- (Topic 3)
Insecure direct object reference is a type of vulnerability where the application does not verify if the user is authorized to access the internal object via its name or key. Suppose a malicious user Rob tries to get access to the account of a benign user Ned.
Which of the following requests best illustrates an attempt to exploit an insecure direct object reference vulnerability?
Correct Answer:
C
This question shows a classic example of an IDOR vulnerability. Rob substitutes Ned's name in the "name" parameter and, if the developer has not fixed this vulnerability, Rob gains access to Ned's account. Below you will find more detailed information about IDOR vulnerabilities.
Insecure direct object references (IDOR) are a cybersecurity issue that occurs when a web application developer uses an identifier for direct access to an internal implementation object but provides no additional access control and/or authorization checks. For example, an IDOR vulnerability would happen if the URL of a transaction could be changed through client-side user input to show unauthorized data of another transaction.
Most web applications use simple IDs to reference objects. For example, a user in a database will usually be referred to via the user ID. The same user ID is the primary key of the database record containing that user's information and is generated automatically. The database key generation algorithm is very simple: it usually uses the next available integer. The same ID generation mechanism is used for all other types of database records.
The approach described above is legitimate but not recommended because it could enable an attacker to enumerate all users. If it's necessary to keep this approach, the developer must at least make absolutely sure that more than just a reference is needed to access a resource. For example, let's say that the web application displays transaction details using the following URL:
✑ https://www.example.com/transaction.php?id=74656
A malicious hacker could try to substitute the id parameter value 74656 with other similar values, for example:
✑ https://www.example.com/transaction.php?id=74657
The 74657 transaction could be a valid transaction belonging to another user. The malicious hacker should not be authorized to see it. However, if the developer made an error, the attacker would see this transaction and hence we would have an insecure direct object reference vulnerability.
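As an added illustration (not code from the original text), the following Python models the transaction.php?id=... lookup described above: first as the vulnerable handler that trusts the id parameter, then with the ownership check the developer must add. The data store, the user names (Rob and Ned from the question, plus a constructed "alice") and the amounts are constructed sample values.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Transaction:
    tx_id: int
    owner: str
    amount: float


# Constructed sample data. Ids are sequential integers, as the page describes,
# so the neighbouring id 74657 is trivially guessable from 74656.
TRANSACTIONS = {
    74656: Transaction(74656, "ned", 120.00),
    74657: Transaction(74657, "alice", 999.99),
}


def get_transaction_insecure(session_user: str, tx_id: int) -> Optional[Transaction]:
    """IDOR: the record is fetched purely by key; the caller is never checked."""
    return TRANSACTIONS.get(tx_id)


def get_transaction_secure(session_user: str, tx_id: int) -> Optional[Transaction]:
    """Fixed: fetch by key, then verify the authenticated user owns the object.

    'Missing' and 'not yours' both return None, so the response does not tell
    the caller whether a neighbouring id exists.
    """
    tx = TRANSACTIONS.get(tx_id)
    if tx is None or tx.owner != session_user:
        return None
    return tx


def handle_request(lookup, session_user: str, query_id: str):
    """Stand-in for transaction.php: parse ?id=..., return (status, body)."""
    try:
        tx_id = int(query_id)
    except ValueError:
        return 400, "bad id"
    tx = lookup(session_user, tx_id)
    if tx is None:
        return 404, "not found"
    return 200, f"transaction {tx.tx_id}: {tx.amount:.2f}"
```

With Rob's session asking for Ned's transaction, only the first handler returns the record; the second answers 404 just as it would for an id that does not exist.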
- (Topic 3)
During a recent vulnerability assessment of a major corporation's IT systems, the security team identified several potential risks. They want to use a vulnerability scoring system to quantify and prioritize these vulnerabilities. They decide to use the Common Vulnerability Scoring System (CVSS). Given the characteristics of the identified vulnerabilities, which of the following statements is the most accurate regarding the metric types used by CVSS to measure these vulnerabilities?
Correct Answer:
B
The base metric represents the inherent qualities of a vulnerability, according to the Common Vulnerability Scoring System (CVSS). CVSS is a framework that numerically characterizes the severity of software vulnerabilities on a scale from 0 to 10. CVSS consists of three metric groups: Base, Temporal, and Environmental. The base metric group captures the characteristics of a vulnerability that are constant over time and across user environments. The base metric group consists of six sub-metrics: Attack Vector, Attack Complexity, Privileges Required, User Interaction, Scope, and Impact. The Impact sub-metric further consists of three sub-metrics: Confidentiality, Integrity, and Availability. The base metric group produces a score ranging from 0 to 10, which reflects the intrinsic and fundamental properties of a vulnerability [1][2].
The other options are not correct for the following reasons:
✑ A. Temporal metric represents the inherent qualities of a vulnerability: This option is incorrect because the temporal metric group captures the characteristics of a vulnerability that change over time due to events external to the vulnerability. The temporal metric group consists of three sub-metrics: Exploit Code Maturity, Remediation Level, and Report Confidence. The temporal metric group modifies the base score to reflect the current state of the vulnerability, such as the availability of exploit code, the existence of patches or workarounds, and the degree of verification of the vulnerability report [1][2].
✑ C. Environmental metric involves the features that change during the lifetime of the vulnerability: This option is incorrect because the environmental metric group captures the characteristics of a vulnerability that are relevant and unique to a user's environment. The environmental metric group consists of three sub-metrics: Modified Attack Vector, Modified Attack Complexity, and Modified Privileges Required. The environmental metric group also allows the user to assign importance values to the impact sub-metrics: Confidentiality Requirement, Integrity Requirement, and Availability Requirement. The environmental metric group modifies the base and temporal scores to reflect the impact of the vulnerability on the user's specific environment, such as the network configuration, the security objectives, and the asset value [1][2].
✑ D. Temporal metric involves measuring vulnerabilities based on a specific environment or implementation: This option is incorrect because the temporal metric group does not involve measuring vulnerabilities based on a specific environment or implementation, but rather on the factors that change over time due to events external to the vulnerability. The environmental metric group, not the temporal metric group, involves measuring vulnerabilities based on a specific environment or implementation, as explained in option C.
References:
✑ [1] What is CVSS - Common Vulnerability Scoring System - SANS Institute
✑ [2] Common Vulnerability Scoring System - Wikipedia
- (Topic 1)
You just set up a security system in your network. In what kind of system would you find the following string of characters used as a rule within its configuration?
alert tcp any any -> 192.168.100.0/24 21 (msg: "FTP on the network!";)
Correct Answer:
D
- (Topic 3)
Which of the following is a passive wireless packet analyzer that works on Linux-based systems?
Correct Answer:
C
- (Topic 2)
There have been concerns in your network that the wireless network component is not sufficiently secure. You perform a vulnerability scan of the wireless network and find that it is using an old encryption protocol that was designed to mimic wired encryption, what encryption protocol is being used?
Correct Answer:
A
Wired Equivalent Privacy (WEP) is a security protocol, specified in the IEEE wireless local area network (Wi-Fi) standard 802.11b, that is designed to provide a wireless local area network (WLAN) with a level of security and privacy comparable to what is usually expected of a wired LAN. A wired local area network (LAN) is usually protected by physical security mechanisms (controlled access to a building, for example) that are effective in a controlled physical environment but ineffective for WLANs, because radio waves are not necessarily bound by the walls containing the network. WEP seeks to establish protection similar to that offered by the wired network's physical security measures by encrypting data transmitted over the WLAN. Encryption protects the vulnerable wireless link between clients and access points; once this measure has been taken, other typical LAN security mechanisms such as password protection, end-to-end encryption, virtual private networks (VPNs), and authentication can be put in place to ensure privacy.
A research group from the University of California at Berkeley recently published a report citing "major security flaws" in WEP that left WLANs using the protocol susceptible to attacks (called wireless equivalent privacy attacks). In the course of the group's examination of the technology, they were able to intercept and modify transmissions and gain access to restricted networks. The Wireless Ethernet Compatibility Alliance (WECA) claims that WEP, which is included in many networking products, was never intended to be the only security mechanism for a WLAN and that, in conjunction with traditional security practices, it is very effective.