Security (Week 6, part #1) Flashcards
What does OWASP stand for?
Open Web Application Security Project
What is OWASP used for?
Tracking web development issues around security
What are the top 10 security problems?
- Injection
- Broken Authentication
- Sensitive Data Exposure
- XML External Entities (XXE)
- Broken Access Control
- Security Misconfiguration
- Cross-site Scripting (XSS)
- Insecure Deserialization
- Using Components with Known Vulnerabilities
- Insufficient Logging and Monitoring
What is the security problem ‘Injection’?
Any time untrusted data is sent to and received by an interpreter –> the interpreter could be tricked into executing malicious code
What is the security problem ‘Broken Authentication’?
Authentication and session management broken
What is the security problem ‘Sensitive Data Exposure’?
Occurs when an application, company, or other entity inadvertently exposes personal data.
What is the security problem ‘XML External Entities (XXE)’?
XML external entities are a type of custom XML entity whose defined values are loaded from outside of the DTD (document type definition) in which they are declared.
External entities are particularly interesting from a security perspective because they allow an entity to be defined based on the contents of a file path or URL.
What is the security problem ‘Broken Access Control’?
Note what access control enforces and what failures lead to.
Access control enforces policy such that users cannot act outside of their intended permissions.
Failures typically lead to unauthorized information disclosure, modification or destruction of all data, or performing a business function outside of the limits of the user.
What is the security problem ‘Security Misconfiguration’?
Security misconfigurations are security controls that are inaccurately configured or left insecure, putting your systems and data at risk.
Basically, any poorly documented configuration changes, default settings, or a technical issue across any component in your endpoints could lead to a misconfiguration
What is the security problem ‘Cross-Site Scripting (XSS)’?
Found in websites and/or web applications that accept user input.
Cybercriminals exploit this vulnerability by inputting strings of executable malicious code into these functions.
This injects the malicious code into the targeted website’s content, making it a part of the website and thus allowing it to affect victims who may visit or view that website.
What is the security problem ‘Insecure Deserialization’?
Vulnerability in which an untrusted or unknown data is used to either inflict a denial of service attack (DoS attack), execute code, bypass authentication or further abuse the logic behind an application.
Serialized objects can be structured in text such as JSON, XML or YAML.
What is the security problem ‘Using Components with Known Vulnerabilities’?
Occurs when components such as libraries and frameworks used within the app almost always execute with full privileges.
If a vulnerable component is exploited, it makes the hacker’s job easier to cause a serious data loss or server takeover.
What is the security problem ‘Insufficient Logging and Monitoring’?
Occurs when security-critical events are not logged properly, and the system is not monitored.
Lack of such functionalities can make malicious activities harder to detect and in turn affects the incident handling process.
When is there a danger of introducing an injection vulnerability?
Any time an application uses an interpreter of any type
When must information be scrubbed?
When a web application passes information from an HTTP request through as part of an external request
What is SQL injection?
Web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. It generally allows an attacker to view data that they are not normally able to retrieve.
A particularly widespread and dangerous form of injection
What is command injection?
Cyber attack that involves executing arbitrary commands on a host operating system (OS).
Typically, the threat actor injects the commands by exploiting an application vulnerability, such as insufficient input validation.
What are the three basics of all injections?
- All injection flaws are input-validation errors -> i.e. you’re not checking the input properly
- Input is not just text fields
- All external input is a source of a threat. -> The input contains the data with the threat
What are the different types of input that can be used for injection attacks? (10)
text fields, list boxes, radio buttons, check boxes, cookies, HTTP header data, HTTP post data, hidden fields, parameter names, parameter values
Where should you validate data? Why?
Both client and backend/server sides.
Cannot assume that client has sufficient validation.
Define authentication
Establish claimed identity –> establish that someone has the identity they claim to have, e.g. they have the correct password
Define authorisation
Establish permission to act –> the person has the ROLE to access e.g. the file
Does authentication precede authorisation? ( precede = come before )
YES
Why should we authenticate?
