuspecting people. These programs can disguise them as default applications within the computer, making it hard to detect them without an antivirus program.

Popcorn Hack: What would the expected behavior be from opening the Windows recycle bin?

## What is XSS?
XSS (Cross Site Scripting) is a security vunerability.

**OCCURS WHEN** an attacker injects malicious scripts into web pages that are viewed by other users.

The scripts can be executed in the context of a user's browser, leading to potential harm:
1. Stealing sensitive information
2. Session hijacking
3. Defacing websites

A term needed to know to understand XSS is **payload**: A "payload" refers to the malicious code or set of instructions that an perpetrator (attacker) delivers to a target system to achieve a specific objective, ex. stealing information from others.

**Popcorn hack:**
What are two other possible harms of XSS?

## 3 Main Types of XSS:

### **Stored XSS:**
**General Definition**: Occurs when the malicious script is permanently stored on the target server and served to users whenever they access the compromised page.

![image](https://www.imperva.com/learn/wp-content/uploads/sites/13/2019/01/sorted-XSS.png)

**Steps based on the diagram:**
1. *Perpetrator Discovers Vulnerability:*
    - Description: The attacker, known as the perpetrator, identifies a website that has a security vulnerability, often related to inadequate input validation or output encoding.
    - Objective: The goal is to find a weakness that allows the injection of malicious scripts into the web application.
2. *Injection of Malicious Script:*
    - Description: The perpetrator injects a malicious script into the vulnerable website. This script is designed to execute specific actions when loaded by visitors' browsers.
    - Objective: The injected script is crafted to steal sensitive information, commonly session cookies, from users who visit the compromised page.
3. *Activation of Malicious Script:*
    - Description: Whenever a visitor accesses the perpetrated website, the injected malicious script is activated within their browser.
    - Objective: The script executes in the context of the user's session, enabling the attacker to carry out actions on behalf of the user or extract sensitive information.
4. *Sending Stolen Session Cookies:*
    - Description: The malicious script, now activated during each visitor's session, collects the session cookies of the users.
    - Objective: The stolen session cookies are sent back to the perpetrator, who can then use these cookies to impersonate the users, gaining unauthorized access to their accounts.

**Example:** An attacker discovers that a website allows user-generated content without proper input validation. They inject a script into a comment section, and whenever other users view that comment, the malicious script executes in their browsers, stealing their session cookies. The attacker then uses these stolen session cookies to log in as the compromised users.

### **Reflected XSS:**
**General Definition:** The injected script is part of the user's request and reflected back to the user, often via a crafted link. Unlike a Stored XSS, it doesn't exist on the target server, rather it exists in the malicious link.

![image](https://media.geeksforgeeks.org/wp-content/uploads/20210706191745/tuxpicom1625579254-660x373.jpg)

**Steps based on the diagram:**
1. *Perpetrator Sends Malicious Links:*
    - Description: The attacker, known as the perpetrator, sends crafted and malicious links to potential victims.
    - Objective: The links contain specially crafted payloads, often in the form of parameters in the URL, that exploit vulnerabilities on the targeted website.
2. *User Clicks the Link and Execution in the Browser:*
    - Description: A user receives the malicious link and clicks on it.
    - Objective: The payload embedded in the link is executed within the user's browser, exploiting the vulnerability on the target website.
3. *Browser Sends Private Data to the Attacker:*
    - Description: As a result of the executed payload, the user's browser performs actions on the targeted website, often unintentionally.
    - Objective: The payload may include code that steals sensitive information, such as session cookies or other private data, from the user's session.

**Example:** An attacker discovers a website with a search feature that reflects the user's input in the URL without proper validation. The attacker sends a crafted link to a user, and when the user clicks it, the payload in the URL is reflected back by the website. This payload includes a script that steals the user's session cookie and sends it to the attacker.

### **DOM-based XSS:**
**General Definition**: DOM-based Cross-Site Scripting (DOM-based XSS) is a type of Cross-Site Scripting attack where the vulnerability is located in the Document Object Model (DOM) of a web page. Unlike traditional XSS attacks, where the malicious payload is inserted into the HTML content, DOM-based XSS occurs in the client-side script itself. 

![img](https://www.researchgate.net/publication/348065719/figure/fig7/AS:974893847937024@1609444214143/DOM-based-XSS-Attack-Model.png)

**Steps based on diagram:**
1. *Attacker Crafts a Malicious URL:*
    - Description: The attacker creates a specially crafted URL containing a malicious payload, typically in the fragment part of the URL (e.g., after the # symbol).
    - Objective: The goal is to inject malicious JavaScript code into the victim's browser.
2. *User Opens the Link:*
    - Description: The attacker tricks the user into opening the malicious link, causing the victim's browser to make a request to the targeted website with the malicious payload.
    - Objective: The user's action initiates the process of loading the targeted website.
3. *Website Receives the Request:*
    - Description: The targeted website receives the user's request, including the malicious payload in the URL fragment.
    - Objective: Despite receiving the payload, the website does not directly include it in the response to the user.
4. *Legitimate Script Execution:*
    - Description: The website processes the request and sends a response to the user's browser. The response may include legitimate client-side scripts.
    - Objective: The user's browser executes the legitimate scripts included in the response, causing the page to render as intended.
5. *Execution of Malicious Script:*
    - Description: During the legitimate script execution, the browser processes the malicious payload included in the page, leading to the execution of the attacker's injected script.
    - Objective: The attacker's script is executed in the context of the user's session, allowing it to perform malicious actions, such as stealing sensitive information.
6. *Sensitive Information Sent to Attacker:*
    - Description: The executed malicious script carries out actions, such as stealing user-sensitive information (ex. session cookies), which is then sent to the attacker's server.
    - Objective: The attacker gains unauthorized access to the victim's information, potentially leading to further exploitation.


**Popcorn Hack:**
Provide an example of DOM-based XSS...

**Example:**