Web security

Question 1

What are the goals of web security

Answer 1

Users should be able to visit a variety of websites without incurring harm. Secure web applications

Question 2

List the web threat model

Answer 2

1. Web attacker: - control attacker.com, then the user visits attacker.com
2. Network attacker: - Passive: Wireless eavesdropper -Active: Evil router, DNS Poisoning
3. Malware attacker: - Attacker escapes browser isolation mechanisms and runs separately under the control of OS

Question 3

Examples of Malware attacker

Answer 3

XSS, SQLi, CSRF

Question 4

What are URLs

Answer 4

Global identifiers of network-retrievable documents

Question 5

What are cookies

Answer 5

They are used to store state on a user’s machine. HTTP is a stateless protocol, cookies add state

Question 6

What are cookies used for

Answer 6

1. Authentication
2. Personalization, recognize the user from a previous visit
3. Tracking: follow the user from site to site, learn their browsing behaviour

Question 7

What is the default scope of a cookie

Answer 7

The domain and path of the setter URL

Question 8

What are the allowed and disallowed domains of this host “login.site.com”

Answer 8

Allowed: - login.site.com, site.com
Disallowed: - user.site.com, othersite.com, .com

Question 9

Does secure cookies provide integrity

Answer 9

NO. only confidentiality. Network attacker can re-write secure cookies

Question 10

How can you achieve data integrity

Answer 10

Cryptographic checksums. use secret key to generate a tag for the cookie

Question 11

Explain SQL Injection

Answer 11

Browser sends malicious input to server, bad input checking leads to malicious SQL query

Question 12

Explain CSFR

Answer 12

A Bad website sends browser request to a good web site using the credentials of an innocent victim

Question 13

Explain XSS

Answer 13

A bad website sends innocent victim a script that steals information from an honest website

Question 14

What causes injection

Answer 14

When data and code share the same channel

Question 15

List 2 ways of preventing SQL iNJECTION

Answer 15

1. Input validation (Blacklisting or whitelisting(better))
2. Escaping quotes: use escaper characters to prevent the quote becoming part of the query. i.e convert ‘ to '

Question 16

Describe Cross-site Request Forgery

Answer 16

1. User and server establish a connection
2. The user visits the attackers server
3. the attacker sends the malicious page
4. The malicious page use the users cookie to send a request to the server

Question 17

Drive-by pharming attack is an attack on home router describe it

Answer 17

The user visits a malicious site, then javascript at the site scans the home network looking for broadband router, once it finds it, it logs in to the router and changes the DNS server

Question 18

List some causes of CSRF

Answer 18

1. The server cannot distinguish whether a request is cross-site (other site’s page) or same-site(server’s own page)

Question 19

Can the browser differentiate between cross site and same site

Answer 19

Yes. It knows which site the request generates from

Question 20

How can the server help prevent CSRF

Answer 20

Referer header, same-site cookie

Question 21

How can the server help it’s self

Answer 21

Secure token

Question 22

List and explain 2 methods for injecting malicious code to a web application

Answer 22

1. Reflected XSS (“type 1”): the attacker’s script is reflected back to the user as part of a page from the victim site
2. Stored XSS (“type 2”) : the attacker stores the malicious code in a resource managed by the web application, e.g database

Question 23

Describe Reflected XSS attack

Answer 23

The user visits the attackers server and it receives a malicious link, when the user clicks on the link it is sent to the victim server and the victim server echos sensitive information, the information is then sent to the attackers server

Question 24

Describe Stored XSS

Answer 24

The attacker injects malicious script to the server, the user requests for content from the victim server and receives malicious script, then the script sends sensitive info to the attackers server

Question 25

Differentiate between XSS and CSRF

Answer 25

In XSS the attacker injects a script into the trusted website and the user’s browser executes the attackers script, while in CSRF the attacker tricks the user’s browser into issuing requests.

Question 26

Best way to prevent against XSS

Answer 26

Validate user inputs, headers, cookies etc. Use positive security policy that specifies what is allowed not what is not allowed