Web Security Flashcards

1
Q

Cookies

A

Cookies are small pieces of text that a website stores in the browser and that the browser sends back on later requests to that site. They are set by the website the user is visiting (first-party cookies) and also by ads, widgets, and other third-party elements embedded in the page (third-party cookies).

Cookies are not compiled code. They are plain text.

Because cookies are not code, they cannot be used as a virus: they cannot replicate themselves, cannot be executed, and are not self-executing. These are all characteristics necessary for a virus.

Cookies can be used for spyware-like tracking. A cookie can store user preferences and a unique identifier, and a third party whose cookie is present on many pages can use that identifier to build a record of the user's browsing across sites.

2
Q

Cross-Site Scripting (XSS)

A

If a website accepts user input without controls, an attacker can submit malicious script where ordinary content is expected.

Many websites take user-supplied data and then display or echo it back, that is, include the user-input data in the HTML page sent to a user's browser. Social networking sites, blogs, comment sections and search pages all do this.

Suppose a user submits <script>alert("Hello World");</script> as his "name".

If the site does not encode the input, the script is included verbatim in the HTML page sent to users' browsers, and when the page loads the script runs and the alert "Hello World" is displayed. A real attack would run script that steals the session cookie or acts on the site as the user instead of showing an alert.
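The echo-back sink described above, next to its fix, as an added example that is not part of the original flashcards. The function and variable names (renderProfileUnsafe, renderProfileSafe, escapeHtml, PAYLOAD) are assumptions made for this illustration; the payload is the one the card uses as the "name".

```javascript
// Added example (not from the flashcards): a reflected XSS sink and its fix.
// renderProfileUnsafe() builds HTML the way a naive echo-back page does: the
// user-supplied "name" is pasted into the markup verbatim, so any <script>
// element it contains becomes part of the page and runs in the viewer's browser.
function renderProfileUnsafe(name) {
  return '<h1>Hello, ' + name + '</h1>';
}

// HTML-encode the five characters that can change HTML structure or terminate
// an attribute. This is the fix for the text/attribute context; values placed
// into URLs, inline JavaScript or CSS need their own context-specific encoders.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Same page, with the input encoded before it is spliced into the markup.
function renderProfileSafe(name) {
  return '<h1>Hello, ' + escapeHtml(name) + '</h1>';
}

// Crude check used for the demonstration: does the rendered page contain a
// <script> element that the template itself did not put there?
function containsScriptElement(html) {
  return /<script\b/i.test(html);
}

// Constructed payload: the "name" from the card.
const PAYLOAD = '<script>alert("Hello World");</script>';

console.log('unsafe:', renderProfileUnsafe(PAYLOAD));
console.log('safe:  ', renderProfileSafe(PAYLOAD));
console.log('script element present (unsafe):', containsScriptElement(renderProfileUnsafe(PAYLOAD)));
console.log('script element present (safe):  ', containsScriptElement(renderProfileSafe(PAYLOAD)));
```

Running it prints the unencoded page with a live script element and the encoded page where the same bytes are shown to the user as literal text. The point is that the fix is output encoding at the point where data meets markup, not input filtering: the same "name" may be stored and echoed in several places, and each output context has to be encoded for that context.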

3
Q

XSRF: Cross-Site Request Forgery

A

The user is logged in to a "good" site and, in the same browser, visits a "bad" site that serves attacker-controlled content.

The bad site's page (a script, an auto-submitting form, or even an image tag) makes the browser send requests to the good site. The browser attaches the user's cookies for the good site to those requests automatically, so the good site treats the forged request as if the user had made it.

4
Q

XSRF vs XSS

A

Cross-site scripting

  • User trusts a badly implemented website
  • Attacker injects a script into the trusted website
  • User's browser executes attacker's script

Cross-site request forgery

  • A badly implemented website trusts the user's browser
  • Attacker tricks user's browser into issuing requests
  • Website executes attacker's requests
5
Q

methods that can be used to prevent XSRF

A

Check the HTTP Referer (or Origin) header to see whether the request comes from a page on the site itself. The browser sets these headers; a page on another site cannot control them. Treat a missing header as a failure rather than a pass, since privacy settings and proxies sometimes strip Referer.

Use the synchronizer token pattern: the web application embeds an unpredictable secret token, bound to the user's session, in every HTML form that changes state, and the server rejects any request whose token is missing or does not match the session's token. A page on another site cannot read the form, so it cannot learn the token.

The remaining measures are for users rather than developers:

Log off immediately after using a web application, so no authenticated session remains for a forged request to ride on.

Do not allow the browser to save usernames/passwords and do not allow web sites to "remember" the user login.

Do not use the same browser to access sensitive web sites and to surf the web freely.

6
Q

Preventing SQL Injection

A

Use blacklisting to filter out "bad" input.
–Hard to get right, because there are many ways to write a malicious string and the filter has to anticipate all of them; a filter that strips quotes, for example, does nothing against a numeric injection such as 1 OR 1=1.

Use whitelisting to allow only a well-defined set of safe values (for example, a user id must be a short string of digits, a sort column must be one of a fixed list of names). Anything else is rejected before it reaches the query.

Parameterized queries (prepared statements) send the SQL text and the values separately, so user input is never parsed as SQL; they are the usual complement to whitelisting.
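The three approaches side by side, as an added example that is not part of the original flashcards. No database is used: each function returns the SQL text (or text plus separate values) that would be sent, so the effect of each input on the query's structure is visible directly. The table and column names, the function names and the constructed inputs are assumptions made for this illustration.

```javascript
// Added example (not from the flashcards): why a blacklist filter is fragile,
// and what an allowlist (whitelist) check and a parameterized query look like.

// Vulnerable: the value is spliced into the SQL text, so it can change the
// query's structure, not just its data.
function queryUnsafe(userId) {
  return 'SELECT * FROM users WHERE id = ' + userId;
}

// Blacklist attempt: strip quotes, statement separators and comment markers.
// An input that needs none of those characters (a numeric context) goes through.
function blacklist(value) {
  return String(value).replace(/['";]|--|\/\*|\*\//g, '');
}
function queryBlacklisted(userId) {
  return queryUnsafe(blacklist(userId));
}

// Allowlist: accept only what a user id can legitimately be, and reject the rest
// before it reaches SQL. Returns null for rejected input.
function validateUserId(value) {
  return /^\d{1,10}$/.test(String(value)) ? Number(value) : null;
}
function queryWhitelisted(userId) {
  const id = validateUserId(userId);
  if (id === null) throw new Error('rejected: not a valid user id');
  return 'SELECT * FROM users WHERE id = ' + id;
}

// Parameterized form (the shape most database drivers take): SQL text and values
// travel separately, so the value is never parsed as SQL whatever it contains.
function queryParameterized(userId) {
  return { text: 'SELECT * FROM users WHERE id = $1', values: [userId] };
}

// Does the generated SQL still have the shape the developer wrote? A second
// WHERE-clause operator means the input changed the query's logic.
function structureChanged(sql) {
  return /\b(OR|AND|UNION)\b/i.test(sql.slice('SELECT * FROM users WHERE id = '.length));
}

// Constructed inputs.
const NORMAL_ID = '42';
const NUMERIC_INJECTION = '42 OR 1=1';                 // needs no quotes, so the blacklist passes it
const QUOTED_INJECTION = "42'; DROP TABLE users; --";  // the kind of input a blacklist is written for

function demo() {
  return {
    unsafe: queryUnsafe(NUMERIC_INJECTION),
    blacklistedQuoted: queryBlacklisted(QUOTED_INJECTION),
    blacklistedNumeric: queryBlacklisted(NUMERIC_INJECTION),
    whitelistedNormal: queryWhitelisted(NORMAL_ID),
    whitelistedInjection: validateUserId(NUMERIC_INJECTION),
    parameterized: queryParameterized(NUMERIC_INJECTION),
  };
}

console.log(demo());
```

The blacklist does remove the quote-based payload's dangerous characters, but passes the numeric payload untouched, so the query still returns every row. The allowlist rejects both because neither is a digit string, and the parameterized query carries the payload as an opaque value that the database never interprets as SQL.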
