4 - Application-Layer Security (Web Security) Flashcards

1
Q

Explain SQL Injection.

A

Poorly developed systems do not validate user input properly, making it possible for a user (the attacker) to type commands as input that become part of a command (query) executed on the server.

2
Q

How to prevent injection attacks?

A

Never trust any incoming data:

  • Check all incoming strings for executable code.
  • Replace special characters with their respective escape sequences.
  • Whitelist a specific set of allowed characters.
  • Use parameterized queries in SQL statements.
3
Q

How can a system store its users' passwords securely in a database?

A

Only store a hash h = H(password) of the password and check H(input) == h to authenticate the user. Hash functions are non-reversible.

4
Q

How do dictionary attacks on hashed passwords work?

A

The attacker pre-computes a vast number of password-hash pairs and stores them in a lookup table (dictionary). Given a hash, the attacker can simply look the plain-text password up in the dictionary.

5
Q

What is the limitation of dictionary attacks on hashed passwords?

A

Does not scale. The size of the dictionary grows exponentially with the length of the passwords. Storing and querying this amount of data is expensive, if not infeasible.

6
Q

Explain rainbow tables.

A

A set of chains, each of fixed length K. A chain is created by alternating plain-text passwords from a dictionary and hash values, obtained by applying the hash function H and a reduce function R:
passwd –H–> hash –R–> passwd –H–> hash –R–> passwd

The database stores only the first and last plain-text passwords of a chain.

Given a hash value, to find its corresponding password, we apply the reduce function to get a password from the dictionary. If this password is in the list of “last words” in the database, that chain contains the password we are looking for. Rebuild the chain from its first word by applying H and R until we reach the hash value we are looking for, and then take the password immediately preceding it.

7
Q

Why use rainbow tables?

A

Compared to dictionaries, rainbow tables offer a trade-off between time (more processing) and memory (less).

8
Q

How can we protect against rainbow tables?

A

Using salted hashes. We append a random sequence of characters (the salt) to the user's password and then apply the hash function. The salt is stored in the database along with the hash value. By doing this we force the attacker to recalculate the rainbow table for each password in the set of passwords.

9
Q

How can sessions be implemented?

A

Hidden values: values are stored as invisible elements embedded in the HTML and sent by the browser with each request.

Cookies: key-value pairs sent by the server and stored in the user’s browser. Cookies are sent back to the server whenever the user loads a website from the same server.

10
Q

How can an attacker hijack a victim’s session?

A

By getting hold of a client’s session ID, an attacker can impersonate the victim and perform actions on the victim’s behalf.

Attack #1: sniffing a client’s traffic reveals the session ID.
Attack #2: Cross-Site Scripting (XSS) consists of injecting malicious code into third-party pages viewed by others.

11
Q

Which are the three types of XSS?

A

Reflected XSS:

  1. Malicious code is passed to the server as a parameter (e.g. in the URL) and is inserted into the web page by the server.
  2. The server sends the modified page back to the client, which then executes the code.
  3. The attacker needs to lure the victim to his site or distribute an obscure link containing the XSS code (links are usually distributed in forums or emails).

Persistent XSS: Malicious code is stored directly on the vulnerable website (comment sections, guest books, forums). It is usually delivered to every visitor of the legitimate web page.

Local or DOM-based XSS: similar to reflected XSS, but the malicious code runs locally on the victim’s browser, without exploiting server-side flaws.

12
Q

How to prevent XSS attacks?

A

  • Sanity-check user inputs and escape special characters.
  • Blacklist: disallow certain characters and strings.
  • Whitelist: restrict user input to a certain set of characters.
13
Q

What is Cross-Site Request Forgery?

A

It is a method that allows the attacker to act on behalf of a victim by triggering HTTP requests via the victim’s browser.

14
Q

Which are the countermeasures for CSRF?

A

Secret validation token: embed a token as a hidden value in the original web page and store it as session information on the server. When the request is triggered from the correct web page, the client will send the correct token (the attacker does not know the correct token to use in his submission).

Check Referer/Origin: browsers send the URL which initiated the request in a request header.

15
Q

How to prevent an attacker from sniffing a client’s traffic to steal its session ID?

A

Using E2EE (SSL/TLS).
