Application Security

Question 1

What are five typical attack surfaces in modern browsers?

Answer 1

1. JavaScript execution
2. The Document Object Model (DOM)
3. XMLHttpRequests (AJAX)
4. Web Sockets
5. Multimedia ( tags, etc.)

6.858, 8. Web Security Model

Question 2

Why is an example of a parsing context attack in a browser?

Answer 2

When executing JavaScript, if code uses input from an untrusteed source that gets stored in a string, for example

var x = “untrusted”

One example of an attack would for the untrusted user input to include a quotation mark, meaning the JavaScript parser will prematurely terminate the string, causing a parsing context switch to the JS execution environment, meaning the user can inject code by inserting statements following the string, e.g.

”; alert(‘got you’)

6.858, 8. Web Security Model

Question 3

How does composition in modern systems lead to an increase in attack surface for modern web systems?

Answer 3

As modern, complex systems utilise a number of different languages and technologies, data travels through many different contexts, each with their own potential attack vectors and individual security concerns. This means that more area exists for exploits at various layers in the system (e.g. SQL, JavaScript, CSS, HTML, .NET all in the same application)

6.858, 8. Web Security Model

Question 4

What are five key concerns that have increased in importance in modern web security?

Answer 4

1. Composition: Multiple languages and frameworks form one app
2. Incoherence: Complex/inconsistent specifications for standards like HTML, JPEG, etc. leading to difference in actual browser behaviour versus expected
3. Same-Origin Policy: Content from typical commercial websites comes from a multitude of sources, each with their own scripts, dependencies and attack surfaces and potential interactions
4. DNS Rebinding: Impersonating a victim’s domain to execute code with the same-origin authority as the victim’s origin
5. Clickjacking: Attacks targeting the way frames are rendered in a certain browser context

6.858, 8. Web Security Model

Question 5

What is the same-origin policy in browser security?

Answer 5

In essence, the goal of the same-origin policy is that content from different websites should not be able to tamper with content from other websites, unless there is an explicitly-defined reason content from these two websites can interact.

Each resource is assigned an origin, and by default, resources can only access resources from that same origin.

6.858, 8. Web Security Model

Question 6

What is the general definition of an origin when referring to the same-origin policy in browsers?

Answer 6

Scheme + Host + Port

e. g. http://foo.com:1234 or https://foo.com
6. 858, 8. Web Security Model

Question 7

What are some typical resources associated with an origin in a browser?

Answer 7

1. Cookies
2. DOM storage (browser key-value store)
3. JavaScript namespace (isolates functions, objects, etc.)
4. Document Object Model (DOM) tree
5. Visual display area on the page

6.858, 8. Web Security Model

Question 8

What are the four main ideas behind the same-origin policy

Answer 8

1. Each origin has its own set of resources
2. Each frame in a page has its own origin (e.g. like Unix process)
3. Scripts execute within the authority of the origin
4. Passive content has no authority

6.858, 8. Web Security Model

Question 9

What is a MIME sniffing attack?

Answer 9

• As the same-origin policy determines that passive content, such as an image, has no authority
• Browsers can be lax with security around passive content, so an attacker could inject HTML into something it misattributes as an image by changing special bytes in the file header that the browser uses to interpret the MIME type of a file
• This can lead to things that are really scripts being considered images, leading to coercion into something it outputs to the page
  6. 858, 8. Web Security Model

Question 10

How does a browser handle the origin of the window object in the DOM?

Answer 10

The window is a top level element in the DOM below the document itself, and the window inherits one of two origins:

1. The origin of the of the document
2. A suffix of the origin of the document, e.g the window for ads.facebook.com can be set to facebook.com using the document.domain DOM property, but not account.facebook.com or google.com

6.858, 8. Web Security Model

Question 11

What is one method in which two frames can communicate messages across origins in a browser context?

Answer 11

The window.postMessage() function in JavaScript can be used to pass values between origins, provided both origins opt into communicating via this method.

Question 12

When can two frames in a browser context interact?

Answer 12

1. Both frames explicitly set the document.domain property to the same value
2. Neither of the two frames explicitly set the document.domain property, but the windows inherit the same origin from the browser URL

6.858, 8. Web Security Model

Question 13

What is an example of a frame origin policy exploit that could lead to an attack within a domain and how does the same-origin policy combat it?

Answer 13

A compromised subdomain, e.g. ads.facebook.com that is the origin of a frame within facebook.com could try setting its own document.domain property to facebook.com, thus allowing it to interfere with the context of facebook.com.

