Web Application Security Flashcards
1
Q
What were the OWASP top 6 from 2017?
A
Injection, Broken Authentication, Sensitive Data Exposure, XML External Entities, Broken Access Control, Security Misconfiguration
2
Q
What are some possible defenses to SQL injections?
A
Input Sanitization, Prepared Statements
3
Q
What types of XSS attacks are there?
A
Non-persistent / Reflected XSS, Persistent / Stored XSS, DOM-based XSS
4
Q
What are some difficulties with detecting DOM-based XSS?
A
- Malicious URL exists only at the victim’s side
- Malicious URL exists only at a certain point in time
- Malicious URL is created dynamically
5
Q
What are some defenses against XSS?
A
Input sanitization, CSP
6
Q
What are some defenses against XSRF?
A
XSRF Tokens, Limit Sessions, Multi-factor Auth, Check HTTP Referrer
7
Q
What are countermeasures against Clickjacking?
A
Old: X-Frame-Options, Modern: CSP: frame-ancestors