TU Wien:Internet Security VU (Weippl)/Prüfung 2017-11-20
Gruppe: A[Bearbeiten | Quelltext bearbeiten]
17 Fragen mit insgesamt 75 Punkten und 75 min Zeit.
- Besides the simple SQL injection methods, in the lecture we discussed Blind SQL Injection. Briefly explain what it is /how it works and give a practical example fo where such a vulnerability might occur in practice.
- Look at the following PHP web application (Beispielcode ähnlich zur letzten Prüfung)... What kind of vulnerability is present in the code? How can this vulnerability be exploited? How can this vulnerability be fixed? Explain your answers.
- What is parameter injection and how can it be prevented? Provide an example for a parameter injection vulnerability and show how the vulnerability can be avoided.
- Cookie/session stealing: Your friend tells you that he always enrypts the session coockie of a web application if the cookie is being sent over an insecure connection. He says he does not want someone to capture the cookie by sniffing. Does this make the web application safer against sniffing attacks? Explain your answer. Give one way of making cookie stealing/using much more difficult for an attacker.
- What is a side channel attack? Give two examples with different side channels and explain them briefly. (Hier wirs im Speziellen auf alles was mit Hardware zu tun hat angespielt wie z.B. Analysiere der PC Hardware mit einem Mikrofon, Messung des Stromverbrauches bei bestimmten Prozessen,...)
- Why is embedded security more challenging than security analysis on PC based environments?
- Name three Software Testing Techniques and describe the main differences.
- What are the main differences when portscanning TCP and UDP
- Many compiler optimizations have been formally proven to be functional equivalent. However, they are not always security equivalent. Describe and explain a scenario, where compiler optimizations can counteract security measures in the source code. (Hier wird z.B. darauf angespielt wenn man ein Programm in C schreibt und ein Passwort manuell mit Zufallswerten überschreibt, dass eventuell der Compiler dieses manuelle überschreiben "wegschneidet" da dies nicht weiter im Programm gebraucht wird)
- How can an attacker circument or rewrite program security with the LD_Preload technique.
- What problems can arise from using Electronic Code Book (ECB) as your mode-of-operation for a block chipher? Quickly describe ECB and name at least two problems of this mode. (Note: It is assumed that you use ECB in combination with a secure Block chipher (e.g. AES) and one sufficiently long random secret key which was securely shared between all your trusted communication partners.)
12. Name all four cryptograpic goals and quickly state from what kind of attack the protect.
- Data confidentiality - only authorized persons should be able to read the data
- Data integrity - the data must not be modified
- Authencity of the sender - verification of the sender
- Irrevocability of the sender - authorship should not be deniable
- (perfec) forward secrecy - (P)FS - past sessions are protected against future compromise
13. Name the three categories in which cryptograpic primitives can be classified. Name at least one example for each category.
- one-way hash function: for saving senstive data in a database (e.g. hashes of passwords)
- symmetric key cryptography: encoding and decoding of a message with the same key (e.g. AES)
- asymmetric key cryptography: encoding and decoding messages with different keys (e.g. RSA)
- digital Signatures: confirming the author of a message or document
14. What is Fast-Flux Hosting, how does it work and where and why is it used?
15. There are different types of C&C infrastructure. What are possible take down mechanisms to prevent bots from connecting to the C&C server?
16. What is compiler-based stack protection? Name an example technology and describe it briefly.
17. Name and explain three ways to detect an operating IMSI Catcher in vicinity.
- Unusual Cell ID (CID), cell location (LAC), frequency - can be checked with a cell/frequency DB (local) combined with GPS location data
- lack of proper encryption - older IMSI catcher downgraded the encryption to 'none'
Gruppe B[Bearbeiten | Quelltext bearbeiten]
1. Same-Origin-Policy (SOP); Arten von XSS, wie werden diese getriggered
The Same-Origin Policy (SOP) denies access from client side script languages to objects (like images) which belong to a different website, or source (origin). Host, protocol and port have to be the same. XSS:
- reflective (non-persistant) - e.g. putting javascript code in a textfield of a from
- persistent (or stored) - code is embedded in the website, e.g. javascript saved as name in a profile, everyone who visits this profile will execute the script
- non-persistent - user gets an URL to click with a maliciousjavascript e.g. http://bla.bla/bla.html?id=<script type='text/javascript'>alert('p0wn3d');</script>
2. Second-order SQL injections
Are injections where parts of the query are stored in the database and later combined for the attack.
3. Injection via GET parameter (PHP Code gegeben: <?php `ls $_GET['filename']`; ?> Wie ist das ausnutzbar?)
This code is vulnerable for a command injection attack. One could simply add additional commands like "http://localhost/example.php?filename=alice.txt;cat /etc/passwd".
4. Wann funktioniert LD_PRELOAD nicht
The loader will ignore LD_PRELOAD if ruid != euid.
5. Welche Arten von Angriffen auf Cryptography gibt es?
- Passive attacks - evesdropping, sniffing the exchange of information and gaining unauthorized access. it does not alter the information nor disrupt the communication channel.
- Active attacks - modifying, deleting the information of the exchanged data
6. Kerckhoffs' Prinzip erklären
The Kerckhoff principle says that the security of a cipher is based on secrecy of the key instead on the algorithm.
7. How to catch an IMSI catcher (3 Möglichkeiten aufzählen und erklären)
- Unusual Cell ID (CID), cell location (LAC), frequency - can be checked with a cell/frequency DB (local) combined with GPS location data
- lack of proper encryption - older IMSI catcher downgraded the encryption to 'none'
8. TCP: Wozu werden Sequence Numbers verwendet und wie müssen diese beschaffen sein
The first connection sets the SYN-flag to 1 and an initial, hopefully random, sequence number. It is later incremented for each packet and used to sort these TCP packets because they can reach the other end in random order.
9. Erklären, wie man eine Reverse-DNS-Prüfung auf eine Domain umgehen kann
10. Buffer Overflow erklären
11. Welche Maßnahmen des OS machen Buffer Overflows schwieriger
12. Fast Flux Hosting / Bullet Proof Hosting
13. Sinkholing um Botnetze auszuhebeln
A sinkhole is a server or network segment that directs all the traffic of a botnet or DoS-attack to itself. It is isolated that no information will get back out. All the packets can then be inspected for flow analysis and traceroutes to the attackers.
14. AES CTR mit 1 Byte Counter: Welche Probleme können entstehen
15. Fault Injection bei Hardware erklären
Fault injections in hardware attemps to simulate a hardware failure within the system.
16. Low-level Analysis vs. High-level Analysis erklären