Web Security Flashcards Preview


Flashcards in Web Security Deck (15)
1
Q

Why would an attacker target my site?

A
  • Read private data (user names, passwords, credit card numbers, grades, prices)
  • Change data (change a student’s grades, prices of products, passwords)
  • Spread viruses and other malware
  • Damage or shut down the site, so that it cannot be successfully used by others
  • Harm the reputation or credibility of the organization running the site
  • Spoofing (pretending to be someone they are not)
2
Q

Some Security Recommendations:

A
  • Examine the page source and the server-side script code
  • Examine network traffic and AJAX requests
  • Listen to white hat hackers
  • Assume that the attacker knows about web dev and has the same tools you have
  • COMPLEXITY INCREASES SECURITY RISK

Awareness + Protection = Security

assume nothing; trust no one

3
Q

A selection of attack types

A
  • Denial of Service (DoS): Making a server unavailable by bombarding it with requests
  • Social Engineering: Tricking a user into compromising the security of a site (e.g. phishing)
  • Privilege Escalation: Causing code to run as a “privileged” context (e.g. “root”)
  • Information Leakage: Allowing an attacker to look at data meant to be confidential
  • Man-in-the-Middle: Intercepting traffic between two parties, then reading and/or manipulating it
  • Session Hijacking: Stealing another user’s session cookie to masquerade as that user
    • an attacker can listen to the network, get your session ID cookie, and make requests to the same server with that same session ID cookie to masquerade as you (example: Firesheep)
  • Cross-Site Scripting (XSS) or HTML Injection: Inserting malicious HTML or JavaScript content into a web page
    • injected script code can:
      • masquerade as the original page and trick the user into entering sensitive data
      • steal the user’s cookies
      • masquerade as the user and submit data on their behalf (submit forms, click buttons, etc.)
  • SQL Injection: Inserting malicious SQL query code to reveal or modify sensitive data
4
Q

Securing against HTML injection / XSS / SQL injection

A
  • disallow harmful characters
    • HTML injection is impossible without < >
  • allow them, but escape them
    • preventing blank values (e.g. for an email field)
    • ensuring the type of the value (integer, date, etc.)
    • ensuring the format and the range of the values (e.g., postcode format)
    • ensuring certain combinations of values fit together properly
5
Q

Securing against SQL injection specifically

A
  • escape the string before you include it in your query
    • the escaping function replaces ' with \', etc., and surrounds the value with quotes
  • sanitising user input
  • using prepared statements (i.e. pre-compiled SQL query template that can be filled)
  • limiting database permissions (e.g. principle of least privilege)
6
Q

Client-Side Validation vs. Server-Side Validation

+ what is used respectively

A

Client-Side Validation

Two ways:

  • Implicit: Having the browser automatically enforce certain limitations (e.g. offering buttons rather than a free-text field).
  • Explicit: the validation is done by the page’s author through JavaScript.

Server-Side Validation

  • Regular Expressions are used in server-side validation. (A sequence of characters that define a search pattern.)
7
Q

definition and characteristics of SSL and TLS

A

Asymmetric cryptographic protocols designed for secure communication over a computer network.

  • To use SSL, a certificate from a certificate authority is required, and it can cost up to a couple of hundred dollars.
  • Using SSL may have an impact on performance, because encrypting and decrypting messages consumes CPU time and memory.
8
Q

explain the SSL or TLS handshake

between an SSL client and SSL server

A
  1. Client contacts server
  2. Server responds with server certificate
  3. Client checks certificate and cryptographic parameters
  4. Client sends a secret key encrypted with the server's public key, plus its client certificate
  5. Server verifies client certificate
  6. Client and server signal that everything is checked
  7. Messages are exchanged encrypted with the shared secret key
9
Q

list 3 types of certificates

A

Domain Validation (DV) - Certificate Authority (CA) checks only the domain name.

Organisation Validation (OV) - CA checks domain and vets some information about organisation.

Extended Validation (EV) - CA checks domain and conducts thorough vetting of multiple aspects of the organisation, according to strict guidelines.

10
Q

How are the HTTP POST and GET methods related to security?

A

In forms,

HTTP POST requests supply additional data from the client (browser) to the server in the message body.

GET requests hold all data in the URL, which is much less secure.

11
Q

What might different error messages in browsers reveal to attackers?

A

A 403 error shows that the resource exists but access to it is forbidden.

This information can be useful to attackers.

12
Q

How can the page source be used for an attack?

A

The page source of a website might reveal valuable information to hackers, such as commented-out sections revealing personal data.

13
Q

server-side vs. client-side security

A

Server-side code is not seen by users, so it is more secure.

(JavaScript is used on both the server side and the client side.)

14
Q

What are botnets?

(NOT NEEDED FOR EXAM)

A

When a hacker has gained access to your computer or website, they build in a backdoor for future access, creating an army of zombie computers that can perform any kind of task (data crunching, theft, etc.).

15
Q

In order to write secure code, we must assume:

A
  • invalid input
  • evil users
  • incompetent users
  • everything that can go wrong, will go wrong
  • everybody is out to get you
  • botnets, hackers, script kiddies, KGB, etc. are out there