Web Security Flashcards

1
Q

Network Attacker (Server-Side)

A
  • Monitoring, fabrication and disruption of network traffic

→ Man-in-the-Middle

2
Q

Web Attacker (Server-Side)

A
  • specialised in web applications
    → Man-in-the-browser
  • XSS attacker (executes JavaScript)
3
Q

Web Application (Basic Technology)

A

Look it up!

4
Q

HTTP and Web Application Basics

A
  • all HTTP transactions have the same format
  • every request and response has 3 parts:
    1. request/response line
    2. header
    3. body
5
Q

Form of a request

A

Verb Path Protocol

GET, POST, URL (look it up)

6
Q

Response Codes

A

2xx Success, 3xx Redirection, 4xx Client Error, 5xx Server Error

7
Q

Web Server Scripting

A

The HTML code is created on the fly by a program.

Methods: CGI, web server modules, dedicated application server

8
Q

Web Application (Attacking Web Apps)

A

Client-side problems (XSS, CSRF)

Server-side problems (SQL injection, remote code injection)

9
Q

Injection Attacks

A

SQL: look for insecure code sequences
- the application uses a DBMS for persistent data storage
→ insecurity arises with dynamic queries
→ the attacker must find a parameter that the web application uses to construct a query
Remote Code:
XSS:

10
Q

KERBEROS

A

User, Kerberos System, Ticket Granting Server, Service

  • the user's password is never in plaintext
  • authentication + encryption are based on shared keys
  • protects against spoofing
  • no password is sent over the network
  • protection against replay attacks
11
Q

OWASP TOP 10

A
  1. Injection
  2. Broken authorisation and session management
  3. Cross-site scripting (XSS)
  4. Insecure direct object references
  5. Security misconfiguration
  6. Sensitive data exposure
  7. Missing function level access control
  8. Cross-site request forgery
  9. Using components with known vulnerabilities
  10. Unvalidated redirects and forwards
12
Q

Kerberos flow

A

The user sends a request to K for an authorisation ticket and receives the authorisation.
The user makes a service access request and receives a ticket for the requested service.
The user requests service access from the service with that ticket.
