Chapter 10 - Application Security Flashcards

1
Q

What are the main categories of software development vulnerabilities?

A

The main categories of software development vulnerabilities include buffer
overflows, race conditions, input validation attacks, authentication attacks,
authorization attacks, and cryptographic attacks

2
Q

Describe Buffer Overflows

A

Buffer overflows occur when we do not properly account for the size of the data
input into our applications. If we are taking data into an application, we
specify the amount of data we expect to receive and set aside storage for that
data. If we do not set a limit on the amount of data we take in, we may receive
1,000 characters of input where we had only allocated storage for 50 characters.

3
Q

Describe Race Conditions, give an example

A

Race conditions occur when multiple processes or multiple threads within a process
control or share access to a particular resource, and the correct handling of
that resource depends on the proper ordering or timing of transactions.
For example, if we are making a $20 withdrawal from our joint bank account via an
ATM,

4
Q

Describe Input Validation Attacks, give an example

A

If we are not careful to validate the input to our applications, we may find
ourselves on the bad side of a number of issues, depending on the particular
environment and language being used. Format string attacks are one example;
another is output that is not escaped with a function such as htmlspecialchars.

5
Q

Briefly give an example of an authentication attack, an authorization attack, and a cryptographic attack

A

Authentication: attacker cracks our password
Authorization: attacker steals our SessionID and acts as admin
Cryptographic: attacker figures out decryption key

6
Q

What is a client-side attack, give examples

A

Client-side attacks take advantage of weaknesses in the software loaded on our
clients, or are attacks that use social engineering to trick us into going along
with the attack.

Cross-site scripting (XSS), cross-site request forgery (XSRF), Clickjacking

7
Q

What is a server side attack, give some examples

A

On the server side of the Web transaction, a number of vulnerabilities may
cause us problems as well. Such threats and vulnerabilities can vary widely
depending on our operating system, Web server software, various software versions,
scripting languages, and many other factors.

SQL injection, easily accessible configuration files, and extra or unneeded files left on the server are examples of server-side attacks and vulnerabilities.

8
Q

What are some of the security issues surrounding Databases?

A

Protocol issues:

  • unauthenticated flaws in network protocols
  • authenticated flaws in network protocols
  • flaws in authentication protocols

Unauthenticated access:

  • unauthenticated access to functionality

Arbitrary code execution:

  • arbitrary execution in intrinsic SQL elements
  • arbitrary execution in securable SQL elements

Privilege escalation:

  • privilege escalation via SQL injection
  • local privilege escalation issues

9
Q

What is a sniffer?

A

Sniffers can be of great use in a variety of security situations. We can use
them at a very high level to examine all the traffic traveling over the portion
of the network to which we are attached, presuming we can get our sniffer placed
properly to see the traffic in question. We can also use such tools very
specifically in order to watch the network traffic being exchanged with a
particular application or protocol.

Wireshark is an example of a sniffing tool.

10
Q

What are Nikto and Wikto?

A

Nikto is a free and open source Web server analysis tool that performs checks
for many of the common vulnerabilities we might face in Web security (both client and server side).

11
Q

What is a fuzzer?

A

In addition to all the tools we can use to look over our software for various
known vulnerabilities, there is another category of tools we can use to find
completely unexpected problems, a process referred to as fuzz testing. The
tools we use for this technique, referred to as fuzzers, work by bombarding our
applications with all manner of data and inputs from a wide variety of sources,
in the hope that we can cause the application to fail or to perform in unexpected
ways.

12
Q

What are the main categories of software development vulnerabilities?

A

The main categories of software development vulnerabilities include:

  • buffer overflows
  • race conditions
  • input validation attacks
  • authentication attacks
  • authorization attacks
  • cryptographic attacks
