Security

Question 1

What are the goals of web security?

Answer 1

Leak prevention and user privacy

Question 2

Leak Prevention

Answer 2

Prevent unauthorized access of information owned by an organization

Question 3

User Privacy

Answer 3

Prevent unauthorized access of other user’s information (legally required)
- Other users by logged-in users
- All users by logged-out users

Question 4

Remote Control Execution (RCE) on Server

Answer 4

Prevent code that is unauthorized/unknown/dangerous from being run on the server by people outside of the organization/business

Question 5

Cross Site Scripting (XSS)

Answer 5

Unauthorized code or actions running on the client, usually the browser

Question 6

Cross Site Request Forgery (CSRF)

Answer 6

Any action that appears to be taken on an authorized user’s behalf but isn’t actually (including GET)

Question 7

Server Side Request Forgery (SSRF)

Answer 7

Any action that appears to be taken on an authorized server/service’s behalf but isn’t actually (including GET)

Question 8

Denial of Service (DoS)

Answer 8

Anything that causes the website or web service to be unable to serve its normal users

Question 9

What web weakness is the inclusion of unauthorized HTML/CSS/JS in a page?

Answer 9

Cross-Site Scripting (XSS)

Question 10

What are the types of XSS?

Answer 10

• Server (URL navigation, script, link, …)
• Client (bad code from an AJAX call)
• DOM (bad code generated by code on the client that modifies the DOM)
• Reflected
• Persistent

Question 11

Reflected XSS (Type 1)

Answer 11

Provided by a single server response as an immediate response to a malicious request

Question 12

Persistent XSS (Type 2)

Answer 12

Provided by any number of server responses. The malicious code is stored on the server