An attacker used an undocumented and unknown application exploit to gain access to a file server. Which of the following BEST describes this type of attack?
A.
Integer overflow
B.
Cross-site scripting
C.
Zero-day
D.
Session hijacking
E.
XML injection
Explanation:
The vulnerability is undocumented and unknown. This is zero day vulnerability. A zero day vulnerability refers to a hole in software that is unknown to the vendor.
This security hole is then exploited by hackers before the vendor becomes aware and hurries to fix it–this exploit is called a zero day attack. Uses of zero day
attacks can include infiltrating malware, spyware or allowing unwanted access to user information. The term “zero day” refers to the unknown nature of the hole to
those outside of the hackers, specifically, the developers. Once the vulnerability becomes known, a race begins for the developer, who must protect users.
Incorrect Answers:
A: Integer overflow is the result of an attempt by a CPU to arithmetically generate a number larger than what can fit in the devoted memory storage space.
Arithmetic operations always have the potential of returning unexpected values, which may cause an error that forces the whole program to shut down. For this
reason, most programmers prefer to perform mathematical operations inside an exception frame, which returns an exception in the case of integer overflow
instead. This is not what is described in this question. Therefore, this answer is incorrect.
B: Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. XSS enables attackers to inject client-side script into
Web pages viewed by other users.
Cross-site scripting uses known vulnerabilities in web-based applications, their servers, or plug- in systems on which they rely. Exploiting one of these, attackers
fold malicious content into the content being delivered from the compromised site. When the resulting combined content arrives at the client-side web browser, it
has all been delivered from the trusted source, and thus operates under the permissions granted to that system. By finding ways of injecting malicious scripts into
web pages, an attacker can gain elevated access-privileges to sensitive page content, session cookies, and a variety of other information maintained by the
browser on behalf of the user. This is not what is described in this question. Therefore, this answer is incorrect.D: In computer science, session hijacking, sometimes also known as cookie hijacking is the exploitation of a valid computer session–sometimes also called a
session key–to gain unauthorized access to information or services in a computer system. In particular, it is used to refer to the theft of a magic cookie used to
authenticate a user to a remote server. It has particular relevance to web developers, as the HTTP cookies used to maintain a session on many web sites can be
easily stolen by an attacker using an intermediary computer or with access to the saved cookies on the victim’s computer. This is not what is described in this
question. Therefore, this answer is incorrect.
E: When a web user takes advantage of a weakness with SQL by entering values that they should not, it is known as a SQL injection attack. Similarly, when the
user enters values that query XML (known as XPath) with values that take advantage of exploits, it is known as an XML injection attack. XPath works in a similar
manner to SQL, except that it does not have the same levels of access control, and taking advantage of weaknesses within can return entire documents. The best
way to prevent XML injection attacks is to filter the user’s input and sanitize it to make certain that it does not cause XPath to return more data than it should. This is
not what is described in this question. Therefore, this answer is incorrect.http://www.pctools.com/security-news/zero-day-vulnerability/ http://www.techopedia.com/definition/14427/integer-overflow http://en.wikipedia.org/wiki/Crosssite_scripting
http://en.wikipedia.org/wiki/Session_hijacking
Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, p 337