Part 3 - Websockets, REST, Auth, and Security Flashcards

3rd Quarter of the course - Design Principles, Security, and Auth

1
Q

How is TCP stream-based communication?

A

Data is sent and received as a continuous stream of bytes.
This is useful for scenarios where data integrity, reliability, and ordering matter - e.g. file transfer, web page loading, emails, etc.

2
Q

How is UDP message-based communication?

A

UDP sends discrete, independent messages rather than a continuous stream. Each message is treated as a separate unit.

3
Q

What are WebSockets?

A

WebSockets start as regular HTTP connections, but "upgrade" to a WebSocket connection.

This allows WebSockets to use the existing HTTP infrastructure while enabling full-duplex communication.

4
Q

Which ports do WebSockets operate on? Why is this beneficial?

A

The same ports as HTTP: 80 (http) and 443 (https).

Avoids additional port management, works within existing firewalls and network configurations designed for HTTP.

5
Q

How do WebSockets start?

A

They use HTTP to establish the connection initially; once the handshake is complete, the connection switches to WebSocket mode.

6
Q

What are HTTP proxies? How do they relate to WebSockets?

A

Intermediaries that handle HTTP requests and responses.

Since WebSockets begin as HTTP, they try to work with existing HTTP proxies.

7
Q

What is full-duplex message-based communication?

Why is it beneficial?

A

Full-duplex communication allows both the client and the server to send and receive messages simultaneously.

Real-time, two-way communication, rather than request/response based.

8
Q

What are the overall benefits of WebSockets?

A

Full-duplex communication
- Both sides can send data at the same time
Connection stays open
- WebSockets maintain a single open connection, which reduces the overhead of repeatedly opening and closing connections
No need for polling
No HTTP headers for each message
Reuse existing technologies

9
Q

What is Polling?

A

Polling is a technique where the client repeatedly sends HTTP requests to check if new data is available.

10
Q

WebSockets do not use dedicated ports, so how do they specify which WebSocket service to connect to?

A

WebSockets begin with a GET request to the server that specifies which WebSocket service to connect to.

The Connection header is set to Upgrade. This tells the server that the client wants to upgrade the HTTP connection to a WebSocket connection.
It replaces the default "keep-alive" behaviour of HTTP.

The Upgrade header specifies the protocol to upgrade to:
Upgrade: websocket
If the server supports WebSockets, it responds with 101 Switching Protocols to confirm the upgrade.

Optionally, the client can set
Sec-WebSocket-Protocol: wamp
which allows clients to specify a sub-protocol they want to use on top of WebSockets.

TLDR: With a GET request, specifying the Connection: Upgrade and Upgrade: websocket headers.

11
Q

What is the Sec-WebSocket-Key and Accept process?

A

A "test" to verify that the server understands the WebSocket protocol and has properly upgraded the connection.
Think of it as a "brown M&M" test.

12
Q

What is the process of the Sec-WebSocket-Key and Accept process?

A

Client generates a random key (Sec-WebSocket-Key).
Server:
- Appends a fixed GUID string.
- Hashes the result with SHA-1.
- Base64-encodes it.
- Sends it back as Sec-WebSocket-Accept.
Client verifies the returned value to confirm the server is ready for WebSocket communication.
This process ensures proper protocol support and guards against misuse.

13
Q

What is the purpose of the Sec-WebSocket-Key header?

A

It is a random key sent by the client to verify the server’s WebSocket capability during the handshake.

14
Q

What are WebSocket frames?

A

In the WebSocket protocol, data is transmitted in “frames”, which are small units of information. The frames are categorized into control frames and data frames.

15
Q

What are control frames?

A

Control frames are used for managing the connection and are not part of the main data stream. These are sent “out of band” alongside regular data frames.

16
Q

What are the types of control frames?

A

Close Connection (0x8)
- Sent by either the client or server to gracefully close the WebSocket connection.
- After this, no further messages are exchanged, and the connection terminates.
Ping (0x9) and Pong (0xA)
- Ping: A heartbeat message sent by one party (e.g., the server) to check if the other party is still responsive.
- Pong: The response to a ping, ensuring the connection is alive.
- This mechanism prevents idle connections from being closed unexpectedly.

17
Q

What are data frames?

A

Data frames contain the actual application-level data exchanged between the client and server.
Data frames carry payload data that fulfills the main purpose of the WebSocket connection.

