***
< [Home](https://github.com/SeanOhAileasa) | [README](https://github.com/SeanOhAileasa/syp-attacks-threats-and-vulnerabilities/blob/main/README.md) >

## CompTIA Security+ - Course Material 2022
###### Topic: ``Other Application Attacks``
***

Course material for the ``CompTIA Security+`` module of the ``ICT Associate Apprenticeship (Cybersecurity)`` programme.

<a id="top"></a>
***
## Table of Contents
***

### [Other Application Attacks](#a) <br/><br/>

- [Vulnerability - Memory](#b) <br/><br/>
    - [Memory Leak](#c) <br/><br/>
        - [DoS](#c) <br/><br/>
    - [NULL Pointer Dereference](#d) <br/><br/>
        - [DoS](#d) <br/><br/>
    - [Overflow](#e) <br/><br/>
    - [Directory Traversal](#f) <br/><br/>
- [Improper](#g) <br/><br/>
    - [Error Handling](#g) <br/><br/>
    - [Input Handling](#h) <br/><br/>
- [API Attack](#i) <br/><br/>
- [Resource Exhaustion](#j) <br/><br/>
    - [DoS](#j) <br/><br/>
        - [ZIP Bomb](#k) <br/><br/>
        - [DHCP Starvation](#l) 
<hr width=50%;>

***
## END

< [Table of Contents](#top) | [References](#references) >
<a id="a"></a>
***
### Other Application Attacks
***

< [Table of Contents](#top) | [References](#references) >
<a id="b"></a>
***
###### Vulnerability - Memory
***

If an attacker can manipulate the memory of a device, then they can control it to do almost anything, however, finding a vulnerability in memory and being able to manipulate it in a way that gives you that advantage can be very difficult.

< [Table of Contents](#top) | [References](#references) >
<a id="c"></a>
***
###### Memory Leak
***

One type of memory vulnerability that often ends with the system crashing or the application failing is a memory leak. 

In a normal application, memory is allocated for storage or for calculations and when that memory is no longer in use it’s returned back to the system. 

With a memory leak, that memory is never returned back to the system and the application continues to use more and more and more memory until eventually it uses all of the available memory, and ultimately that crashes either the application or the operating system it’s running on.

If an attacker is looking for a way to create a denial of service to bring down a system, a memory leak would be a very good choice. 

< [Table of Contents](#top) | [References](#references) >
<a id="d"></a>
***
###### NULL Pointer Dereference
***

When applications are using memory, they’re storing information into a section of that memory and then when they want to reference that information again, they simply point to that area of memory - if an attacker can make an application point to a ``NULL`` section of memory where nothing exists rather than the part of memory where the application data might exist, that’s called a ``NULL Pointer Dereference``.

If you’re pointing to nothing in memory, it very commonly causes the application to crash - they’ll probably be debug information on the screen and this could cause the denial of service the attacker has been hoping for.

< [Table of Contents](#top) | [References](#references) >
<a id="e"></a>
***
###### Overflow
***

Another way that attackers like to manipulate memory is with an overflow. 

An integer overflow is where a large number might be placed into a smaller section of memory, which means that that extra space has to go somewhere, and usually it goes into an area of memory that’s overflowed. 

Applications should not work in this way - application developers should make sure they’re not storing information into smaller areas and causing some of that information to overflow into other parts of memory. 

It’s very difficult to find an integer overflow situation like this that is something that is repeatable by an attacker, but if an attacker can find an overflow that can be duplicated and it’s one that allows them to manipulate the system in a way that’s advantageous to them, this makes for a very powerful attack.

< [Table of Contents](#top) | [References](#references) >
<a id="f"></a>
***
###### Directory Traversal
***

Another vulnerability that might give a way for attackers to move around your file system is a directory traversal attack - this allows attackers to read from different parts of a server, even areas of a server where normally they should not have access. 

In this particular drive - running a web server on this - the lighter color are the folders that are used in that web server. 

![image.png](attachment:image.png)

People who are accessing the web server should not have access to these other folders that are on this system - folders like the ``WINDOWS`` operating system folder, for example.

But there are vulnerabilities that you can find, for example, in certain versions of web server that might allow people to browse outside the scope of the web server software or there might be vulnerabilities in the software that you’re running on that web server that would allow attackers to move outside the scope of the web server file system.

Sometimes a web server misconfiguration might allow an attacker to use the ``../../`` be able to move backwards through the file system.

In this particular case, there’s a web server and they’re trying to access ``show.asp`` which would be in the root of this particular web server - then they’re moving backwards through the file system twice (via ``../../``), so they would move up to the ``Inetpub``, and then finally the root of the entire C drive - then they’re going to access the ``WINDOWS`` folder and view the ``system.ini`` file. 

![image.png](attachment:image.png)

By using this type of directory traversal, they were able to break out of the web server and view files that were in the ``WINDOWS`` folder.

