mirror of
https://github.com/linkedin/school-of-sre
synced 2026-01-20 15:38:03 +00:00
Deployed 4239ecf with MkDocs version: 1.2.3
This commit is contained in:
@@ -2168,21 +2168,33 @@
|
||||
<h2 id="other-resources">Other Resources</h2>
|
||||
<p>Some books that would be a great resource</p>
|
||||
<ul>
|
||||
<li>Holistic Info-Sec for Web Developers <a href="https://holisticinfosecforwebdevelopers.com/">https://holisticinfosecforwebdevelopers.com/</a>- Free and downloadable book series with very broad and deep coverage of what Web Developers and DevOps Engineers need to know in order to create robust, reliable, maintainable and secure software, networks and other, that are delivered continuously, on time, with no nasty surprises</li>
|
||||
<li>Docker Security - Quick Reference: For DevOps Engineers <a href="https://leanpub.com/dockersecurity-quickreference">https://leanpub.com/dockersecurity-quickreference</a> - A book on understanding the Docker security defaults, how to improve them (theory and practical), along with many tools and techniques.</li>
|
||||
<li>How to Hack Like a Legend <a href="https://amzn.to/2uWh1Up">https://amzn.to/2uWh1Up</a>- A hacker’s tale breaking into a secretive offshore company, Sparc Flow, 2018</li>
|
||||
<li>How to Investigate Like a Rockstar <a href="https://books2read.com/u/4jDWoZ">https://books2read.com/u/4jDWoZ</a>- Live a real crisis to master the secrets of forensic analysis, Sparc Flow, 2017</li>
|
||||
<li>Real World Cryptography <a href="https://www.manning.com/books/real-world-cryptography">https://www.manning.com/books/real-world-cryptography</a>- This early-access book teaches you applied cryptographic techniques to understand and apply security at every level of your systems and applications.</li>
|
||||
<li>AWS Security <a href="https://www.manning.com/books/aws-security?utm_source=github&utm_medium=organic&utm_campaign=book_shields_aws_1_31_20">https://www.manning.com/books/aws-security?utm_source=github&utm_medium=organic&utm_campaign=book_shields_aws_1_31_20</a>- This early-access book covers commong AWS security issues and best practices for access policies, data protection, auditing, continuous monitoring, and incident response.</li>
|
||||
<li>
|
||||
<p>Holistic Info-Sec for Web Developers (<a href="https://holisticinfosecforwebdevelopers.com/">https://holisticinfosecforwebdevelopers.com/</a>)—Free and downloadable book series with very broad and deep coverage of what Web Developers and DevOps Engineers need to know in order to create robust, reliable, maintainable and secure software, networks and other, that are delivered continuously, on time, with no nasty surprises.</p>
|
||||
</li>
|
||||
<li>
|
||||
<p>Docker Security: Quick Reference—For DevOps Engineers (<a href="https://leanpub.com/dockersecurity-quickreference">https://leanpub.com/dockersecurity-quickreference</a>)—A book on understanding the Docker security defaults, how to improve them (theory and practical), along with many tools and techniques.</p>
|
||||
</li>
|
||||
<li>
|
||||
<p>How to Hack Like a Legend (<a href="https://amzn.to/2uWh1Up">https://amzn.to/2uWh1Up</a>)—A hacker’s tale breaking into a secretive offshore company, Sparc Flow, 2018</p>
|
||||
</li>
|
||||
<li>
|
||||
<p>How to Investigate Like a Rockstar (<a href="https://books2read.com/u/4jDWoZ">https://books2read.com/u/4jDWoZ</a>)—Live a real crisis to master the secrets of forensic analysis, Sparc Flow, 2017</p>
|
||||
</li>
|
||||
<li>
|
||||
<p>Real World Cryptography (<a href="https://www.manning.com/books/real-world-cryptography">https://www.manning.com/books/real-world-cryptography</a>)—This early-access book teaches you applied cryptographic techniques to understand and apply security at every level of your systems and applications.</p>
|
||||
</li>
|
||||
<li>
|
||||
<p>AWS Security (<a href="https://www.manning.com/books/aws-security?utm_source=github&utm_medium=organic&utm_campaign=book_shields_aws_1_31_20">https://www.manning.com/books/aws-security?utm_source=github&utm_medium=organic&utm_campaign=book_shields_aws_1_31_20</a>)—This early-access book covers common AWS security issues and best practices for access policies, data protection, auditing, continuous monitoring, and incident response.</p>
|
||||
</li>
|
||||
</ul>
|
||||
<h2 id="post-training-asks-further-reading">Post Training asks/ Further Reading</h2>
|
||||
<ul>
|
||||
<li>CTF Events like : <a href="https://github.com/apsdehal/awesome-ctf">https://github.com/apsdehal/awesome-ctf</a></li>
|
||||
<li>Penetration Testing : <a href="https://github.com/enaqx/awesome-pentest">https://github.com/enaqx/awesome-pentest</a></li>
|
||||
<li>Threat Intelligence : <a href="https://github.com/hslatman/awesome-threat-intelligence">https://github.com/hslatman/awesome-threat-intelligence</a></li>
|
||||
<li>Threat Detection & Hunting : <a href="https://github.com/0x4D31/awesome-threat-detection">https://github.com/0x4D31/awesome-threat-detection</a></li>
|
||||
<li>CTF Events like: <a href="https://github.com/apsdehal/awesome-ctf">https://github.com/apsdehal/awesome-ctf</a></li>
|
||||
<li>Penetration Testing: <a href="https://github.com/enaqx/awesome-pentest">https://github.com/enaqx/awesome-pentest</a></li>
|
||||
<li>Threat Intelligence: <a href="https://github.com/hslatman/awesome-threat-intelligence">https://github.com/hslatman/awesome-threat-intelligence</a></li>
|
||||
<li>Threat Detection & Hunting: <a href="https://github.com/0x4D31/awesome-threat-detection">https://github.com/0x4D31/awesome-threat-detection</a></li>
|
||||
<li>Web Security: <a href="https://github.com/qazbnm456/awesome-web-security">https://github.com/qazbnm456/awesome-web-security</a></li>
|
||||
<li>Building Secure and Reliable Systems : <a href="https://landing.google.com/sre/resources/foundationsandprinciples/srs-book/">https://landing.google.com/sre/resources/foundationsandprinciples/srs-book/</a></li>
|
||||
<li>Building Secure and Reliable Systems: <a href="https://landing.google.com/sre/resources/foundationsandprinciples/srs-book/">https://landing.google.com/sre/resources/foundationsandprinciples/srs-book/</a></li>
|
||||
</ul>
|
||||
|
||||
|
||||
|
||||
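Review bot: the rewritten AWS Security entry still links through `utm_source=github&utm_medium=organic&utm_campaign=book_shields_aws_1_31_20`, and the How to Hack Like a Legend entry goes through an `amzn.to` short URL whose destination the reader cannot see; while these items are being reformatted, strip the UTM query string and link the canonical publisher page instead. The raw `&` inside those `href` values should also be `&amp;` in HTML, and the heading "Post Training asks/ Further Reading" keeps its stray space after the slash.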
@@ -2352,33 +2352,35 @@
|
||||
<li>They have quite a big role in System design & hence are quite sometimes the first line of defence.</li>
|
||||
<li>SRE’s help in preventing bad design & implementations which can affect the overall security of the infrastructure. </li>
|
||||
<li>Successfully designing, implementing, and maintaining systems requires a commitment to <strong>the full system lifecycle</strong>. This commitment is possible only when security and reliability are central elements in the architecture of systems.</li>
|
||||
<li>Core Pillars of Information Security :</li>
|
||||
<li><strong>Confidentiality</strong> – only allow access to data for which the user is permitted</li>
|
||||
<li><strong>Integrity</strong> – ensure data is not tampered or altered by unauthorized users</li>
|
||||
<li>
|
||||
<p><strong>Availability</strong> – ensure systems and data are available to authorized users when they need it</p>
|
||||
</li>
|
||||
<li>
|
||||
<p>Thinking like a Security Engineer</p>
|
||||
</li>
|
||||
<li>
|
||||
<p>When starting a new application or re-factoring an existing application, you should consider each functional feature, and consider:</p>
|
||||
<p>Core Pillars of Information Security:</p>
|
||||
<ul>
|
||||
<li><strong>Confidentiality</strong>—only allow access to data for which the user is permitted</li>
|
||||
<li><strong>Integrity</strong>—ensure data is not tampered or altered by unauthorized users</li>
|
||||
<li><strong>Availability</strong>—ensure systems and data are available to authorized users when they need it</li>
|
||||
</ul>
|
||||
</li>
|
||||
<li>
|
||||
<p>Thinking like a Security Engineer:</p>
|
||||
<ul>
|
||||
<li>When starting a new application or re-factoring an existing application, you should consider each functional feature, and consider:<ul>
|
||||
<li>Is the process surrounding this feature as safe as possible? In other words, is this a flawed process?</li>
|
||||
<li>If I were evil, how would I abuse this feature? Or more specifically failing to address how a feature can be abused can cause design flaws.</li>
|
||||
<li>Is the feature required to be on by default? If so, are there limits or options that could help reduce the risk from this feature?</li>
|
||||
</ul>
|
||||
</li>
|
||||
</ul>
|
||||
</li>
|
||||
<li>
|
||||
<p>Security Principles By OWASP (Open Web Application Security Project)</p>
|
||||
</li>
|
||||
<li>Minimize attack surface area :<ul>
|
||||
<li>Minimize attack surface area:<ul>
|
||||
<li>Every feature that is added to an application adds a certain amount of risk to the overall application. The aim of secure development is to reduce the overall risk by reducing the attack surface area.</li>
|
||||
<li>For example, a web application implements online help with a search function. The search function may be vulnerable to SQL injection attacks. If the help feature was limited to authorized users, the attack likelihood is reduced. If the help feature’s search function was gated through centralized data validation routines, the ability to perform SQL injection is dramatically reduced. However, if the help feature was re-written to eliminate the search function (through a better user interface, for example), this almost eliminates the attack surface area, even if the help feature was available to the Internet at large.</li>
|
||||
</ul>
|
||||
</li>
|
||||
<li>Establish secure defaults:<ul>
|
||||
<li>There are many ways to deliver an “out of the box” experience for users. However, by default, the experience should be secure, and it should be up to the user to reduce their security – if they are allowed.</li>
|
||||
<li>There are many ways to deliver an “out of the box” experience for users. However, by default, the experience should be secure, and it should be up to the user to reduce their security—if they are allowed.</li>
|
||||
<li>For example, by default, password ageing and complexity should be enabled. Users might be allowed to turn these two features off to simplify their use of the application and increase their risk.</li>
|
||||
<li>Default Passwords of routers, IoT devices should be changed</li>
|
||||
</ul>
|
||||
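Review bot: the second "Thinking like a Security Engineer" bullet is still ungrammatical ("If I were evil, how would I abuse this feature? Or more specifically failing to address how a feature can be abused can cause design flaws.") and, since this hunk restructures the list anyway, should be split into two sentences, e.g. "If I were evil, how would I abuse this feature? Failing to ask this is how design flaws get in." The "Security Principles By OWASP" item is also rendered as a sibling of the principles that follow it rather than as their parent, the same nesting problem the hunk fixes for the pillars and the "Thinking like" section, and "Default Passwords of routers, IoT devices should be changed" is missing its period.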
@@ -2397,19 +2399,19 @@
|
||||
<li>
|
||||
<p>Fail securely</p>
|
||||
<ul>
|
||||
<li>Applications regularly fail to process transactions for many reasons. How they fail can determine if an application is secure or not.</li>
|
||||
<li>Applications regularly fail to process transactions for many reasons. How they fail can determine if an application is secure or not.
|
||||
<pre><code>
|
||||
is_admin = true;
|
||||
try {
|
||||
code_which_may_fail();
|
||||
is_admin = is_user_assigned_role("Adminstrator");
|
||||
}
|
||||
catch (Exception err) {
|
||||
log.error(err.toString());
|
||||
}
|
||||
</code><pre></li>
|
||||
<li>If either <code>codeWhichMayFail()</code> or <code>isUserInRole</code> fails or throws an exception, the user is an admin by default. This is obviously a security risk.</li>
|
||||
</ul>
|
||||
<p>```</p>
|
||||
<p>is_admin = true;
|
||||
try {
|
||||
code_which_may_faile();
|
||||
is_admin = is_user_assigned_role("Adminstrator");
|
||||
}
|
||||
catch (Exception err) {
|
||||
log.error(err.toString());
|
||||
}</p>
|
||||
<p>```
|
||||
- If either codeWhichMayFail() or isUserInRole fails or throws an exception, the user is an admin by default. This is obviously a security risk.</p>
|
||||
</li>
|
||||
<li>
|
||||
<p>Don’t trust services</p>
|
||||
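Review bot: the new `<pre><code>` block is closed with `</code><pre>` instead of `</code></pre>`, which opens a second, unterminated `<pre>` that swallows the list item after it; in the Markdown source this almost certainly means the fenced block inside the list item still needs to be indented to the item's level so MkDocs emits the closing tag itself. Two more things on this block: the role string "Adminstrator" is misspelled in both versions, so `is_user_assigned_role` would never match even on the success path, and the explanation below refers to `codeWhichMayFail()` and `isUserInRole` while the snippet uses `code_which_may_fail()` and `is_user_assigned_role`; pick one naming and use it in both. The fail-securely version the text is arguing for, `is_admin = false;` before the `try`, is worth showing next to the flawed one.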
@@ -2422,7 +2424,7 @@ log.error(err.toString());
|
||||
<li>Separation of duties<ul>
|
||||
<li>The key to fraud control is the separation of duties. For example, someone who requests a computer cannot also sign for it, nor should they directly receive the computer. This prevents the user from requesting many computers and claiming they never arrived.</li>
|
||||
<li>Certain roles have different levels of trust than normal users. In particular, administrators are different from normal users. In general, administrators should not be users of the application.</li>
|
||||
<li>For example, an administrator should be able to turn the system on or off, set password policy but shouldn’t be able to log on to the storefront as a super privileged user, such as being able to “buy” goods on behalf of other users.</li>
|
||||
<li>For example, an administrator should be able to turn the system on or off, set password policy but shouldn't be able to log on to the storefront as a super privileged user, such as being able to "buy" goods on behalf of other users.</li>
|
||||
</ul>
|
||||
</li>
|
||||
<li>Avoid security by obscurity<ul>
|
||||
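Review bot: this change swaps the typographic quotes in the storefront example (’ and “ ”) for straight ASCII quotes, but the surrounding text keeps curly quotes ("Don’t trust services", “out of the box” in the previous hunk), so the list becomes inconsistent; either keep the original characters or normalize the whole page in one pass.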
@@ -2444,7 +2446,7 @@ log.error(err.toString());
|
||||
</li>
|
||||
<li>Reliability & Security<ul>
|
||||
<li>Reliability and security are both crucial components of a truly trustworthy system, but building systems that are both reliable and secure is difficult. While the requirements for reliability and security share many common properties, they also require different design considerations. It is easy to miss the subtle interplay between reliability and security that can cause unexpected outcomes</li>
|
||||
<li>Ex: A password management application failure was triggered by a reliability problem i.e poor load-balancing and load-shedding strategies and its recovery were later complicated by multiple measures (HSM mechanism which needs to be plugged into server racks, which works as an authentication & the HSM token supposedly locked inside a case.. & the problem can be further elongated ) designed to increase the security of the system.</li>
|
||||
<li>Ex: A password management application failure was triggered by a reliability problem i.e poor load-balancing and load-shedding strategies and its recovery were later complicated by multiple measures (HSM mechanism which needs to be plugged into server racks, which works as an authentication & the HSM token supposedly locked inside a case.. & the problem can be further elongated) designed to increase the security of the system.</li>
|
||||
</ul>
|
||||
</li>
|
||||
</ul>
|
||||
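Review bot: the only change here is a removed space before the closing parenthesis, but the example sentence itself is what needs the edit: "i.e" lacks its period, "its recovery were" should be "its recovery was", the parenthetical trails off in ".." and "the problem can be further elongated", and the bullet before it ends without a period. Suggested wording: "Ex: a password-management application outage was triggered by a reliability problem (poor load-balancing and load-shedding strategies), and its recovery was then complicated by measures meant to increase security, such as an HSM that had to be physically plugged into the server rack and an HSM token locked inside a case."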
@@ -2465,7 +2467,7 @@ log.error(err.toString());
|
||||
</ul>
|
||||
<h3 id="openidoauth">OpenID/OAuth</h3>
|
||||
<p><strong><em>OpenID</em></strong> is an authentication protocol that allows us to authenticate users without using a local auth system. In such a scenario, a user has to be registered with an OpenID Provider and the same provider should be integrated with the authentication flow of your application. To verify the details, we have to forward the authentication requests to the provider. On successful authentication, we receive a success message and/or profile details with which we can execute the necessary flow.</p>
|
||||
<p><strong><em>OAuth</em></strong> is an authorization mechanism that allows your application user access to a provider(Gmail/Facebook/Instagram/etc). On successful response, we (your application) receive a token with which the application can access certain APIs on behalf of a user. OAuth is convenient in case your business use case requires some certain user-facing APIs like access to Google Drive or sending tweets on your behalf. Most OAuth 2.0 providers can be used for pseudo authentication. Having said that, it can get pretty complicated if you are using multiple OAuth providers to authenticate users on top of the local authentication system.</p>
|
||||
<p><strong><em>OAuth</em></strong> is an authorization mechanism that allows your application user access to a provider (Gmail/Facebook/Instagram/etc). On successful response, we (your application) receive a token with which the application can access certain APIs on behalf of a user. OAuth is convenient in case your business use case requires some certain user-facing APIs like access to Google Drive or sending tweets on your behalf. Most OAuth 2.0 providers can be used for pseudo authentication. Having said that, it can get pretty complicated if you are using multiple OAuth providers to authenticate users on top of the local authentication system.</p>
|
||||
<hr />
|
||||
<h2 id="cryptography">Cryptography</h2>
|
||||
<ul>
|
||||
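Review bot: this hunk only adds a space before "(Gmail/Facebook/Instagram/etc)", but the paragraph's key point, that OAuth is an authorization mechanism and that using OAuth providers for login is only "pseudo authentication", is left hedged; suggest stating plainly that the token the application receives proves it may call APIs on the user's behalf, not who the user is. Minor: "some certain user-facing APIs" should be "certain user-facing APIs".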
@@ -2493,14 +2495,14 @@ D(k,E(k,m)) = m
|
||||
</code></pre>
|
||||
<p>Stream Ciphers:</p>
|
||||
<ul>
|
||||
<li>The message is broken into characters or bits and enciphered with a key or keystream(should be random and generated independently of the message stream) that is as long as the plaintext bitstream.</li>
|
||||
<li>The message is broken into characters or bits and enciphered with a key or keystream (should be random and generated independently of the message stream) that is as long as the plaintext bitstream.</li>
|
||||
<li>If the keystream is random, this scheme would be unbreakable unless the keystream was acquired, making it unconditionally secure. The keystream must be provided to both parties in a secure way to prevent its release.</li>
|
||||
</ul>
|
||||
<p>Block Ciphers:</p>
|
||||
<ul>
|
||||
<li>Block ciphers — process messages in blocks, each of which is then encrypted or decrypted.</li>
|
||||
<li>Block ciphers—process messages in blocks, each of which is then encrypted or decrypted.</li>
|
||||
<li>
|
||||
<p>A block cipher is a symmetric cipher in which blocks of plaintext are treated as a whole and used to produce ciphertext blocks. The block cipher takes blocks that are b bits long and encrypts them to blocks that are also b bits long. Block sizes are typically 64 or 128 bits long. </p>
|
||||
<p>A block cipher is a symmetric cipher in which blocks of plaintext are treated as a whole and used to produce ciphertext blocks. The block cipher takes blocks that are <em>b</em> bits long and encrypts them to blocks that are also <em>b</em> bits long. Block sizes are typically 64 or 128 bits long. </p>
|
||||
<p><img alt="image5" src="../images/image5.png" />
|
||||
<img alt="image6" src="../images/image6.png" /></p>
|
||||
</li>
|
||||
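Review bot: the "unconditionally secure" claim for stream ciphers is stated with two of its three conditions (keystream random, keystream as long as the plaintext); the third, that a keystream is never reused for a second message, is what makes the claim hold in practice and should be added while this bullet is being edited. The rewritten block-cipher paragraph also keeps a trailing space before `</p>`, and the one-line "Block ciphers" bullet duplicates the first sentence of the paragraph that follows it, so the two could be merged.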
@@ -2508,7 +2510,7 @@ D(k,E(k,m)) = m
|
||||
<p>Encryption</p>
|
||||
<ul>
|
||||
<li><strong>Secret Key (Symmetric Key)</strong>: the same key is used for encryption and decryption</li>
|
||||
<li><strong>Public Key (Asymmetric Key)</strong> in an asymmetric, the encryption and decryption keys are different but related. The encryption key is known as the public key and the decryption key is known as the private key. The public and private keys are known as a key pair.</li>
|
||||
<li><strong>Public Key (Asymmetric Key)</strong>: in an asymmetric, the encryption and decryption keys are different but related. The encryption key is known as the public key and the decryption key is known as the private key. The public and private keys are known as a key pair.</li>
|
||||
</ul>
|
||||
<p>Symmetric Key Encryption</p>
|
||||
<p>DES</p>
|
||||
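Review bot: "in an asymmetric," is missing its noun in both the old and the new line; since the line is being touched to add the colon, make it "in an asymmetric scheme, the encryption and decryption keys are different but related".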
@@ -2556,7 +2558,7 @@ D(k,E(k,m)) = m
|
||||
<p><strong>NOTE</strong>: In terms of TLS key exchange, this is the common approach.</p>
|
||||
<p>Diffie-Hellman</p>
|
||||
<ul>
|
||||
<li>The protocol has two system parameters, p and g. They are both public and may be used by everybody. Parameter p is a prime number, and parameter g (usually called a generator) is an integer that is smaller than p, but with the following property: For every number n between 1 and p – 1 inclusive, there is a power k of g such that n = gk mod p.</li>
|
||||
<li>The protocol has two system parameters, <em>p</em> and <em>g</em>. They are both public and may be used by everybody. Parameter <em>p</em> is a prime number, and parameter <em>g</em> (usually called a generator) is an integer that is smaller than <em>p</em>, but with the following property: For every number, <em>n</em> between 1 and p – 1 inclusive, there is a power <em>k</em> of <em>g</em> such that <code>n = gk mod p</code>.</li>
|
||||
<li>Diffie Hellman algorithm is an asymmetric algorithm used to establish a shared secret for a symmetric key algorithm. Nowadays most of the people use hybrid cryptosystem i.e, a combination of symmetric and asymmetric encryption. Asymmetric Encryption is used as a technique in key exchange mechanism to share a secret key and after the key is shared between sender and receiver, the communication will take place using symmetric encryption. The shared secret key will be used to encrypt the communication.</li>
|
||||
<li>Refer: <a href="https://medium.com/@akhigbemmanuel/what-is-the-diffie-hellman-key-exchange-algorithm-84d60025a30d">https://medium.com/@akhigbemmanuel/what-is-the-diffie-hellman-key-exchange-algorithm-84d60025a30d</a></li>
|
||||
</ul>
|
||||
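Review bot: the exponent is lost in the new `<code>n = gk mod p</code>`; as rendered it reads as the product of g and k, not g raised to k. Use `n = g^k mod p` (or `g<sup>k</sup>`), drop the stray comma in "For every number, n between", and say "there is an exponent k such that" rather than "a power k of g", since k is the exponent.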
@@ -2578,10 +2580,12 @@ D(k,E(k,m)) = m
|
||||
</li>
|
||||
<li>
|
||||
<p>More:</p>
|
||||
</li>
|
||||
<ul>
|
||||
<li><a href="https://medium.com/@rauljordan/the-state-of-hashing-algorithms-the-why-the-how-and-the-future-b21d5c0440de">https://medium.com/@rauljordan/the-state-of-hashing-algorithms-the-why-the-how-and-the-future-b21d5c0440de</a></li>
|
||||
<li><a href="https://medium.com/@StevieCEllis/the-beautiful-hash-algorithm-f18d9d2b84fb">https://medium.com/@StevieCEllis/the-beautiful-hash-algorithm-f18d9d2b84fb</a></li>
|
||||
</ul>
|
||||
</li>
|
||||
</ul>
|
||||
<p>MD5</p>
|
||||
<ul>
|
||||
<li>MD5 is a one-way function with which it is easy to compute the hash from the given input data, but it is unfeasible to compute input data given only a hash.</li>
|
||||
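Review bot: the `<ul>` of "More:" links is emitted as a sibling after the already closed `<li><p>More:</p></li>` rather than nested inside it, so the links render as a separate unlabeled list and the `</li>` following the inner `</ul>` closes an outer item; in the Markdown source the two links need to be indented under the "More:" bullet. In the MD5 bullet that follows, "unfeasible" should be "infeasible".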
@@ -2651,8 +2655,10 @@ D(k,E(k,m)) = m
|
||||
<li>a client: A user/ a service</li>
|
||||
<li>
|
||||
<p>a server: Kerberos protected hosts reside</p>
|
||||
<p><img alt="image10" src="../images/image10.png" />
|
||||
- a Key Distribution Center (KDC), which acts as the trusted third-party authentication service.</p>
|
||||
<p><img alt="image10" src="../images/image10.png" /></p>
|
||||
</li>
|
||||
<li>
|
||||
<p>a Key Distribution Center (KDC), which acts as the trusted third-party authentication service.</p>
|
||||
</li>
|
||||
</ul>
|
||||
<p>The KDC includes the following two servers:</p>
|
||||
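Review bot: moving the KDC into its own list item fixes the "- a Key Distribution Center" text that was leaking into the image paragraph, but "a server: Kerberos protected hosts reside" is still an incomplete phrase; suggest "a server: the host on which the Kerberos-protected service resides", matching the "a client: A user/ a service" item above it.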
@@ -2664,23 +2670,24 @@ D(k,E(k,m)) = m
|
||||
</li>
|
||||
</ul>
|
||||
<h3 id="certificate-chain">Certificate Chain</h3>
|
||||
<p>The first part of the output of the OpenSSL command shows three certificates numbered 0, 1, and 2(not 2 anymore). Each certificate has a subject, s, and an issuer, i. The first certificate, number 0, is called the end-entity certificate. The subject line tells us it’s valid for any subdomain of google.com because its subject is set to *.google.com. </p>
|
||||
<p><code>$ openssl s_client -connect www.google.com:443 -CApath /etc/ssl/certs
|
||||
<p>The first part of the output of the OpenSSL command shows three certificates numbered 0, 1, and 2 (not 2 anymore). Each certificate has a subject, <em>s</em>, and an issuer, <em>i</em>. The first certificate, number 0, is called the end-entity certificate. The subject line tells us it’s valid for any subdomain of <code>google.com</code> because its subject is set to <code>*.google.com</code>. </p>
|
||||
<pre><code class="language-shell">$ openssl s_client -connect www.google.com:443 -CApath /etc/ssl/certs
|
||||
CONNECTED(00000005)
|
||||
depth=2 OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
|
||||
verify return:1
|
||||
depth=1 C = US, O = Google Trust Services, CN = GTS CA 1O1
|
||||
verify return:1
|
||||
depth=0 C = US, ST = California, L = Mountain View, O = Google LLC, CN = www.google.com
|
||||
verify return:1</code>
|
||||
<code>---
|
||||
verify return:1`
|
||||
`---
|
||||
Certificate chain
|
||||
0 s:/C=US/ST=California/L=Mountain View/O=Google LLC/CN=www.google.com
|
||||
i:/C=US/O=Google Trust Services/CN=GTS CA 1O1
|
||||
1 s:/C=US/O=Google Trust Services/CN=GTS CA 1O1
|
||||
i:/OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign
|
||||
---</code>
|
||||
<code>Server certificate</code></p>
|
||||
---
|
||||
</code></pre>
|
||||
<p><strong>Server certificate</strong></p>
|
||||
<ul>
|
||||
<li>The issuer line indicates it’s issued by Google Internet Authority G2, which also happens to be the subject of the second certificate, number 1</li>
|
||||
<li>What the OpenSSL command line doesn’t show here is the trust store that contains the list of CA certificates trusted by the system OpenSSL runs on.</li>
|
||||
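Review bot: the new fenced block still contains a literal backtick at the end of "verify return:1`" and at the start of "`---", plus leftover `</code>` and `<code>` tags between the verify lines and the certificate chain, so the rendered output shows stray backticks and the `<pre>` contents are split; clean the source so it is one fenced block from the `$ openssl s_client` line through the final `---`. Two content issues the hunk leaves in place: "numbered 0, 1, and 2 (not 2 anymore)" is an editorial aside and should simply read "two certificates numbered 0 and 1" if that is what the capture shows, and the bullet under "Server certificate" names the issuer as "Google Internet Authority G2" while the captured chain shows `GTS CA 1O1`, so the prose and the capture were taken at different times and one of them needs updating.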
@@ -2696,14 +2703,14 @@ Certificate chain
|
||||
<ol>
|
||||
<li>The client sends a HELLO message to the server with a list of protocols and algorithms it supports.</li>
|
||||
<li>The server says HELLO back and sends its chain of certificates. Based on the capabilities of the client, the server picks a cipher suite.</li>
|
||||
<li>If the cipher suite supports ephemeral key exchange, like ECDHE does(ECDHE is an algorithm known as the Elliptic Curve Diffie-Hellman Exchange), the server and the client negotiate a pre-master key with the Diffie-Hellman algorithm. The pre-master key is never sent over the wire.</li>
|
||||
<li>If the cipher suite supports ephemeral key exchange, like ECDHE does (ECDHE is an algorithm known as the Elliptic Curve Diffie-Hellman Exchange), the server and the client negotiate a pre-master key with the Diffie-Hellman algorithm. The pre-master key is never sent over the wire.</li>
|
||||
<li>The client and server create a session key that will be used to encrypt the data transiting through the connection.</li>
|
||||
</ol>
|
||||
<p>At the end of the handshake, both parties possess a secret session key used to encrypt data for the rest of the connection. This is what OpenSSL refers to as Master-Key</p>
|
||||
<p>At the end of the handshake, both parties possess a secret session key used to encrypt data for the rest of the connection. This is what OpenSSL refers to as Master-Key.</p>
|
||||
<p><strong>NOTE</strong></p>
|
||||
<ul>
|
||||
<li>There are 3 versions of TLS , TLS 1.0, 1.1 & 1.2</li>
|
||||
<li>TLS 1.0 was released in 1999, making it a nearly two-decade-old protocol. It has been known to be vulnerable to attacks—such as BEAST and POODLE—for years, in addition to supporting weak cryptography, which doesn’t keep modern-day connections sufficiently secure.</li>
|
||||
<li>There are 3 versions of TLS, TLS 1.0, 1.1 & 1.2</li>
|
||||
<li>TLS 1.0 was released in 1999, making it a nearly two-decade-old protocol. It has been known to be vulnerable to attacks—such as BEAST and POODLE—for years, in addition to supporting weak cryptography, which doesn’t keep modern-day connections sufficiently secure.</li>
|
||||
<li>TLS 1.1 is the forgotten “middle child.” It also has bad cryptography like its younger sibling. In most software, it was leapfrogged by TLS 1.2 and it’s rare to see TLS 1.1 used.</li>
|
||||
</ul>
|
||||
<h3 id="perfect-forward-secrecy">“Perfect” Forward Secrecy</h3>
|
||||
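Review bot: the NOTE still states "There are 3 versions of TLS, TLS 1.0, 1.1 & 1.2", which omits TLS 1.3 (RFC 8446, 2018) and leaves the reader without the version they should actually be deploying; since the line is being edited anyway, list 1.3 and say that 1.0 and 1.1 are deprecated. The TLS 1.0 bullet appears identical in the old and new versions, so that part of the hunk is presumably a whitespace-only change.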
@@ -2712,9 +2719,11 @@ Certificate chain
|
||||
<li>In a non-ephemeral key exchange, the client sends the pre-master key to the server by encrypting it with the server’s public key. The server then decrypts the pre-master key with its private key. If at a later point in time, the private key of the server is compromised, an attacker can go back to this handshake, decrypt the pre-master key, obtain the session key, and decrypt the entire traffic. Non-ephemeral key exchanges are vulnerable to attacks that may happen in the future on recorded traffic. And because people seldom change their password, decrypting data from the past may still be valuable for an attacker.</li>
|
||||
<li>An ephemeral key exchange like DHE, or its variant on elliptic curve, ECDHE, solves this problem by not transmitting the pre-master key over the wire. Instead, the pre-master key is computed by both the client and the server in isolation, using nonsensitive information exchanged publicly. Because the pre-master key can’t be decrypted later by an attacker, the session key is safe from future attacks: hence, the term perfect forward secrecy.</li>
|
||||
<li>Keys are changed every X blocks along the stream. That prevents an attacker from simply sniffing the stream and applying brute force to crack the whole thing. "Forward secrecy" means that just because I can decrypt block M, does not mean that I can decrypt block Q</li>
|
||||
<li>Downside:</li>
|
||||
<li>Downside:<ul>
|
||||
<li>The downside to PFS is that all those extra computational steps induce latency on the handshake and slow the user down. To avoid repeating this expensive work at every connection, both sides cache the session key for future use via a technique called session resumption. This is what the session-ID and TLS ticket are for: they allow a client and server that share a session ID to skip over the negotiation of a session key, because they already agreed on one previously, and go directly to exchanging data securely.</li>
|
||||
</ul>
|
||||
</li>
|
||||
</ul>
|
||||
|
||||
|
||||
|
||||
|
||||
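Review bot: the bullet "Keys are changed every X blocks along the stream ... just because I can decrypt block M, does not mean that I can decrypt block Q" describes periodic re-keying, not forward secrecy, and contradicts the two bullets above it, which correctly tie forward secrecy to the ephemeral (EC)DHE key exchange; remove it or reword it as a contrast. The new "Downside:" nesting is right, but the session-resumption sentence should add that a cached session key or ticket is exactly the kind of long-lived secret forward secrecy is meant to avoid, so resumption state needs a short lifetime.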
@@ -2201,7 +2201,7 @@
|
||||
</li>
|
||||
</ol>
|
||||
<h2 id="what-to-expect-from-this-course">What to expect from this course</h2>
|
||||
<p>The course covers fundamentals of information security along with touching on subjects of system security, network & web security. This course aims to get you familiar with the basics of information security in day to day operations & then as an SRE develop the mindset of ensuring that security takes a front-seat while developing solutions. The course also serves as an introduction to common risks and best practices along with practical ways to find out vulnerable systems and loopholes which might become compromised if not secured.</p>
|
||||
<p>The course covers fundamentals of information security along with touching on subjects of system security, network & web security. This course aims to get you familiar with the basics of information security in day-to-day operations and then as an SRE develop the mindset of ensuring that security takes a front-seat while developing solutions. The course also serves as an introduction to common risks and best practices along with practical ways to find out vulnerable systems and loopholes which might become compromised if not secured.</p>
|
||||
<h2 id="what-is-not-covered-under-this-course">What is not covered under this course</h2>
|
||||
<p>The courseware is not an ethical hacking workshop or a very deep dive into the fundamentals of the problems. The course does not deal with hacking or breaking into systems but rather an approach on how to ensure you don’t get into those situations and also to make you aware of different ways a system can be compromised.</p>
|
||||
<h2 id="course-contents">Course Contents</h2>
|
||||
|
||||
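Review bot: the rewrite changes "& then" to "and then" but leaves "network & web security" in the same sentence, so the ampersand usage is now inconsistent; use "and" throughout. In the "What is not covered" paragraph, "but rather an approach on how to ensure" should be "but rather takes an approach to ensuring".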
@@ -1285,10 +1285,10 @@
|
||||
|
||||
<li class="md-nav__item">
|
||||
<a href="#network-perimeter-security" class="md-nav__link">
|
||||
Network Perimeter Security
|
||||
Network Perimeter Security
|
||||
</a>
|
||||
|
||||
<nav class="md-nav" aria-label="Network Perimeter Security">
|
||||
<nav class="md-nav" aria-label="Network Perimeter Security">
|
||||
<ul class="md-nav__list">
|
||||
|
||||
<li class="md-nav__item">
|
||||
@@ -1313,8 +1313,8 @@
|
||||
</li>
|
||||
|
||||
<li class="md-nav__item">
|
||||
<a href="#application-gatewaysalg" class="md-nav__link">
|
||||
Application Gateways(ALG)
|
||||
<a href="#application-gateways-alg" class="md-nav__link">
|
||||
Application Gateways (ALG)
|
||||
</a>
|
||||
|
||||
</li>
|
||||
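Review bot: the anchor changes from `#application-gatewaysalg` to `#application-gateways-alg`, which breaks any existing bookmark or external link to the old fragment; confirm that the heading's `id` in the page body (outside this hunk) was regenerated to the same value, and weigh whether the rename is worth the broken links.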
@@ -1362,14 +1362,14 @@
|
||||
|
||||
<li class="md-nav__item">
|
||||
<a href="#wireshark" class="md-nav__link">
|
||||
WireShark
|
||||
Wireshark
|
||||
</a>
|
||||
|
||||
</li>
|
||||
|
||||
<li class="md-nav__item">
|
||||
<a href="#dumpcap" class="md-nav__link">
|
||||
DumpCap
|
||||
Dumpcap
|
||||
</a>
|
||||
|
||||
</li>
|
||||
@@ -1383,14 +1383,14 @@
|
||||
|
||||
<li class="md-nav__item">
|
||||
<a href="#netsniff-ng" class="md-nav__link">
|
||||
NetSniff-NG
|
||||
netsniff-ng
|
||||
</a>
|
||||
|
||||
</li>
|
||||
|
||||
<li class="md-nav__item">
|
||||
<a href="#netflow" class="md-nav__link">
|
||||
Netflow
|
||||
NetFlow
|
||||
</a>
|
||||
|
||||
</li>
|
||||
@@ -2370,10 +2370,10 @@
|
||||
|
||||
<li class="md-nav__item">
|
||||
<a href="#network-perimeter-security" class="md-nav__link">
|
||||
Network Perimeter Security
|
||||
Network Perimeter Security
|
||||
</a>
|
||||
|
||||
<nav class="md-nav" aria-label="Network Perimeter Security">
|
||||
<nav class="md-nav" aria-label="Network Perimeter Security">
|
||||
<ul class="md-nav__list">
|
||||
|
||||
<li class="md-nav__item">
|
||||
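Review bot: this hunk and the three that follow (-2398, -2447, -2468) repeat, line for line, the nav edits already made in the -1285, -1313, -1362 and -1383 hunks, because the generated page carries two copies of the table of contents; both copies match here, but this duplication is a sign the built HTML is being committed rather than regenerated, so future heading edits must be mirrored in both places or the two menus will drift apart.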
@@ -2398,8 +2398,8 @@
|
||||
</li>
|
||||
|
||||
<li class="md-nav__item">
|
||||
<a href="#application-gatewaysalg" class="md-nav__link">
|
||||
Application Gateways(ALG)
|
||||
<a href="#application-gateways-alg" class="md-nav__link">
|
||||
Application Gateways (ALG)
|
||||
</a>
|
||||
|
||||
</li>
|
||||
@@ -2447,14 +2447,14 @@
|
||||
|
||||
<li class="md-nav__item">
|
||||
<a href="#wireshark" class="md-nav__link">
|
||||
WireShark
|
||||
Wireshark
|
||||
</a>
|
||||
|
||||
</li>
|
||||
|
||||
<li class="md-nav__item">
|
||||
<a href="#dumpcap" class="md-nav__link">
|
||||
DumpCap
|
||||
Dumpcap
|
||||
</a>
|
||||
|
||||
</li>
|
||||
@@ -2468,14 +2468,14 @@
|
||||
|
||||
<li class="md-nav__item">
|
||||
<a href="#netsniff-ng" class="md-nav__link">
|
||||
NetSniff-NG
|
||||
netsniff-ng
|
||||
</a>
|
||||
|
||||
</li>
|
||||
|
||||
<li class="md-nav__item">
|
||||
<a href="#netflow" class="md-nav__link">
|
||||
Netflow
|
||||
NetFlow
|
||||
</a>
|
||||
|
||||
</li>
|
||||
@@ -2567,7 +2567,7 @@
|
||||
<li>
|
||||
<p>The OSI model is a seven-layer architecture. The OSI architecture is similar to the TCP/IP architecture, except that the OSI model specifies two additional layers between the application layer and the transport layer in the TCP/IP architecture. These two layers are the presentation layer and the session layer. Figure 5.1 shows the relationship between the TCP/IP layers and the OSI layers. The application layer in TCP/IP corresponds to the application layer and the presentation layer in OSI. The transport layer in TCP/IP corresponds to the session layer and the transport layer in OSI. The remaining three layers in the TCP/IP architecture are one-to-one correspondent to the remaining three layers in the OSI model.</p>
|
||||
<p><img alt="image14" src="../images/image14.png" />
|
||||
Correspondence between layers of the TCP/IP architecture and the OSI model. Also shown are placements of cryptographic algorithms in network layers, where the dotted arrows indicate actual communications of cryptographic algorithms</p>
|
||||
Correspondence between layers of the TCP/IP architecture and the OSI model. Also shown are placements of cryptographic algorithms in network layers, where the <em>dotted arrows</em> indicate actual communications of cryptographic algorithms</p>
|
||||
</li>
|
||||
</ul>
|
||||
<p>The functionalities of OSI layers are briefly described as follows:</p>
|
||||
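Review bot: the `<em>dotted arrows</em>` change is fine, but the sentence "Figure 5.1 shows the relationship between the TCP/IP layers and the OSI layers" still carries a figure number from the source book that does not exist on this page (the image below it has only an unnumbered caption); suggest "The figure below shows" so the reference resolves for the reader.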
@@ -2577,7 +2577,7 @@ Correspondence between layers of the TCP/IP architecture and the OSI model. Also
|
||||
<li>The session layer is responsible for creating, managing, and closing a communication connection.</li>
|
||||
<li>The transport layer is responsible for providing reliable connections, such as packet sequencing, traffic control, and congestion control.</li>
|
||||
<li>The network layer is responsible for routing device-independent data packets from the current hop to the next hop.</li>
|
||||
<li>The data-link layer is responsible for encapsulating device-independent data packets into device-dependent data frames. It has two sublayers: logical link control and media access control.</li>
|
||||
<li>The data-link layer is responsible for encapsulating device-independent data packets into device-dependent data frames. It has two sublayers: logical link control (LLC) and media access control (MAC).</li>
|
||||
<li>
|
||||
<p>The physical layer is responsible for transmitting device-dependent frames through some physical media.</p>
|
||||
</li>
|
||||
@@ -2615,13 +2615,13 @@ Correspondence between layers of the TCP/IP architecture and the OSI model. Also
|
||||
<h3 id="pgp-smime-email-security">PGP & S/MIME : Email Security</h3>
|
||||
<ul>
|
||||
<li>There are several security protocols at the application layer. The most used of these protocols are email security protocols namely PGP and S/MIME.</li>
|
||||
<li>SMTP (“Simple Mail Transfer Protocol”) is used for sending and delivering from a client to a server via port 25: it’s the outgoing server. On the contrary, POP (“Post Office Protocol”) allows the users to pick up the message and download it into their inbox: it’s the incoming server. The latest version of the Post Office Protocol is named POP3, and it’s been used since 1996; it uses port 110</li>
|
||||
<li>SMTP (“Simple Mail Transfer Protocol”) is used for sending and delivering from a client to a server via port 25: it’s the outgoing server. On the contrary, POP (“Post Office Protocol”) allows the users to pick up the message and download it into their inbox: it’s the incoming server. The latest version of the Post Office Protocol is named POP3, and it’s been used since 1996; it uses port 110.</li>
|
||||
</ul>
|
||||
<p>PGP</p>
|
||||
<ul>
|
||||
<li>PGP implements all major cryptographic algorithms, the ZIP compression algorithm, and the Base64 encoding algorithm.</li>
|
||||
<li>It can be used to authenticate a message, encrypt a message, or both. PGP follows the following general process: authentication, ZIP compression, encryption, and Base64 encoding.</li>
|
||||
<li>The Base64 encoding procedure makes the message ready for SMTP transmission</li>
|
||||
<li>The Base64 encoding procedure makes the message ready for SMTP transmission.</li>
|
||||
</ul>
|
||||
<p>GPG (GnuPG)</p>
|
||||
<ul>
|
||||
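Review bot: the POP3 item now ends with "it uses port 110." but, unlike the IMAP item in the next hunk ("TCP port 143 (only for non-encrypted)"), it gives no qualifier, so a reader may take 110 as the port for TLS-protected POP3 as well; suggest adding the same "(only for non-encrypted)" wording for consistency. Also, the heading reads "PGP & S/MIME : Email Security" with a space before the colon; "PGP & S/MIME: Email Security" matches the other headings.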
@@ -2632,27 +2632,29 @@ Correspondence between layers of the TCP/IP architecture and the OSI model. Also
|
||||
</ul>
|
||||
<p>S/MIME</p>
|
||||
<ul>
|
||||
<li>SMTP can only handle 7-bit ASCII text (You can use UTF-8 extensions to alleviate these limitations, ) messages. While POP can handle other content types besides 7-bit ASCII, POP may, under a common default setting, download all the messages stored in the mail server to the user's local computer. After that, if POP removes these messages from the mail server. This makes it difficult for the users to read their messages from multiple computers.</li>
|
||||
<li>SMTP can only handle 7-bit ASCII text messages (You can use UTF-8 extensions to alleviate these limitations.) While POP can handle other content types besides 7-bit ASCII, POP may, under a common default setting, download all the messages stored in the mail server to the user's local computer. After that, if POP removes these messages from the mail server. This makes it difficult for the users to read their messages from multiple computers.</li>
|
||||
<li>The Multipurpose Internet Mail Extension protocol (MIME) was designed to support sending and receiving email messages in various formats, including nontext files generated by word processors, graphics files, sound files, and video clips. Moreover, MIME allows a single message to include mixed types of data in any combination of these formats.</li>
|
||||
<li>The Internet Mail Access Protocol (IMAP), operated on TCP port 143(only for non-encrypted), stores (Configurable on both server & client just like PoP) incoming email messages in the mail server until the user deletes them deliberately. This allows the users to access their mailbox from multiple machines and download messages to a local machine without deleting it from the mailbox in the mail server.</li>
|
||||
<li>The Internet Mail Access Protocol (IMAP), operated on TCP port 143 (only for non-encrypted), stores (Configurable on both server & client just like PoP) incoming email messages in the mail server until the user deletes them deliberately. This allows the users to access their mailbox from multiple machines and download messages to a local machine without deleting it from the mailbox in the mail server.</li>
|
||||
</ul>
|
||||
<p>SSL/TLS</p>
|
||||
<ul>
|
||||
<li>SSL uses a PKI to decide if a server’s public key is trustworthy by requiring servers to use a security certificate signed by a trusted CA.</li>
|
||||
<li>When Netscape Navigator 1.0 was released, it trusted a single CA operated by the RSA Data Security corporation.</li>
|
||||
<li>The server’s public RSA keys were used to be stored in the security certificate, which can then be used by the browser to establish a secure communication channel. The security certificates we use today still rely on the same standard (named X.509) that Netscape Navigator 1.0 used back then.</li>
|
||||
<li>Netscape intended to train users(though this didn’t work out later) to differentiate secure communications from insecure ones, so they put a lock icon next to the address bar. When the lock is open, the communication is insecure. A closed lock means communication has been secured with SSL, which required the server to provide a signed certificate. You’re obviously familiar with this icon as it’s been in every browser ever since. The engineers at Netscape truly created a standard for secure internet communications.</li>
|
||||
<li>Netscape intended to train users (though this didn’t work out later) to differentiate secure communications from insecure ones, so they put a lock icon next to the address bar. When the lock is open, the communication is insecure. A closed lock means communication has been secured with SSL, which required the server to provide a signed certificate. You’re obviously familiar with this icon as it’s been in every browser ever since. The engineers at Netscape truly created a standard for secure Internet communications.</li>
|
||||
<li>
|
||||
<p>A year after releasing SSL 2.0, Netscape fixed several security issues and released SSL 3.0, a protocol that, albeit being officially deprecated since June 2015, remains in use in certain parts of the world more than 20 years after its introduction. To standardize SSL, the Internet Engineering Task Force (IETF) created a slightly modified SSL 3.0 and, in 1999, unveiled it as Transport Layer Security (TLS) 1.0. The name change between SSL and TLS continues to confuse people today. Officially, TLS is the new SSL, but in practice, people use SSL and TLS interchangeably to talk about any version of the protocol.</p>
|
||||
</li>
|
||||
<li>
|
||||
<p>Must See:</p>
|
||||
</li>
|
||||
<ul>
|
||||
<li><a href="https://tls.ulfheim.net/">https://tls.ulfheim.net/</a></li>
|
||||
<li><a href="https://davidwong.fr/tls13/">https://davidwong.fr/tls13/</a></li>
|
||||
</ul>
|
||||
<h2 id="network-perimeter-security">Network Perimeter Security</h2>
|
||||
<p>Let us see how we keep a check on the perimeter i.e the edges, the first layer of protection</p>
|
||||
</li>
|
||||
</ul>
|
||||
<h2 id="network-perimeter-security">Network Perimeter Security</h2>
|
||||
<p>Let us see how we keep a check on the perimeter, i.e the edges, the first layer of protection.</p>
|
||||
<h3 id="general-firewall-framework">General Firewall Framework</h3>
|
||||
<ul>
|
||||
<li>Firewalls are needed because encryption algorithms cannot effectively stop malicious packets from getting into an edge network.</li>
|
||||
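Review bot: the edited SMTP/POP line still contains the sentence fragment "After that, if POP removes these messages from the mail server." (the "if" has no consequence clause); suggest "After that, POP removes these messages from the mail server, which makes it difficult ...". In the IMAP line, "PoP" should be "POP" to match the rest of the section, and the new parenthesis "(You can use UTF-8 extensions to alleviate these limitations.)" now ends the sentence inside the brackets; move the full stop after the closing bracket. The "S/MIME" list never actually describes S/MIME itself (it covers MIME, POP and IMAP), so a one-line bullet on what S/MIME adds would make the heading accurate. The move of the "Network Perimeter Security" `<h2>` out of the SSL/TLS `<li>` is correct and fixes the broken list nesting.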
@@ -2664,9 +2666,11 @@ Correspondence between layers of the TCP/IP architecture and the OSI model. Also
|
||||
<h3 id="packet-filters">Packet Filters</h3>
|
||||
<ul>
|
||||
<li>It inspects ingress packets coming to an internal network from outside and inspects egress packets going outside from an internal network</li>
|
||||
<li>Packing filtering only inspects IP headers and TCP headers, not the payloads generated at the application layer</li>
|
||||
<li>Packet-filtering only inspects IP headers and TCP headers, not the payloads generated at the application layer.</li>
|
||||
<li>A packet-filtering firewall uses a set of rules to determine whether a packet should be allowed or denied to pass through.</li>
|
||||
<li>2 types:</li>
|
||||
<li>
|
||||
<p>2 types:</p>
|
||||
<ul>
|
||||
<li>
|
||||
<p>Stateless</p>
|
||||
<ul>
|
||||
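Review bot: the period added to the "Packet-filtering only inspects ..." line leaves the first bullet, "It inspects ingress packets coming to an internal network from outside and inspects egress packets going outside from an internal network", without one, and that bullet also opens with "It" before the subject (the packet filter) has been named; suggest "A packet filter inspects ingress packets ... from an internal network." The "2 types:" bullet becoming a nested list is the right structural fix.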
@@ -2680,20 +2684,24 @@ Correspondence between layers of the TCP/IP architecture and the OSI model. Also
|
||||
</ul>
|
||||
</li>
|
||||
</ul>
|
||||
</li>
|
||||
</ul>
|
||||
<h3 id="circuit-gateways">Circuit Gateways</h3>
|
||||
<ul>
|
||||
<li>Circuit gateways, also referred to as circuit-level gateways, are typically operated at the transportation layer</li>
|
||||
<li>Circuit gateways, also referred to as circuit-level gateways, are typically operated at the transportation layer.</li>
|
||||
<li>They evaluate the information of the IP addresses and the port numbers contained in TCP (or UDP) headers and use it to determine whether to allow or to disallow an internal host and an external host to establish a connection.</li>
|
||||
<li>It is common practice to combine packet filters and circuit gateways to form a dynamic packet filter (DPF).</li>
|
||||
</ul>
|
||||
<h3 id="application-gatewaysalg">Application Gateways(ALG)</h3>
|
||||
<h3 id="application-gateways-alg">Application Gateways (ALG)</h3>
|
||||
<ul>
|
||||
<li>Aka PROXY Servers</li>
|
||||
<li>An Application Level Gateway (ALG) acts as a proxy for internal hosts, processing service requests from external clients.</li>
|
||||
<li>An ALG performs deep inspections on each IP packet (ingress or egress).</li>
|
||||
<li>In particular, an ALG inspects application program formats contained in the packet (e.g., MIME format or SQL format) and examines whether its payload is permitted.</li>
|
||||
<li>In particular, an ALG inspects application program formats contained in the packet (e.g., MIME format or SQL format) and examines whether its payload is permitted.<ul>
|
||||
<li>Thus, an ALG may be able to detect a computer virus contained in the payload. Because an ALG inspects packet payloads, it may be able to detect malicious code and quarantine suspicious packets, in addition to blocking packets with suspicious IP addresses and TCP ports. On the other hand, an ALG also incurs substantial computation and space overheads.</li>
|
||||
</ul>
|
||||
</li>
|
||||
</ul>
|
||||
<h3 id="trusted-systems-bastion-hosts">Trusted Systems & Bastion Hosts</h3>
|
||||
<ul>
|
||||
<li>A Trusted Operating System (TOS) is an operating system that meets a particular set of security requirements. Whether an operating system can be trusted or not depends on several elements. For example, for an operating system on a particular computer to be certified trusted, one needs to validate that, among other things, the following four requirements are satisfied:</li>
|
||||
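Review bot: the circuit-gateway line gains a period but keeps "transportation layer"; the OSI/TCP/IP layer is called the transport layer everywhere else on the page, so use that. In the ALG list, "Aka PROXY Servers" should be "Also known as proxy servers." to match the style of the surrounding bullets, and the `<h3 id="application-gateways-alg">` rename here must stay in sync with the two nav copies edited in the -1313 and -2398 hunks (it does in this commit).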
@@ -2705,85 +2713,103 @@ Correspondence between layers of the TCP/IP architecture and the OSI model. Also
|
||||
</li>
|
||||
<li>
|
||||
<p>Bastion Hosts</p>
|
||||
</li>
|
||||
<ul>
|
||||
<li>Bastion hosts are computers with strong defence mechanisms. They often serve as host computers for implementing application gateways, circuit gateways, and other types of firewalls. A bastion host is operated on a trusted operating system that must not contain unnecessary functionalities or programs. This measure helps to reduce error probabilities and makes it easier to conduct security checks. Only those network application programs that are necessary, for example, SSH, DNS, SMTP, and authentication programs, are installed on a bastion host.</li>
|
||||
<li>Bastion hosts are also primarily used as controlled ingress points so that the security monitoring can focus more narrowly on actions happening at a single point closely.</li>
|
||||
</ul>
|
||||
</li>
|
||||
</ul>
|
||||
<hr />
|
||||
<h2 id="common-techniques-scannings-packet-capturing">Common Techniques & Scannings, Packet Capturing</h2>
|
||||
<h3 id="scanning-ports-with-nmap">Scanning Ports with Nmap</h3>
|
||||
<ul>
|
||||
<li>Nmap ("Network Mapper") is a free and open-source (license) utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.</li>
|
||||
<li>The best thing about Nmap is it’s free and open-source and is very flexible and versatile</li>
|
||||
<li>The best thing about Nmap is it’s free and open-source and is very flexible and versatile.</li>
|
||||
<li>Nmap is often used to determine alive hosts in a network, open ports on those hosts, services running on those open ports, and version identification of that service on that port.</li>
|
||||
<li>More at http://scanme.nmap.org/</li>
|
||||
<li>More at <a href="http://scanme.nmap.org/">http://scanme.nmap.org/</a>.</li>
|
||||
</ul>
|
||||
<pre><code>nmap [scan type] [options] [target specification]
|
||||
</code></pre>
|
||||
<p>Nmap uses 6 different port states:</p>
|
||||
<ul>
|
||||
<li><strong>Open</strong> — An open port is one that is actively accepting TCP, UDP or SCTP connections. Open ports are what interests us the most because they are the ones that are vulnerable to attacks. Open ports also show the available services on a network.</li>
|
||||
<li><strong>Closed</strong> — A port that receives and responds to Nmap probe packets but there is no application listening on that port. Useful for identifying that the host exists and for OS detection.</li>
|
||||
<li><strong>Filtered</strong> — Nmap can’t determine whether the port is open because packet filtering prevents its probes from reaching the port. Filtering could come from firewalls or router rules. Often little information is given from filtered ports during scans as the filters can drop the probes without responding or respond with useless error messages e.g. destination unreachable.</li>
|
||||
<li><strong>Unfiltered</strong> — Port is accessible but Nmap doesn’t know if it is open or closed. Only used in ACK scan which is used to map firewall rulesets. Other scan types can be used to identify whether the port is open.</li>
|
||||
<li><strong>Open/filtered</strong> — Nmap is unable to determine between open and filtered. This happens when an open port gives no response. No response could mean that the probe was dropped by a packet filter or any response is blocked.</li>
|
||||
<li><strong>Closed/filtered</strong> — Nmap is unable to determine whether a port is closed or filtered. Only used in the IP ID idle scan.</li>
|
||||
<li><strong>Open</strong>—An open port is one that is actively accepting TCP, UDP or SCTP connections. Open ports are what interests us the most because they are the ones that are vulnerable to attacks. Open ports also show the available services on a network.</li>
|
||||
<li><strong>Closed</strong>—A port that receives and responds to Nmap probe packets but there is no application listening on that port. Useful for identifying that the host exists and for OS detection.</li>
|
||||
<li><strong>Filtered</strong>—Nmap can’t determine whether the port is open because packet filtering prevents its probes from reaching the port. Filtering could come from firewalls or router rules. Often little information is given from filtered ports during scans as the filters can drop the probes without responding or respond with useless error messages, e.g. destination unreachable.</li>
|
||||
<li><strong>Unfiltered</strong>—Port is accessible but Nmap doesn’t know if it is open or closed. Only used in ACK scan which is used to map firewall rulesets. Other scan types can be used to identify whether the port is open.</li>
|
||||
<li><strong>Open/filtered</strong>—Nmap is unable to determine between open and filtered. This happens when an open port gives no response. No response could mean that the probe was dropped by a packet filter or any response is blocked.</li>
|
||||
<li><strong>Closed/filtered</strong>—Nmap is unable to determine whether a port is closed or filtered. Only used in the IP ID idle scan.</li>
|
||||
</ul>
|
||||
<h3 id="types-of-nmap-scan">Types of Nmap Scan:</h3>
|
||||
<ol>
|
||||
<li>TCP Connect</li>
|
||||
<li>TCP Connect scan completes the 3-way handshake.</li>
|
||||
<li>TCP Connect<ul>
|
||||
<li>TCP Connect scan completes the three-way handshake.</li>
|
||||
<li>If a port is open, the operating system completes the TCP three-way handshake and the port scanner immediately closes the connection to avoid DOS. This is “noisy” because the services can log the sender IP address and might trigger Intrusion Detection Systems.</li>
|
||||
<li>UDP Scan</li>
|
||||
<li>This scan checks to see if any UDP ports are listening.</li>
|
||||
</ul>
|
||||
</li>
|
||||
<li>
|
||||
<p>Since UDP does not respond with a positive acknowledgement like TCP and only responds to an incoming UDP packet when the port is closed,</p>
|
||||
<p>UDP Scan</p>
|
||||
<ul>
|
||||
<li>This scan checks to see if any UDP ports are listening.</li>
|
||||
<li>Since UDP does not respond with a positive acknowledgement like TCP and only responds to an incoming UDP packet when the port is closed.</li>
|
||||
</ul>
|
||||
</li>
|
||||
<li>
|
||||
<p>SYN Scan</p>
|
||||
</li>
|
||||
<ul>
|
||||
<li>SYN scan is another form of TCP scanning.</li>
|
||||
<li>This scan type is also known as “half-open scanning” because it never actually opens a full TCP connection.</li>
|
||||
<li>The port scanner generates a SYN packet. If the target port is open, it will respond with an SYN-ACK packet. The scanner host responds with an RST packet, closing the connection before the handshake is completed.</li>
|
||||
<li>If the port is closed but unfiltered, the target will instantly respond with an RST packet.</li>
|
||||
<li>
|
||||
<p>SYN scan has the advantage that the individual services never actually receive a connection.</p>
|
||||
<li>SYN scan has the advantage that the individual services never actually receive a connection.</li>
|
||||
</ul>
|
||||
</li>
|
||||
<li>
|
||||
<p>FIN Scan</p>
|
||||
</li>
|
||||
<li>
|
||||
<p>This is a stealthy scan, like the SYN scan, but sends a TCP FIN packet instead.</p>
|
||||
<ul>
|
||||
<li>This is a stealthy scan, like the SYN scan, but sends a TCP FIN packet instead.</li>
|
||||
</ul>
|
||||
</li>
|
||||
<li>
|
||||
<p>ACK Scan</p>
|
||||
<ul>
|
||||
<li>ACK scanning determines whether the port is filtered or not.</li>
|
||||
</ul>
|
||||
</li>
|
||||
<li>Ack scanning determines whether the port is filtered or not.</li>
|
||||
<li>Null Scan</li>
|
||||
<li>Another very stealthy scan that sets all the TCP header flags to off or null.</li>
|
||||
<li>NULL Scan<ul>
|
||||
<li>Another very stealthy scan that sets all the TCP header flags to off or NULL.</li>
|
||||
<li>This is not normally a valid packet and some hosts will not know what to do with this.</li>
|
||||
<li>XMAS Scan</li>
|
||||
<li>Similar to the NULL scan except for all the flags in the TCP header is set to on</li>
|
||||
<li>RPC Scan</li>
|
||||
<li>This special type of scan looks for machine answering to RPC (Remote Procedure Call) services</li>
|
||||
<li>IDLE Scan</li>
|
||||
</ul>
|
||||
</li>
|
||||
<li>XMAS Scan<ul>
|
||||
<li>Similar to the NULL scan except for all the flags in the TCP header is set to on.</li>
|
||||
</ul>
|
||||
</li>
|
||||
<li>RPC Scan<ul>
|
||||
<li>This special type of scan looks for machine answering to RPC (Remote Procedure Call) services.</li>
|
||||
</ul>
|
||||
</li>
|
||||
<li>IDLE Scan<ul>
|
||||
<li>It is a super stealthy method whereby the scan packets are bounced off an external host.</li>
|
||||
<li>You don’t need to have control over the other host but it does have to set up and meet certain requirements. You must input the IP address of our “zombie” host and what port number to use. It is one of the more controversial options in Nmap since it only has a use for malicious attacks.</li>
|
||||
</ul>
|
||||
</li>
|
||||
</ol>
|
||||
<p>Scan Techniques</p>
|
||||
<p>A couple of scan techniques which can be used to gain more information about a system and its ports. You can read more at <a href="https://medium.com/infosec-adventures/nmap-cheatsheet-a423fcdda0ca">https://medium.com/infosec-adventures/nmap-cheatsheet-a423fcdda0ca</a></p>
|
||||
<p>A couple of scan techniques which can be used to gain more information about a system and its ports. You can read more at <a href="https://medium.com/infosec-adventures/nmap-cheatsheet-a423fcdda0ca">https://medium.com/infosec-adventures/nmap-cheatsheet-a423fcdda0ca</a>.</p>
|
||||
<h3 id="openvas">OpenVAS</h3>
|
||||
<ul>
|
||||
<li>OpenVAS is a full-featured vulnerability scanner. </li>
|
||||
<li>OpenVAS is a framework of services and tools that provides a comprehensive and powerful vulnerability scanning and management package</li>
|
||||
<li>OpenVAS, which is an open-source program, began as a fork of the once-more-popular scanning program, Nessus.</li>
|
||||
<li>OpenVAS is made up of three main parts. These are:</li>
|
||||
<li>OpenVAS is made up of three main parts. These are:<ul>
|
||||
<li>a regularly updated feed of Network Vulnerability Tests (NVTs);</li>
|
||||
<li>a scanner, which runs the NVTs; and</li>
|
||||
<li>an SQLite 3 database for storing both your test configurations and the NVTs’ results and configurations.</li>
|
||||
<li><a href="https://www.greenbone.net/en/install_use_gce/">https://www.greenbone.net/en/install_use_gce/</a></li>
|
||||
</ul>
|
||||
<h3 id="wireshark">WireShark</h3>
|
||||
</li>
|
||||
</ul>
|
||||
<h3 id="wireshark">Wireshark</h3>
|
||||
<ul>
|
||||
<li>Wireshark is a protocol analyzer.</li>
|
||||
<li>This means Wireshark is designed to decode not only packet bits and bytes but also the relations between packets and protocols.</li>
|
||||
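Review bot: the UDP Scan sub-bullet now reads "Since UDP does not respond with a positive acknowledgement like TCP and only responds to an incoming UDP packet when the port is closed." which is a subordinate clause with no main clause (the original's trailing comma shows the sentence was cut off); suggest finishing the thought, e.g. "... when the port is closed, Nmap treats a lack of reply as open|filtered." In the OpenVAS list, the Greenbone link is nested under "OpenVAS is made up of three main parts", making it read as a fourth part; move it out to a top-level bullet. Smaller points in this hunk: "looks for machine answering" should be "machines answering"; "OpenVAS is a framework of services and tools that provides a comprehensive and powerful vulnerability scanning and management package" and the "OpenVAS is a full-featured vulnerability scanner. " bullet (trailing space) are unchanged context but inconsistent with the periods added elsewhere; the port-state list replaces " — " with a spaced-out "—", which is fine, but do it for the whole page or not at all; the `nmap [scan type] [options] [target specification]` `<pre>` block would benefit from a `class="language-bash"` or similar so it is highlighted like the other code blocks.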
@@ -2791,161 +2817,190 @@ Correspondence between layers of the TCP/IP architecture and the OSI model. Also
|
||||
</ul>
|
||||
<p>A simple demo of Wireshark</p>
|
||||
<ol>
|
||||
<li>Capture only udp packets:</li>
|
||||
<li>
|
||||
<p>Capture filter = “udp”</p>
|
||||
<p>Capture only UDP packets:</p>
|
||||
<ul>
|
||||
<li><code>Capture filter = “udp”</code></li>
|
||||
</ul>
|
||||
</li>
|
||||
<li>
|
||||
<p>Capture only tcp packets</p>
|
||||
<p>Capture only TCP packets:</p>
|
||||
<ul>
|
||||
<li><code>Capture filter = “tcp”</code></li>
|
||||
</ul>
|
||||
</li>
|
||||
<li>
|
||||
<p>Capture filter = “tcp”</p>
|
||||
</li>
|
||||
<li>
|
||||
<p>TCP/IP 3 way Handshake
|
||||
<p>TCP/IP three-way Handshake:<br/><br/>
|
||||
<img alt="image17" src="../images/image17.png" /></p>
|
||||
</li>
|
||||
<li>
|
||||
<p>Filter by IP address: displays all traffic from IP, be it source or destination</p>
|
||||
<ul>
|
||||
<li><code>ip.addr == 192.168.1.1</code></li>
|
||||
</ul>
|
||||
</li>
|
||||
<li>ip.addr == 192.168.1.1</li>
|
||||
<li>Filter by source address: display traffic only from IP source</li>
|
||||
<li>
|
||||
<p>ip.src == 192.168.0.1</p>
|
||||
<p>Filter by source address: display traffic only from IP source</p>
|
||||
<ul>
|
||||
<li><code>ip.src == 192.168.0.1</code></li>
|
||||
</ul>
|
||||
</li>
|
||||
<li>
|
||||
<p>Filter by destination: display traffic only form IP destination</p>
|
||||
</li>
|
||||
<li>
|
||||
<p>ip.dst == 192.168.0.1</p>
|
||||
<ul>
|
||||
<li><code>ip.dst == 192.168.0.1</code></li>
|
||||
</ul>
|
||||
</li>
|
||||
<li>
|
||||
<p>Filter by IP subnet: display traffic from subnet, be it source or destination</p>
|
||||
</li>
|
||||
<li>
|
||||
<p>ip.addr = 192.168.0.1/24 </p>
|
||||
<ul>
|
||||
<li><code>ip.addr = 192.168.0.1/24</code> </li>
|
||||
</ul>
|
||||
</li>
|
||||
<li>
|
||||
<p>Filter by protocol: filter traffic by protocol name</p>
|
||||
</li>
|
||||
<ul>
|
||||
<li>dns</li>
|
||||
<li>http</li>
|
||||
<li>ftp</li>
|
||||
<li>arp</li>
|
||||
<li>ssh</li>
|
||||
<li>telnet</li>
|
||||
<li>
|
||||
<p>icmp</p>
|
||||
<li>icmp</li>
|
||||
</ul>
|
||||
</li>
|
||||
<li>
|
||||
<p>Exclude IP address: remove traffic from and to IP address</p>
|
||||
</li>
|
||||
<li>
|
||||
<p>!ip.addr ==192.168.0.1</p>
|
||||
<ul>
|
||||
<li><code>!ip.addr ==192.168.0.1</code></li>
|
||||
</ul>
|
||||
</li>
|
||||
<li>
|
||||
<p>Display traffic between two specific subnet</p>
|
||||
<ul>
|
||||
<li>ip.addr == 192.168.0.1/24 and ip.addr == 192.168.1.1/24</li>
|
||||
<li><code>ip.addr == 192.168.0.1/24 and ip.addr == 192.168.1.1/24</code></li>
|
||||
</ul>
|
||||
</li>
|
||||
<li>
|
||||
<p>Display traffic between two specific workstations</p>
|
||||
<ul>
|
||||
<li>ip.addr == 192.168.0.1 and ip.addr == 192.168.0.2</li>
|
||||
<li><code>ip.addr == 192.168.0.1 and ip.addr == 192.168.0.2</code></li>
|
||||
</ul>
|
||||
</li>
|
||||
<li>
|
||||
<p>Filter by MAC</p>
|
||||
<ul>
|
||||
<li>eth.addr = 00:50:7f:c5:b6:78</li>
|
||||
<li><code>eth.addr = 00:50:7f:c5:b6:78</code></li>
|
||||
</ul>
|
||||
</li>
|
||||
<li>
|
||||
<p>Filter TCP port</p>
|
||||
<ul>
|
||||
<li>tcp.port == 80</li>
|
||||
<li><code>tcp.port == 80</code></li>
|
||||
</ul>
|
||||
</li>
|
||||
<li>Filter TCP port source<ul>
|
||||
<li>tcp.srcport == 80</li>
|
||||
<li>
|
||||
<p>Filter TCP port source</p>
|
||||
<ul>
|
||||
<li><code>tcp.srcport == 80</code></li>
|
||||
</ul>
|
||||
</li>
|
||||
<li>Filter TCP port destination<ul>
|
||||
<li>tcp.dstport == 80</li>
|
||||
<li>
|
||||
<p>Filter TCP port destination</p>
|
||||
<ul>
|
||||
<li><code>tcp.dstport == 80</code></li>
|
||||
</ul>
|
||||
</li>
|
||||
<li>Find user agents<ul>
|
||||
<li>http.user_agent contains Firefox</li>
|
||||
<li>!http.user_agent contains || !http.user_agent contains Chrome</li>
|
||||
<li>
|
||||
<p>Find user agents</p>
|
||||
<ul>
|
||||
<li><code>http.user_agent contains Firefox</code></li>
|
||||
<li><code>!http.user_agent contains || !http.user_agent contains Chrome</code></li>
|
||||
</ul>
|
||||
</li>
|
||||
<li>Filter broadcast traffic<ul>
|
||||
<li>!(arp or icmp or dns)</li>
|
||||
<li>
|
||||
<p>Filter broadcast traffic</p>
|
||||
<ul>
|
||||
<li><code>!(arp or icmp or dns)</code></li>
|
||||
</ul>
|
||||
</li>
|
||||
<li>
|
||||
<p>Filter IP address and port</p>
|
||||
<ul>
|
||||
<li>tcp.port == 80 && ip.addr == 192.168.0.1</li>
|
||||
<li><code>tcp.port == 80 && ip.addr == 192.168.0.1</code></li>
|
||||
</ul>
|
||||
</li>
|
||||
<li>
|
||||
<p>Filter all http get requests</p>
|
||||
<p>Filter all HTTP GET requests</p>
|
||||
<ul>
|
||||
<li>http.request</li>
|
||||
<li><code>http.request</code></li>
|
||||
</ul>
|
||||
</li>
|
||||
<li>Filter all http get requests and responses<ul>
|
||||
<li>http.request or http.response</li>
|
||||
<li>
|
||||
<p>Filter all HTTP GET requests and responses</p>
|
||||
<ul>
|
||||
<li><code>http.request or http.response</code></li>
|
||||
</ul>
|
||||
</li>
|
||||
<li>Filter three way handshake<ul>
|
||||
<li>tcp.flags.syn==1 or (tcp.seq==1 and tcp.ack==1 and tcp.len==0 and tcp.analysis.initial_rtt)</li>
|
||||
<li>
|
||||
<p>Filter three-way handshake</p>
|
||||
<ul>
|
||||
<li><code>tcp.flags.syn==1 or (tcp.seq==1 and tcp.ack==1 and tcp.len==0 and tcp.analysis.initial_rtt)</code></li>
|
||||
</ul>
|
||||
</li>
|
||||
<li>Find files by type<ul>
|
||||
<li>frame contains “(attachment|tar|exe|zip|pdf)”</li>
|
||||
<li>
|
||||
<p>Find files by type</p>
|
||||
<ul>
|
||||
<li><code>frame contains “(attachment|tar|exe|zip|pdf)”</code></li>
|
||||
</ul>
|
||||
</li>
|
||||
<li>Find traffic based on keyword<ul>
|
||||
<li>tcp contains facebook</li>
|
||||
<li>frame contains facebook</li>
|
||||
<li>
|
||||
<p>Find traffic based on keyword</p>
|
||||
<ul>
|
||||
<li><code>tcp contains facebook</code></li>
|
||||
<li><code>frame contains facebook</code></li>
|
||||
</ul>
|
||||
</li>
|
||||
<li>Detecting SYN Floods<ul>
|
||||
<li>tcp.flags.syn == 1 and tcp.flags.ack == 0</li>
|
||||
<li>
|
||||
<p>Detecting SYN Floods</p>
|
||||
<ul>
|
||||
<li><code>tcp.flags.syn == 1 and tcp.flags.ack == 0</code></li>
|
||||
</ul>
|
||||
</li>
|
||||
</ol>
|
||||
<p><strong>Wireshark Promiscuous Mode</strong>
|
||||
- By default, Wireshark only captures packets going to and from the computer where it runs. By checking the box to run Wireshark in Promiscuous Mode in the Capture Settings, you can capture most of the traffic on the LAN.</p>
|
||||
<h3 id="dumpcap">DumpCap</h3>
|
||||
<p><strong>Wireshark Promiscuous Mode</strong></p>
|
||||
<ul>
|
||||
<li>Dumpcap is a network traffic dump tool. It captures packet data from a live network and writes the packets to a file. Dumpcap’s native capture file format is pcapng, which is also the format used by Wireshark.</li>
|
||||
<li>By default, Dumpcap uses the pcap library to capture traffic from the first available network interface and writes the received raw packet data, along with the packets’ time stamps into a pcapng file. The capture filter syntax follows the rules of the pcap library.</li>
|
||||
<li>The Wireshark command-line utility called 'dumpcap.exe' can be used to capture LAN traffic over an extended period of time.</li>
|
||||
<li>Wireshark itself can also be used, but dumpcap does not significantly utilize the computer's memory while capturing for long periods.</li>
|
||||
<li>By default, Wireshark only captures packets going to and from the computer where it runs. By checking the box to run Wireshark in Promiscuous Mode in the Capture Settings, you can capture most of the traffic on the LAN.</li>
|
||||
</ul>
|
||||
<h3 id="dumpcap">Dumpcap</h3>
|
||||
<ul>
|
||||
<li>Dumpcap is a network traffic dump tool. It captures packet data from a live network and writes the packets to a file. Dumpcap’s native capture file format is <code>pcapng</code>, which is also the format used by Wireshark.</li>
|
||||
<li>By default, Dumpcap uses the <code>pcap</code> library to capture traffic from the first available network interface and writes the received raw packet data, along with the packets’ time stamps into a <code>pcapng</code> file. The capture filter syntax follows the rules of the <code>pcap</code> library.</li>
|
||||
<li>The Wireshark command-line utility called <code>dumpcap.exe</code> can be used to capture LAN traffic over an extended period of time.</li>
|
||||
<li>Wireshark itself can also be used, but Dumpcap does not significantly utilize the computer's memory while capturing for long periods.</li>
|
||||
</ul>
|
||||
<h3 id="daemonlogger">DaemonLogger</h3>
|
||||
<ul>
|
||||
<li>Daemonlogger is a packet logging application designed specifically for use in Network and Systems Management (NSM) environments.</li>
|
||||
<li>The biggest benefit Daemonlogger provides is that, like Dumpcap, it is simple to use for capturing packets. In order to begin capturing, you need only to invoke the command and specify an interface.</li>
|
||||
<li>daemonlogger –i eth1</li>
|
||||
<li>DaemonLogger is a packet logging application designed specifically for use in Network and Systems Management (NSM) environments.</li>
|
||||
<li>The biggest benefit DaemonLogger provides is that, like Dumpcap, it is simple to use for capturing packets. In order to begin capturing, you need only to invoke the command and specify an interface.<ul>
|
||||
<li><code>daemonlogger –i eth1</code></li>
|
||||
<li>This option, by default, will begin capturing packets and logging them to the current working directory.</li>
|
||||
<li>Packets will be collected until the capture file size reaches 2 GB, and then a new file will be created. This will continue indefinitely until the process is halted.</li>
|
||||
</ul>
|
||||
<h3 id="netsniff-ng">NetSniff-NG</h3>
|
||||
<ul>
|
||||
<li>Netsniff-NG is a high-performance packet capture utility</li>
|
||||
<li>While the utilities we’ve discussed to this point rely on Libpcap for capture, Netsniff-NG utilizes zero-copy mechanisms to capture packets. This is done with the intent to support full packet capture over high throughput links.</li>
|
||||
<li>To begin capturing packets with Netsniff-NG, we have to specify an input and output. In most cases, the input will be a network interface, and the output will be a file or folder on disk.</li>
|
||||
</li>
|
||||
</ul>
|
||||
<p><code>netsniff-ng –i eth1 –o data.pcap</code></p>
|
||||
<h3 id="netflow">Netflow</h3>
|
||||
<h3 id="netsniff-ng">netsniff-ng</h3>
|
||||
<ul>
|
||||
<li>netsniff-ng is a high-performance packet capture utility</li>
|
||||
<li>While the utilities we’ve discussed to this point rely on <code>libpcap</code> for capture, netsniff-ng utilizes zero-copy mechanisms to capture packets. This is done with the intent to support full packet capture over high throughput links.</li>
|
||||
<li>To begin capturing packets with netsniff-ng, we have to specify an input and output. In most cases, the input will be a network interface, and the output will be a file or folder on disk.</li>
|
||||
</ul>
|
||||
<pre><code class="language-shell">netsniff-ng –i eth1 –o data.pcap
|
||||
</code></pre>
|
||||
<h3 id="netflow">NetFlow</h3>
|
||||
<ul>
|
||||
<li>
|
||||
<p>NetFlow is a feature that was introduced on Cisco routers around 1996 that provides the ability to collect IP network traffic as it enters or exits an interface. By analyzing the data provided by NetFlow, a network administrator can determine things such as the source and destination of traffic, class of service, and the causes of congestion. A typical flow monitoring setup (using NetFlow) consists of three main components:[1]</p>
|
||||
<p>NetFlow is a feature that was introduced on Cisco routers around 1996 that provides the ability to collect IP network traffic as it enters or exits an interface. By analyzing the data provided by NetFlow, a network administrator can determine things such as the source and destination of traffic, class of service, and the causes of congestion. A typical flow monitoring setup (using NetFlow) consists of three main components:<sup>[1]</sup></p>
|
||||
</li>
|
||||
<li>
|
||||
<p>Flow exporter: aggregates packets into flows and exports flow records towards one or more flow collectors.</p>
|
||||
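Review bot: the filter and command strings in this hunk still carry typographic characters that neither Wireshark nor a shell will accept, so they fail when copied from the rendered page: `frame contains “(attachment|tar|exe|zip|pdf)”` keeps curly quotes, and `daemonlogger –i eth1` and `netsniff-ng –i eth1 –o data.pcap` use en dashes instead of `-i`/`-o`. Replace them with straight ASCII quotes and hyphens while wrapping them in `<code>`. The same file-type filter also needs `matches` rather than `contains`: `contains` is a literal byte match, so the `(a|b|c)` alternation is searched for as text and never matches; the regular-expression form is `frame matches "(attachment|tar|exe|zip|pdf)"`. Finally, the items relabelled "Filter all HTTP GET requests" use `http.request`, which matches every request method; either restrict it with `http.request.method == "GET"` or label the item "Filter all HTTP requests".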
@@ -2958,7 +3013,7 @@ Correspondence between layers of the TCP/IP architecture and the OSI model. Also
|
||||
</ul>
|
||||
<h3 id="ids">IDS</h3>
|
||||
<p>A security solution that detects security-related events in your environment but does not block them.
|
||||
IDS sensors can be software and hardware-based used to collect and analyze the network traffic. These sensors are available in two varieties, network IDS and host IDS.</p>
|
||||
IDS sensors can be software- and hardware-based used to collect and analyze the network traffic. These sensors are available in two varieties, network IDS and host IDS.</p>
|
||||
<ul>
|
||||
<li>A host IDS is a server-specific agent running on a server with a minimum of overhead to monitor the operating system.</li>
|
||||
<li>A network IDS can be embedded in a networking device, a standalone appliance, or a module monitoring the network traffic.</li>
|
||||
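Review bot: the hyphen fix at `IDS sensors can be software- and hardware-based used to collect and analyze the network traffic.` leaves the sentence ungrammatical, since `used to collect` dangles after `based`. Suggest `IDS sensors, which can be software- or hardware-based, are used to collect and analyze network traffic.`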
@@ -2966,7 +3021,7 @@ IDS sensors can be software and hardware-based used to collect and analyze the n
|
||||
<p>Signature Based IDS</p>
|
||||
<ul>
|
||||
<li>The signature-based IDS monitors the network traffic or observes the system and sends an alarm if a known malicious event is happening. </li>
|
||||
<li>It does so by comparing the data flow against a database of known attack patterns</li>
|
||||
<li>It does so by comparing the data flow against a database of known attack patterns.</li>
|
||||
<li>These signatures explicitly define what traffic or activity should be considered as malicious. </li>
|
||||
<li>Signature-based detection has been the bread and butter of network-based defensive security for over a decade, partially because it is very similar to how malicious activity is detected at the host level with antivirus utilities</li>
|
||||
<li>
|
||||
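Review bot: the terminal period added at `It does so by comparing the data flow against a database of known attack patterns.` is not applied to the sibling item ending `with antivirus utilities`, and the items ending `is happening. </li>` and `considered as malicious. </li>` keep a trailing space before `</li>`; apply the same punctuation to every item in the list and drop the trailing whitespace in one pass.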
@@ -2985,7 +3040,7 @@ IDS sensors can be software and hardware-based used to collect and analyze the n
|
||||
</ul>
|
||||
<p>Anomaly Based IDS</p>
|
||||
<ul>
|
||||
<li>The anomaly-based IDS looks for traffic that deviates from the normal, but the definition of what is a normal network traffic pattern is the tricky part</li>
|
||||
<li>The anomaly-based IDS looks for traffic that deviates from the normal, but the definition of what is a normal network traffic pattern is the tricky part.</li>
|
||||
<li>Two types of anomaly-based IDS exist: statistical and nonstatistical anomaly detection</li>
|
||||
<li>Statistical anomaly detection learns the traffic patterns interactively over a period of time.</li>
|
||||
<li>In the nonstatistical approach, the IDS has a predefined configuration of the supposedly acceptable and valid traffic patterns.</li>
|
||||
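Review bot: same inconsistency as in the signature-based list: the period is added at `the definition of what is a normal network traffic pattern is the tricky part.` but the next item, `Two types of anomaly-based IDS exist: statistical and nonstatistical anomaly detection`, is left without one. Punctuate the whole list the same way.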
@@ -3001,7 +3056,7 @@ IDS sensors can be software and hardware-based used to collect and analyze the n
|
||||
</ul>
|
||||
<p>Honeypots </p>
|
||||
<ul>
|
||||
<li>The use of decoy machines to direct intruders' attention away from the machines under protection is a major technique to preclude intrusion attacks. Any device, system, directory, or file used as a decoy to lure attackers away from important assets and to collect intrusion or abusive behaviours is referred to as a honeypot.</li>
|
||||
<li>The use of decoy machines to direct intruders' attention away from the machines under protection is a major technique to preclude intrusion attacks. Any device, system, directory, or file used as a decoy to lure attackers away from important assets and to collect intrusion or abusive behaviors is referred to as a honeypot.</li>
|
||||
<li>A honeypot may be implemented as a physical device or as an emulation system. The idea is to set up decoy machines in a LAN, or decoy directories/files in a file system and make them appear important, but with several exploitable loopholes, to lure attackers to attack these machines or directories/files, so that other machines, directories, and files can evade intruders' attentions. A decoy machine may be a host computer or a server computer. Likewise, we may also set up decoy routers or even decoy LANs.</li>
|
||||
</ul>
|
||||
<hr />
|
||||
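Review bot: `<p>Honeypots </p>` keeps a trailing space inside the paragraph that the other sub-headings in this section do not have, and `so that other machines, directories, and files can evade intruders' attentions` should read `attention`. Both are in the untouched lines of this hunk; worth fixing while the spelling of `behaviors` is being normalized here.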
@@ -3015,63 +3070,69 @@ IDS sensors can be software and hardware-based used to collect and analyze the n
|
||||
</ul>
|
||||
<p>IP Spoofing Detection Techniques</p>
|
||||
<ul>
|
||||
<li>Direct TTL Probes</li>
|
||||
<li>
|
||||
<p>In this technique we send a packet to a host of suspect spoofed IP that triggers reply and compares TTL with suspect packet; if the TTL in the reply is not the same as the packet being checked; it is a spoofed packet.</p>
|
||||
</li>
|
||||
<li>
|
||||
<p>This Technique is successful when the attacker is in a different subnet from the victim.
|
||||
<img alt="image19" src="../images/image19.png" /></p>
|
||||
<p>Direct TTL Probes</p>
|
||||
<ul>
|
||||
<li>In this technique, we send a packet to a host of suspect spoofed IP that triggers reply and compares TTL with suspect packet; if the TTL in the reply is not the same as the packet being checked; it is a spoofed packet.</li>
|
||||
<li>This Technique is successful when the attacker is in a different subnet from the victim.
|
||||
<img alt="image19" src="../images/image19.png" /></li>
|
||||
</ul>
|
||||
</li>
|
||||
<li>
|
||||
<p>IP Identification Number.</p>
|
||||
</li>
|
||||
<li>Send a probe to the host of suspect spoofed traffic that triggers a reply and compares IP ID with suspect traffic.</li>
|
||||
<li>
|
||||
<p>If IP IDs are not in the near value of packet being checked, suspect traffic is spoofed</p>
|
||||
<p>If IP IDs are not in the near value of packet being checked, suspect traffic is spoofed.</p>
|
||||
</li>
|
||||
<li>
|
||||
<p>TCP Flow Control Method</p>
|
||||
</li>
|
||||
<ul>
|
||||
<li>Attackers sending spoofed TCP packets will not receive the target’s SYN-ACK packets.</li>
|
||||
<li>Attackers cannot, therefore, be responsive to change in the congestion window size</li>
|
||||
<li>Attackers cannot, therefore, be responsive to change in the congestion window size.</li>
|
||||
<li>When the receiver still receives traffic even after a windows size is exhausted, most probably the packets are spoofed.</li>
|
||||
</ul>
|
||||
</li>
|
||||
</ul>
|
||||
<h3 id="covert-channel">Covert Channel</h3>
|
||||
<ul>
|
||||
<li>A covert or clandestine channel can be best described as a pipe or communication channel between two entities that can be exploited by a process or application transferring information in a manner that violates the system's security specifications.</li>
|
||||
<li>More specifically for TCP/IP, in some instances, covert channels are established, and data can be secretly passed between two end systems.</li>
|
||||
<li>Ex: ICMP resides at the Internet layer of the TCP/IP protocol suite and is implemented in all TCP/IP hosts. Based on the specifications of the ICMP Protocol, an ICMP Echo Request message should have an 8-byte header and a 56-byte payload. The ICMP Echo Request packet should not carry any data in the payload. However, these packets are often used to carry secret information. The ICMP packets are altered slightly to carry secret data in the payload. This makes the size of the packet larger, but no control exists in the protocol stack to defeat this behaviour. The alteration of ICMP packets allows intruders to program specialized client-server pairs. These small pieces of code export confidential information without alerting the network administrator.</li>
|
||||
<li>
|
||||
<p>More specifically for TCP/IP, in some instances, covert channels are established, and data can be secretly passed between two end systems.</p>
|
||||
<ul>
|
||||
<li>Ex: ICMP resides at the Internet layer of the TCP/IP protocol suite and is implemented in all TCP/IP hosts. Based on the specifications of the ICMP Protocol, an ICMP Echo Request message should have an 8-byte header and a 56-byte payload. The ICMP Echo Request packet should not carry any data in the payload. However, these packets are often used to carry secret information. The ICMP packets are altered slightly to carry secret data in the payload. This makes the size of the packet larger, but no control exists in the protocol stack to defeat this behavior. The alteration of ICMP packets allows intruders to program specialized client-server pairs. These small pieces of code export confidential information without alerting the network administrator.</li>
|
||||
<li>
|
||||
<p>ICMP can be leveraged for more than data exfiltration. For eg. some C&C tools such as Loki used ICMP channel to establish encrypted interactive session back in 1996.</p>
|
||||
</li>
|
||||
<li>
|
||||
<p>Deep packet inspection has since come a long way. A lot of IDS/IPS detect ICMP tunnelling.</p>
|
||||
<ul>
|
||||
<li>Check for echo responses that do not contain the same payload as request</li>
|
||||
<li>Check for the volume of ICMP traffic especially for volumes beyond an acceptable threshold</li>
|
||||
<li>Check for Echo responses that do not contain the same payload as request.</li>
|
||||
<li>Check for the volume of ICMP traffic especially for volumes beyond an acceptable threshold.</li>
|
||||
</ul>
|
||||
</li>
|
||||
</ul>
|
||||
</li>
|
||||
</ul>
|
||||
<h3 id="ip-fragmentation-attack">IP Fragmentation Attack</h3>
|
||||
<ul>
|
||||
<li>The TCP/IP protocol suite, or more specifically IP, allows the fragmentation of packets.(this is a feature & not a bug)</li>
|
||||
<li>The TCP/IP protocol suite, or more specifically IP, allows the fragmentation of packets. (this is a feature & not a bug)</li>
|
||||
<li>IP fragmentation offset is used to keep track of the different parts of a datagram.</li>
|
||||
<li>The information or content in this field is used at the destination to reassemble the datagrams</li>
|
||||
<li>The information or content in this field is used at the destination to reassemble the datagrams.</li>
|
||||
<li>
|
||||
<p>All such fragments have the same Identification field value, and the fragmentation offset indicates the position of the current fragment in the context of the original packet.</p>
|
||||
</li>
|
||||
<li>
|
||||
<p>Many access routers and firewalls do not perform packet reassembly. In normal operation, IP fragments do not overlap, but attackers can create artificially fragmented packets to mislead the routers or firewalls. Usually, these packets are small and almost impractical for end systems because of data and computational overhead.</p>
|
||||
</li>
|
||||
<li>A good example of an IP fragmentation attack is the Ping of Death attack. The Ping of Death attack sends fragments that, when reassembled at the end station, create a larger packet than the maximum permissible length.</li>
|
||||
<li>A good example of an IP fragmentation attack is the Ping of Death (PoD) attack. The Ping of Death attack sends fragments that, when reassembled at the end station, create a larger packet than the maximum permissible length.</li>
|
||||
</ul>
|
||||
<p>TCP Flags</p>
|
||||
<ul>
|
||||
<li>Data exchange using TCP does not happen until a three-way handshake has been completed. This handshake uses different flags to influence the way TCP segments are processed.</li>
|
||||
<li>There are 6 bits in the TCP header that are often called flags. Namely:</li>
|
||||
<li>
|
||||
<p>6 different flags are part of the TCP header: Urgent pointer field (URG), Acknowledgment field (ACK), Push function (PSH), Reset the connection (RST), Synchronize sequence numbers (SYN), and the sender is finished with this connection (FIN).
|
||||
<p>six different flags are part of the TCP header: Urgent pointer field (URG), Acknowledgment field (ACK), Push function (PSH), Reset the connection (RST), Synchronize sequence numbers (SYN), and the sender is finished with this connection (FIN).
|
||||
<img alt="image20" src="../images/image20.png" /></p>
|
||||
</li>
|
||||
<li>
|
||||
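Review bot: changing `6 different flags` to `six different flags` leaves the paragraph starting with a lowercase letter (`<p>six different flags are part of the TCP header`); capitalize `Six`. Several other points in this hunk: the IP-spoofing list is restructured so the TTL-probe and TCP flow-control sub-points are nested under their headings, but `IP Identification Number.` keeps its two sub-points as sibling `<li>` elements and carries a trailing period the other two headings lack, so the three techniques render inconsistently; nest them the same way. `after a windows size is exhausted` should read `window size`. In the ICMP covert-channel item, `should have an 8-byte header and a 56-byte payload` reads as a contradiction with the next sentence, `should not carry any data in the payload`; the point being made is that the Echo payload is arbitrary data the protocol never validates, so reword it that way. `tunnelling` is also left in British spelling while this same change normalizes `behaviour` to `behavior`, and `For eg.` should be `e.g.`.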
@@ -3090,8 +3151,8 @@ IDS sensors can be software and hardware-based used to collect and analyze the n
|
||||
</ul>
|
||||
<p>SYN FLOOD</p>
|
||||
<ul>
|
||||
<li>The timers (or lack of certain timers) in 3 way handshake are often used and exploited by attackers to disable services or even to enter systems.</li>
|
||||
<li>After step 2 of the three-way handshake, no limit is set on the time to wait after receiving a SYN. The attacker initiates many connection requests to the webserver of Company XYZ (almost certainly with a spoofed IP address).</li>
|
||||
<li>The timers (or lack of certain timers) in three-way handshake are often used and exploited by attackers to disable services or even to enter systems.</li>
|
||||
<li>After step 2 of the three-way handshake, no limit is set on the time-to-wait after receiving a SYN. The attacker initiates many connection requests to the webserver of Company XYZ (almost certainly with a spoofed IP address).</li>
|
||||
<li>The SYN+ACK packets (Step 2) sent by the web server back to the originating source IP address are not replied to. This leaves a TCP session half-open on the webserver. Multiple packets cause multiple TCP sessions to stay open.</li>
|
||||
<li>Based on the hardware limitations of the server, a limited number of TCP sessions can stay open, and as a result, the webserver refuses further connection establishments attempts from any host as soon as a certain limit is reached. These half-open connections need to be completed or timed out before new connections can be established.</li>
|
||||
</ul>
|
||||
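Review bot: `time-to-wait` in `no limit is set on the time-to-wait after receiving a SYN` should not be hyphenated; unlike `time-to-live` it is not a compound noun, so `time to wait` (or simply `no timeout is set`) is correct. The same list mixes `web server` and `webserver` within one item (`sent by the web server back to` vs `half-open on the webserver`); pick one spelling for the section.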
@@ -3134,7 +3195,7 @@ IDS sensors can be software and hardware-based used to collect and analyze the n
|
||||
<li>Buffer overflow vulnerabilities exist in different types. But the overall goal for all buffer overflow attacks is to take over the control of a privileged program and, if possible, the host. The attacker has two tasks to achieve this goal. First, the dirty code needs to be available in the program's code address space. Second, the privileged program should jump to that particular part of the code, which ensures that the proper parameters are loaded into memory.</li>
|
||||
<li>The first task can be achieved in two ways: by injecting the code in the right address space or by using the existing code and modifying certain parameters slightly. The second task is a little more complex because the program's control flow needs to be modified to make the program jump to the dirty code.</li>
|
||||
</ul>
|
||||
<p>CounterMeasure:</p>
|
||||
<p>Counter Measure:</p>
|
||||
<ul>
|
||||
<li>The most important approach is to have a concerted focus on writing correct code.</li>
|
||||
<li>A second method is to make the data buffers (memory locations) address space of the program code non-executable. This type of address space makes it impossible to execute code, which might be infiltrated in the program's buffers during an attack.</li>
|
||||
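Review bot: `CounterMeasure:` is changed to `Counter Measure:`, but the standard form is the single word `Countermeasure`; since the list that follows has several items, `Countermeasures:` is the right heading.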
@@ -3143,14 +3204,16 @@ IDS sensors can be software and hardware-based used to collect and analyze the n
|
||||
<p>Address Resolution Protocol Spoofing</p>
|
||||
<ul>
|
||||
<li>The Address Resolution Protocol (ARP) provides a mechanism to resolve, or map, a known IP address to a MAC sublayer address.</li>
|
||||
<li>Using ARP spoofing, the cracker can exploit this hardware address authentication mechanism by spoofing the hardware address of Host B. Basically, the attacker can convince any host or network device on the local network that the cracker's workstation is the host to be trusted. This is a common method used in a switched environment.</li>
|
||||
<li>Using ARP spoofing, the cracker can exploit this hardware address authentication mechanism by spoofing the hardware address of Host B. Basically, the attacker can convince any host or network device on the local network that the cracker's workstation is the host to be trusted. This is a common method used in a switched environment.<ul>
|
||||
<li>ARP spoofing can be prevented with the implementation of static ARP tables in all the hosts and routers of your network. Alternatively, you can implement an ARP server that responds to ARP requests on behalf of the target host.</li>
|
||||
</ul>
|
||||
</li>
|
||||
</ul>
|
||||
<p>DNS Spoofing</p>
|
||||
<ul>
|
||||
<li>DNS spoofing is the method whereby the hacker convinces the target machine that the system it wants to connect to is the machine of the cracker.</li>
|
||||
<li>The cracker modifies some records so that name entries of hosts correspond to the attacker's IP address. There have been instances in which the complete DNS server was compromised by an attack.</li>
|
||||
<li>To counter DNS spoofing, the reverse lookup detects these attacks. The reverse lookup is a mechanism to verify the IP address against a name. The IP address and name files are usually kept on different servers to make compromise much more difficult</li>
|
||||
<li>To counter DNS spoofing, the reverse lookup detects these attacks. The reverse lookup is a mechanism to verify the IP address against a name. The IP address and name files are usually kept on different servers to make compromise much more difficult.</li>
|
||||
</ul>
|
||||
|
||||
|
||||
|
||||
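Review bot: `Host B` in `spoofing the hardware address of Host B` is referenced without being introduced anywhere in this section, and `this hardware address authentication mechanism` mislabels ARP: the preceding item describes it as an IP-to-MAC mapping mechanism, and ARP replies are not authenticated at all, which is exactly why spoofing works. Suggest `Using ARP spoofing, an attacker exploits the lack of authentication in ARP by claiming the hardware address of another host on the segment`. The nested countermeasure bullet introduced under the attack item is also a different structure from the DNS Spoofing list below, where the countermeasure is a sibling item; make the two consistent. The run of empty lines at the end of the hunk suggests a file header between the two documents was lost in rendering.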
@@ -1408,7 +1408,7 @@
|
||||
|
||||
<li class="md-nav__item">
|
||||
<a href="#distributed-denial-of-service-attacks" class="md-nav__link">
|
||||
Distributed Denial of Service Attacks
|
||||
Distributed Denial-of-Service Attacks
|
||||
</a>
|
||||
|
||||
</li>
|
||||
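Review bot: the nav label is changed to `Distributed Denial-of-Service Attacks` here and again in the second nav block, but no hunk in this change touches the `<h2>` heading that the anchor `#distributed-denial-of-service-attacks` points to; confirm the heading text was updated in the same way, otherwise the table of contents and the section title diverge (the link itself still works because the `id` is unchanged).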
@@ -2529,7 +2529,7 @@
|
||||
|
||||
<li class="md-nav__item">
|
||||
<a href="#distributed-denial-of-service-attacks" class="md-nav__link">
|
||||
Distributed Denial of Service Attacks
|
||||
Distributed Denial-of-Service Attacks
|
||||
</a>
|
||||
|
||||
</li>
|
||||
@@ -2663,20 +2663,22 @@
|
||||
<li>Since DNS responses are cached, a quick response can be provided for repeated translations.
|
||||
DNS negative queries are also cached, e.g., misspelt words, and all cached data periodically times out.
|
||||
Cache poisoning is an issue in what is known as pharming. This term is used to describe a hacker’s attack in which a website’s traffic is redirected to a bogus website by forging the DNS mapping. In this case, an attacker attempts to insert a fake address record for an Internet domain into the DNS.
|
||||
If the server accepts the fake record, the cache is poisoned and subsequent requests for the address of the domain are answered with the address of a server controlled by the attacker. As long as the fake entry is cached by the server, browsers or e-mail servers will automatically go to the address provided by the compromised DNS server.
|
||||
the typical time to live (TTL) for cached entries is a couple of hours, thereby permitting ample time for numerous users to be affected by the attack.</li>
|
||||
If the server accepts the fake record, the cache is poisoned and subsequent requests for the address of the domain are answered with the address of a server controlled by the attacker. As long as the fake entry is cached by the server, browsers or e-mail servers will automatically go to the address provided by the compromised DNS server.
|
||||
The typical time-to-live (TTL) for cached entries is a couple of hours, thereby permitting ample time for numerous users to be affected by the attack.</li>
|
||||
</ul>
|
||||
<h3 id="dnssec-security-extension">DNSSEC (Security Extension)</h3>
|
||||
<ul>
|
||||
<li>The long-term solution to these DNS problems is authentication. If a resolver cannot distinguish between valid and invalid data in a response, then add source authentication to verify that the data received in response is equal to the data entered by the zone administrator</li>
|
||||
<li>The long-term solution to these DNS problems is authentication. If a resolver cannot distinguish between valid and invalid data in a response, then add source authentication to verify that the data received in response is equal to the data entered by the zone administrator.</li>
|
||||
<li>DNS Security Extensions (DNSSEC) protects against data spoofing and corruption and provides mechanisms to authenticate servers and requests, as well as mechanisms to establish authenticity and integrity.</li>
|
||||
<li>When authenticating DNS responses, each DNS zone signs its data using a private key. It is recommended that this signing be done offline and in advance. The query for a particular record returns the requested resource record set (RRset) and signature (RRSIG) of the requested resource record set. The resolver then authenticates the response using a public key, which is pre-configured or learned via a sequence of key records in the DNS hierarchy.</li>
|
||||
<li>The goals of DNSSEC are to provide authentication and integrity for DNS responses without confidentiality or DDoS protection.</li>
|
||||
</ul>
|
||||
<h3 id="bgp">BGP</h3>
|
||||
<ul>
|
||||
<li>BGP stands for border gateway protocol. It is a routing protocol that exchanges routing information among multiple Autonomous Systems (AS)</li>
|
||||
<li>BGP stands for border gateway protocol. It is a routing protocol that exchanges routing information among multiple Autonomous Systems (AS)<ul>
|
||||
<li>An Autonomous System is a collection of routers or networks with the same network policy usually under single administrative control.</li>
|
||||
</ul>
|
||||
</li>
|
||||
<li>BGP tells routers which hop to use in order to reach the destination network.</li>
|
||||
<li>BGP is used for both communicating information among routers in an AS (interior) and between multiple ASes (exterior).</li>
|
||||
</ul>
|
||||
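Review bot: at `It is a routing protocol that exchanges routing information among multiple Autonomous Systems (AS)<ul>` the sentence loses its terminal period when the nested list is attached; add it, and capitalize `border gateway protocol`, which the BGP Security section later in this change writes as `Border Gateway Protocol`. `misspelt` is also left in British spelling while the change normalizes `behaviour` to `behavior` elsewhere.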
@@ -2685,14 +2687,16 @@ the typical time to live (TTL) for cached entries is a couple of hours, thereby
|
||||
<ul>
|
||||
<li>BGP is responsible for finding a path to a destination router & the path it chooses should be the shortest and most reliable one.</li>
|
||||
<li>This decision is done through a protocol known as Link state. With the link-state protocol, each router broadcasts to all other routers in the network the state of its links and IP subnets. Each router then receives information from the other routers and constructs a complete topology view of the entire network. The next-hop routing table is based on this topology view.</li>
|
||||
<li>The link-state protocol uses a famous algorithm in the field of computer science, Dijkstra’s shortest path algorithm:</li>
|
||||
<li>The link-state protocol uses a famous algorithm in the field of computer science, Dijkstra’s shortest path algorithm:<ul>
|
||||
<li>We start from our router considering the path cost to all our direct neighbours.</li>
|
||||
<li>The shortest path is then taken</li>
|
||||
<li>We then re-look at all our neighbours that we can reach and update our link state table with the cost information. We then continue taking the shortest path until every router has been visited.</li>
|
||||
</ul>
|
||||
</li>
|
||||
</ul>
|
||||
<h2 id="bgp-vulnerabilities">BGP Vulnerabilities</h2>
|
||||
<ul>
|
||||
<li>By corrupting the BGP routing table we are able to influence the direction traffic flows on the internet! This action is known as BGP hijacking.</li>
|
||||
<li>By corrupting the BGP routing table, we are able to influence the direction traffic flows on the Internet! This action is known as BGP hijacking.</li>
|
||||
<li>Injecting bogus route advertising information into the BGP-distributed routing database by malicious sources, accidentally or routers can disrupt Internet backbone operations. </li>
|
||||
<li>Blackholing traffic:</li>
|
||||
<li>Blackhole route is a network route, i.e., routing table entry, that goes nowhere and packets matching the route prefix are dropped or ignored. Blackhole routes can only be detected by monitoring the lost traffic.</li>
|
||||
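Review bot: the content at `This decision is done through a protocol known as Link state` and `The link-state protocol uses ... Dijkstra’s shortest path algorithm` is incorrect, and this hunk only nests bullets under it: BGP is a path-vector protocol that selects routes from the AS-path attribute and local policy, not by link-state flooding and Dijkstra; those describe interior protocols such as OSPF. Recommend rewriting these items rather than reformatting them. Smaller points: `The shortest path is then taken` lacks a period; `Injecting bogus route advertising information into the BGP-distributed routing database by malicious sources, accidentally or routers can disrupt` is garbled and should be reworded, e.g. `Bogus route advertisements injected into the BGP-distributed routing database, whether maliciously or by misconfigured routers, can disrupt Internet backbone operations.`; and `Blackholing traffic:` followed by its definition as a sibling bullet should use the nested `<ul>` form this hunk applies to the Dijkstra item.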
@@ -2701,16 +2705,18 @@ the typical time to live (TTL) for cached entries is a couple of hours, thereby
|
||||
<p>Infamous BGP Injection attack on Youtube</p>
|
||||
</li>
|
||||
<li>
|
||||
<p>Ex: In 2008, Pakistan decided to block YouTube by creating a BGP route that led into a black hole. Instead, this routing information got transmitted to a hong kong ISP and from there accidentally got propagated to the rest of the world meaning millions were routed through to this black hole and therefore unable to access YouTube.</p>
|
||||
<p>Ex: In 2008, Pakistan decided to block YouTube by creating a BGP route that led into a black hole. Instead, this routing information got transmitted to a Hong Kong ISP and from there accidentally got propagated to the rest of the world meaning millions were routed through to this black hole and therefore unable to access YouTube.</p>
|
||||
</li>
|
||||
<li>Potentially, the greatest risk to BGP occurs in a denial of service attack in which a router is flooded with more packets than it can handle. Network overload and router resource exhaustion happen when the network begins carrying an excessive number of BGP messages, overloading the router control processors, memory, routing table and reducing the bandwidth available for data traffic.</li>
|
||||
<li>Potentially, the greatest risk to BGP occurs in a denial-of-service attack in which a router is flooded with more packets than it can handle. Network overload and router resource exhaustion happen when the network begins carrying an excessive number of BGP messages, overloading the router control processors, memory, routing table and reducing the bandwidth available for data traffic.</li>
|
||||
<li>Refer: <a href="https://medium.com/bugbountywriteup/bgp-the-weak-link-in-the-internet-what-is-bgp-and-how-do-hackers-exploit-it-d899a68ba5bb">https://medium.com/bugbountywriteup/bgp-the-weak-link-in-the-internet-what-is-bgp-and-how-do-hackers-exploit-it-d899a68ba5bb</a></li>
|
||||
<li>Router flapping is another type of attack. Route flapping refers to repetitive changes to the BGP routing table, often several times a minute. Withdrawing and re-advertising at a high-rate can cause a serious problem for routers since they propagate the announcements of routes. If these route flaps happen fast enough, e.g., 30 to 50 times per second, the router becomes overloaded, which eventually prevents convergence on valid routes. The potential impact for Internet users is a slowdown in message delivery, and in some cases, packets may not be delivered at all.</li>
|
||||
<li>Router flapping is another type of attack. Route flapping refers to repetitive changes to the BGP routing table, often several times a minute. Withdrawing and re-advertising at a high-rate can cause a serious problem for routers since they propagate the announcements of routes. If these route flaps happen fast enough, e.g., 30-50 times per second, the router becomes overloaded, which eventually prevents convergence on valid routes. The potential impact for Internet users is a slowdown in message delivery, and in some cases, packets may not be delivered at all.</li>
|
||||
</ul>
|
||||
<p>BGP Security</p>
|
||||
<ul>
|
||||
<li>Border Gateway Protocol Security recommends the use of BGP peer authentication since it is one of the strongest mechanisms for preventing malicious activity.</li>
|
||||
<li>Border Gateway Protocol Security recommends the use of BGP peer authentication since it is one of the strongest mechanisms for preventing malicious activity.<ul>
|
||||
<li>The authentication mechanisms are Internet Protocol Security (IPsec) or BGP MD5.</li>
|
||||
</ul>
|
||||
</li>
|
||||
<li>Another method, known as prefix limits, can be used to avoid filling router tables. In this approach, routers should be configured to disable or terminate a BGP peering session, and issue warning messages to administrators when a neighbour sends in excess of a preset number of prefixes.</li>
|
||||
<li>IETF is currently working on improving this space</li>
|
||||
</ul>
|
||||
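Review bot: the item "Router flapping is another type of attack. Route flapping refers to repetitive changes to the BGP routing table..." is edited in this hunk (30 to 50 becomes 30-50) but still names the attack two different ways in consecutive sentences; since the second sentence is the definition, use "Route flapping" in both. Two smaller points in the BGP Security block: the new nested item "The authentication mechanisms are Internet Protocol Security (IPsec) or BGP MD5." reads as if these were the only two mechanisms, so "include" would be safer than "are", and "IETF is currently working on improving this space" is now the only item in the list without a full stop after this commit adds them elsewhere.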
@@ -2719,7 +2725,7 @@ the typical time to live (TTL) for cached entries is a couple of hours, thereby
|
||||
<ul>
|
||||
<li>HTTP response splitting attack may happen where the server script embeds user data in HTTP response headers without appropriate sanitation.</li>
|
||||
<li>This typically happens when the script embeds user data in the redirection URL of a redirection response (HTTP status code 3xx), or when the script embeds user data in a cookie value or name when the response sets a cookie.</li>
|
||||
<li>HTTP response splitting attacks can be used to perform web cache poisoning and cross-site scripting attacks.</li>
|
||||
<li>HTTP response splitting attacks can be used to perform web cache poisoning and cross-site scripting (XSS) attacks.</li>
|
||||
<li>HTTP response splitting is the attacker’s ability to send a single HTTP request that forces the webserver to form an output stream, which is then interpreted by the target as two HTTP responses instead of one response.</li>
|
||||
</ul>
|
||||
<h3 id="cross-site-request-forgery-csrf-or-xsrf">Cross-Site Request Forgery (CSRF or XSRF)</h3>
|
||||
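Review bot: "without appropriate sanitation" in the first item should be "sanitization" (sanitation is the public-health word); since this hunk already touches the list to add "(XSS)", fix it in the same change. The list also defines HTTP response splitting only in its last item ("the attacker's ability to send a single HTTP request that forces the webserver to form an output stream, which is then interpreted by the target as two HTTP responses"), after two items describing what it can be used for; moving that definition to the top would make the sequence read cause, mechanism, consequence.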
@@ -2727,9 +2733,9 @@ the typical time to live (TTL) for cached entries is a couple of hours, thereby
|
||||
<li>A Cross-Site Request Forgery attack tricks the victim’s browser into issuing a command to a vulnerable web application.</li>
|
||||
<li>Vulnerability is caused by browsers automatically including user authentication data, session ID, IP address, Windows domain credentials, etc. with each request.</li>
|
||||
<li>Attackers typically use CSRF to initiate transactions such as transfer funds, login/logout user, close account, access sensitive data, and change account details.</li>
|
||||
<li>The vulnerability is caused by web browsers that automatically include credentials with each request, even for requests caused by a form, script, or image on another site. CSRF can also be dynamically constructed as part of a payload for a cross-site scripting attack</li>
|
||||
<li>The vulnerability is caused by web browsers that automatically include credentials with each request, even for requests caused by a form, script, or image on another site. CSRF can also be dynamically constructed as part of a payload for a cross-site scripting attack.</li>
|
||||
<li>All sites relying on automatic credentials are vulnerable. Popular browsers cannot prevent cross-site request forgery. Logging out of high-value sites as soon as possible can mitigate CSRF risk. It is recommended that a high-value website must require a client to manually provide authentication data in the same HTTP request used to perform any operation with security implications. Limiting the lifetime of session cookies can also reduce the chance of being used by other malicious sites.</li>
|
||||
<li>OWASP recommends website developers include a required security token in HTTP requests associated with sensitive business functions in order to mitigate CSRF attacks</li>
|
||||
<li>OWASP recommends website developers include a required security token in HTTP requests associated with sensitive business functions in order to mitigate CSRF attacks.</li>
|
||||
</ul>
|
||||
<h3 id="cross-site-scripting-xss-attacks">Cross-Site Scripting (XSS) Attacks</h3>
|
||||
<ul>
|
||||
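Review bot: two items in this list make the same point and the hunk keeps both: "Vulnerability is caused by browsers automatically including user authentication data, session ID, IP address, Windows domain credentials, etc. with each request." and "The vulnerability is caused by web browsers that automatically include credentials with each request, even for requests caused by a form, script, or image on another site." Merge them into one item (keep the second, which explains the cross-site angle, and fold the credential list from the first into it). In the item that follows, "It is recommended that a high-value website must require a client to manually provide authentication data" mixes "recommended" with "must"; "should require" reads correctly.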
@@ -2747,27 +2753,25 @@ the typical time to live (TTL) for cached entries is a couple of hours, thereby
|
||||
<li>The technique works by hiding malicious link/scripts under the cover of the content of a legitimate site.</li>
|
||||
<li>Buttons on a website actually contain invisible links, placed there by the attacker. So, an individual who clicks on an object they can visually see is actually being duped into visiting a malicious page or executing a malicious script.</li>
|
||||
<li>When mouseover is used together with clickjacking, the outcome is devastating. Facebook users have been hit by a clickjacking attack, which tricks people into “liking” a particular Facebook page, thus enabling the attack to spread since Memorial Day 2010.</li>
|
||||
<li>There is not yet effective defence against clickjacking, and disabling JavaScript is the only viable method</li>
|
||||
<li>There is not yet effective defence against clickjacking, and disabling JavaScript is the only viable method.</li>
|
||||
</ul>
|
||||
<h2 id="database-attacks-defenses">DataBase Attacks & Defenses</h2>
|
||||
<h3 id="sql-injection-attacks">SQL injection Attacks</h3>
|
||||
<ul>
|
||||
<li>It exploits improper input validation in database queries.</li>
|
||||
<li>A successful exploit will allow attackers to access, modify, or delete information in the database.</li>
|
||||
<li>It permits attackers to steal sensitive information stored within the backend databases of affected websites, which may include such things as user credentials, email addresses, personal information, and credit card numbers</li>
|
||||
<li>It permits attackers to steal sensitive information stored within the backend databases of affected websites, which may include such things as user credentials, email addresses, personal information, and credit card numbers.</li>
|
||||
</ul>
|
||||
<pre><code>SELECT USERNAME,PASSWORD from USERS where USERNAME='<username>' AND PASSWORD='<password>';
|
||||
|
||||
Here the username & password is the input provided by the user. Suppose an attacker gives the input as " OR '1'='1'" in both fields. Therefore the SQL query will look like:
|
||||
|
||||
SELECT USERNAME,PASSWORD from USERS where USERNAME='' OR '1'='1' AND PASSOWRD='' OR '1'='1';
|
||||
|
||||
This query results in a true statement & the user gets logged in. This example depicts the bost basic type of SQL injection
|
||||
<pre><code class="language-SQL">SELECT USERNAME,PASSWORD from USERS where USERNAME='<username>' AND PASSWORD='<password>';
|
||||
</code></pre>
|
||||
<p>Here, the username & password is the input provided by the user. Suppose an attacker gives the input as <code>OR '1'='1'</code> in both fields. Therefore the SQL query will look like:</p>
|
||||
<pre><code class="language-SQL">SELECT USERNAME,PASSWORD from USERS where USERNAME='' OR '1'='1' AND PASSOWRD='' OR '1'='1';
|
||||
</code></pre>
|
||||
<p>This query results in a true statement & the user gets logged in. This example depicts the most basic type of SQL injection.</p>
|
||||
<h3 id="sql-injection-attack-defenses">SQL Injection Attack Defenses</h3>
|
||||
<ul>
|
||||
<li>SQL injection can be protected by filtering the query to eliminate malicious syntax, which involves the employment of some tools in order to (a) scan the source code.</li>
|
||||
<li>In addition, the input fields should be restricted to the absolute minimum, typically anywhere from 7-12 characters, and validate any data, e.g., if a user inputs an age make sure the input is an integer with a maximum of 3 digits.</li>
|
||||
<li>In addition, the input fields should be restricted to the absolute minimum, typically anywhere from 7-12 characters, and validate any data, e.g., if a user inputs an age, make sure the input is an integer with a maximum of 3 digits.</li>
|
||||
</ul>
|
||||
<h2 id="vpn">VPN</h2>
|
||||
<p>A virtual private network (VPN) is a service that offers a secure, reliable connection over a shared public infrastructure such as the Internet. Cisco defines a VPN as an encrypted connection between private networks over a public network. To date, there are three types of VPNs:</p>
|
||||
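Review bot: the second SQL block in this hunk, "SELECT USERNAME,PASSWORD from USERS where USERNAME='' OR '1'='1' AND PASSOWRD='' OR '1'='1';", still misspells PASSWORD as PASSOWRD, and the new prose says the attacker enters "OR '1'='1'" in both fields, which cannot produce that query: substituting it into USERNAME='<username>' gives USERNAME='OR '1'='1'', not USERNAME='' OR '1'='1'. The input has to start with a single quote that closes the literal, i.e. "' OR '1'='1", so write the <code> element as that and fix the column name in the query. Further down, "in order to (a) scan the source code." in the defences list carries an "(a)" with no "(b)"; either add the remaining tool categories or drop the label.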
@@ -2780,15 +2784,15 @@ This query results in a true statement & the user gets logged in. This examp
|
||||
<p>In spite of the most aggressive steps to protect computers from attacks, attackers sometimes get through. Any event that results in a violation of any of the confidentiality, integrity, or availability (CIA) security tenets is a security breach.</p>
|
||||
<h3 id="denial-of-service-attacks">Denial of Service Attacks</h3>
|
||||
<ul>
|
||||
<li>Denial of service (DoS) attacks result in downtime or inability of a user to access a system. DoS attacks impact the availability of tenet of information systems security. A DoS attack is a coordinated attempt to deny service by occupying a computer to perform large amounts of unnecessary tasks. This excessive activity makes the system unavailable to perform legitimate operations</li>
|
||||
<li>Denial-of-service (DoS) attacks result in downtime or inability of a user to access a system. DoS attacks impact the availability of tenet of information systems security. A DoS attack is a coordinated attempt to deny service by occupying a computer to perform large amounts of unnecessary tasks. This excessive activity makes the system unavailable to perform legitimate operations</li>
|
||||
<li>Two common types of DoS attacks are as follows:</li>
|
||||
<li>Logic attacks—Logic attacks use software flaws to crash or seriously hinder the performance of remote servers. You can prevent many of these attacks by installing the latest patches to keep your software up to date.</li>
|
||||
<li>Flooding attacks—Flooding attacks overwhelm the victim computer’s CPU, memory, or network resources by sending large numbers of useless requests to the machine.</li>
|
||||
<li>Logic attacks—Logic attacks use software flaws to crash or seriously hinder the performance of remote servers. You can prevent many of these attacks by installing the latest patches to keep your software up to date.</li>
|
||||
<li>Flooding attacks—Flooding attacks overwhelm the victim computer’s CPU, memory, or network resources by sending large numbers of useless requests to the machine.</li>
|
||||
<li>Most DoS attacks target weaknesses in the overall system architecture rather than a software bug or security flaw</li>
|
||||
<li>One popular technique for launching a packet flood is a SYN flood.</li>
|
||||
<li>One of the best defences against DoS attacks is to use intrusion prevention system (IPS) software or devices to detect and stop the attack.</li>
|
||||
</ul>
|
||||
<h3 id="distributed-denial-of-service-attacks">Distributed Denial of Service Attacks</h3>
|
||||
<h3 id="distributed-denial-of-service-attacks">Distributed Denial-of-Service Attacks</h3>
|
||||
<ul>
|
||||
<li>DDoS attacks differ from regular DoS attacks in their scope. In a DDoS attack, attackers hijack hundreds or even thousands of Internet computers, planting automated attack agents on those systems. The attacker then instructs the agents to bombard the target site with forged messages. This overloads the site and blocks legitimate traffic. The key here is strength in numbers. The attacker does more damage by distributing the attack across multiple computers.</li>
|
||||
</ul>
|
||||
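Review bot: the heading "Distributed Denial-of-Service Attacks" is hyphenated in this hunk while the "Denial of Service Attacks" heading a few lines above stays unhyphenated, and the first item is only half-fixed: "Denial-of-service (DoS) attacks ... DoS attacks impact the availability of tenet of information systems security" keeps the "availability of tenet" slip (should be "the availability tenet") and still ends at "legitimate operations" without a full stop. Also, "Two common types of DoS attacks are as follows:" appears to remain a flat item with the Logic and Flooding items as its siblings; this commit nests the equivalent "Two methods of active wiretapping are as follows:" list, so nest this one the same way for consistency.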
@@ -2800,10 +2804,12 @@ This query results in a true statement & the user gets logged in. This examp
|
||||
<li>
|
||||
<p>Attackers can tap telephone lines and data communication lines. Wiretapping can be active, where the attacker makes modifications to the line. It can also be passive, where an unauthorized user simply listens to the transmission without changing the contents. Passive intrusion can include the copying of data for a subsequent active attack.</p>
|
||||
</li>
|
||||
<li>Two methods of active wiretapping are as follows:</li>
|
||||
<li>Two methods of active wiretapping are as follows:<ul>
|
||||
<li>Between-the-lines wiretapping—This type of wiretapping does not alter the messages sent by the legitimate user but inserts additional messages into the communication line when the legitimate user pauses.</li>
|
||||
<li>Piggyback-entry wiretapping—This type of wiretapping intercepts and modifies the original message by breaking the communications line and routing the message to another computer that acts as a host.</li>
|
||||
</ul>
|
||||
</li>
|
||||
</ul>
|
||||
<h3 id="backdoors">Backdoors</h3>
|
||||
<ul>
|
||||
<li>Software developers sometimes include hidden access methods, called backdoors, in their programs. Backdoors give developers or support personnel easy access to a system without having to struggle with security controls. The problem is that backdoors don’t always stay hidden. When an attacker discovers a backdoor, he or she can use it to bypass existing security controls such as passwords, encryption, and so on. Where legitimate users log on through front doors using a user ID and password, attackers use backdoors to bypass these normal access controls.</li>
|
||||
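Review bot: nesting the two wiretapping methods under "Two methods of active wiretapping are as follows:" is the right fix, but the list is now mixed: the first item wraps its text in <li><p>...</p></li> while the new parent item and its children use bare <li> text, so the rendered spacing will differ between siblings. Either wrap every item in this list in <p> or none of them.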
@@ -2812,44 +2818,56 @@ This query results in a true statement & the user gets logged in. This examp
|
||||
<h3 id="birthday-attack">Birthday Attack</h3>
|
||||
<ul>
|
||||
<li>Once an attacker compromises a hashed password file, a birthday attack is performed. A birthday attack is a type of cryptographic attack that is used to make a brute-force attack of one-way hashes easier. It is a mathematical exploit that is based on the birthday problem in probability theory.</li>
|
||||
<li>Further Reading:</li>
|
||||
<li>Further Reading:<ul>
|
||||
<li><a href="https://www.sciencedirect.com/topics/computer-science/birthday-attack">https://www.sciencedirect.com/topics/computer-science/birthday-attack</a></li>
|
||||
<li><a href="https://www.internetsecurity.tips/birthday-attack/">https://www.internetsecurity.tips/birthday-attack/</a></li>
|
||||
</ul>
|
||||
</li>
|
||||
</ul>
|
||||
<h3 id="brute-force-password-attacks">Brute-Force Password Attacks</h3>
|
||||
<ul>
|
||||
<li>In a brute-force password attack, the attacker tries different passwords on a system until one of them is successful. Usually, the attacker employs a software program to try all possible combinations of a likely password, user ID, or security code until it locates a match. This occurs rapidly and in sequence. This type of attack is called a brute-force password attack because the attacker simply hammers away at the code. There is no skill or stealth involved—just brute force that eventually breaks the code.</li>
|
||||
<li>Further Reading:</li>
|
||||
<li>In a brute-force password attack, the attacker tries different passwords on a system until one of them is successful. Usually, the attacker employs a software program to try all possible combinations of a likely password, user ID, or security code until it locates a match. This occurs rapidly and in sequence. This type of attack is called a brute-force password attack because the attacker simply hammers away at the code. There is no skill or stealth involved—just brute force that eventually breaks the code.</li>
|
||||
<li>Further Reading:<ul>
|
||||
<li><a href="https://owasp.org/www-community/attacks/Brute_force_attack">https://owasp.org/www-community/attacks/Brute_force_attack</a></li>
|
||||
<li><a href="https://owasp.org/www-community/controls/Blocking_Brute_Force_Attacks">https://owasp.org/www-community/controls/Blocking_Brute_Force_Attacks</a></li>
|
||||
</ul>
|
||||
</li>
|
||||
</ul>
|
||||
<h3 id="dictionary-password-attacks">Dictionary Password Attacks</h3>
|
||||
<ul>
|
||||
<li>A dictionary password attack is a simple attack that relies on users making poor password choices. In a dictionary password attack, a simple password-cracker program takes all the words from a dictionary file and attempts to log on by entering each dictionary entry as a password.</li>
|
||||
<li>Further Reading:
|
||||
https://capec.mitre.org/data/definitions/16.html</li>
|
||||
<li>Further Reading:<ul>
|
||||
<li><a href="https://capec.mitre.org/data/definitions/16.html">https://capec.mitre.org/data/definitions/16.html</a></li>
|
||||
</ul>
|
||||
</li>
|
||||
</ul>
|
||||
<h3 id="replay-attacks">Replay Attacks</h3>
|
||||
<ul>
|
||||
<li>Replay attacks involve capturing data packets from a network and retransmitting them to produce an unauthorized effect. The receipt of duplicate, authenticated IP packets may disrupt service or have some other undesired consequence. Systems can be broken through replay attacks when attackers reuse old messages or parts of old messages to deceive system users. This helps intruders to gain information that allows unauthorized access into a system.</li>
|
||||
<li>Further reading:
|
||||
<a href="https://study.com/academy/lesson/replay-attack-definition-examples-prevention.html">https://study.com/academy/lesson/replay-attack-definition-examples-prevention.html</a></li>
|
||||
<li>Further reading:</li>
|
||||
<li><a href="https://study.com/academy/lesson/replay-attack-definition-examples-prevention.html">https://study.com/academy/lesson/replay-attack-definition-examples-prevention.html</a></li>
|
||||
</ul>
|
||||
<h3 id="man-in-the-middle-attacks">Man-in-the-Middle Attacks</h3>
|
||||
<ul>
|
||||
<li>A man-in-the-middle attack takes advantage of the multihop process used by many types of networks. In this type of attack, an attacker intercepts messages between two parties before transferring them on to their intended destination.</li>
|
||||
<li>Web spoofing is a type of man-in-the-middle attack in which the user believes a secure session exists with a particular web server. In reality, the secure connection exists only with the attacker, not the webserver. The attacker then establishes a secure connection with the webserver, acting as an invisible go-between. The attacker passes traffic between the user and the webserver. In this way, the attacker can trick the user into supplying passwords, credit card information, and other private data.</li>
|
||||
<li>Further Reading:</li>
|
||||
<li>Further Reading:<ul>
|
||||
<li><a href="https://owasp.org/www-community/attacks/Man-in-the-middle_attack">https://owasp.org/www-community/attacks/Man-in-the-middle_attack</a></li>
|
||||
</ul>
|
||||
</li>
|
||||
</ul>
|
||||
<h3 id="masquerading">Masquerading</h3>
|
||||
<ul>
|
||||
<li>In a masquerade attack, one user or computer pretends to be another user or computer. Masquerade attacks usually include one of the other forms of active attacks, such as IP address spoofing or replaying. Attackers can capture authentication sequences and then replay them later to log on again to an application or operating system. For example, an attacker might monitor usernames and passwords sent to a weak web application. The attacker could then use the intercepted credentials to log on to the web application and impersonate the user.</li>
|
||||
<li>Further Reading: <a href="https://dl.acm.org/doi/book/10.5555/2521792">https://dl.acm.org/doi/book/10.5555/2521792</a> <a href="https://ieeexplore.ieee.org/document/1653228">https://ieeexplore.ieee.org/document/1653228</a></li>
|
||||
<li>Further Reading: <ul>
|
||||
<li><a href="https://dl.acm.org/doi/book/10.5555/2521792">https://dl.acm.org/doi/book/10.5555/2521792</a></li>
|
||||
<li><a href="https://ieeexplore.ieee.org/document/1653228">https://ieeexplore.ieee.org/document/1653228</a></li>
|
||||
</ul>
|
||||
</li>
|
||||
</ul>
|
||||
<h3 id="eavesdropping">Eavesdropping</h3>
|
||||
<ul>
|
||||
<li>Eavesdropping, or sniffing, occurs when a host sets its network interface on promiscuous mode and copies packets that pass by for later analysis. Promiscuous mode enables a network device to intercept and read each network packet(of course given some conditions) given sec, even if the packet’s address doesn’t match the network device. It is possible to attach hardware and software to monitor and analyze all packets on that segment of the transmission media without alerting any other users. Candidates for eavesdropping include satellite, wireless, mobile, and other transmission methods.</li>
|
||||
<li>Eavesdropping, or sniffing, occurs when a host sets its network interface on promiscuous mode and copies packets that pass by for later analysis. Promiscuous mode enables a network device to intercept and read each network packet (of course given some conditions) given sec, even if the packet’s address doesn’t match the network device. It is possible to attach hardware and software to monitor and analyze all packets on that segment of the transmission media without alerting any other users. Candidates for eavesdropping include satellite, wireless, mobile, and other transmission methods.</li>
|
||||
</ul>
|
||||
<h3 id="social-engineering">Social Engineering</h3>
|
||||
<ul>
|
||||
|
||||
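Review bot: the Replay Attacks entry is the one "Further Reading" block in this hunk that is not nested: the new lines "<li>Further reading:</li>" and "<li><a href="https://study.com/academy/lesson/replay-attack-definition-examples-prevention.html">...</a></li>" are two sibling items, whereas Birthday Attack, Brute-Force, Dictionary, Man-in-the-Middle and Masquerading all get "Further Reading:<ul>...</ul>". Nest it the same way and capitalise "Reading" to match. Separately, the Eavesdropping item only gains a space before "(of course given some conditions)" and keeps the stray "given sec," fragment after it, which leaves the sentence unreadable; delete "given sec," (or restore whatever it was cut from), and "on promiscuous mode" should be "in promiscuous mode".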
@@ -2329,7 +2329,7 @@
|
||||
</ul>
|
||||
<h3 id="refactoring">Refactoring</h3>
|
||||
<ul>
|
||||
<li>Refactoring is the most effective way to keep a codebase clean and simple. Even a healthy codebase occasionally needs to be</li>
|
||||
<li>Refactoring is the most effective way to keep a codebase clean and simple. Even a healthy codebase occasionally needs to be.</li>
|
||||
<li>Regardless of the reasons behind refactoring, you should always follow one golden rule: never mix refactoring and functional changes in a single commit to the code repository. Refactoring changes are typically significant and can be difficult to understand.</li>
|
||||
<li>If a commit also includes functional changes, there’s a higher risk that an author or reviewer might overlook bugs.</li>
|
||||
</ul>
|
||||
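Review bot: adding a full stop to "Even a healthy codebase occasionally needs to be." does not repair the sentence; it is cut off before its verb (presumably "refactored", given the heading), so the change should restore the missing word rather than punctuate the fragment. The third item ("If a commit also includes functional changes...") continues the thought of the second and could be joined to it, but that is optional.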
@@ -2339,11 +2339,11 @@
|
||||
</ul>
|
||||
<h3 id="fuzz-testing">Fuzz Testing</h3>
|
||||
<ul>
|
||||
<li>Fuzz testing is a technique that complements the previously mentioned testing techniques. Fuzzing involves using a fuzzing engine to generate a large number of candidate inputs that are then passed through a fuzz driver to the fuzz target. The fuzzer then analyzes how the system handles the input. Complex inputs handled by all kinds of software are popular targets for fuzzing - for example, file parsers, compression algorithms, network protocol implementation and audio codec.</li>
|
||||
<li>Fuzz testing is a technique that complements the previously mentioned testing techniques. Fuzzing involves using a fuzzing engine to generate a large number of candidate inputs that are then passed through a fuzz driver to the fuzz target. The fuzzer then analyzes how the system handles the input. Complex inputs handled by all kinds of software are popular targets for fuzzing—for example, file parsers, compression algorithms, network protocol implementation and audio codec.</li>
|
||||
</ul>
|
||||
<h3 id="integration-testing">Integration Testing</h3>
|
||||
<ul>
|
||||
<li>Integration testing moves beyond individual units and abstractions, replacing fake or stubbed-out implementations of abstractions like databases or network services with real implementations. As a result, integration tests exercise more complete code paths. Because you must initialize and configure these other dependencies, integration testing may be slower and flakier than unit testing—to execute the test, this approach incorporates real-world variables like network latency as services communicate end-to-end. As you move from testing individual low-level units of code to testing how they interact when composed together, the net result is a higher degree of confidence that the system is behaving as expected.</li>
|
||||
<li>Integration testing moves beyond individual units and abstractions, replacing fake or stubbed-out implementations of abstractions like databases or network services with real implementations. As a result, integration tests exercise more complete code paths. Because you must initialize and configure these other dependencies, integration testing may be slower and flakier than unit testing—to execute the test, this approach incorporates real-world variables like network latency as services communicate end-to-end. As you move from testing individual low-level units of code to testing how they interact when composed together, the net result is a higher degree of confidence that the system is behaving as expected.</li>
|
||||
</ul>
|
||||
<h3 id="last-but-not-the-least">Last But not the least</h3>
|
||||
<ul>
|
||||
|
||||
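Review bot: the em-dash change in the Fuzz Testing item matches the dashes already used in the Integration Testing item, but the same sentence has a number-agreement problem the hunk leaves in place: "file parsers, compression algorithms, network protocol implementation and audio codec" should be "network protocol implementations and audio codecs". The Integration Testing lines in the hunk show no visible text difference, so if that change is whitespace-only it is worth saying so in the commit message. The heading "Last But not the least" also needs consistent capitalisation and the usual phrasing ("Last but not least").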