XSS, Hardware vulnerabilities, Cloud-specific, Supply chain

Question 1

XSS (Cross-site scripting)

Answer 1

Takes advantage of a trust a user has for website.
**commonly uses JavaScript

Question 2

Reflected XSS

Answer 2

Script is embedded in URL executes in the victim’s browser.
User is the person who executes the code.

Question 3

Persistent (stored) XSS

Answer 3

attacker injects malicious code into web app, and the app then stores and serves that malicious code to other users

Question 4

Protecting against XSS include:

Answer 4

-Careful clicking untrusted links
-Consider disabling JavaScript
-Update browser/apps
-Don’t allow users to add their own scripts

Question 5

Why are hardware potential security risks?

Answer 5

perfect entry point form an attack

Question 6

Firmware

Answer 6

software inside of hardware

Question 7

End of Life (EOL)

Answer 7

manufacturer stops selling, marketing, and developing the product.

Question 8

End of service life (EOSL)

Answer 8

○ manufacturer ceases providing all support services
○ Support is no longer available

Question 9

List some virtualization vulnerabilities?

Answer 9

-Local privilege escalation
-Command injection
-Info disclosure

Question 10

Hypervisor

Answer 10

Manages the relationship between physical & virtual resources.

Question 11

True or false: RAM is allocated and shared between VMs

Answer 11

True

Question 12

True or false: Data can be inadvertently be shared between VMs

Answer 12

True

Question 13

Cloud specific vulnerabilities (attacking the service) include:

Answer 13

-Authentication bypass
-Directory traversal
-Remote code execution

Question 14

Authentication bypass

Answer 14

Take advantage of weak or faulty authentication

Question 15

Directory traversal

Answer 15

Ability to manually move around the structure of that web server into folders & sub-directories

Question 16

Remote code execution

Answer 16

Take advantage of unpatched systems

Question 17

XSS

Answer 17

takes advantage of poor input validation

Question 18

Out of bounds write

Answer 18

Write to unauthorized memory areas

Question 19

When looking at service providers, consider-

Answer 19

ongoing security audits of all providers

Question 20

When looking at hardware providers, consider-

Answer 20

1. Using a small supplier base; tighter control
2. Strict control over policies & procedures
3. Security should be part of overall design.

Question 21

When looking at software providers, consider-

Answer 21

Initial installation; digital signature
Updates & patches
Look at source code (someone who has access, has ability to make changes)