< [Table of Contents](#top) | [References](#references) >
<a id="g"></a>
***
###### Improper Error Handling
***

We all know that eventually the systems that we’re using are going to have some type of error associated with them.

It might be in the operating system or the application or some other component of what’s running on that device. When that error occurs, there’s probably going to be messages on the screen - these messages might have information about the error, might have a code associated with it, and it may show a little too much information about the underlying system it’s running on.

Should make sure that your error messages are showing just enough information so that people understand what the error might be and they might be able to report that to someone else but you want to be sure to avoid information, such as the network you’re connected to, maybe a dump of memory or stack traces or even database dumps - if you’re showing that as part of an error message, an attacker may be able to use those details to learn more about the underlying system. 

Fortunately, this is a relatively easy issue to fix as long as you have control of the development process for that application.

< [Table of Contents](#top) | [References](#references) >
<a id="h"></a>
***
###### Improper Input Handling
***

All applications we’re using will have some type of input - may have to put in usernames or passwords or we may have to input information into a spreadsheet or a word processing document. 

The data that’s being input by the users is going to be evaluated and acted on by the application, so the application developers need to make sure that the data that’s being input is not malicious or trying to circumvent any security mechanisms within the system itself.

For example, having a very specific string of input into a field might allow someone access to an entire database of information or it might cause a denial of service (SQL Injections - Buffer Overflows) and cause the application or the operating system to fail completely. 

It may be difficult for attackers to find these instances where this type of input might cause these issues, but as soon as they’re able to identify that in a vulnerable application they will take advantage of it.

< [Table of Contents](#top) | [References](#references) >
<a id="i"></a>
***
###### API Attack
***

When an attacker tries to manipulate the application programming interface of an application, that’s considered an API attack - they’re trying to manipulate that API so that they can gain additional access or gain access to data that would not normally be available to them and in some cases, they can manipulate the API to bring down the application or the system, creating a denial of service. 

In a traditional application that we would run from our browser, we would have an ``HTTP`` ``GET`` command - this might be a very complex ``GET`` command that’s sent to the web server. 

The web server interprets that command, sends information on the backend to the database that is then going to respond, and the web server will give us an ``HTTP`` response.

![image.png](attachment:image.png)

An API based application is usually something running from a mobile phone, for example and instead of sending an ``HTTP`` ``GET``, there will be many, many different application programming interface requests being sent to the server. 

The server is going to perform similar functions on the back end to talk to the database server, and then the responses to those API requests are going to be a series of API responses which will be interpreted by the application running on the mobile device.

![image.png](attachment:image.png)

< [Table of Contents](#top) | [References](#references) >
<a id="j"></a>
***
###### Resource Exhaustion - DoS
***

A resource exhaustion is a denial of service attack that can often be done by a single device over low bandwidths. 

It’s a type of attack that uses up the available resources on a device so that the application or the service that’s being used by it is no longer accessible by others. 

< [Table of Contents](#top) | [References](#references) >
<a id="k"></a>
***
###### ZIP Bomb
***

Here is a historically well known resource exhaustion. It’s a zip bomb. It is a very small zip file which is a compressed file, a 42 kilobytes in size, which is very, very small but if you were to uncompress this file, it would uncompress to a 4.5 petabyte, that’s 4,500 terabytes, file size - can imagine unzipping this on a traditional computer - it would very quickly use all available storage space.

This is such a well-known resource exhaustion that most antivirus software will immediately identify this and prevent it from running. 

< [Table of Contents](#top) | [References](#references) >
<a id="l"></a>
***
###### DHCP Starvation
***

A network based resource exhaustion would be a DHCP starvation where an attacker is starting to flood a network with what seems to be many new devices hitting the network that will need IP address requests.

The attackers usually running from a single device, but is sending these requests with multiple MAC addresses to make it seem as if there are many, many machines on the network and it will very quickly use up all of the available IP addresses that might be inside the DHCP pool - this means that anyone else who tries to connect to this network will not receive an IP address because they have all been used by this resource exhaustion. 

There are configurations that can be made to switch that can limit the number of requests made for DHCP addresses and that might limit the scope or at least the time frame that somebody might have to be able to perform a DHCP starvation.

***
## END

< [Table of Contents](#top) >
<a id="references"></a>
***
## References
***

J. "Professor" Messer, "CompTIA Security+ (SY0-601) Course Notes," [professormesser.com](https://web.archive.org/web/20220521181010/https://www.professormesser.com/security-plus/sy0-601/sy0-601-video/sy0-601-comptia-security-plus-course/), September 2021.

***
## END

< [Table of Contents](#top) | [References](#references) >
<a id="appendix"></a>
***
## Appendix
***

***
## END

In [1]:
from IPython.core.display import display,HTML
display(HTML("<style>.container { width:100% !important; }</style>"))

# END JUPYTER NOTEBOOK