P2L12: Web Security

Question 1

What are cookies used for?

Answer 1

To store state - specifically user data

Question 2

What threats do cookies have?

Answer 2

They can be used as spyware

Question 3

What is Cross Site Scripting?

Answer 3

It’s where variables are substituted with malicious bits of code. Cookies can be stolen in this manner to help impersonate the user.

Question 4

How do you defend against XSS?

Answer 4

Clean variables and make sure they aren’t scripts

Question 5

What is Cross Site Request Forgery? (XSRF)

Answer 5

It’s where malicious code idly sits on a browser and steals cookies from legitimate sites so they can reuse them before they time out to do malicious things.

Question 6

What are the differences between XSS and XSRF?

Answer 6

• In XSS
  
  • User trusts —> bad implemented website
  • Attacker gets script in trusted website
  • User’s browser executes the script
• In XSRF
  
  • Bad implemented website —> trusts user
  • Attacker tricks browser into issuing requests
  • Website executes script

Question 7

In XSS and XSRF where is each script executed?

Answer 7

XSS - User’s browser

XSRF - Website

Question 8

In XSS and XSRF who trusts who?

Answer 8

XSS - User trusts badly implemented website

XSRF - Badly implemented website trusts user

Question 9

In XSS and XSRF how does the attacker attack?

Answer 9

XSS - script is put in trusted website

XSRF - tricks browser to issuing requests

Question 10

How do you prevent SQL injections?

Answer 10

Sanitize your variables/data and only allow whitelist of acceptable inputs