L2 - Client-side Attack

Question 1

OWASP Risk Rating Methodology Equation

Answer 1

Risk = Likelihood * Impact

Question 2

Steps in OWASP Risk Rating Methodology

Answer 2

Step 1: Identifying a Risk
Step 2: Factors for Estimating Likelihood
Step 3: Factors for Estimating Impact
Step 4: Determining Severity of the Risk
Step 5: Deciding what to Fix
Step 6: Customizing Your Risk Rating Model

Question 3

Step 1: Identifying a Risk

Answer 3

Identifying a security Risk
– List from OWASP, SANS top 25 e.g

Question 4

Step 2: Factors for Estimating Likelihood

Answer 4

• Skill Level
• Motive
• Opportunity
• Size
• Ease of discovery
• Ease of exploit
• Awareness
• Intrusion detection

Question 5

Step 3: Factors for Estimating Impact

Answer 5

• Loss of confidentiality
• Loss of integrity
• Loss of availability
• Loss of accountability
• Financial damage
• Reputation damage
• Non-compliance
• Privacy violation

Question 6

Step 4: Determining the Severity of the Risk

Answer 6

0 to <3 : low
3 to <6: medium
6 to 9: high

Question 7

Step 5 : Deciding what to Fix

Answer 7

• The most severe risks should be fixed first.
• Not all risks are worth fixing.
• Some loss is not only expected, but justifiable based upon the cost of fixing the issue.

Question 8

Step 6: Customzing Your Risk Rating Model

Answer 8

o Adding factors
o Customizing options

Question 9

Cross-Site Scripting (XSS)

Answer 9

A client-side code injection attack allowing the injection of malicious code into a website

Question 10

When do XSS happen?

Answer 10

XSS flaws occur when an application includes untrusted data in a web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript

Question 11

Impact of XSS

Answer 11

It allows attackers to execute scripts in the victim’s browser.
- He can steal the user’s cookies, allowing for someone to use the website pretending to be that user.
- He can steal the user’s session, steal sensitive data, rewrite webpage, redirect user to phishing or malware sit

Question 11

Types of XSS attacks

Answer 11

• Reflected XSS (non-persistent), where the malicious string originates from the victim’s request. (form field, hidden field, URL, etc…). The website then includes this malicious string in the response sent back to the user.
• DOM-based XSS, where the vulnerability is in the client-side code rather than the server-side code.
• Persistent (Stored) XSS, where the malicious string originates from the website’s database.

Question 11

Reflected XSS Attack

Answer 11

1. The attacker crafts a URL containing a malicious string and sends it to the victim (by various means e.g phishing email, an injected link in a vulnerable website).
2. The victim is tricked by the attacker into requesting the URL from the vulnerable website.
3. The vulnerable website includes the malicious string from the URL in the response.
4. The victim’s browser executes the malicious script inside the response, sending the victim’s cookies to the attacker’s server.

Question 12

Persistent XSS Attack

Answer 12

1. The attacker uses one of the website’s forms to insert a malicious string into the website’s database.
2. The victim requests a page from the website.
3. The website includes the malicious string from the database in the response and sends it to the victim.
4. The victim’s browser executes the malicious script inside the response, sending the victim’s cookies to the attacker’s server.

Question 13

Source

Answer 13

A source is a Javascript property that contains data that an attacker could potentially control.

Question 14

Sink

Answer 14

A sink is a function or DOM object that allows Javascript code execution or rendering of HTML.

Question 15

DOM Based XSS

Answer 15

1. The attacker crafts a URL containing a malicious string and sends it to the victim.
2. The victim is tricked by the attacker into requesting the URL from the
   website.
3. The website receives the request, but does not include the malicious
   string in the response.
4. The victim’s browser executes the legitimate script inside the response,
   causing the malicious script to be inserted into the page.
5. The victim’s browser executes the malicious script inserted into the page, sending the victim’s cookies to the attacker’s server.

Question 16

XSS Prevention

Answer 16

Encoding - which escapes the user input so that
the browser interprets it only as data, not as
code.
Validation - which filters the user input so that the
browser interprets it as code without malicious
commands.

Question 17

Cross-Site Request Foregery (CSRF)

Answer 17

A client-side attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated.

Question 18

Differences between CSRF and XSS

Answer 18

CSRF is restricted to the actions victims can perform. XSS, on the other hand, works on the execution of malicious scripts enlarging the scope of actions the attacker can perform
* XSS requires only a vulnerability, while CSRF requires a user to access the malicious page or click a link.
* CSRF works only one way – it can only send HTTP requests, but cannot view the response. XSS can send and receive HTTP requests and responses in order to extract the required data.

Question 19

CSRF Prevention

Answer 19

• Use anti-forgery tokens in ASP.NET Core
• By including anti-forgery tokens in your application,two different values are sent to the server with each POST.
  – One of the values is sent as a browser cookie
  – The other is submitted as form data.
• Unless the server receives both values, it will refuse to allow the request to proceed.
• Thus the server ensures that all legitimate requests must come directly from the client, not from an external source.