Vulnerabilities

Question 1

Cross-Site Request Forgery

Answer 1

• Web application accepts state-modifying requests (typically GET) without any sort of user authentication
• As a result, any web page running in the same browser can make those requests on the user’s behalf

Question 2

Cross-Site Request Forgery Mitigations

Answer 2

Modifying state only through POST requests is good practice but only makes attacks a little harder, not impossible

Better mitigations operate using tokens:

• Embed pseudo-random token (nonce) into form or cookie
• Check token when request is received at server
• Problem: requires additional, often stateful logic on the server

Question 3

SQL Injection Mitigation

Answer 3

Escaping “bad” characters

• Used character sets might change over time
• Restrictions can degrade strength of passwords

Use Prepared Statements

• Separate the logic of the query from the input parameters
• User input will not be part of the executable code

Question 4

Cross-site Scripting (XSS)

Answer 4

Injecting code such that this code is executed by the clients browser as
valid HTML / JavaScript code.

Question 5

Kinds of XSS

Answer 5

Reflective, Persistent/Stored, DOM-Based/local

Question 6

Reflective XSS

Answer 6

Injected input is sent back to the client, e.g., using GET parameters in a URL the victim got from an attacker

Question 7

Persistent/Stored XSS

Answer 7

Injected input is sent stored on server side and delivered in future request, e.g. guest books or user profiles

Question 8

DOM-Based / local

Answer 8

Exploit is interpreted/executed on the client machine. No server interaction needed, but some other attack vector is needed.

Question 9

XSS Mitigation

Answer 9

Escaping “bad” characters via built-in function

Question 10

Log Overflow

Answer 10

DoS by PCI express backend driver by sending a large number of kernel log messages.

Question 11

Log Overflow Mitigation

Answer 11

Limit number of requests per user
Zip backups
Restrict the resources a user can cause a system to use

Question 12

Path Traversal

Answer 12

Read, delete or write files that are not targeted or intended

Question 13

Path Traversal Mitigation

Answer 13

Use the security manager
Restrict file access to reading access within specified directory

Question 14

Buffer Overflow

Answer 14

Overwrite stack

Question 15

Buffer Overflow Mitigations

Answer 15

Stack Canaries

Question 16

Harcoded Credentials

Answer 16

Have credentials in the code or stored in plaintext

Question 17

Hardcoded Credentials Mitigations

Answer 17

Never store credentials in plaintext, only hashes of those
Also store credentials in external file with proper permissions

Question 18

Unsalted hashes

Answer 18

Unsalted hashes are vulnerable to brute force attack, dictionary attacks and rainbow tables

Question 19

Uncontrolled Format String Mitigation

Answer 19

Set format string explicitly
Sanitize

Question 20

OS Command Injection

Answer 20

Unsanitized input is forwarded to an OS command using a pipe attack

Question 21

OS Command Injection Mitigations

Answer 21

Try restricting the OS call to a single command
Generally avoid OS calls whenever possible
Ideally restrict inputs to those command via a whitelist

Question 22

Cache Poisoning

Answer 22

Vulnerability to cause specific data to be cached that aids the attacker’s objective

Question 23

Compression Bomb

Answer 23

DoS by filling up RAM or hard disk when uncompressing a compressed file

Question 24

Compression Bomb Mitigations

Answer 24

Inspect compressed input
Keep track how many bytes have been decompressed, or limit rounds
Limit Resources for Process