Find out answers and explanations to the weekly Deepfactor Deep Hacks! We are drawing from the experience of our community of security and dev professionals to provide you with helpful tips and things to watch out for as you’re creating secure cloud native apps.

-
Deep Hack of the Week May 15, 2023: What is the H2C Smuggling vulnerability?
Question: What is the H2C Smuggling vulnerability?
Answer Choices:
a) A vulnerability that allows attackers to hijack an H2C connection and steal sensitive information.
b) A vulnerability that allows attackers to bypass web application firewalls by smuggling HTTP requests over H2C.
c) A vulnerability that allows attackers to perform server-side request forgery (SSRF) attacks over H2C connections.
Correct Answer: b) A vulnerability that allows attackers to bypass web application firewalls by smuggling HTTP requests over H2C.
Explanation: The H2C Smuggling vulnerability occurs when an attacker sends HTTP requests over an H2C (HTTP/2 over cleartext TCP) connection in a way that bypasses security controls such as web application firewalls. By exploiting differences in the way H2C and HTTP/1.x handle HTTP pipelining and chunked encoding, an attacker can craft a request that appears valid to the web application but is interpreted differently by the H2C connection and the firewall.
(If you haven’t seen it yet, check out the 12-minute Deepfactor demo video.)
-
Deep Hack of the Week April 24, 2023: What is the Psychic Signature vulnerability in Java?
Question: What is the Psychic Signature vulnerability in Java?
Answer Choices:
a) A vulnerability that allows an attacker to bypass security restrictions in the Java runtime environment.
b) A vulnerability that can occur when a method is invoked with an object of a different type than expected, causing an unsafe cast.
c) A vulnerability that allows an attacker to execute arbitrary code on a system through a Java applet.
Correct Answer: b) A vulnerability that can occur when a method is invoked with an object of a different type than expected, causing an unsafe cast.
Explanation: When a method takes a parameter of a specific type in Java, if the method is invoked with an object of a different type, the Java runtime may perform an unsafe cast to automatically convert the object to the expected type. This can lead to unexpected behavior and potential vulnerabilities. (If you haven’t seen it yet, check out the 12-minute Deepfactor demo video.)
-
Deep Hack of the Week April 17, 2023: What is EPSS?
Question: What is EPSS?
Answer Choices:
a) An open, data-driven framework for estimating the likelihood that a software vulnerability will be exploited in the wild.
b) A scoring system that outputs a probability of the estimated likelihood of exploitation from 0 to 1 or 0% to 100%.
c) A community-driven effort to combine descriptive information about vulnerabilities (CVEs) with evidence of actual exploitation in-the-wild.
d) All of the above.
Correct Answer: d) All of the above.
Explanation: EPSS is an open, data-driven framework for estimating the likelihood that a software vulnerability will be exploited in the wild. It is a community-driven effort to combine descriptive information about vulnerabilities (CVEs) with evidence of actual exploitation in the wild. The EPSS model produces a probability score between 0 and 1 (0% and 100%). The higher the score, the greater the probability that a vulnerability will be exploited. (If you haven’t seen it yet, check out the 12-minute Deepfactor demo video.)
-
Deep Hack of the Week April 10, 2023: Which of the following is a potential consequence of the Psychic Signature vulnerability in Java?
Question: Which of the following is a potential consequence of the Psychic Signature vulnerability in Java?
Answer Choices:
a) Arbitrary code execution
b) Cross-site scripting (XSS)
c) Directory traversal
d) SQL injection
Correct Answer: a) Arbitrary code execution
Explanation: Because the Psychic Signature vulnerability can cause an unsafe cast, an attacker may be able to provide an object of their own choosing that can be cast to a malicious class, potentially allowing for arbitrary code execution.
-
Deep Hack of the Week Mar 27, 2023: What is in a software bill of materials (SBOM) list?
Question: What is in a software bill of materials (SBOM) list?
Answer Choices:
a) All the bugs and vulnerabilities found in software.
b) All the details & supply chain relationships used in building software.
c) All the features and functionalities in a software product.
d) All the tools used in developing a software product.
Correct Answer: b) All the details & supply chain relationships used in building software.
Explanation: According to the U.S. National Institute of Standards and Technology (NIST), an SBOM is “a formal record containing the details and supply chain relationships of various components used in building software. Software developers and vendors often create products by assembling existing open source and commercial software components. The SBOM enumerates these components in a product.” Check out Deepfactor resources on SBOM, including the whitepaper SBOM Security: Top 5 Reasons to Build SBOMs Into Your Pipeline and the webinar with Cisco and VMware, Integrating SBOMs Into Your SDLC by the Biden Executive Order June Deadline.
-
Deep Hack of the Week Mar 22, 2023: When is the White House Executive Order deadline for software supply chain requirements?
Question: When is the White House Executive Order deadline for software supply chain requirements?
Answer Choices:
a) September 22, 2023
b) April 20, 2023
c) June 11, 2023
d) January 1, 2024
Correct Answer: c) June 11, 2023
Explanation: Executive Order (EO) 14028, Improving the Nation’s Cybersecurity (May 12, 2021), focuses on the security and integrity of the software supply chain and emphasizes the importance of secure software development environments. The implementing memorandum, M-22-18, sets a schedule of deliverables for federal agencies to follow. Within 90 days of the distribution of M-22-18, agencies must identify and inventory all software subject to the requirements of the memo and make a separate inventory of “critical software.” Within 270 days of the distribution of the memo (by June 11, 2023), agencies need to have collected attestation letters (i.e. evidence) for any critical software they have identified.
-
Deep Hack of the Week Mar 15, 2023: What type of vulnerability is present in the following Java code snippet, which is supposed to return a user’s own profile information?
Question: What type of vulnerability is present in the following Java code snippet? (It is supposed to return a user’s own profile information.)
import org.springframework.web.bind.annotation.*;
@RestController
public class UserController {
    private final UserService userService;
    public UserController(UserService userService) {
        this.userService = userService;
    }
    // The path id alone selects the profile; nothing ties it to the caller.
    @GetMapping("/user/{id}")
    public User getUser(@PathVariable int id) {
        return userService.getUserProfile(id);
    }
}
Answer Choices:
a) Cross-Site Scripting (XSS)
b) Cross-Site Request Forgery (CSRF)
c) Insecure Direct Object Reference (IDOR)
d) SQL Injection
Correct Answer:
c) Insecure Direct Object Reference (IDOR)
Explanation: The code snippet is a RESTful web service that retrieves user information by calling userService.getUserProfile(id) with the id parameter taken from the URL. If proper access controls are not implemented, an attacker could change the id in the URL to read information about users they should not have access to, an Insecure Direct Object Reference (IDOR), also called Broken Object Level Authorization (BOLA). The vulnerability is mitigated by enforcing object-level access controls (checking that the requested id belongs to the authenticated caller) and validating user input.
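The object-level check the explanation calls for, as an added Python example that is not part of the original quiz or of Deepfactor’s code; Principal, PROFILES and Forbidden are constructed stand-ins for the session layer and the userService store:

```python
from dataclasses import dataclass

# Constructed stand-in for the userService backing store.
PROFILES = {
    1: {"id": 1, "email": "alice@example.test"},
    2: {"id": 2, "email": "bob@example.test"},
}


@dataclass(frozen=True)
class Principal:
    """The authenticated caller, as established by the session or token layer."""
    user_id: int
    is_admin: bool = False


class Forbidden(Exception):
    """Raised when the caller may not read the requested object."""


def get_user_vulnerable(requested_id: int) -> dict:
    """Mirrors the snippet above: the path id alone selects the row."""
    return PROFILES[requested_id]


def can_read_profile(requested_id: int, caller: Principal) -> bool:
    """Object-level authorization rule: owners read their own row, admins read any."""
    return requested_id == caller.user_id or caller.is_admin


def get_user_authorized(requested_id: int, caller: Principal) -> dict:
    """Hardened endpoint: apply the rule before touching the store. Missing ids
    still raise (KeyError), but only for callers already allowed to ask."""
    if not can_read_profile(requested_id, caller):
        raise Forbidden("not allowed to read this profile")
    return PROFILES[requested_id]


def get_own_profile(caller: Principal) -> dict:
    """Alternative for a 'my profile' route: take no id from the URL at all,
    so there is no object reference for the client to tamper with."""
    return PROFILES[caller.user_id]
```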
Learn how Deepfactor developer security prioritizes your alerts here!
-
Deep Hack of the Week Mar 7, 2023: What is "SBOM"?
Question: What is “SBOM”?
Answer Choices:
a. System Build Object Model
b. Secure Bounds of Memory
c. Software Bill of Materials
d. Security-Based Override Mitigation
Correct Answer:
c. Software Bill of Materials
Explanation: A Software Bill of Materials (SBOM) is a complete, formally structured list of components, libraries, and modules that are required to build (i.e. compile and link) a given piece of software and the supply chain relationships between them. These components can be open source or proprietary, free or paid, and widely available or restricted access.
Watch and learn more about Deepfactor’s Software Bill of Materials!
Read the whitepaper “SBOM Security: Top 5 Reasons to Build SBOMs Into Your Pipeline”
-
Deep Hack of the Week Mar 1, 2023: What is a type confusion vulnerability?
Question: What is a type confusion vulnerability?
Complete the sentence: “A vulnerability that…”
a. Occurs when the wrong type of data is used in an operation
b. Occurs when an object is used after it has been freed from memory
c. Allows an attacker to steal sensitive information
d. Allows an attacker to cause a denial of service attack
Correct Answer: b. A vulnerability that occurs when an object is used after it has been freed from memory.
Explanation: A use-after-free vulnerability is a type of security vulnerability that occurs when an object is used after it has been freed from memory. This can result in unexpected behavior, such as memory corruption or arbitrary code execution. Runtime security tools can help detect use-after-free vulnerabilities by monitoring the memory management of an application and checking for any issues with object deallocation and reuse.
Learn how Deepfactor developer security prioritizes your alerts here!
-
Deep Hack of the Week Feb 22, 2023: What is a common method used by attackers to penetrate software supply chains?
Question: What is a common method used by attackers to penetrate software supply chains?
Answer Choices:
a. Social engineering
b. Brute force attacks
c. Drive-by downloads
d. Watering hole attacks
Correct Answer: d. Watering hole attacks
Explanation: A watering hole attack is a type of supply chain attack in which an adversary targets a specific website or group of websites that is frequently visited by a target group, such as employees of a particular company. By compromising these sites, the attacker can infect systems with malware or steal sensitive information when the target group visits the site. This type of attack is often used to penetrate software supply chains and target specific organizations.
Learn how Deepfactor developer security prioritizes your alerts here!
-
Deep Hack of the Week Feb 15, 2023: Which of the following vulnerabilities is demonstrated in this code snippet?
Question: Which of the following vulnerabilities is demonstrated in this code snippet?
// fileName comes straight from the submitted web form
string fileName = Request.Form["fileName"];
// concatenated into a path with no validation or canonicalization
string filePath = "C:\\files\\" + fileName;
System.IO.File.Delete(filePath);
Answer Choices:
a. XXE (XML External Entity)
b. Path Traversal
c. Loading dynamic library from uncommon path
d. Subdomain takeover
Correct Answer: b. Path Traversal
Explanation: The first line shows that the fileName variable is read from user input submitted through a web form. It is appended directly to filePath without any input validation or canonicalization, so sequences like ../../ could be used to reach a file outside the intended directory, including system files.
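A hardened counterpart to the snippet above, as an added Python example that is not part of the original quiz; resolve_inside, delete_user_file and the temporary-directory scenario are constructed for illustration:

```python
import os
import tempfile


class UnsafePath(ValueError):
    """Raised when a user-supplied name would escape the intended directory."""


def resolve_inside(base_dir: str, user_name: str) -> str:
    """Join user_name onto base_dir and prove the result stays inside base_dir.

    Refuses names with a directory component ('../x', '/etc/passwd', 'a/b'),
    the '.' and '..' entries, and symlink escapes, by comparing fully resolved
    paths rather than string prefixes ('/files' would wrongly accept '/files2').
    """
    if not user_name or user_name in (".", "..") or user_name != os.path.basename(user_name):
        raise UnsafePath(user_name)
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_name))
    if os.path.commonpath([base, candidate]) != base:
        raise UnsafePath(user_name)
    return candidate


def delete_user_file(base_dir: str, user_name: str) -> bool:
    """Hardened counterpart of the snippet: delete only a regular file inside
    base_dir. Returns True if a file was removed, False if none existed."""
    target = resolve_inside(base_dir, user_name)
    if not os.path.isfile(target):
        return False
    os.remove(target)
    return True


def demo() -> dict:
    """Constructed scenario: one legitimate file plus typical escape attempts."""
    with tempfile.TemporaryDirectory() as files:
        open(os.path.join(files, "report.txt"), "w").close()
        results = {}
        for name in ("report.txt", "../../etc/passwd", "/etc/passwd", "sub/x.txt", "..", ""):
            try:
                results[name] = delete_user_file(files, name)
            except UnsafePath:
                results[name] = "rejected"
        return results
```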
Learn how Deepfactor developer security prioritizes your alerts here!
-
Deep Hack of the Week Feb 6, 2023: Which of the following is NOT a best practice for securing the supply chain?
Question: Which of the following is NOT a best practice for securing the supply chain?
Answer: Using only open source software components
Explanation: Not all open source software components are secure. There have been several instances recently where an attacker took over as a maintainer of a well-known open source library and updated it with malicious code. Watch and learn how Deepfactor breaks down your runtime alerts in this example highlighting a suspicious outbound connection.
-
Deep Hack of the Week Jan 30, 2023: Which of the following is NOT a common vulnerability in backend software?
Question: Which of the following is NOT a common vulnerability in backend software?
Answer: Cross-Site Scripting
Explanation: Cross-Site Scripting is a common frontend exploit. To learn more about runtime security alerts watch this quick clip!
-
Deep Hack of the Week Jan 23, 2023: True or False—If you use open source libraries with a known CVE, you are 100% vulnerable to attacks.
Question: True or False—If you use open source libraries with a known CVE, you are 100% vulnerable to attacks.
Answer: False
If you use an open source library with a known CVE, there is a likelihood that you are vulnerable to attacks, but it isn’t 100% certain. It is possible that your code never calls the vulnerable function or method, in which case your software is not vulnerable to that attack. Traditional security tools like SAST or DAST do not provide runtime visibility into program behavior to give you full context about the exploitability of the vulnerability within your application. Modern tools like Deepfactor identify runtime risks, finding vulnerabilities in dev and test that are missed by static scanning. Watch this quick clip!
-
Deep Hack of the Week Jan 16, 2023: What percentage of a software code repository is usually third-party libraries?
Question: What percentage of a software code repository is usually third-party libraries?
Answer: Greater than 40%
Most developers do not realize the number of direct and indirect third-party dependencies that get pulled into their code repositories when they import a small number of dependencies. In fact, Node.js, one of the most notorious frameworks for having transitive dependencies, has libraries that pull in more than 1000 of them. See how Deepfactor Developer Security can help. Watch this quick clip!
-
Deep Hack of the Week Jan 9, 2023: Find the security flaw in the following code snippet.
Question: Find the security flaw in the following code snippet:
from flask import Flask, request   # 'request' was missing from the original import
import requests

app = Flask(__name__)
headers = {}  # assumed: the snippet referenced 'headers' without defining it

@app.route("/", methods=['GET', 'POST'])
def home():
    if request.method == 'POST':
        URL = request.form.get('url')               # destination chosen by the client
        r = requests.get(url=URL, headers=headers)  # fetched server-side with no validation
        body = r.text
        header = r.headers
        return body
    return "Submit a URL"
Answer: SSRF
This program starts with an import of Flask, which indicates that the snippet uses the Python Flask framework and is backend code. If you look closely, you will notice that the URL parameter comes from the client side (an HTTP form) and is used directly in requests.get, which allows an attacker to induce a connection to an internal resource.
Background / Context: Server-side request forgery (also known as SSRF) is a web security vulnerability that allows an attacker to induce the server-side application to make requests to an unintended location. In a typical SSRF attack, the attacker might cause the server to make a connection to internal-only services within the organization’s infrastructure. In other cases, they may be able to force the server to connect to arbitrary external systems, potentially leaking sensitive data such as authorization credentials. See how Deepfactor Developer Security can help. Watch this quick clip!
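A validation step that would have to run before the requests.get call in the snippet above, as an added Python example that is not from the original quiz; ALLOWED_HOSTS, ALLOWED_SCHEMES and the UnsafeURL exception are assumptions made for this illustration:

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist: the only hosts this fetch feature is meant to reach.
ALLOWED_HOSTS = {"api.partner.example", "cdn.example"}
ALLOWED_SCHEMES = {"http", "https"}

class UnsafeURL(ValueError):
    """Raised when a client-supplied URL must not be fetched by the server."""

def _is_internal_address(host: str) -> bool:
    """True if host is an IP literal in loopback, private, link-local (where
    cloud metadata endpoints live), multicast, reserved or unspecified space."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname, not a literal; the allowlist decides below
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def validate_outbound_url(raw: str) -> str:
    """Return raw unchanged if it is safe to hand to requests.get, else raise.
    Checks: parseable, allowed scheme, no embedded credentials (the
    'trusted-host@attacker-host' trick), host present, not an internal IP
    literal, host on the allowlist."""
    try:
        parts = urlsplit(raw)
    except ValueError as exc:
        raise UnsafeURL(f"unparseable URL: {exc}") from exc
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise UnsafeURL(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise UnsafeURL("credentials embedded in URL")
    host = (parts.hostname or "").lower()
    if not host:
        raise UnsafeURL("missing host")
    if _is_internal_address(host):
        raise UnsafeURL(f"internal address: {host}")
    if host not in ALLOWED_HOSTS:
        raise UnsafeURL(f"host not on allowlist: {host}")
    return raw

def is_safe_outbound_url(raw: str) -> bool:
    """Boolean wrapper for callers that prefer a check to an exception."""
    try:
        validate_outbound_url(raw)
        return True
    except UnsafeURL:
        return False
```

The allowlist is the primary control; an allowed hostname that resolves to an internal address at request time (DNS rebinding) and HTTP redirects into internal space still need handling, for example by resolving and pinning the address and calling requests.get with allow_redirects=False.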
-
Deep Hack of the Week Jan 2, 2023: How can an attacker steal your credentials?
Question: How can an attacker steal credentials directly from your own application without having a victim browse to a phishing site?
Answer: If your application has a Cross-Site Scripting (XSS) flaw, it is possible for the attacker to run JavaScript within your application’s webpage. Using this capability, an attacker can create a legitimate-looking login form within your own web application. See how Deepfactor Developer Security can help. Watch this quick clip!