1) control access
2) log user activity and monitor
What are the three factors that we can use to authenticate?
1) Something we know –> knowledge the user has, e.g. password, shared secret
2) Something we have –> physical, hard-to-find artifact, e.g. blockchain, unique items
3) Who you are –> biometric info, e.g. fingerprint
What security measures must be taken since HTTP is a “stateless” protocol?
1) Means credentials have to go with every request
2) Should use SSL for everything requiring authentication –> HTTP + SSL = HTTPS
=> password then auth_token
What is SSL?
Secure Socket Layer
What is the purpose of HTTPS compared to HTTP?
HTTPS encrypts and decrypts user page requests as well as the pages that are returned by the Web server
How is it indicated that a web browser is using an SSL certificate?
Displays a padlock icon, but it may also display a green address bar
What are some session management flaws?
1) SESSION ID is used to track state since HTTP doesn’t, and it is just as good as credentials to an attacker.
2) SESSION ID is typically exposed on the network, in browser, in logs, …
What are some side-doors for attackers?
Change my password, remember my password, forgot my password, secret question, logout, email address, etc…
Password hint is easy -> compromised, hijacked
What is the typical impact of an attacker?
User accounts compromised or user sessions hijacked
What are the best practices to verify your architecture? (4)
1) Authentication should be simple, centralized, and standardized
2) Use the standard session id provided by your container
3) Be sure SSL protects both credentials and session id at all times
4) Use something like Google’s service to verify users reliably, and build the web page/app so that it offloads user info to Google; if the user is logged in correctly, a session is then started
What are the best practices for verifying implementation? (5)
1) Forget automated analysis approaches
2) Check your SSL certificate
3) Examine all the authentication-related functions
4) Verify that logoff actually destroys the session
5) Use OWASP’s WebScarab to test the implementation
Explain the process of cross-site scripting (XSS)
General idea: spoof the user into thinking they are talking to the expected web page server instead of the attacker
1) Attacker sets the trap - update my profile.
Attacker enters a malicious script into a web page that stores the data on the server
2) Victim views page - sees attacker profile
Script runs inside victim’s browser with full access to the DOM and cookies
3) Script silently sends attacker Victim’s session cookie
What is DOM-based XSS Injection?
Allows an attacker to use the Document Object Model (DOM) to introduce hostile code into vulnerable client-side JavaScript embedded in many pages.
Browser interprets .js, HTML, the DOM, etc.
How easy is it to mitigate DOM based XSS? Why?
Extremely difficult to mitigate against because of its large attack surface and the lack of standardization across browsers.
It comes down to interpreting data that you don’t trust.
What measures can be taken to mitigate DOM based XSS injection? (2)
1) Untrusted data should only be treated as displayable text. Never treat untrusted data as code or markup within JavaScript code.
2) Always JavaScript encode and delimit untrusted data as quoted strings when entering the application (Jim Manico and Robert Hansen)
How can we secure HTTP? (ideal approach)
Each request needs authenticating before authorising, e.g. establish identity before serving up a resource
What does each HTTP request contain?
All the information needed for the server to service that request - Remember: GET, POST, PUT, DELETE etc.
How can we secure HTTP? (other approaches ) (5)
(not prioritised)
1) Hash username and password
2) Require users to change their passwords regularly
3) Use multi-factor authentication
-> Username & password
-> Code sent by phone
4) Salt the username and password -> Add additional elements to the ID information
5) Use HTTPS (HTTP + TLS)
What is TLS?
Transport Layer Security
What is HTTPS sometimes referred to as?
HTTP over TLS, or HTTP over SSL
What is the difference between XSS and SQL injection?
XSS is a client-side vulnerability that targets other application users, while SQL injection is a server-side vulnerability that targets the application’s database.
What is a DoS attack?
A Denial-of-Service (DoS) attack is an attack meant to shut down a machine or network, making it inaccessible to its intended users.