Chapter 10 - Application Security Flashcards Preview


Flashcards in Chapter 10 - Application Security Deck (12)

What are the main categories of software development vulnerabilities?

The main categories of software development vulnerabilities include buffer
overflows, race conditions, input validation attacks, authentication attacks,
authorization attacks, and cryptographic attacks.


Describe Buffer Overflows

Buffer overflows occur when we do not properly account for the size of the data
input into our applications. When an application takes data in, it specifies the
amount of data it expects to receive and sets aside storage for that data. If it
does not enforce a limit on the amount of data it accepts, it may receive 1,000
characters of input where it had only allocated storage for 50 characters, and
the excess is written past the end of the buffer into whatever lies next to it
in memory.


Describe Race Conditions, give an example

Race conditions occur when multiple processes, or multiple threads within a
process, control or share access to a particular resource, and the correct
handling of that resource depends on the proper ordering or timing of
transactions.
For example, if we are making a $20 withdrawal from our joint bank account via an
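
Worked example (added here; it is not part of the original flashcard deck): the
check-then-act withdrawal race the card describes, in Python. Two threads each
try to take $20 from a constructed joint account holding $30. Without a lock,
both pass the balance check before either deducts, and the account ends at
-$10. With the lock held across check and deduction, only one withdrawal
succeeds. The sleep between the check and the deduction is an assumption that
widens the window so the race shows on every run; real code has the same gap,
only narrower.

```python
import threading
import time


class Account:
    """Constructed joint bank account with a check-then-act withdrawal."""

    def __init__(self, balance):
        self.balance = balance
        self.lock = threading.Lock()

    def withdraw_unsafe(self, amount):
        # The balance check and the deduction are two separate steps. Another
        # thread can run between them, so both callers see enough money.
        if self.balance >= amount:
            time.sleep(0.1)  # assumed delay: widens the window between check and act
            self.balance -= amount
            return True
        return False

    def withdraw_safe(self, amount):
        # Holding the lock turns check-and-deduct into one atomic transaction.
        with self.lock:
            if self.balance >= amount:
                time.sleep(0.1)
                self.balance -= amount
                return True
            return False


def run_withdrawals(use_lock, balance=30, amount=20, callers=2):
    """Start `callers` threads that each try to withdraw `amount` at once.

    Returns (final_balance, number_of_successful_withdrawals).
    """
    account = Account(balance)
    method = account.withdraw_safe if use_lock else account.withdraw_unsafe
    results = []

    def worker():
        results.append(method(amount))

    threads = [threading.Thread(target=worker) for _ in range(callers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return account.balance, sum(results)


if __name__ == "__main__":
    print("unsafe:", run_withdrawals(use_lock=False))  # (-10, 2): both withdrawals went through
    print("safe:  ", run_withdrawals(use_lock=True))   # (10, 1): only one did
```

The lock is the minimum fix; a database would express the same thing as a
single transaction that reads and updates the balance under row locking.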


Describe Input Validation Attacks, give an example

If we are not careful to validate the input to our applications, we may find
ourselves on the bad side of a number of issues, depending on the particular
environment and language being used. Format string attacks are one example: if
attacker-controlled input is passed as the format argument of a function such as
printf(), the format directives it contains are interpreted and can be used to
read or write memory. Failing to encode untrusted data before placing it in a
web page is another; PHP's htmlspecialchars() exists to do that encoding, and
skipping it leads to cross-site scripting.


Briefly give an example of an authentication attack, an authorization attack, and a cryptographic attack

Authentication: an attacker cracks our password.
Authorization: an attacker steals our session ID and uses it to act with administrator rights.
Cryptographic: an attacker recovers our decryption key.


What is a client-side attack, give examples

Client-side attacks take advantage of weaknesses in the software loaded on our
clients, or use social engineering to trick us into going along with the attack.

Examples: cross-site scripting (XSS), cross-site request forgery (XSRF, also
written CSRF), and clickjacking.


What is a server side attack, give some examples

On the server side of the web transaction, a number of vulnerabilities may
cause us problems as well. Such threats and vulnerabilities can vary widely
depending on our operating system, web server software, software versions,
scripting languages, and many other factors.

SQL injection, easily accessible configuration files, and extra or unneeded
files left on the server are examples of server-side attacks and vulnerabilities.
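
Worked example (added here; not part of the original deck) of the SQL injection
named on this card, against a constructed in-memory SQLite users table. The
vulnerable login splices the credentials into the query text, so a username of
admin' -- comments out the password check and logs in as the administrator;
the hardened login binds the same values as parameters and the attack string
is just a username that matches nobody. The table contents and attack strings
are constructed for the example.

```python
import sqlite3


def build_db():
    """Constructed in-memory users table with one administrator account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("admin", "constructed-admin-pw", "admin"),
        ("alice", "constructed-alice-pw", "user"),
    ])
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Vulnerable: the credentials become part of the SQL text itself."""
    query = ("SELECT role FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Hardened: placeholders bind the credentials as data, never as SQL."""
    row = conn.execute(
        "SELECT role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# Constructed attack strings. In SQLite, "--" comments out the rest of the
# line, so the password check vanishes from the vulnerable query.
BYPASS_ADMIN = "admin' --"
BYPASS_ANY_ACCOUNT = "' OR 1=1 --"


if __name__ == "__main__":
    db = build_db()
    print(login_vulnerable(db, BYPASS_ADMIN, "wrong"))   # admin
    print(login_safe(db, BYPASS_ADMIN, "wrong"))         # None
    print(login_safe(db, "alice", "constructed-alice-pw"))  # user
```

The same parameter binding is what prevents the "privilege escalation via SQL
injection" item on the database card: an attacker who can only supply data
cannot append a second statement or alter the WHERE clause.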


What are some of the security issues surrounding Databases?

Protocol issues:
- unauthenticated flaws in network protocols
- authenticated flaws in network protocols
- flaws in authentication protocols

Unauthenticated access:
- unauthenticated access to functionality

Arbitrary code execution:
- arbitrary execution in intrinsic SQL elements
- arbitrary execution in securable SQL elements

Privilege escalation:
- privilege escalation via SQL injection
- local privilege escalation issues


What is a sniffer?

A sniffer is a tool that captures the traffic passing over a network and
decodes it so we can inspect it. Sniffers can be of great use in a variety of
security situations. We can use them at a very high level to examine all the
traffic traveling over the portion of the network to which we are attached,
presuming we can get our sniffer placed where it can see the traffic in question
(on a switched network that normally means a mirror port or a network tap rather
than any free port). We can also use such tools very specifically to watch the
network traffic being exchanged with a particular application or protocol.

Wireshark is an example of a sniffing tool.
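
Worked example (added here; not part of the original deck) of the decoding step
a sniffer performs once it has captured a frame. The parser reads Ethernet II,
IPv4 and TCP headers from raw bytes with the standard struct module and returns
the fields a Wireshark packet list would show. The frame it decodes is
constructed in build_sample_frame() (addresses, ports and payload are made up,
and checksums are zeroed since the parser does not verify them). The length and
offset checks are the part worth copying: a decoder that trusts header lengths
from the wire is itself an input validation bug.

```python
import socket
import struct

TCP_FLAG_NAMES = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                  (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def parse_frame(frame):
    """Decode Ethernet II -> IPv4 -> TCP headers from raw frame bytes.

    Returns the fields a sniffer would list for the packet; raises
    ValueError for anything truncated or not understood.
    """
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("not IPv4 (ethertype 0x%04x)" % ethertype)

    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _frag, ttl, proto,
     _csum, src_ip, dst_ip) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if (ver_ihl >> 4) != 4 or ihl < 20 or total_len > len(ip) or ihl > total_len:
        raise ValueError("bad IPv4 header")
    if proto != 6:
        raise ValueError("not TCP (protocol %d)" % proto)

    tcp = ip[ihl:total_len]          # header lengths are used only after validation
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4
    if data_off < 20 or data_off > len(tcp):
        raise ValueError("bad TCP data offset")
    flags = [name for bit, name in TCP_FLAG_NAMES if off_flags & bit]

    return {
        "src_mac": mac_str(src_mac), "dst_mac": mac_str(dst_mac),
        "src_ip": socket.inet_ntoa(src_ip), "dst_ip": socket.inet_ntoa(dst_ip),
        "ttl": ttl, "src_port": sport, "dst_port": dport,
        "seq": seq, "ack": ack, "flags": flags, "payload": tcp[data_off:],
    }


def build_sample_frame(payload=b"GET / HTTP/1.1\r\n"):
    """Constructed frame 10.0.0.1:40000 -> 10.0.0.2:80, PSH+ACK, checksums zeroed."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1000, 2000, (5 << 12) | 0x18,
                      65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     socket.inet_aton("10.0.0.1"), socket.inet_aton("10.0.0.2"))
    return eth + ip + tcp


if __name__ == "__main__":
    p = parse_frame(build_sample_frame())
    print("%s:%d > %s:%d [%s] ttl=%d %r" % (
        p["src_ip"], p["src_port"], p["dst_ip"], p["dst_port"],
        ",".join(p["flags"]), p["ttl"], p["payload"]))
```

On a live system the bytes would come from a raw socket or a pcap file instead
of build_sample_frame(); the decoding is the same.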


What are Nikto and Wikto?

Nikto is a free and open source web server analysis tool that performs checks
for many of the common server-side vulnerabilities we might face: outdated server
software, dangerous or default files and programs, and server misconfigurations.
Wikto is a Windows tool from SensePost that performs Nikto-style checks and adds
its own, such as directory and file discovery on the target.


What is a fuzzer?

In addition to all the tools we can use to look over our software for various
known vulnerabilities, there is another category of tools we can use to find
completely unexpected problems, a process referred to as fuzz testing. The
tools we use for this technique, referred to as fuzzers, work by bombarding our
applications with all manner of data and inputs from a wide variety of sources,
in the hope that we can cause the application to fail or to perform in unexpected
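
Worked example (added here; not part of the original deck) of a small mutation
fuzzer in Python. The target is a constructed length-prefixed record format
whose parser deliberately trusts the length byte without checking that the
record holds that many bytes. The fuzzer repeatedly mutates a valid record
(overwrite, insert or delete one byte), feeds it to the parser, ignores the
parser's own deliberate rejections, and records any other exception together
with the input that caused it. The record format, the parser and its bug are
assumptions for the example; the loop is the general shape of a fuzzer.

```python
import random


class RecordError(ValueError):
    """The parser's own, expected rejection of malformed input."""


def parse_record(data):
    """Toy length-prefixed record: [len][payload: len bytes][checksum].

    checksum = sum(payload) % 256. Returns the payload as ASCII text.
    Deliberate bug: the length byte is trusted without checking that the
    record actually contains that many bytes.
    """
    if len(data) < 2:
        raise RecordError("record too short")
    length = data[0]
    payload = data[1:1 + length]
    checksum = data[1 + length]          # IndexError when length overruns the data
    if sum(payload) % 256 != checksum:
        raise RecordError("bad checksum")
    return payload.decode("ascii")       # latent second bug: non-ASCII payloads


def make_record(text):
    """Build a well-formed record for the constructed format."""
    payload = text.encode("ascii")
    return bytes([len(payload)]) + payload + bytes([sum(payload) % 256])


def mutate(rng, data):
    """Apply one random mutation: overwrite, insert or delete a byte."""
    data = bytearray(data)
    choice = rng.randrange(3)
    if choice == 0 and data:
        data[rng.randrange(len(data))] = rng.randrange(256)
    elif choice == 1:
        data.insert(rng.randrange(len(data) + 1), rng.randrange(256))
    elif data:
        del data[rng.randrange(len(data))]
    return bytes(data)


def fuzz(parser, seed_input, iterations=500, seed=1234, expected=(RecordError,)):
    """Mutation fuzzer. Returns {exception_class_name: first_input_that_caused_it}.

    Exceptions in `expected` are the parser rejecting bad input on purpose and
    are ignored; any other exception is an unexpected failure and is recorded.
    """
    rng = random.Random(seed)
    crashes = {}
    for _ in range(iterations):
        candidate = mutate(rng, seed_input)
        try:
            parser(candidate)
        except expected:
            continue
        except Exception as exc:          # a fuzzer wants every other failure
            crashes.setdefault(type(exc).__name__, candidate)
    return crashes


if __name__ == "__main__":
    for name, sample in fuzz(parse_record, make_record("hello")).items():
        print(name, sample)               # e.g. IndexError b'\xc3hello\xf4'
```

The "expected" set is the important knob: a parser that raises a specific
exception for bad input lets the fuzzer tell deliberate rejection apart from a
genuine failure, which is exactly the distinction a triage step needs.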

