PenTest+ Flashcards
What is a race condition
occurs when the resulting outcome from execution processes is directly dependent on the order and timing of certain events, which then fail to execute in the order and timing intended by the developer; happens where multiple threads attempt to write to a variable or object at the same memory location
Dereferencing
occurs when the code attempts to remove the relationship between a pointer and the thing it points to
TOCTOU
occurs when there is a change between when an app checks a resource and when the app uses the resource
Mutually Exclusive Flag (Mutex)
acts as a gatekeeper to a section of code so that only one thread can be processed at a time
deadlock
occurs when a lock cannot be removed from the resource
buffer overflow
when a process stores data outside the memory range allocated by the developer
Stack
reserved area of memory where the program saves the return address when a function call instruction is received
stack smashing
Stack smashing is a type of security vulnerability that occurs when an attacker is able to overwrite the contents of a program’s call stack; occurs when an attacker fills up the buffer with NOP instructions
Non-Operation (NOP) instruction
tells the system to do nothing and simply go to the next instruction; a NOP instruction is an assembly language instruction that does not perform any operation and takes up one clock cycle
ASLR (address space layout randomization)
prevents an attacker’s ability to guess where the return pointer for a non-malicious program has been set to call back to
data execution protection (DEP)
blocks applications that attempt to run from protected memory locations
integer overflow
occurs when a computed result from an operation is too large to fit into its assigned variable type for storage
insecure direct object reference
used to manipulate URLs to gain access to a resource without requiring proper authentication
HTTP strict transport security (HSTS)
allows a web server to notify web browsers to only request using HTTPS and not HTTP
HTTP public key pinning
allows HTTPS websites to resist impersonation by attackers using mis-issued or fraudulent certificates
X-Frame-Options
prevents clickjacking from occurring
X-XSS-Protection
enables cross-site scripting filter in the web browser
X-Content-Type-Options
prevents the browser from interpreting files as something other than what they are
Content-Security-Policy (CSP)
impacts how web browsers render pages
X-Permitted-Cross-Domain-Policies
sends a cross-domain policy file to the web client and specifies if the browser has permission to handle data across domains
Referrer-Policy
governs which referrer information should be included with requests made
Expect-CT
instructs browsers to evaluate connections to the host emitting the header for Certificate Transparency compliance
Feature-Policy
allows developers to selectively enable and disable use of various browser features and APIs
Representational State Transfer (REST)
a client/server model for interacting with content on remote systems over HTTP
JavaScript Object Notation (JSON)
a text-based message format used with RESTful web services
Simple Object Access Protocol (SOAP)
used for exchanging structural information for web services; conduct inspection and sanitization of inputs and outputs to the application
Asynchronous JavaScript and XML (AJAX)
a grouping of related technologies used on the client side to create asynchronous web applications; uses same-origin policy; considered more secure than some other methods
Bytecode
an intermediate form of code produced by a compiler that can be translated into machine code