18
Q

How do the control and data frames work together?

A

Control frames keep the connection afloat (closing, pings, and pongs), and data frames send the data (payload) while the connection stays afloat.

19
Q

How are messages sent in WebSockets?

A

Messages are sent in data frames.

20
Q

What types of data can WebSocket messages contain?

A

WebSocket messages can contain text (UTF-8) or binary data.

21
Q

Why is knowing the message size ahead of time in WebSockets important?

A

It allows for efficient buffering and memory allocation.

22
Q

How does WebSocket handle large messages?

A

Large messages can be fragmented into multiple data frames and reassembled at the receiving end.

23
Q

What does the FIN bit in the WebSocket header indicate?

A

Whether the frame is the final fragment of a message (1 = final, 0 = more frames follow).

24
Q

What are the possible values of the WebSocket opcode?

A

Examples include 0x0 (Continuation), 0x1 (Text), 0x2 (Binary), 0x8 (Close), 0x9 (Ping), 0xA (Pong).

25
Q

How do WebSocket URIs work?

A

You can use ws://yourserver.com:9090/websockethandler/
wss: is WebSocket Secure
- Inherits TLS from the HTTPS connection used initially
Same format as an HTTP URI
GET only

26
Q

How are errors handled in Websockets?

A

Bad UTF-8 encoding → close the connection
There is no real prescription other than to close the connection.
Closing happens at each level: the Close control frame, then TLS, then TCP close.

27
Q

What does REST stand for?

A

REpresentational
- Describe, name, show
State
- The current values of variables, properties, fields
- Accumulation of the results of past changes
Transfer
- Sent from computer to computer, or from service to service
- Communication

28
Q

What is REST?

A

Architectural style
Think design patterns for a software system architecture
Introduced by Fielding’s Dissertation
Now so common, it’s usually just implied and not discussed explicitly

29
Q

What model does the REST architecture follow?

A

Client/Server model

30
Q

Is the REST Architecture Stateless? Why?

A

Yes, it improves scalability because the server does not need to manage or remember client sessions.
Makes REST APIs simpler and more reliable.
Failure recovery is easier since requests are independent.

31
Q

Is the REST Architecture Cacheable? Why?

A

Yes, REST APIs allow responses to be cached by the client or by intermediaries.
Reduces the load on the server.
Improves client performance by avoiding redundant requests for the same resource.

32
Q

What are the REST basics?

A

Use URIs (URLs) to “name” objects
- Java/JS/Python/database objects!
Use HTTP methods as verbs to manipulate them
- GET - get the state of an object
- PUT - set the (entire) state of an object
- PUT - create an object
- DELETE - delete an object
- POST - manipulate an object some other way

33
Q

How is REST not RPC (remote procedure calls)?

A

Unlike RPC, REST does not focus on calling functions over the network.
REST operates on resources (objects), not methods or functions.
RESTful APIs treat everything as a resource, identified by a URL.

34
Q

In RESTful APIs, how can clients avoid making redundant requests?

A

In RESTful APIs, clients can cache responses to avoid making redundant requests.
If a resource has not changed, the client can use the cached response instead of requesting it again.
Example:
A browser caching a GET request to /api/products/1 avoids re-fetching the same product details.

35
Q

Are all methods cacheable?

A

GET: Yes!

GET requests are idempotent (they don’t change server state).
Responses to GET requests are safe to cache.
POST: No :(

POST requests are not idempotent because they create or modify resources.
Caching POST responses can lead to incorrect behavior (e.g., duplicate resource creation).

PUT and DELETE: Generally not cached because they modify server state.

36
Q

What is the layered system principle in REST architecture?

A

It separates components (e.g., authentication, routing) into distinct layers to improve modularity and scalability.

37
Q

Which methods are repeatable?
What does it mean by repeatable?

A

GET/PUT/DELETE/Maybe POST
Doing it twice in a row is the same as doing it once.

38
Q

Which methods are stateless?
What does it mean by stateless?

A

GET/PUT/DELETE/Maybe POST
The request/response itself contains all necessary state information.

39
Q

Which methods are cacheable?
What does it mean by cacheable?

A

GET/PUT/DELETE/
The results are the same for some period of time.

40
Q

Which methods are safe?
What does it mean by safe?

