CS 253 Web Security Youtube Pt2 Flashcards

(116 cards)

1
Q

What is the purpose of UI Denial-of-service attacks?

A
  1. You override the browser defaults - This is in order to make it harder to escape from the site.
  2. You implement scareware - Implementing threats of virus or something to make the user buy a product or trapping them.
  3. Trolling
2
Q

How many levels are the web APIs divided in when we talk about the level of restrictions they have?

A

Level 0, 1, 2 and 3

3
Q

What are the restrictions for Level 0 web APIs?

A

No restrictions. APIs can be used immediately and indiscriminately.

4
Q

What are some examples of web APIs with Level 0?

A

DOM, CSS,
window.move()
file download
hide mouse cursor

5
Q

What are the restrictions for Level 1 web APIs?

A

User interaction is required.

API cannot be used unless it is in response to a user’s action, like a click or a keypress.
Scrolling, for example, does not count.

6
Q

What are some examples of web APIs with Level 1?

A

Element.requestFullscreen()
navigator.vibrate()
Copy text to clipboard
Speech synthesis API
window.open()

7
Q

What are the restrictions for Level 2 web APIs?

A

User “engagement” is required.

API cannot be used until user demonstrates high engagement with a website.

8
Q

What are some examples of web APIs with Level 2?

A

Autoplay sound
Prompt to install website to homescreen

9
Q

What are the restrictions for Level 3 web APIs?

A

User permission is required.
API cannot be used until user grants explicit permission.

10
Q

What are some examples of web APIs with Level 3?

A

Camera, microphone, geolocation, USB, MIDI device access.

11
Q

What is tabnabbing?

A

It's an attack in which a newly opened tab reloads the original tab. This is possible because of the way window.open() works: the new tab keeps a window.opener reference that still points to the original tab.

Using that reference, the new tab can navigate the original tab to any URL it chooses. This is especially useful for phishing attacks, because the attacker can replace the previous page with an exact copy that simulates a logout and shows a login form to the user.

12
Q

What are some tabnabbing defenses you can set up?

A
1. Add the rel="noopener" attribute to all a tag elements that have the target="_blank" attribute.

This makes window.opener null instead of pointing to our window.

2. Add the new HTTP header: Cross-Origin-Opener-Policy: same-origin

This makes the browser use a separate OS process to load the site.
It prevents cross-window attacks and process side-channel attacks by severing references to other browsing contexts.

13
Q

What is phishing?

A

It is acting like a reputable entity to trick the user into divulging sensitive information such as login credentials or account information.

It is easier than attacking the security of a system directly, since it consists of just making the user give up their credentials willingly.

14
Q

What is Punycode?

A

Punycode is a representation of Unicode using the limited ASCII character subset allowed in internet hostnames.

Therefore a URL like this:

müller-büromöbel.com

becomes this:

xn--mller-brombel-rmb4fg.com

15
Q

What is the advantage of using punycode?

A

To a certain extent, it helps against IDN homograph attacks.

16
Q

What is domain typosquatting?

A

It consists of using a name that looks similar to an established domain in order to fool the user.
As the name implies, this relies on typos.
For example, if the target domain name is santander.com, the typosquatting alternatives could be:

santnder.com
sntander.com
satnander.com
santnader.coom

etc

17
Q

What is an IDN homograph attack?

A

IDN stands for Internationalized Domain Name.

An Internationalized Domain Name homograph attack consists of taking advantage of the fact that Unicode has many code points that represent different letters but look very similar to users.

By using these letters from other alphabets, an attacker can host domain names that look similar to the real ones and redirect the user to their own servers, usually for phishing purposes.

18
Q

What can be done against IDN homograph attacks?

A

Browsers display Punycode, and as a user you can use a password manager, since the password manager won't be fooled by a look-alike domain name.

Make sure you are connecting through HTTPS.

19
Q

What kind of techniques exist to fool the user into thinking they navigated to the webpage they wanted but in reality redirect them to another?

A

Domain typosquatting

IDN homograph attacks

Using subdomains to confuse users, since users do not know how to read a domain name.
For example: paypal.com-webapp12233122sexample.com

Picture-in-picture attack: use a picture of the website as the background and control what looks like a new window on top of it. Most users do not notice that it is fake.

20
Q

Other noteworthy attacks that can be done to users?

A

Cookiejacking

Filejacking: data is uploaded while the user is instructed as if they were downloading.

21
Q

What are some examples of client side, denial of service attacks?

