Week 7

Question 1

What are the 3 ways of authenticating users after log-in?

Answer 1

IP address-based: NAT can cause users to share same IPs, DHCP can allow user to have different IPs.

Certificate-based

Cookie-based

Question 2

How do cookies work?

Answer 2

Let server store a string on a client, based on server name.

Used to identify user, store username and preferences, track the user.

Question 3

What is Eavesdropping?

Answer 3

If connection is not encrypted, it is possible to eavesdrop by ISP, anyone on the route or anyone on your local network (e.g. using the same Wi-Fi).

Question 4

What are some issues that occur with log-in systems?

Answer 4

No session time outs.

Passwords not hashed.

Question 5

What is sensitive data exposure?

Answer 5

Sensitive data transmitted/stored in clear text.

Question 6

What is XSS?

Answer 6

Cross-site scripting.

Allows an attacker to inject client side code (JS) into web pages.

Stored XSS: Code is stored on website and served to visitors.

Used to steal cookies and run exploits on user.

Question 7

What is the solution for injection?

Answer 7

Sanitisation - any input from clients needs to be properly sanitised.

Question 8

What are some features in a security misconfiguration?

Answer 8

Public error messages.

Viewable files in directory.

Public admin panels.