Lecture 8 - Web App Security Flashcards

1
Q

What is a web application?

A

an application program that is stored on a remote
server and delivered over the internet through a
browser interface

  • the app may or may not be interactive
2
Q

What does a web application typically have (related to its link/URL)?

A

Query parameters and schemes within the URL.

3
Q

What is a webpage?

A

a single document which can be displayed in a web browser. Often one part of the web application.

4
Q

What is HTTP?

A

Hypertext Transfer Protocol (HTTP), an application-layer protocol used to transmit hypermedia between web browsers and web servers. It is stateless and based on the client-server model (client opens connection and waits for response).

Often labelled a ‘carrier’ protocol.

5
Q

What does hypermedia include?

A

images
videos
HTML
CSS
JS

6
Q

What is FTP?

A

File Transfer Protocol
Standard communication protocol used for the transfer of computer files from a server to a client.

By default the traffic is not encrypted, so it can be read by any sniffer; use SFTP instead.

7
Q

What is HTTPS?

A

Encrypted extension of HTTP: the traffic transferred over the network is encrypted. TLS (formerly SSL) is used to provide the encryption.

8
Q

Is HTTPS widely supported?

A

YES, it is widely supported, with browsers usually notifying the user if the secure connection has been compromised.

9
Q

What are sessions?

A

Since HTTP is stateless, we cannot use it to store data between requests. Sessions are used for just that. Sessions are a conceptual idea for interaction between server and client. Cookies are used to actually store data client and server side regarding the session.

10
Q

What is a session cookie?

A

A session cookie contains a random number identifier (key) used to index the server's session cache (i.e. to get the data regarding the session).

11
Q

What are cookies?

A

Cookies are small files of information that a web server generates and sends to a web browser. Web browsers store the cookies they receive for a predetermined period of time, or for the length of a user's session on a website. Cookies help inform websites about the user, enabling the websites to personalize the user experience. Cookies help to store data between requests -> so we can remember past user interaction and data, e.g. what has been added to the cart.

12
Q

What are the 3 main web application vulnerabilities (or most prominent attacks)?

A
  • SQL Injection
  • CSRF
  • XSS
13
Q

What is SQL Injection?

A

The sending of malicious SQL commands to the server via input mechanisms on the site or web app; these are then executed on the server. It is mainly enabled by poor input checking.

14
Q

What can happen when SQL injection takes place?

A

The attacker may be able to act as database administrator, view records or alter them -> anything possible with SQL.

15
Q

What is command injection?

A

Execution of arbitrary code on the server, often by posting. Commands can be placed as query parameters or within input forms, for example. This is again a vulnerability caused by bad input checking.

16
Q

What would this do when passed and executed on a server?

ok = execute(SELECT … WHERE user = ' or 1=1 -- …)

A

The query would always succeed -> we could log in, get all members in the db, etc.

17
Q

How to prevent SQL Injection?

A
  • never build SQL commands yourself -> use parameterized / prepared SQL
  • use an ORM framework -> so that there is an abstraction layer between application code and the database

DO NOT USE RAW SQL QUERIES; only let people interact via high-level OOP code

18
Q

What is CSRF?

A

Cross Site Request Forgery
This is an attack against web applications where web browsers send an authentication token with a request. It usually leverages the user's existing session at the victim server.

19
Q

What are other names for CSRF?

A
  • oneclick attack
  • session riding

as the attack takes advantage of previously established sessions

20
Q

Process of CSRF?

A
  • user logs in and gets authentication credentials and a cookie
  • user visits a malicious site containing an HTML form
  • when the form is submitted, the attacker sends a forged request disguised as legitimate communication
  • this request is handled by the server as if it came from a legitimate entity
21
Q

How to prevent CSRF?

A
  • do not click malicious links
  • use HTTPS
  • use CSRF session tokens (the token needs to be unique per user session and should be a large random value to make it difficult to guess)
22
Q

What is XSS?

A

Cross Site Scripting
An attack based on the attacker injecting scripting code into a web application in some way. The attacker's malicious code is executed on the victim's machine. Usually used to steal information and data.

23
Q

What are the 2 types of XSS?

A
  1. reflected XSS (the attacker's script is reflected back to the user as part of a page from the victim site)
  2. stored XSS (the attacker is able to inject malicious code into a web application that is stored permanently on the server, such as in a database; this code is then served to users who view the affected page)
24
Q

Process of a reflected XSS?

A
  • attacker sends a script-injected link to the victim
  • victim clicks on the link and requests the legitimate website
  • victim's browser loads the legitimate site, but also executes the malicious script
  • usually valuable data is sent back to the attacker
25
Q

Process of stored XSS?

A
  • attacker injects a malicious script onto the web application server
  • victim requests content
  • victim receives and executes the malicious script
  • usually valuable data is sent to the attacker
26
Q

How to defend yourself against XSS?

A
  • proxy-based defense (analyze the HTTP traffic exchanged between the user's web browser and the target web server by scanning for special HTML characters and encoding them before the page is executed in the user's web browser)
  • application-level firewall (analyze browsed HTML pages for hyperlinks that might lead to leakage of sensitive information)
  • auditing system (monitor the execution of JavaScript code and compare the operations against high-level policies to detect malicious behaviour)