Chapter 4 - The web - user side

Question 1

man-in-the-browser

Answer 1

Code inserted into the browser can read, copy, and redistribute anything the user enters in a browser.

Question 2

keystroke logger (or key logger)

Answer 2

either hardware or software that records all keystrokes

entered.

Question 3

Page-in-the-middle attack

Answer 3

type of browser attack in which a user is redirected

to another page.

Question 4

download substitution

Answer 4

the attacker presents a page with a desirable and seemingly innocuous program for the user to download, What the user does not know is that instead
of or in addition to the intended program, the attacker downloads and installs malicious code.

Question 5

CAPTCHA

an acronym for Completely Automated Public Turing test to tell Computers and Humans Apart

Answer 5

puzzle that supposedly only a human can solve, so a server application can distinguish between a human who makes a request and an automated program
generating the same request repeatedly.

Question 6

phishing

Answer 6

an unsuspecting user submits sensitive information

to a malicious system impersonating a trustworthy one.

Question 7

one-time password

Answer 7

only one use. the two end parties need to have a shared secret list of passwords.

Question 8

Out-of-band communication

Answer 8

transferring one fact along a communication path

separate from that of another fact.

Question 9

website defacement

Answer 9

occurs when an attacker replaces or modifies

the content of a legitimate web site.

Question 10

signed code

Answer 10

Users can hold downloaded code until they inspect the seal. After verifying that the seal is authentic and covers the entire code file being downloaded, users can install the code obtained.

Question 11

web bug, also called a clear GIF, 1x1 GIF, or tracking bug

Answer 11

a tiny image, as small as 1 pixel by 1 pixel (depending on resolution, screens display at least 100 to 200 pixels per inch), an image so small it will not normally be seen. Nevertheless, it is loaded and processed the same as a larger picture. Part of the processing is to
notify the owner, the advertiser, who thus learns that another user has loaded the advertising image.

Question 12

Clickjacking

Answer 12

a technique that essentially causes that prompt box to slide around so that [Yes] is always under the mouse. The attacker also makes this box transparent, so
the victim is unaware of clicking anything.

Question 13

framing, or using an iframe

Answer 13

a structure that can contain all or part of a page, can be placed and moved anywhere on another page, and can be layered on top of or underneath other frames.

Question 14

drive-by download

Answer 14

an attack in which code is downloaded, installed, and executed on a computer without the user’s permission and usually without the user’s knowledge.

Question 15

cross-site scripting

Answer 15

executable code is included in the interaction between client and server and executed by the client or server.

Question 16

persistent cross-site scripting attack.

Answer 16

the server interprets and executes the script or saves the script and returns it to other clients (who would then execute the script).

Question 17

SQL injection

Answer 17

operates by inserting code into an exchange between

a client and database server.

Question 18

server-side include.

Answer 18

The problem takes advantage of the fact that web pages can be organized to invoke a particular function
automatically.

Question 19

spam

Answer 19

fictitious or misleading email

Question 20

spear phishing

Answer 20

the bait looks especially appealing to the prey

Question 21

S/MIME (Secure Multipurpose

Internet Mail Extensions)

Answer 21

the Internet standard for secure email attachments.