6. Web Security

Question 1

stateless HTTP

Answer 1

http request and response pairs is independent and has no memory. Does not know if user is already logged in

Question 2

sessions

Answer 2

1. data structure to store data only during time user is interacting with website
2. used to manage states
3. session data stored in server
4. session id stored on client using cookies
5. session id is passed to server to retrieve stored data
6. when closed, lose session

Question 3

session hijacking

Answer 3

1. session starts when user logs in and return session id to user
2. attacker steals the session id that will remain unchanged after authentication
3. attacker is then able to hijack the session using the session id

Question 4

GET vs POST

Answer 4

get is less secure as data can be found in URL

post is more secure as data is in body

Question 5

OWASP top web security risks

Answer 5

1. sql injection
2. broken authentication
3. sensitive data exposure
4. broken access control
5. security misconfiguration
6. cross site scripting
7. insecure direct object reference

Question 6

sql injection

Answer 6

tricks server into executing wrong command
fred’ OR ‘1’=’1’
‘OR 1=1 –

problem
- allowing characters with special meaning

defense

• prepared statements
• stored procedures

Question 7

broken authentication

Answer 7

error in implementation

• what if user forget to logout
• what if password is not hashed and salted
• is the session id encrypted

Question 8

cross site scripting

Answer 8

1. reflected
   - non persistent
   - script passed using URL
   - trick the user to clicking
2. stored
   - store script on server eg. forum
   - next user becomes the victim
3. DOM based
   - crafts malicious code
   - trick victim to click the link and sends code to server
   - server wraps it with search template
   - server returns and execute real script
   - malicious code gets rendered

defense
- escape before inserting untrusted data

Question 9

insecure direct object reference

Answer 9

unauthorised change in parameter value to refer to another user account
eg https://www.blablabla.com/customerID=1234 ->1233

Question 10

security misconfiguration

Answer 10

can be misconfigured at many levels

• not keeping software up to date
• not patching vulnerabilities
• using default user credentials

defence
- principle of least privilege

Question 11

sensitive data exposure

Answer 11

• database not protected adequately
• data in database not encrypted
• SQLI, sniffing, rainbow tables

defence

• encrypt data
• store password that is salted and hashed
• apply access control
• employee training and awareness

Question 12

missing function level access control

Answer 12

function fulfilled without checking o user privileges

defence

• don’t show function that user not allowed to use
• principle of least privilege

Question 13

cross site request forgery

Answer 13

trick user to execute undesired action when they are already authenticated

• depends on the privilege of the user
• requires social engineering

defence

• use challenge tokens
• for sensitive operations, include challenge token in request. Server checks token to ensure request is valid

Question 14

using components with known vulnerabilities

Answer 14

defence

• keep components up to date
• evaluate vulnerabilities before using
• keep track of attack surface(3rd party software that you are not sure about)

Question 15

unvalidated redirect

Answer 15

defence

• avoid links
• have user confirm redirect
• white list of redirects