[CERTMaster]

SYN flood attack -cause resource exhaustion on the host's processing requests, consuming CPU cycles, and memory. This delays the processing of legitimate traffic and could potentially crash the host system completely
A DoS attack causes a service at a given host to fail or to become unavailable to legitimate users. DoS attacks focus on overloading a service by using up CPU, system RAM, disk space, or network bandwidth (resource exhaustion).
A more powerful TCP SYN flood attack is a DRDoS or amplification attack, where the adversary spoofs the victim's IP address and attempts to open connections with multiple servers.
Packet filtering is a Layer 3 firewall technology that compares packet headers against ACLs to determine which network traffic to accept.
Memory leaks in the OS kernel are extremely serious. A memory leak may itself be a sign of a malicious or corrupted process.
DLL injection is not a vulnerability, but of the way the operating system allows one process to attach to another, and then force it to load a malicious link library.
If the pointer that references an object at a memory location was set to a null value by a malicious process, then this can create a null pointer exception, causing instability and crashes.
- A pointer is a reference to an object in memory. Attempting to access that memory address is called dereferencing. An integer is a positive or negative whole number.
Race conditions occur when the outcome from execution processes is dependent on the order and timing of certain events, and those events fail to execute in the order and timing intended. A TOCTTOU vulnerability will take advantage of this timing to modify data before finally using it; occurs when multiple threads are attempting to write at the same memory location. Attackers have used race conditions as an anti-virus evasion technique. An integer is a positive or negative whole number.
Refactoring means the code performs the same function by using different methods. Refactoring means that the antivirus software may no longer identify the malware by its signature.
A race condition is a software vulnerability that occurs when the execution processes are dependent on the timing of certain events, and those events fail to execute in the order and timing intended.
Overflow - Many improper input handling attacks, described as an overflow type, occurs when the attacker submits input that is larger than the variables assigned by the application to store.
- To exploit a buffer overflow vulnerability, the attacker passes data that deliberately overfills the buffer (an area of memory) that the application reserves to store the expected data.
- An integer overflow attack causes the target software to calculate a value that exceeds the upper and lower bounds.
Injection - Many improper input handling attacks, described as an injection type, occurs when the attacker embeds code within the input or appends code to it that executes when the server processes the submission.
- Command Injection
- SQL Injection attack inserts an SQL query as part of user input, which allows an attacker to extract or insert information into the database or execute arbitrary code
Secure socket layer (SSL) stripping is an On-path attack using ARP poisoning that redirects clients to an HTTPS site in an unsafe way when attempting an HTTP connection.
A birthday attack is a type of brute force attack aimed at exploiting collisions in hash functions. This type of attack can forge a digital signature.
A downgrade attack facilitates a Man-in-the-Middle (MitM) attack by requesting that the server use a lower specification protocol with weaker ciphers and key lengths.

Dynamic Link Library Injection (DLL) is a software vulnerability that can occur when a Windows-based application attempts to force another running application to load a dynamic-link library (DLL) in memory, that could cause the victim application to experience instability or leak sensitive information.
Directory traversal is an application attack that allows access to commands, files, and directories that may or may not be connected to the web document root directory.
XML injection is fundamentally the same thing but targeted against web servers using XML applications rather than SQL.
Clickjacking occurs when the attacker inserts an invisible layer into a trusted web page that can intercept or redirect input without the user realizing it.
Application programming interface (API) intrusion occurs when an attacker takes advantage of unsecure communication with application services to perform denial of service attacks using multiple API calls, for example.
A resource exhaustion attack overloads resources like CPU time, memory, or disk capacity using distributed denial of service (DDoS) requests.

Pass-the-hash-attack occurs when the attacker steals hashed credentials and uses them to authenticate to the network. Using once-only session tokens or timestamping sessions prevents this type of attack.
replay attack consists of intercepting a key or password hash, then reusing it to gain access to a resource. Using once-only session tokens or timestamping sessions prevents this type of attack.
Key Discovery - API calls use keys, made up of alphanumeric characters, to authorize requests to the web application. These keys are exposed over an unsecure connection such as HTTP. An attacker can use the key to perform other API calls.
Improper error handling - Default application settings may expose more information than necessary when errors occur. Exposing such information over an HTTP connection may provide insight of the environment to the attacker.
Denial of Service (DoS) can occur when the application is bombarded with spurious calls. Reconfiguring default web settings to throttle or limit calls can prevent this.
A command injection attack runs OS shell commands from the browser and allows commands to operate outside of the server's directory root, allowing commands to run as the web "guest" user.
Shimming is when an attacker uses a code library or database to intercept and redirect calls to enable legacy mode functionality on a system in order to misuse.
- A shim is a code library that intercepts and redirects calls to enable legacy mode on a system. The shim database represents a way that malware with local administrator privileges can run on reboot (persistence).

Server Side Request forgery (SSRF) abuses the functionality and services of backend servers to read and update internal resources. This can expose, for example, database information, even without an authenticated session; causes the server application to process an arbitrary request that targets another service, either on the same host or another.
A client-side (or cross-site) request forgery is an attack that forces a user to execute unwanted actions to a web server that the user is currently authenticated to.
Cross-site request forgery (XSRF) is a malicious script hosted on the attacker's site that can exploit a session started on another site in the same browser. This is successful if the server does not check if the user actually made the request.
Cross-Site Scripting (XSS) is a malicious script hosted on the attacker's site or coded in a link injected onto a trusted site designed to compromise clients browsing the trusted site.
- Reflected Cross-Site Scripting (XSS) is a server-side input validation exploit that injects a script into a website. Once the victim visits the infected website, the malicious code executes in the user's browser.
- Stored (or persistent) Cross-Site Scripting (XSS) is a server-side script attack that inserts code into a back-end database used by the trusted site.
- Document Object Model (DOM) Cross-Site Scripting (XSS) exploits vulnerabilities in client-side scripts to modify the content and layout of a web page.

A lightweight directory access protocol (LDAP) injection occurs when an attacker exploits a client’s unauthenticated access to submit LDAP queries that could create or delete accounts, even change authorizations and privileges. LDAP uses port 389.

[CLC website]

Application and Service Attacks:

Zero Day attacks
Spoofing
DoS and DDoS attacks
Man-In-The-Middle attacks
ARP Poisoning
Buffer Overflow Attacks
Injection Attacks
Priveledge Escalation
Reflection and Amplification
DNS poisoning
Domain Hijacking
Man-in-the-browser
Cross-site Scripting and Request Forgery
Replay Attacks
Pass the Hash Attacks

Next up

Previous

1.7 Techniques used in security assessments

Description