day3 Web Application Security Flashcards
Security Considerations
- Web browser: Client-side security
- Web server: Hardening and configuration, Logging and monitoring
- Application server: Secure coding practices, Authentication and authorization
- Database: Access Control and Encryption, Monitoring and Auditing
…………… is a small piece of data that a server sends to a user’s web browser. The browser may store the cookie and send it back to the same server with later requests.
It remembers stateful information for the stateless HTTP protocol.
HTTP cookie
Cookies are mainly used for three purposes:
Session management: Logins, shopping carts, game scores, or anything else the server should remember
Personalization: User preferences, themes, and other settings
Tracking: Recording and analyzing user behavior
Security: HttpOnly, Secure, SameSite attributes help mitigate common security issues like XSS and CSRF.
SET COOKIE
Set-Cookie: <cookie-name>=<cookie-value>
Attributes?
- Domain
- Expires
- Max-Age
- Path
- Secure
- HttpOnly
- SameSite
T/F If the Domain attribute is specified, the cookie becomes available to the specified domain and all its subdomains. This makes the cookie less restrictive.
T
T/F The Path attribute in a cookie specifies the URL path that must be present in the requested URL for the cookie to be sent to the server.
T
T/F A cookie with the Secure attribute is only sent to the server with an encrypted request over the HTTPS protocol.
T
T/F A cookie with the HttpOnly attribute is inaccessible to JavaScript (the document.cookie API).
T
T/F The SameSite attribute is used to control when and how cookies are sent with cross-site requests.
T
T/F Sessions are typically represented as associative arrays of keys and values, used to track web application data and objects.
A session ID is a long, randomly generated number or string, exchanged between the client and server during each transaction.
T
…………….is the process of verifying the identity of a user, system, or entity attempting to access resources.
Authentication
Common Types of Authentication
Knowledge based - Something you know
Possession based - Something you have
Inherence based - Something you are
AUTHENTICATION TESTING
Map the entire authentication attack surface
Login interfaces, account recovery / password resets, registration, MFA processes, session management, third-party SSO integrations
- Create multiple accounts
- Check for lack of brute-force protection
- Is the application using a standard library/framework?
- Check for logic issues
- Inspect tokens
ACCESS CONTROL
What you’re allowed to do - also known as authorization
Principle of least privilege
Users and processes should have a minimum level of access
Access control types
Horizontal, Vertical, Context dependent
…………. is a type of access control vulnerability that occurs when an application exposes a reference to an internal implementation object—like a file, database record, or user ID—without properly validating whether the user is authorized to access it.
Insecure Direct Object Reference (IDOR)
………………. is a security vulnerability that occurs when an application fails to properly enforce access control at the level of specific functions or actions.
Broken Function Level Authorization (BFLA)
What’s the difference between IDOR and BFLA?
BFLA: User can access functions or actions they’re not allowed to (like admin features).
IDOR: User can access objects (like files, accounts, etc.) they shouldn’t by changing an ID.
WEAK OR MISSING ACCESS CONTROLS
Sometimes applications use user input that we can control for access control, such as HTTP methods or headers.
Check to see if modifying the HTTP request will lead to unintended behaviour.
HTTP Method
Headers (e.g. Referrer, X-Origin-URL)
…………….. is a common attack vector that injects malicious code into a vulnerable web application.
Cross site scripting (XSS)
T/F XSS differs from other web attack vectors (e.g., SQL injections), in that it does not directly target the application itself. Instead, the users of the web application are the ones at risk.
T
……………– malicious script is stored on the web server, typically in a database, and is then executed by other users viewing the stored content – More dangerous than reflected.
Persistent / Stored XSS
……………malicious script is reflected off a web server in an immediate response
Reflected XSS
……………….. occurs entirely on the client side. Malicious script is executed as a result of client-side manipulation of the DOM.
DOM Based XSS
IMPACT OF XSS
Session hijacking
Credential theft
Data exfiltration
Propagation of malware
Unauthorized redirection
PREVENTING CROSS-SITE SCRIPTING
Encoding, which escapes the user input so that the browser interprets it only as data, not as code.
Validation, which filters the user input so that the browser interprets it as code without malicious commands.
INJECTION ATTACKS APPLY TO MANY TECHNOLOGIES
SQL statements
File path names
Regular expressions (as a DoS threat)
XML data (specifically, XXE declarations)
Shell commands
Interpreting strings as code (for example, JavaScript’s eval function)
………………… is a type of security vulnerability that occurs when an attacker is able to manipulate a web application’s SQL queries by injecting malicious input into a query.
This happens when user inputs, such as form fields or URL parameters, are not properly sanitized, allowing an attacker to insert or “inject” additional SQL commands into the database query.
SQL injection (SQLi)
CAUSES, IMPACTS AND CONSIDERATIONS FOR SQL INJECTION
User input data not validated or sanitized
Incorrect data validation technique
Dynamic SQL statement generation
Application doesn’t conform to the principle of least privilege
Insufficient restrictions at the data layer
Easy to locate and exploit
SQL INJECTION DEFENSE AND MITIGATION
Escape Sequences and Regular Expression Pattern Matching
Typically used in legacy systems to detect and avoid malicious patterns
Difficult to maintain; Incomplete coverage
Stored Procedures
Pre-defined SQL statements in the database
Better than character escaping - User input cannot alter it in the same way dynamic SQL can
Stored procedures, if incorrectly written, can be exploited to run system commands
Parameterized queries (prepared statements)
Better solution - the SQL query is defined with placeholders (? or :param)
Always performs correct escaping and treats all arguments as simple text strings
Faster and more efficient than dynamic SQL
Encourage better application development strategy by defining all possible queries
Other mitigation strategies
Applying least privilege (ex. Don’t give the web app DB user account “drop table” privileges)
Don’t connect as DBA
…………………is a vulnerability where an attacker gains unauthorized access to the filesystem by navigating to unintended directories
Path Traversal
Potential Impacts: PATH TRAVERSAL
Access to sensitive files
Disclosure of application data
Execution of malicious code
…………. is a type of malicious exploit where unauthorized commands are submitted from a user that a web application trusts.
Tricks a web browser into executing unwanted actions on a web application to which the user is logged in
Cross-Site Request Forgery (CSRF) attack, also known as XSRF
XSS VS CSRF
CSRF (Cross-Site Request Forgery): Malicious website causes a user’s browser to perform unwanted actions on a trusted website. Examples: Transfer money out of user’s account; Harvest user IDs; Compromise user accounts
XSS (Cross-Site Scripting): Malicious website leverages bugs in trusted website to cause unwanted actions on user’s browser (circumventing the same-origin policy). Examples: Reading cookies; Stealing authentication information; Code injection