CS 253 Web Security Youtube Pt2 Flashcards

1
Q

What is the purpose of UI Denial-of-service attacks?

A
  1. You override the browser defaults - This is done to make it harder to escape from the site.
  2. You implement scareware - Threats of a virus or similar are used to make the user buy a product or to trap them on the page.
  3. Trolling
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

How many levels are the web APIs divided in when we talk about the level of restrictions they have?

A

Level 0, 1, 2 and 3

3
Q

What are the restrictions for Level 0 web APIs?

A

No restrictions. APIs can be used immediately and indiscriminately.

4
Q

What are some examples of web APIs with Level 0?

A

DOM, CSS,
window.move()
file download
hide mouse cursor

5
Q

What are the restrictions for Level 1 web APIs?

A

User interaction is required.

API cannot be used unless it is in response to a user's action, like a click or a keypress.
Scrolling, for example, does not count.

6
Q

What are some examples of web APIs with Level 1?

A

Element.requestFullscreen()
navigator.vibrate()
Copy text to clipboard
Speech synthesis API
window.open()

7
Q

What are the restrictions for Level 2 web APIs?

A

User “engagement” is required.

API cannot be used until user demonstrates high engagement with a website.

8
Q

What are some examples of web APIs with Level 2?

A

Autoplay sound
Prompt to install website to homescreen

9
Q

What are the restrictions for Level 3 web APIs?

A

User permission is required.
API cannot be used until user grants explicit permission.

10
Q

What are some examples of web APIs with Level 3?

A

Camera, microphone, geolocation, USB, MIDI device access.

11
Q

What is tabnabbing?

A

It's an attack that consists of reloading the original tab after opening a new tab. This is possible because of the way window.open() works: the newly opened tab still holds a reference that points back to the original tab.

Using that reference, the new tab can reload the original tab to any URL it chooses. This is especially useful for phishing attacks, because the previous page can be replaced with an exact copy that simulates a logged-out state and shows a login form to the user.

12
Q

What are some tabnabbing defenses you can set up?

A
  1. Add the rel="noopener" attribute to all <a> elements that have a target="_blank" attribute.

This makes window.opener null instead of pointing to our window.

  2. Add the new HTTP header Cross-Origin-Opener-Policy: same-origin

This makes the browser use a separate OS process to load the site.
It prevents cross-window attacks and process side-channel attacks by severing references to other browsing contexts.
