Web Security - Basics, SOP, Sessions

Question 1

Define

Uniform Resource Identifier (URI)

Web Security

Answer 1

Identifies a resource (string)

Question 2

Define

Scheme

Web Security

Answer 2

Protocol and framework

Question 2

Components of Uniform Resource Identifier (URI)

Web Security

Answer 2

• Scheme
• Authority
• Path
• Query

Question 3

Define

Authority

Web Security

Answer 3

Qualifying name (typically DNS host server or IP address)

Question 4

Define

Path

Web Security

Answer 4

Pathname consisting of “/” separated strings

Question 5

Define

Query

Web Security

Answer 5

Application-specific information

Question 6

Define

Uniform Resource Locator (URL)

Web Security

Answer 6

The identifier that contains information on how to locate a existing/available resource

Question 7

Define

Uniform Resource Name (URN)

Web Security

Answer 7

Identifies an entity regardless of availability/existence

Question 8

Define

Hypertext Markup Language (HTML)

Web Security

Answer 8

A language that uses tags and attributes to display a webpage

Question 9

Define

Javascript

Web Security

Answer 9

Powerful script to manipulate client-side data and provides object support

Question 10

Why is Javascript suitable for HTML?

Answer 10

Javascript is weakly and dynamically typed

Question 11

Define

HTML Frames

Web Security

Answer 11

The tag that allows for multiple separate views/pages associated with separate URLS on the same page

Question 12

Directly visiting a page will lead to which frame?

Web Security

Answer 12

Main frame

Question 13

What does the parent frame do?

Web Security

Answer 13

Specify its own style and the placement of the child frame within itself

Question 14

Define

Hypertext Transfer Protocol (HTTP)

Web Security

Answer 14

An application-layer protocol to transfer information between web client and server (typically port 80)

Question 15

What does a client do during HTTP?

Web Security

Answer 15

Opens a connection and sends requests

Question 16

What does a server do during HTTP?

Web Security

Answer 16

Accept client’s connection and sends replies as a response to the requests

Question 17

HTTP Request Headers specify

Web Security

Answer 17

• Method
• Resource
• Protocol version

Question 18

HTTP Methods

Web Security

Answer 18

• GET()
• HEAD()
• POST()
• PUT()

Question 19

Define

HTTP Method: GET()

Web Security

Answer 19

Reads data from the URL

Question 20

Define

HTTP Method: HEAD()

Web Security

Answer 20

Fetches information about the data resource from the HTTP header

Question 21

Define

HTTP Method: POST()

Web Security

Answer 21

Submits “data” and stores data as value in a variable

Question 22

Define

HTTP Method: PUT()

Web Security

Answer 22

Uploads data to a stored variable under a specific resource

Question 23

What specifies a resource?

Web Security

Answer 23

An absolute URI or relative path

Question 24

How does an absolute URI request a resource?

Web Security

Answer 24

Through proxy

Question 25

How does a relative path request a resource?

Web Security

Answer 25

Through a server that owns the resource

Question 26

Define

HTTP Response

Web Security

Answer 26

The answer or data read by the server

Question 27

Define

Web Servers

Web Security

Answer 27

Something that loops forever to receive HTTP requests and send HTTP responses

Question 28

Outline a TCP connection

Web Security

Answer 28

1. Client requests to connect with a server
2. Server accepts connection
3. Client sends HTTP Request
4. Server reads and processes HTTP Request
5. Server writes back HTTP Response
6. Connection closed

Question 29

Define

Common Gateway Interface (CGI)

Web Security

Answer 29

Protocol for web servers to execute programs and generate pages dynamically

Question 30

Define

HTML Forms

Web Security

Answer 30

Collects data using GET and POST methods

Question 31

Where is data collected from when an HTML form uses GET()?

Web Security

Answer 31

Query

Question 32

Where is data collected from if an HTML form uses POST()?

Web Security

Answer 32

Body

Question 33

How is data sent back in an HTML form?

Web Security

Answer 33

Name-value pair

Question 34

What happens if data from an HTML form is an empty string?

Web Security

Answer 34

Neither name nor value is present

Question 35

Define

Hypertext Processor (PHP)

Web Security

Answer 35

Executes the page on the server side

Question 36

Define

Clientside Javascript

Web Security

Answer 36

APIs that control web client in an object-oriented way

Question 37

Define

User Agent

Web Security

Answer 37

Client side that retrieves and displays web data

Question 38

Define

Document Object Model (DOM)

Web Security

Answer 38

Documentation that treats an HTML like a tree structure

Question 39

List the parts of a Document Object Model (DOM)

Web Security

Answer 39

• Node
• Browser Object Model (BOM)

Question 40

Define

Node in a DOM

Web Security

Answer 40

Part of the document

Question 41

Define

Browser Object Model (BOM) in a DOM

Web Security

Answer 41

The API to browser properties

Question 42

Javascript security is much like

Web Security

Answer 42

Sandbox

Question 43

What is part of Javascript security?

Web Security

Answer 43

• No access to files/network resources or browser history
• Windows must be bigger than 100x100 px

Question 44

Describe

Frame Isolation

Web Security

Answer 44

Each site is isolated from one another (exception: if it’s the same site)

Question 45

List the types of frame isolation relationships

Web Security

Answer 45

Frame-Frame and Frame-Principal

Question 46

Describe

Frame-Frame

Web Security

Answer 46

• canScript(A, B) - can A execute scripts on B?
• canNav(A, B) - can A change B’s origin?