A

Infinite alert loop

22
Q

What was the browser’s solution to the infinite alert loop attack?

A

Browsers are multiprocess now, so even if an infinite loop runs, the browser's tab close button is not blocked by it, and the user can close the tab whenever they like.

23
Q

What is Google Safe Browsing?

A

It's a list maintained by Google which contains known malware/phishing URLs.

The idea is that the browser queries this list on every navigation, and if it finds a match it shows a warning by Google about the risks of navigating to that page.

24
Q

What is the Google Safe Browsing Lookup API?

A

It's the public API Google provides precisely to send URLs to the Google Safe Browsing server to check their status.

25
Q

What are the drawbacks of using the Google Safe Browsing Lookup API?

A

Sent URLs are not hashed, so the server knows which URLs you look up. Additionally, since every lookup request is processed by the server, there are no guarantees on lookup response time.

26
Q

What is the Google Safe Browsing Update API?

A

It's a public API Google provides that lets you download a list of hash prefixes. When Google sees a suspicious URL, it takes that endpoint and hashes it: it first chops off the end of the path and keeps the prefixes, then hashes them and sends the list of prefixes to all browsers. With that list you can take a URL, chop off the end of the path, hash the prefixes the same way Google does, and then compare your prefix hashes with the list provided by Google.
27
Q

What is a cryptographic hash function?

A

It's an algorithm that maps data of arbitrary size to a bit string of a fixed size. The source data is commonly referred to as "the message". The resulting bit string is commonly referred to as "the hash value".

28
Q

What are some characteristics a cryptographic hash function must meet in order to be considered one?

A

- It must be a "one-way function", meaning you cannot calculate the original message from the resulting hash value.
- It must be deterministic, meaning the same message always results in the same hash value.
- It must be quick to compute, since hash functions are called thousands of times.
- It must be collision resistant, meaning it is infeasible to find different messages with the same hash value.
- It must have an avalanche effect, meaning that even a small change to a message changes the hash value extensively.
29
Q

What is a side channel attack?

A

It's an attack based on information gained from the implementation of a computer system, rather than from weaknesses in the implemented algorithm itself. Some possible sources of this leaked information are:
- Timing information
- Power consumption
- Electromagnetic leaks
- Sound

30
Q

What is an example of a side channel attack (non-web based)?

A

Imagine there is a soundproof room made of glass. The glass has been adequately tested and there is absolutely no way sound leaks out of it. However, sound works by emitting vibrations in the air. These vibrations can then interact with objects within the room and, if they are light enough (like the leaves of a plant, an empty bag of chips, or some earbuds playing music on the table), they can move them. Of course this movement is so small that it is imperceptible to the naked eye. So if you were to record a video from outside this room, even if the video does not capture any sound, you could analyze it afterwards and extract an approximation of the sounds within the soundproof room, all based on the imperceptible movements that the vibrations cause in the objects within the room.
31
Q

What is a classic CSS side channel attack and what does it consist of?

A

CSS History Leak. It consists of checking the color of the links displayed on a user's PC in order to determine which sites have already been visited.

32
Q

How were the CSS History Leaks fixed?

A

1. Preventing layout-based attacks: this was done by making the CSS pseudo-selector :visited unable to load a resource, change position or change size.
2. Preventing some timing attacks: by making the code paths for visited and unvisited links the same length.
3. Preventing computed style attacks: the DOM APIs always report link styles as if the link was unvisited.
33
Q

How can you detect visited links on a PC based on redraw timing?

A

Visited links in theory will take less time to redraw, since their information is already in the cache. So by measuring the timing of the drawing of the page in each case, you could estimate which links were already visited.

34
Q

How can cross-origin images leak data?

A

For example, if there is an image that changes depending on whether you are logged in or not. Maybe it changes width or height. As an attacker you can analyze how the layout is affected by that element and use that information to know whether the user is logged in or not.
35
Q

What is a side channel attack that existed based on ambient lighting and that is useful for getting the browser history?

A

With the use of an ambient light API you could detect the ambient lighting in the room. This was done by first showing a white screen and measuring the light, then showing a black screen and calibrating based on that. Then the page could show a white/black screen based on whether a link was visited or not. You don't get the actual visited links directly, but you get the URLs alongside the light variations, which in practice is the same.

36
Q

What is a side channel attack based on QR codes and ambient lighting?