A

GET
Doesn't cause any change.

41
Q

Why are session cookies not RESTful?

A

They require the server to store client state, violating REST’s stateless principle.

42
Q

How does session based authentication work?

A

The process uses cookies to track client state across requests.

  1. Initial Request (Browser → Server):
    a. The client (browser) sends a request to access a resource.
    b. The server generates a session cookie, stores it in a database, and sends it back to the client.
  2. Authentication Required:
    a. The client requests a protected resource (somepath) and sends the session cookie.
    b. The server validates the cookie and finds that the client is not logged in.
    c. The server redirects the client to the login page.
  3. Login:
    a. The client sends the username, password, and session cookie to the server.
    b. The server verifies the credentials, updates the session in the database, and sets the session to reflect the logged-in state.
    c. The server redirects the client back to the original somepath.
  4. Access Resource:
    a. The client again requests somepath with the session cookie.
    b. This time, the server validates the session cookie, finds the client is logged in, and serves the resource content.

43
Q

How is the REST framework reliable?

A

Allow more than 1 machine to handle the same task
If 1 machine dies, we can send requests to another
Server doesn’t have to track client state
Can’t get out of sync

44
Q

How does REST deal with latency?

A

Caching decreases latency, but adding multiple layers will increase latency.

45
Q

Is REST efficient?

A

Overall yes, but it does require higher bandwidth as every request needs to contain all relevant state and context

46
Q

Where is it faster to do operations, client or server?

A

Client side. Do operations on the client side.

47
Q

What HTTP codes should you use?

A

GET → 200 OK
New object via PUT or POST → 201 Created
DELETE → 204 No Content
Needs authentication → 401 Unauthorized
Bad JSON or missing/extra properties or bad value → 400 Bad Request
POST to an endpoint that only understands GET & PUT → 405 Method Not Allowed

48
Q

What should keep track of application state?

A

Hypermedia!
Hypermedia As The Engine Of Application State (HATEOAS)
Include hyperlinks in your REST API responses to keep track of objects!

49
Q

What is HTTP Basic Auth?

A

HTTP Basic Authentication sends the user’s username and password in an encoded format (Base64), but not encrypted.
The credentials are passed in the Authorization header of the HTTP request.
You must use another encryption layer (TLS) below HTTP (i.e. HTTPS) for security.

50
Q

What are the characteristics of HTTP Basic Auth?

A

Easiest to implement
Stateless
Response: 401 Unauthorized & WWW-Authenticate: Basic header.
Request: Authorization: Basic header

51
Q

What are the limitations of Basic Auth?

A

Cannot customize username/password prompt
Once a user enters valid credentials, the browser remembers the Authorization: Basic header.
- meaning you no longer have to re-enter credentials repeatedly

All files and subdirectories at or below the protected path are treated as authenticated.

52
Q

What is HTTP Digest Auth?

A

Instead of sending the username and password in plain text (even Base64-encoded), Digest Auth uses cryptographic hashing to obscure credentials during transmission.

53
Q

What are the problems with HTTP Digest Auth?

A

MD5 is Broken
SHA-256 Support Came Late
Still Requires HTTPS
To ensure security, you must still use TLS (HTTPS).

54
Q

How does signed token auth (JWT) work?

A

Signed tokens (e.g., JWT) are stateless and secure authentication mechanisms.
The server generates and signs a token upon successful login.
The client sends the token in the Authorization header for protected requests.
Tokens are validated by verifying their signature and checking expiration.

55
Q

How does the server ensure the integrity of a signed token?

A

By signing it with a secret key and validating the signature.

56
Q

What are the three parts of a JWT?

A

Header, Payload, and Signature.

57
Q

What is OAuth?

A

OAuth allows a user to grant limited access to their resources to a client application.
Access is authorized via an authorization server.
OAuth does not share the user’s credentials (like username/password) with the client application.
The client receives a token that allows access to specific resources on the resource server.

58
Q

What is an example of OAuth?

A

Client: email application
Authorization server: accounts.google.com
Resource server: gmail.com

59
Q

How are OAuth 1 and OAuth 2 different?

A

OAuth 1
More complicated
More secure
Slower
Should be used over TLS
RFC 5849

OAuth 2
Easier to implement
Less secure
Faster (fewer steps)
Must be used over TLS
RFC 6749

60
Q

What are the goals of web security?