Question 47

Describe

Frame-Principal

Web Security

Answer 47

readCookie(F, D) and writeCookie(F, D) - can frame F perform on domain D?

Question 48

Describe

Same Origin Policy (SOP)

Web Security

Answer 48

Isolation of different pages such that a frame in one origin has no access to the resources of a different origin

Question 49

What is an Origin determined by?

Web Security

Answer 49

Determined by string matching and URL of a loaded frame’s location

Question 50

What is the tuple for an origin?

Web Security

Answer 50

[Protocol, hostname, port]

Question 51

Define

XMLHTTPRequests (XHR)

Web Security

Answer 51

Allows Javascript to send HTTP Requests to a server and receive data responses from the same origin

Question 52

Define

HTTP Responses under SOP

Web Security

Answer 52

Can interact with other frames from different origins but can’t inspect contents on scripts and resources

Question 53

Ways to relax SOP

Web Security

Answer 53

• Set sites from different origins to be from the same domain
• Access-Control-Allow-Origin/Cross-Origin resource sharing
• Cross-document messaging

Question 54

Define

HTTP Authentication

Web Security

Answer 54

Basic authentication to deny access until credentials are sent during verification procedures

Question 55

Where can Access Control Policy be placed?

Web Security

Answer 55

Directory or global configuration file

Question 56

How can a web application keep track of a state if HTTPs are stateless?

Web Security

Answer 56

• HTTP Cookies
• Server side sessions
• Embedding information in returned pages (i.e. hidden vars, modified URLS)

Question 57

Define

Session

Web Security

Answer 57

Sequence of HTTP request and responses associated with a user

Question 58

Define

Basic Authentication

Web Security

Answer 58

Form to send creditionals to server-side and an authenticator is returned for validation (i.e. cookie)

Question 59

Define

HTTP Cookie

Web Security

Answer 59

Small data set from and set by site stored in web broser to maintain a state on client side

Question 60

Where can cookies from domain A send its requests to?

Web Security

Answer 60

To domain A

Question 61

What defines the scope of a cookie?

Web Security

Answer 61

Domain and path

Question 62

What if no domain is set for a cookie?

Web Security

Answer 62

Host-only cookie is set (handled by browser)

Question 63

What happens if a path is specified for a cookie?

Web Security

Answer 63

Cookies are used when requesting a page within the path

Question 64

What happens if no path is specified for a cookie?

Web Security

Answer 64

Cookies are used for the path of the requested resource

Question 65

What controls the lifetime of a cookie?

Web Security

Answer 65

Expires and Max-Age

Question 66

Define

Expires

Web Security

Answer 66

When the broswer will delete the cookie

Question 67

What happens if no expiration or max-age is set for a cookie?

Web Security

Answer 67

Cookie becomes a session cookie and will expire when the session is completed

Question 68

Define

Secure Cookie

Web Security

Answer 68

Tells the browser how to use the cookie in secure/encrypted connections

Question 69

Define

HTTP Only Cookie

Web Security

Answer 69

No exposure of the cookie is allowed besides HTTP requests

Question 70

How can a client access a cookie?

Web Security

Answer 70

• Read in scope
• Sets a new cookie
• Deletes a cookie

Question 71

SOP: Cookies vs. DOMS

abc.com/x ____ receive cookies for abc.com/y

Web Security

Answer 71

Does not receive

Question 72

SOP: Cookies vs. DOM

abc.com/x ____ access the DOM of abc.com/y

Answer 72

Can access

Question 73

SOP: Cookies vs. DOM

Using Javascript, why can abc.com/x see the cookies of abc.com/y?

Web Security

Answer 73

They share the same domain (abc.com)

Question 74

Ways to indirectly bypass SOP

Web Security

Answer 74

• A related domain attacker controls cookies on another domain
• Meeting the fixed storage limit of the cookie jar
• MITM attacks

Question 75

What can a.abc.com do to b.abc.com?

Web Security

Answer 75

Influence and control b.abc.com’s cookies

Question 76

Define

Session Fixation Attack

Web Security

Answer 76

Where a session ID is overwritten and the session is hijacked

Question 77

How does a session fixation attack happen?

Web Security

Answer 77

Attacker gets the ID => victim visits under wrong ID and authenticates => attacker impersonates as victim with the authentication information

Question 78

Defenses against Session Fixations

Web Security

Answer 78

• Update session IDs periodically
• Initalize cross-site scripting

Question 79

Define

Cross-Site Request Forgery (CSRF)

Web Security

Answer 79

Malicious Javascript/server code tricking users to perform acts on a different web application

Question 80

Defenses against Cross-Site Request Forgery (CSRF)

Web Security

Answer 80

• Avoid using GET() when exporting functionality
• Referer Validation
• Secure Token Validation

Question 81

Describe

Referer Validation

Web Security

Answer 81

Header fields that indicates who initated the request

Question 82

Limitation to Referer Validation

Web Security

Answer 82

• Not always available
• May leak information

Question 83

If the Referer Validation is none, what are the types of defaults?

Web Security

Answer 83

• Allow: less secure, more usable
• Deny: more secure, less usable

Question 84

Define

Secure Token Validation

Web Security

Answer 84

A randomly generated invisible token on the server side for every user’s action

Question 85

When is a Secure Token obtained?

Web Security

Answer 85

If the user explicitly visited the right page

Question 86

What are the goals of web security?

Web Security

Answer 86

Protect CIA, privacy, availability, and computing resource