Cross Site Scripting & Cross Site Request Forgery Flashcards

1
Q

What is Cross Site Scripting (XSS) and what are the 3 different types of XSS attacks?

A

Occurs when an attacker embeds malicious scripts onto a trusted website.

There are 3 types of XSS attacks:

Stored/Persistent
Reflected
DOM-Based

Note: The attacker is trying to gain elevated privileges, steal information from cookies, or steal other information from the user's browser. This is an attack on a user, not on a server.

Note: The user is generally attacked by connecting to a compromised trusted website. The user connects, the malicious code on the compromised website is downloaded and executed in the user's browser, and the attacker gains access.

2
Q

What is a Stored/Persistent XSS attack?

A

Attempts to get data provided by the attacker saved on the web server, where it is later served to the victim.

3
Q

What is a Reflected XSS attack?

A

Attempts to have a non-persistent effect activated by a victim clicking a link on the site.

4
Q

What is a DOM-Based XSS attack?

A

Attempts to exploit the victim's web browser.

Note: Often called a "client-side XSS" attack. The DOM is a part of the user's web browser.

5
Q

How do you prevent XSS attacks?

A

With output encoding and proper input validation.

6
Q

What is Cross-Site Request Forgery? (XSRF/CSRF)

A

Occurs when an attacker forces a user to execute actions on a web server to which the user is already authenticated.

Note: If you are connected/authenticated to your bank for example, the attacker sends a command to the bank via your authentication and it appears as if the command came from you.

7
Q

How do you prevent XSRF attacks?

A

Programmers should require special tokens on web pages such as CAPTCHAs, encryption, XML file scanning, and cookie verification.