The same-origin policy prevents this if facebook.com does not set its own document.domain property explicitly. If only the frame sets the property and facebook.com’s window object does not explicitly set it and inherits its origin from the browser context, then the same origin-policy prevents these two frames from communicating.

6.858, 8. Web Security Model

Question 14

Where do DOM nodes obtain their origin?

Answer 14

DOM nodes inherit the origin from the frame within which they exist.

6.858, 8. Web Security Model

Question 15

What are three elements of a cookie with respect to the same-origin policy?

Answer 15

1. The domain, which can be a suffix of the window’s origin
2. A path, which is a suffix of the hostname, e.g. / or /abc
3. A secure flag, to distinguish https cookies that should not be accessible by http content

If a cookie is set at a path /, this indicates all pages should be able to access it, whereas the server setting the path at /abc would mean only /abc or /abc/* are able to access that cookie.

6.858, 8. Web Security Model

Question 16

What are two methods in which a cookie can be set?

Answer 16

1. JavaScript can set cookies using the document.cookie property
2. The server can set cookies using the HTTP Cookie response header

6.858, 8. Web Security Model

Question 17

How are XHR calls isolated within a certain context by a same-origin policy?

Answer 17

An XHR request originating from an origin set by the containing window or frame can only target a URI within that same origin, unless the destination server implements Cross-Origin Resource Sharing (CORS) [using the Access-Control-Allow-Origin response header]

6.858, 8. Web Security Model

Question 18

How are access to images and CSS from other origins protected in a same-origin policy?

Answer 18

Frames can embed passive content from any origin, but they cannot directly inspect the data within the resources that are embedded from another origin.

[Note: this protection does not work effectively as malicious code can infer details about these objects as black boxes]

6.858, 8. Web Security Model

Question 19

How does the single-origin policy handle JavaScript from remote origins, and what is the fundamental flaw with this approach?

Answer 19

JavaScript embedded from remote sources can be executed by a frame, but the embedding frame cannot directly access the source code contained within the script.

However, as functions are first-class objects in JavaScript, malicious code can simply call toString() on any function object and retrieve its source code. That, and you can just request resource like that directly.

6.858, 8. Web Security Model

Question 20

What is an example of a Cross-Site Request Forgery (CSRF) attack?

Answer 20

Say a bank, bank.com, has a cookie for authenticated user data that it sends along with every request. A malicious frame embedded on bank.com can set its origin to bank.com, hence make XHRs to the bank’s server within the same browser context, so the authenticated user cookie will be sent along with these malicious requests, thus authenticating the attacker as the victim.

6.858, 8. Web Security Model

Question 21

What is the most common way to mitigate CSRF attacks?

Answer 21

Generate a random token on the server side and append that to the form as a hidden field or as an additional parameter that must be sent along with the URI, so in order for an attacker to impersonate a user, they must be able to predict what this random value will be in order to send a valid request. This element of randomness can prevent an attacker from spoofing requests easily.

6.858, 8. Web Security Model

Question 22

What is a DNS rebinding attack?

Answer 22

The basic sequence is as follows:

1. An attacker establishes a temporary domain, say attacker.com
2. A user requests the attacker.com address through something e.g. phishing email
3. On the first request to attacker.com, the attacker’s DNS config responds with a pointer to the attacker’s real IP address with a short TTL to send code to the client
4. On a subsequent request to that address, the attacker’s DNS refreshes, but this time responds with a record pointing to a victim’s website, victim.com
5. All subsequent calls made from attacker.com will actually be sent by the browser to victim.com’s server, thus circumventing the victim’s same-origin authority

6.858, 8. Web Security Model

Question 23

What is the most common method of circumventing DNS rebinding attacks?

Answer 23

Use HTTPS, as requests made on behalf of an attacker’s server would not be decipherable by the responding server, unless the attacker has the private key of the victim’s TLS certificate and can spoof secure requests, which is a much bigger problem in general.

An alternative is to use DNS pinning, where the browser holds a DNS record’s resolved IP for longer than the TTL of the DNS record as reported by an attacker’s maliciously-configured DNS.

6.858, 8. Web Security Model

Question 24

What is a click-jacking attack?

Answer 24

By exploiting the way frames embedded from other origins are positioned within a malicious parent frame, and by obfuscating the appearance of this child frame (e.g. making it invisible in CSS and positioning it precisely where a button on the attacker’s site will be, clicking the button on the attacker’s site actually results in a button press within the child frame’s context.

