XXS & XSRF

Question 1

What is XXS?

Answer 1

Cross-Site Scripting

Injects a malicious script into a trusted site to compromise the sites visitors

Question 2

What is the first step of a XXS attack?

Answer 2

the attacker identifies an input validation vulnerability within a trusted website

Question 3

What is the second step of a XXS attack?

Answer 3

the attacker crafts a URL to perform the code injection against that trusted website

Question 4

What is the third step of a XXS attack?

Answer 4

the trusted site will return a page containing the malicious code injected,

Question 5

What is the fourth step of a XXS attack?

Answer 5

Malicious code runs in the clients browser with permission level as the trusted site

Question 6

What is a Non-Persistent XXS?

Answer 6

This type of attack only occurs when its launched because your clicking the link and it happens once

Question 7

What is a Persistent XXS?

Answer 7

allows an attacker to insert code into the backend database used by that trusted website

Question 8

What is a DOM XXS?

Answer 8

Document Object Model

exploit the client’s web browser using client-side scripts to modify the content and layout of the webpage.

Question 9

For the exam, anytime your looking at a log snippet or captured URLs that have the script or any kind of Javascript inside of them, its most likely a what?

Answer 9

XXS Attack

Question 10

For the exam, if you see something with document dot something in it, like document dot or document dot right, this should tell you what?

Answer 10

DOM-based cross-site scripting attack

Question 11

What is Session Management?

Answer 11

Enables web applications to uniquely identify a user across several different actions and requests

Question 12

What is a Cookie?

Answer 12

Text file used to store information about a user when they visit a website

Question 13

What is a Non-Persistent Cookie?

Answer 13

Known as a session cookie, which resides in memory and is used for a very short period of time

Question 14

What is a Persistent Cookie?

Answer 14

stored in the browser cache, until they’re either deleted by a user or they expire

Question 15

What is Session Hijacking?

Answer 15

type of spoofing attack where the attacker disconnects a host and then replaces it with his or her own machine by spoofing the original host IP

Question 16

What is Session Prediction?

Answer 16

type of spoofing attack where the attacker attempts to predict the session token in order to hijack your session.

Question 17

What is XSRF?

Answer 17

Cross-Site Request Forgery

Malicious script is used to exploit a session started on another site within the same web browser

Question 18

For the exam, remember, that if somebody is trying to get a victim to unintentionally carry out an action on a website this is normally going to be what?

Answer 18

XSRF

Cross-Site Request Forgery