What Web browser-based security vulnerability got exploited by the hacker?

While doing online banking in a Web browser, Kyle receives an email containing a well-crafted image. Upon clicking the image, a new tab opens in the browser and shows an animated GIF of bills and coins being swallowed by a crocodile. Several days later, Kyle notices that all the funds in his bank account are gone. Which Web browser-based security vulnerability did the hacker exploit?
A. Clickjacking
B. Web Form Input Validation
C. Cross-Site Request Forgery
D. Cross-Site Scripting

EC-Council Certified Ethical Hacker v11


8 thoughts on “What Web browser-based security vulnerability got exploited by the hacker?”

  1. I guess it should be A, because the user clicked the email, which opened a new page in the browser. If he had not opened the email, the fraud would not have occurred. CSRF will actually decode your session ID and use it to commit fraud. We can say that it is a mix of clickjacking and CSRF, but it is more clickjacking, as the fraud occurred because of a user action.

  2. Cross-site request forgery (also known as CSRF) is a web security vulnerability that allows an attacker to induce users to perform actions that they do not intend to perform. It allows an attacker to partly circumvent the same-origin policy, which is designed to prevent different websites from interfering with each other.
    https://portswigger.net/web-security/csrf

  3. D. Cross-Site Scripting
    Using a cross-site scripting attack, the attacker can capture the victim’s session ID for his bank account if the victim is logged in to a page (as the statement says) vulnerable to XSS and clicks a link inside it where the XSS vulnerability is exploited (as the statement says). When this action is performed, the victim is redirected to another page controlled by the attacker (the “new tab on the web browser opens and shows an animated GIF of bills and coins being swallowed by a crocodile” of the statement).
    You can do this with this script:
    Then the attacker looks for the session ID cached in his web server’s “access.log”, logs in to the online banking service using the victim’s session ID (even “several days later”, as the statement says) and extracts ALL the funds (as the statement says once again).

  4. D. Cross-Site Scripting

    This is a tricky question, because an attacker could use 3 of 4 options to perform this fraud. It’s necessary to read the statement very well.

    You could easily say that the correct answer is a CSRF attack because it is the easiest one, but if an attacker used this technique the result would be instantaneous, not “after several days” as the statement says, and the attacker can’t extract all the funds (as the statement also says), because the CSRF attack is based on a static form previously filled in by the attacker and validated by the victim’s credentials as if they were his own; it also needs to be repeated by the victim over and over again until the funds are gone (the statement says he just hit the link once), and then some money could survive the attack, like the cents.
    https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)

    To perform this fraud through a clickjacking attack, the attacker needs to infect the victim’s browser using a JavaScript exploit if there is an exploitable vulnerability in his browser (there is no evidence in the statement that this happens), then perform code execution (if it is possible, once again), capture the credentials or the session ID of the victim’s account after a successful remote takeover, and then commit the fraud. But the statement says that the victim only did the banking once, so this option is not possible.

    Web Form Input Validation is not an attack technique; it is an “option” that you can use while creating a web page to ensure users are entering the correct data, with real-time validation. Here is an example:
    https://developer.mozilla.org/es/docs/Learn/HTML/Forms/Validacion_formulario_datos

    Finally, using a cross-site scripting attack, the attacker can capture the victim’s session ID for his bank account if the victim is logged in to a page (as the statement says) vulnerable to XSS and clicks a link inside it where the XSS vulnerability is exploited (as the statement says). When this action is performed, the victim is redirected to another page controlled by the attacker (the “new tab on the web browser opens and shows an animated GIF of bills and coins being swallowed by a crocodile” of the statement).
    Then the attacker looks for the session ID cached in his web server’s “access.log”, logs in to the online banking service using the victim’s session ID (even “several days later”, as the statement says) and extracts ALL the funds (as the statement says once again).

  5. This is classical CSRF. The attacker exploited the trust that the victim had with their bank website to carry out the malicious action.

  6. I would have considered this to be a phishing attempt; however, since it's not an option and the online banking seems to have triggered the email being sent to him, I choose “clickjacking.”

    According to the OWASP definition, “Clickjacking, also known as a “UI redress attack”, is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the top level page.”

    I have to assume that the online banking webpage that Kyle thought he was logging into was not the actual bank.

    1. Due to the fact that Kyle was browsing the online bank website when he got an e-mail, there is reason to believe that an attacker exploited an XSS vulnerability that allowed the attacker to get Kyle’s e-mail address. The attacker sent an e-mail to Kyle that had a link that executed an unauthorized command transmitted by the user from a trusted web application. CSRF was performed that transferred or withdrew Kyle’s funds from his bank account without his full awareness, since an attacker creates such a command not currently existing in the web application.