6.858, 8. Web Security Model

Question 25

What are two common methods for implementing protections against click-jacking attacks?

Answer 25

1. Frame-busting code, where the victim child frame executes JS that validates whether the current frame is in fact the top frame in the browser window. If the victim’s page determines that it is a child frame, it can refuse to provide a valid response that can be rendered in the attacker’s parent frame.
2. Sending the X-Frame-Options (or the newer CORS frame-options header) to stipulate how and where a site can be embedded as a frame.
3. 858, 8. Web Security Model

Question 26

How does a cross-site scripting attack work?

Answer 26

1. If a server side component takes form input or query parameter input directly, a malicious user can inject code that intends to run on a target site like a user’s browser
2. By sending a link with injected code, the user unwittingly executes the code by visiting the link
3. By using custom code via an XSS vector, the user executes unauthorised code on behalf of the attacker, for example to steal a cookie that belonged to that user

Question 27

What is one way in which a browser will prevent an XSS attack and why is this method not alone enough to prevent them?

Answer 27

1. Modern browsers use heuristics to determine whether code has been injected using an input or query parameter and will make attempts to negate the attack, e.g. by tampering with parameters, stripping HTML tags or corrupting the data.
2. The problem with this approach is that there are many methods to deceive these heuristic parsers and bypass the protections they provide, so they should not be trusted alone.

Question 28

What is one mechanism a server can use to protect cookies from XSS attacks and what attacks does not prevent?

Answer 28

1. By setting a HTTP only flag on cookies that are set in the server’s response headers, certain cookies can be flagged to only get sent over HTTP requests, but cannot be modified by client-site code.
2. It doesn’t prevent CSRF attacks because the cookie will still be sent to the server, so executing malicious code that utilises the cookie value as-is will work.

Question 29

What is one method of server-side input sanitation that is more effective than simply trying to strip malicious inputs out of submitted values?

Answer 29

Use a less expressive language or a restricted subset of one to define the grammar of marking up a comment, which gets translated to HTML server side, as it is easier to control the behaviour of a well-defined, more restrictive grammar.

Question 30

How can separation of concerns be used in web application design to prevent cross-site scripting attacks, and why is this approach generally insufficient alone?

Answer 30

1. By hosting code that primarily deals with user-submitted content on a separate origin to code that implements important business logic, if user-submitted content is compromised, then the breach is isolated to that sepatate origin.
2. For complex web applications, it is likely that these supposedly separate environments will share common dependencies and the main site is indirectly exposed to attack.

Question 31

What is a header a browser can send that will prevent a browser from inadvertently triggering a MIME-sniffing attack?

Answer 31

The X-Content-Type-Options HTTP response header can be set to a value ‘nosniff’ to indicate that the browser should not automatically attempt to determine the MIME type of media from its type signature bytes.

Question 32

What is a response header a browser can send to ensure that scripts and static content come from a trusted list of sources?

Answer 32

The Content-Security-Policy is a blanket header for restricting the sources of content (in general or for specific content types), and also for preventing common JavaScript execution vectors like eval() to prevent dynamic code generation.

Question 33

What is one method of implementing authentication with a cookie without having to use a stateful session cookie?

Answer 33

By using a stateless authentication token like a JWT, the authorisation details of the token have all of the user’s privileges in them, rather than an ID pointing back to the server-side store. As long as both the client and the server have the encryption key (which can be dynamically generated), then both the client and the server can decrypt that cookie and use its data.

Question 34

What is one method of storing client-side data that is ostensibly more secure than using a cookie and what is its main tradeoff?

Answer 34

1. Using local storage instead of cookies has more consistent behaviour in terms of the same-origin policy as it is strictly tied to one origin.
2. Its main drawback is that unlike cookies, local storage key-value pairs are not sent along with every request, so client-side code must specifically inject it into a request for that data to be sent to the server.

Question 35

What is an example of a covert-channel attack?

Answer 35

A cache-based attack can be used to determine which sites a user has visited by trying to request resources from those sites (e.g. CSS from the site) and time how long it takes. if it comes back quickly, it is likely to come from a

Question 36

What are the steps involved in a challenge-response protocol in user authentication?

