Exam SY0-601
Question 155

SIMULATION -

An attack has occurred against a company.

INSTRUCTIONS -

You have been tasked to do the following:

✑ Identify the type of attack that is occurring on the network by clicking on the attacker's tablet and reviewing the output.

✑ Identify which compensating controls a developer should implement on the assets, in order to reduce the effectiveness of future attacks by dragging them to the correct server.

All objects will be used, but not all placeholders may be filled. Objects may only be used once.

If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

    Correct Answer:

Discussion
stoneface

I think this is correct.
Application Source Code -> Code Review
CRM Server -> Record Level Access Control
Web Server -> WAF and URL Filtering
Database -> Input Validation
I initially went with Input Validation instead of URL Filtering, but URL filtering works by comparing all web traffic against URL filters, which are typically contained in a database of sites that users are permitted to access or denied from accessing.

stoneface

For the attack I think this is a SQLi attack

KetReeb

Why not Session Hijacking? The output shows that the table used multiple accounts and the session cookies associated with the account IDs.

stoneface

Very true -> After digging around (again) this could be a Session Hijacking attack, and also an XSS attack - https://owasp.org/www-community/attacks/Session_hijacking_attack But a session hijacking attack or an XSS would not reveal session IDs for multiple users; besides, there are additional fields in the response (name, login_time), and this is information that will typically be stored in a database. I still believe this is a SQLi attack ... I listen to you.

anonimouse2

It is a XSS attack. Check diagram here: https://www.imperva.com/learn/application-security/cross-site-scripting-xss-attacks/

fryderyk

Why wouldn't it be SQLi? Cookies can be stored on the backend in a DB. XSS on the other hand would only allow stealing cookies pertaining to the current user's session.

Knowledge33

It's not mentioned in the question that the database is using SQL. It could be Oracle or anything else. It means SQLi is not correct. The only possibility is an XSS attack.

Lionel_TheITGuy

Oracle DBs use a SQL structure though.

Protract8593

I think it's an XSS attack. ChatGPT said the following: Based on the provided information, the attack shown in the simulation is Cross-Site Scripting (XSS). In this attack, the attacker injects malicious scripts into the web page viewed by other users, typically by exploiting a vulnerability in the web application. The response shows that the attacker has injected a script into the web page that collects user login details (usernames, cookie IDs, and login times) and sends them to the attacker-controlled server. I believe your compensating controls are correct, though. Also, is it just me or is the answer provided for this question correct? It selected the same compensating controls as you and it selected an XSS attack as the attack type.

Old_Boy_

Hope you're on the CCNA discussions Sir Stone Face. Thanks for your help.

LordJaraxxus

It uses cookies so it's XSS

honeybussy

Shouldn't the type of attack be session hijacking?

nobnarb

The answer is cross-site scripting; this is from Darril Gibson's website.
Q. A penetration tester has successfully exploited a vulnerability against your organization giving him access to the following data:
User, password, login-date, cookie-id
Homer, canipass, 2016-09-01 11:12, 286755fad04869ca523320acce0dc6a4
Bart, passican, 2016-09-01 11:15, 8edd7261c353c87a113269cd37635c68
Marge, icanpass, 2016-09-01 11:19, 26887fbd90ac0340e29ad62470270401
What type of attack does this represent?
A. SQL injection
B. XML injection
C. XSS
D. Session hijacking
Answer: C. Cross-site scripting (XSS) is the best choice of the available answers. You can see that the penetration tester is looking at cookies because the header includes 'cookie-id', and successful cross-site scripting (XSS) attacks allow attackers to capture user information such as cookies.

DJCODING

Correct option is session hijacking bro, isn't it?

BD69

This is session hijacking because it has a cookie-id. You probably won't get a cookie-id from a database - cookies are stored in the browser

BYU

I took my exam yesterday (3/8/2023) and this question was there. 3/4 of PBQs were from here and 80% of MC too. This study community helped me a lot--Thank you!!

Marito1414

Do you remember what you selected? SQLi or XSS?

Rumchata556

This was on my exam, 11/29/23

reto1

This was in the exam. All the questions were from 1-849. Make sure to understand the questions and the answers. Look it up and study all the details of every question. Don't just memorize it. Understand it and think how you can deploy or use it at your work or in the enterprise. Exam taken in Mar 2024.

GustavSvenson

The attack seems to be SQLi based on:
- The input page shows input which the web app will use to access the database
- The response page shows a list of users
  - Since it's multiple users, it can only come from the DB and not from a single-scoped attack
  - The cookie-id field is used to match the cookie-id of the users' sessions, a common way to handle sessions in web apps
  - The login times are also common DB options
  - There's no proof of XSS anywhere and it wouldn't reveal multiple user accounts
  - There's no evidence of XML anywhere
  - There's no evidence of session hijacking and it would also be scoped to just one account
- WAF and URL filtering on the web server
- Input validation and Code Review on the Source Code repository (you don't do input validation on the DB server, it doesn't care)
- Record level access control on the CRM, because it obviously isn't on the DB (since multiple records have been exfiltrated)

EduardosSS

I'm a bit confused... but in the end I think I'll go for SQL injection. If anyone could clarify I'd be grateful!

DashRyde

Why would input validation be dragged to the Database server? It should be on the Application code repo, because it's one of the application security controls. If we are talking about DB security, that would be things like encrypting sensitive data: Data Masking, Data Tokenization, Hashing/Salting passwords, for example. I think my answer will be:
Application Source Code > Code Review + Input Validation
CRM Server > Record Level Access Control
Web Server > WAF + URL Filtering
Regarding the attack I am between Session Hijacking and SQL Injection :(

above

https://blogs.getcertifiedgetahead.com/cookie-attacks-security/
A SQL injection attack uses a SQL statement, and typically includes a phrase such as or 1=1. An XML injection attack would include XML markup data, with XML tags within the < and > symbols. A session hijacking attack uses a cookie to take over a session. However, it's more than just the text within a cookie.
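The point made by GustavSvenson and "above" (a whole table comes back because the submitted text becomes part of the query, and an "or 1=1" phrase is the usual tell) can be shown in code. This is an added example, not from the thread, the exam or the linked blog: an SQLite-backed login lookup with the concatenated query beside its parameterized form, plus an allow-list check standing in for the Input Validation control dragged onto the servers. The table rows are the ones from the Gibson question quoted earlier; the table name, column names and functions are constructed for this example.

```python
import re
import sqlite3

# Sample rows reused from the Gibson practice question quoted earlier in this thread.
SAMPLE_USERS = [
    ("Homer", "canipass", "2016-09-01 11:12", "286755fad04869ca523320acce0dc6a4"),
    ("Bart", "passican", "2016-09-01 11:15", "8edd7261c353c87a113269cd37635c68"),
    ("Marge", "icanpass", "2016-09-01 11:19", "26887fbd90ac0340e29ad62470270401"),
]

# Allow-list for the username field: an input validation control placed in the app code.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def make_db():
    """Build an in-memory users table shaped like the response shown in the PBQ."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user TEXT, password TEXT, login_date TEXT, cookie_id TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def is_valid_username(user):
    """Reject anything outside the allow-list before it reaches a query."""
    return USERNAME_RE.fullmatch(user) is not None


def login_vulnerable(conn, user, password):
    """String concatenation: the submitted text becomes part of the SQL itself."""
    sql = ("SELECT user, login_date, cookie_id FROM users WHERE user = '"
           + user + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchall()


def login_parameterized(conn, user, password):
    """Hardened form: bound parameters keep the submitted text as data only."""
    sql = "SELECT user, login_date, cookie_id FROM users WHERE user = ? AND password = ?"
    return conn.execute(sql, (user, password)).fetchall()


def demo():
    """Return (rows from the concatenated query, rows from the parameterized one)."""
    conn = make_db()
    # The 'or 1=1' phrase makes the WHERE clause always true and the trailing SQL
    # comment discards the password check, so the concatenated query returns every row.
    hostile = "' OR 1=1 --"
    dumped = login_vulnerable(conn, hostile, "anything")
    safe = login_parameterized(conn, hostile, "anything")  # compared literally: no match
    return len(dumped), len(safe)


if __name__ == "__main__":
    print(demo(), is_valid_username("' OR 1=1 --"))
```

The concatenated query returns all three rows (name, login time, cookie id, the same columns the PBQ response lists) while the parameterized query returns none, and the allow-list rejects the input before any query runs.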

MorganB

Passed my exam 27 April 23. This question was not on my exam but was replaced with another simulation question.

Attila777

Do you remember what type of PBQ you had?

MS2023

Do you remember which other PBQ you got, please?

mosher21

Why would a web server need a URL filter?

BD69

Web servers have IP filters, so perhaps they're thinking of it this way. A URL filter is usually for users inside a network to prevent them from accessing bad URLs on the Internet (and is found on routers or end user hosts). Technically speaking, you wouldn't use this ANYWHERE in this place.

AbdullahMohammad251

Session hijacking
CRM server ----> none of the above (BLANK)
Database ----> Record-level access control (to control access to individual records)
Web server ---> URL filtering (to prevent the web server from accessing malicious websites) & WAF (to inspect incoming and outgoing HTTP traffic)
App source code -----> Input validation (to prevent injection attacks) & Code review (following best practices to protect against vulnerabilities)

fb8c9bb

I believe it is input validation for the database. By validating input, you ensure that only properly formatted data is allowed into the database queries. This helps prevent attackers from injecting malicious SQL commands.

DriftandLuna

Is the 1st window the attacker's tablet?

GigaChungus

I think this is an SQL injection. If you look at the response data provided, it lists out the data in columns and rows, just like if you were displaying a database table.

7308365

Application Source Code within Repository -> Code Review
CRM Server -> Record Level Access Control
Web Server -> WAF/URL Filtering
Database -> Input Validation
SQL Injection: on the login landing page all user credentials were displayed. SQL injection, also known as SQLi, is a common attack vector that uses malicious SQL code for backend database manipulation to access information that was not intended to be displayed. This information may include any number of items, including sensitive company data, user lists or private customer details.

7308365

In simple words, SQL Injection permits an attacker to access data that they would normally be unable to recover.

Paula77

XSS differs from other web attack vectors (e.g., SQL injections), in that it does not directly target the application itself. Instead, the users of the web application are the ones at risk. Session cookies could be revealed, enabling a perpetrator to impersonate valid users and abuse their private accounts. I believe the correct answer is XSS

BD69

if it was SQLi, how did they get the cookie-id (which is stored in the browser)?

BD69

I thought it was weird that they wanted Input Validation, which only happens on the web server, as a mitigation for the database, but I will agree that it's the only relevant mitigation from the selection. You wouldn't use record level access control on a web database.

Ilginz

I think the answer is correct. Because in the request section, the user enters a username and password, and as a response, the cookie IDs are generated. XSS Attack Scenario: When other users visit the affected page, the injected scripts execute in their browsers, potentially leading to cookie theft, session manipulation, or performing unauthorized actions on the user's behalf. SQLi doesn't make any sense to me. There are no words like "get, select, union etc." or symbols like ' '. Session hijacking intercepts the network traffic and takes control of an active session. There is no sign of it.

Frogalicious

Does the "Submit Query" button on the request screen give any credence to this being a SQLi attack?