7. Web - Control Questions Flashcards

1
Q

● How does the structure of an URL look like?

A

○ Universal Resource Locator (URL)
■ http:// – scheme (browser default: http)
■ example.com – domain name
■ :80 – port (browser default: 80)
■ /dir/news – path (browser default: /)
■ ?article=1&x=3 – query string (optional)
■ #comments – fragment identifier (optional)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

● What are the basic web security problems?

A

○ Securing transactions between the browser and the server
■ authentication and communication security ( → TLS)
■ session hijacking attacks and defenses
○ Attacks targeting the client side
■ Cross Site Scripting
■ Client privacy
○ Attacks targeting the server side
■ SQL injection

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

● What is the OWASP Project?

A

○ Open Web Application Security Project (OWASP)
○ Worldwide not-for-profit charitable organization focused on improving the security of software
○ Mission is to make software security visible, so that individuals and organizations are able to make informed decisions
○ Everyone is free to participate in OWASP and all of their materials are available under a free and open software license
○ Does not endorse or recommend commercial products or services, allowing our community to remain vendor neutral with the collective wisdom of the best minds in software security worldwide

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

● What is usually the first step of an attack against a web server?

A

○ Attacker’s first step: maximizing attack surface

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

● What is the general problem in case of an injection attacks?

A

○ Injection means that where you have a data input field, instead of putting the desired data, a hacker inserts something else
■ JavaScript code, a SQL statement, something…
○ Validate you inputs!
○ Input validation must be done on the server!

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

● Show a simple SQL injection example!

A

○ Assume that the server receives an e-mail address email and a password pwd in the HTTP request, and uses them in the following dynamic SQL statement: statement := “SELECT * FROM users WHERE EmailAddr = ’” + email + “’ AND Password = ‘” + Pwd + “’;”
○ When executed, the server checks if the database returns a record or not; if so, the user is logged in
○ E.g., when email is alice@crysys.hu and pwd is foo, the following statement will be executed:
SELECT * FROM users WHERE EmailAddr = ‘alice@crysys.hu’ AND Password = ‘foo’
○ what if we supply the string ’ OR 1=1; – as the value for email? (pwd can be anything)
○ the following statement will be executed:
SELECT * FROM users WHERE EmailAddr = ‘’ OR 1=1; –’ AND Password = ‘xxx’;

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

● How does a blind SQL injection work?

A

○ A web application may be vulnerable to an SQL injection but the results of the injection are not directly visible to the attacker
○ Yet, the page may display differently depending on the results of some logical statement injected → 1 bit of information
○ A new statement must be crafted for each bit recovered à time intensive attack

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

● How could a timing attack work with SQL injections?

A

?

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

● What are the possible countermeasures against SQL injections?

A

○ Avoid dynamic SQL
■ use static SQL statement text (unless you cannot)
■ static SQL statements cannot change at run time, and hence, they are not vulnerable to SQL injection attacks
○ Filter and sanitize input
■ escaping special characters, conforming to naming conventions, …
○ Use parameterized statements
■ placeholders, bind arguments
○ Proper setting of access rights to the database
■ e.g., allow only SELECT operation, etc…

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

● What is the security boundary on the client side?

A

○ Origin = scheme + domain + port combination

○ Basic principle: origin = security boundary

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

● What is the Same Origin Policy?

A

○ A webpage can only read resources without restriction on its own origin (scheme, domain, port). Resources on other origins are subject to various access control rules.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

● What is limited by the Same Origin Policy when an XMLHttpRequest is sent?

A

?

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

● Where could Javascript code appear?

A

○ Every script from the same origin can access and modify every variable, function, object and page content
○ And remote scripts embedded with are equal with other scripts
○ XSS is a real danger

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

● What could a malicious Javascript do on the client side?

A

○ For malicious purposes, JavaScripts can do all these within the same origin:
■ Different scripts can access each other’s variables
■ Different scripts can redefine each other’s functions
■ Scripts can override native methods
■ Transmit data anywhere
■ Watch keystrokes
■ Steal cookies
■ User click is equivalent to JavaScript click

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

● What is an XSS attack?

A

○ Cross Site Scripting (XSS): when an attacker manages to run JavaScript code in the context of another origin.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

● What are the types of the XSS attacks?

A

○ Whether the attacker string is stored on the server – Where the HTML fragment is assembled
○ Persistent: Attack JS is stored by the site
○ Reflected: Attack JS passed as GET/POST parameter
○ DOM-based: The injection does not occur on the server side, HTML is created on the client side

17
Q

● What are the mitigation strategies against an XSS attack?

A

○ User data must be sanitized before inserting into HTML

○ HTTP-only Cookies

18
Q

● What is the Content Security Policy?

A

○ HTTP header
○ Specify the legit sources for resource loading
○ Report violations to a specified URL
○ By default:
■ Don’t allow inline script tags
■ Don’t allow eval()
○ Further examples:
■ Only load scripts, images and objects from certain domain
■ Specify which pages can embed this page in frames

19
Q

● What are the most common browser vulnerabilities?

A

○ Most browser vulnerabilities are memory corruption bugs
○ Stack/heap buffer overflow
■ Overwriting the return address on the stack
■ Overwriting heap control structures or browser data on the heap
○ Integer overflow
■ Negative signed integer interpreted as very large unsigned
■ After overflow: bounds checking fails → buffer overflow
○ Use after free (UAF)
■ Multiple memory management systems work together
■ Reference counting, (multiple) garbage collector
■ Interference between them: an already freed data is used
■ By the time, there’s another data there (potentially attacker controlled)

20
Q

● Why could URL spoofing be a problem?

A

○ Showing a false URL to the user

21
Q

● What is an Universal Cross Site Scripting?

A

○ Browser bug that enables
○ XSS to any domain
■ Steal any cookies on any site
■ Do actions requiring auth. on any site in name of user
○ Potentially XSS to privileged frames
■ May lead to privileged API access
■ Not trivial to execute attack since privileged pages
● usually not frameable (unless other bug)
● usually use Content Security Policy (CSP) for XSS protection

22
Q

● How is the severity of the vulnerabilities reduced in Chrome?

A

○ Exploit mitigation
■ ASLR (Address Space Layout Randomization)
● Randomizing the mapping location of key system components
■ DEP (Data Execution Prevention)
● Marking memory pages as non-executable
■ SafeSEH (Safe exception handlers)
■ Heap Corruption Detection
■ Stack Overrun Detection using canaries
○ Using an OS-level sandbox

23
Q

● How is the window of the vulnerabilities reduced in Chrome?

A

○ Warn the user before visiting malicious sites