Answer 36

1. The user sends their user identifier to the server, but not their password
2. The server, in response, generates a unique challenge token that is sent in the response to the user
3. The user client concatenates the challenge with their password and hashes the result, then sends that to the server
4. The server then uses its known, unique challenge key and its hash of the user password to recompute the same hash as was sent from the client, authenticating the user

Question 37

What is an anti-hammering defence?

Answer 37

Two examples include:

1. Rate limiting the number of passwords accepted per given period
2. Using account lockout after a certain number of failed attempts

Question 38

What is a limitation of enforcing constraints on passwords, such as requiring punctuation, numbers or uppercase letters?

Answer 38

With knowledge of these constraints, attackers can leverage certain biases that occur in the distribution of passwords in passwords forced to meet those constraints (e.g. putting punctuation at the beginning or the end), reducing password entropy overall.

Question 39

What is offline guessing in the context of determining user passwords?

Answer 39

If an attacker requests a resource with known or predetermined content that is encrypted by the server with a user’s password and sent back to the attacker’s client without first validating the source of the request, the attacker can attempt to reverse-engineer the key by using the expected decrypted response and guesses of the user’s password to reconstruct the encrypted response and determine which password was used to encrypt the server’s response.

Question 40

What are two common reasons that password-based authentication schemes are typically easily broken.

Answer 40

1. Users tend to choose predictable passwords with low entropy, even when forced to choose more complex passwords
2. Security questions tend to have very low entropy (small set of questions, small set of answers), and can generally be socially engineered or researched

Question 41

What are three key metrics for comparing user authentication schemes?

Answer 41

1. Usability: Can users adopt this scheme with little difficulty, use it correctly across services, and recover access if they have lost it?
2. Deployability: Is this scheme workable with current server and client standards and is it accessible to users with disabilities?
3. Security: How good this scheme at resisting compromise by attackers?

Question 42

What are some key factors when assessing the security of a password scheme?

Answer 42

1. How resistant the scheme is to observing someone authenticating that scheme (i.e. not passwords)
2. How resistant the scheme is the attacker knowing or impersonating the target
3. Resistance to brute-force attack with and without brute-force rate-limiting defences
4. How resistant the scheme is to sniffing (keylogging, traffic interception) and phishing attacks
5. Whether the system depends on a trusted third party whose compromise results in the whole scheme being compromised

Question 43

What are the steps in a buffer overflow attack?

Answer 43

1. A C-based program has a reference to some buffer, e.g. an array, that is stored on the stack
2. C does not bounds check writes to memory, so if a buffer takes user input, the user can overrun the bounds of the buffer with a large input
3. As the return address is stored just above the stack space allocated for a program, an overflow from the stack can result in the return address being overwritten
4. As a result, the user can redirect to arbitrary code in memory with the privileges of the program it hijacked

Question 44

Why are buffer overflow attacks so important in backend systems security?

Answer 44

Most servers, databases and runtimes are written in C, so buffer overflow attacks can originate from application code, so it is important in the design of our code.

Question 45

What is the best approach to find sources of buffer overflows in a system?

Answer 45

Input fuzzing, whereby you test code by randomising inputs and testing expected versus actual behaviour. Static code analysis can detect typical programming patterns that lead to bugs

Question 46

What are the principals of a Unix system?

Answer 46

The user (uid) and group (gid) are the principal objects in Unix system.

Question 47

What types of objects would you typically try to protect in a Unix system?

Answer 47

1. Files/directories
2. Devices/networking
3. Other processes
4. Values in memory
5. File/process/device descriptors

Question 48

How are the permissions for a file represented in Unix?

Answer 48

In the file’s inode, the following information is stored

1. The uid of the file owner
2. The gid of the group of the owner
3. The permissions bits (r, w and x) for the following categories:
   
   • Owner
   • Group
   • Other (i.e. not the owner, not in the owner’s group)

Question 49

Under what circumstances can a user change the permissions of a file in a Unix system?

Answer 49

the user who is technically the owner of the file (that is, the uid stored in that file’s inode) is allowed to change the permissions of that file and nobody else (except root).

Question 50

How is access to a directory controlled in a Unix system?

Answer 50

Execute permissions must be set on the directory for either a uid or gid. The uid or any user in the specified gid will then be able to enumerate/resolve paths within that directory.

Question 51

In a Unix systems, which ports are privileged to listen on and which processes can listen on these ports?

Answer 51

Ports 1 through 1024 are privileged and only processes belonging to uid 0 (i.e. root) can listen on these ports.