A

STOP These things:
RCE on Server
XSS - Cross Site Scripting.
Cross-Site Request Forgery.
SSRF- Server-Side Request Forgery
DoS - Denial of Service

61
Q

What are the high value targets of web security?

A

Personal Information
Private Information
Ransom-able Information
Compute Resources (Mining)
Network Resources (Proxy/Botnets)

62
Q

What is XSS (Cross Site Scripting)?

A

Doesn’t need to come from another site
Inclusion of unauthorized HTML/CSS/JavaScript in page.
Malicious code that runs in the browser.
Malicious code that runs on the server is not XSS, it’s RCE.

63
Q

What is RCE on the server?

A

Remote Code Execution
Prevent code that is unauthorized/unknown/dangerous/etc. from being run on the server by people outside of the organization/business.

e.g. Ransomware, Miners, Proxies

64
Q

What are the XSS types?

A

Reflected (Type 1)
Provided by a single server response as an immediate response to a malicious request.
Persistent (Type 2)
Provided by any number of server responses. The malicious code is stored on the server.

65
Q

How do we prevent server XSS?

A

Check incoming POST/GET parameters, paths, & uploads for validity.
Apply HTML/CSS/JS escaping to anything filled in.
- Special characters are displayed as text instead of being interpreted as code
Avoid “unsafe sinks” - use safe sinks instead

66
Q

What is Cross Site Request Forgery?

A

Trick a user or user-agent into executing malicious requests.
Hijack weak authentication measures.
Repeat actions unnecessarily.

67
Q

How do we mitigate server-side CSRF?

A

Check Referer header.
Request tokens
Include bearer auth with AJAX that isn’t public GET.
Make sure unsafe actions (actions that change state) aren’t GET.
Apply XSS prevention (often combined with CSRF)

68
Q

Naive Double-Submit Cookie

A

  1. Server sets a random cookie on first visit.
  2. When any request is made, the browser always sends the cookie.
  3. Also send the cookie as a hidden form field or with a custom header in the AJAX request.
  4. Server double-checks that they match.

69
Q

Path Traversal Exploit

A

An attacker manipulates the input to "traverse" directories outside the intended path, using relative paths.

70
Q

How do we mitigate path traversal?

A

Reject / in things like names in the first place.
Reject sequences such as .., /.., ./
Don’t use regular expressions to check these
Use path library to convert relative path to absolute path, and check that it’s still in the correct folder

71
Q

What is SQL injection?

A

A type of security vulnerability that allows an attacker to manipulate a database query by injecting malicious SQL code into input fields.

72
Q

How do we prevent SQL injection?

A

Never construct an SQL query from strings!
Use placeholders instead!

73
Q

What is shell injection?

A

Like SQL injection
But with shell commands (command-line commands)

74
Q

How do we prevent shell injection?

A

Validate paths and names
Don’t execute commands as shell commands, do direct exec…

75
Q

What is DoS (Denial of Service) ?

A

An attacker makes a service unavailable
Common methods:
- Spamming
- Flooding
- Filling queues with large requests
- Sending useless expensive jobs
- Using all available Resources

76
Q

What is DDoS? (Distributed Denial of Service)

A

Same thing as DoS when the attacker has:
- Many computers (e.g., compromised IoT devices such as lightbulbs)
- or computers all over the world
- or computers that will Reflect requests
- or some way to redirect or reroute legitimate traffic to the target

77
Q

How do we mitigate DoS?

A

Limit CPU time/RAM/disk per request
Limit request size
Limit requests per second per user
Limit users per IP or network
Limit clients per user

78
Q

How do we mitigate DDOS?

A

Look for patterns in traffic and filter out that pattern
Maintain white-lists of known-good request sources
Pay for cloud-based caching & DDoS defense reverse-proxies
Host your own caching & defense reverse-proxy…

79
Q

What is an example of reflected XSS?

A

The attacker sends a specially crafted URL to the victim.
The victim clicks the URL, and the browser sends a request to the server.
The server includes the malicious script in its response without proper sanitization.
The script runs in the victim’s browser.

80
Q

What is an example of persistent XSS?

A

The attacker injects a malicious script into a website’s database or other storage.
The server retrieves the stored script and serves it to users as part of a web page.
The script runs automatically in the victim’s browser.