A

You can generate a QR code for the user with private information. You cannot query that image or information directly, but what you can do is zoom in on each pixel of the QR code and use the ambient light API to detect whether the pixel is black or white. This lets you reconstruct the full QR code image.
37
Q

What is a side channel attack that was discovered through the gyroscope of mobile phones?

A

It was discovered that the gyroscopes found in modern smartphones were so sensitive that they could measure acoustic signals in the vicinity of the phone. This could be achieved even if a site did not have mic permissions. Using this data with signal processing and machine learning, the attacker could identify speaker information and even parse speech. Since iOS and Android required no special permissions to access the gyro, this meant that any app or active web content could use the gyro to eavesdrop on any speech in the vicinity of the phone. This has been updated in later years and permission is now required to access the gyroscope.

38
Q

What is command injection?

A

It's when an attacker attempts to pass unsafe user-supplied data (forms, cookies, HTTP headers, etc.) to a system shell. This is done with the goal of executing arbitrary commands on the host operating system.
39
Q

What is an example of command injection through a request?

A

Let's say you have a form with some inputs and you use those inputs to run code directly in the shell. An example would be querying for a file by receiving the filename as an input. This form could then be used to inject undesired code to be run in the shell.

Example:

Windows: 1234.txt & echo. > attacker_was_here.txt
Linux: 1234.txt;touch attacker_was_here.txt

In these examples the shell receives the filename and then processes an additional command, which in this case creates a txt file.

40
Q

What is the solution to avoid command injection when you need to run the user's inputs on the terminal?

A

You need to escape the provided string. The way to do this differs from language to language, but the idea is to escape or strip unwanted shell characters.
41
Q

What is SQL Injection?

A

It's an injection attack that executes arbitrary queries on the database via a vulnerable application.

42
Q

What is the most common way to test if a site is vulnerable to SQL injection?

A

Try to inject input that turns the query into:

SELECT * FROM users WHERE username = "" OR 1=1
43
Q

What is Blind SQL Injection?

A

It occurs when the database does not output data to a webpage or app. The web app may be configured to show generic error messages instead of returning useful data to the user. However, it may still be vulnerable to SQL injection. The goal of the attacker is to find out more information based on "yes or no" questions. These "yes or no" questions can be approached via 2 methods:

Content-based: see if the page reacts differently depending on whether a query matches something or not.

Time-based: make the database pause for a specified amount of time when the query matches something and otherwise return immediately.

44
Q

What is an example of a time-based blind SQL injection?

A

SELECT 123=LIKE('ABCDEFG', UPPER(HEX(RANDOMBLOB(100000/2))))

The idea is that the query takes a noticeable amount of time to run.
45
Q

What are the common defenses against SQL Injection?

A

- Using parameterized SQL
- Using Object Relational Mappers (ORMs)

46
Q

What does TLS stand for?

A

Transport Layer Security
47
Q

Why is HTTP not secure?

A

Because in HTTP all the data in a request or response is visible. This lets potential attackers see the information and prepare an attack accordingly. It also makes it easier for an attacker to pose as the server to the client and as the client to the server, acting as an intermediary for the request and response and manipulating both in order to deliver malicious content to either the client or the server.

48
Q

What are the 3 properties that secure communication requires?

A

- Privacy: no eavesdropping
- Integrity: no tampering
- Authentication: no impersonation

49
Q

How is TLS related to HTTPS?

A

HTTPS is basically the name given to HTTP when it is used over TLS. HTTPS relies on TLS (Transport Layer Security) encryption to secure connections.
50
Q

What is a Certificate Authority (CA)?

A

It's an entity that issues digital certificates. A certificate certifies that a named subject is the owner of a specific public key.

51
Q

What is the most important field in a certificate and what is it used for?

A

It's the "Common Name" property. It is used to verify whether a certificate matches the URL that is using it.

52
Q

What are the "Common Name" rules?

A

A common name may or may not include the wildcard character "*", which, as in a regex, matches any characters.

Example:
- cs.stanford.edu
- *.stanford.edu
- cs*.stanford.edu

Additionally:
- The wildcard character must only occur in the leftmost subdomain component.
- The wildcard character does not match the "." character.

Example:
"Common Name": *.a.com
x.a.com = MATCH
y.x.a.com = NO MATCH
53
Q

What is a Subject Alternative Name in a certificate?

A

It's just a way to add additional explicit Common Names to a certificate.

54
Q

What are the requirements for HTTPS to show the lock icon on a page?

A

All the elements on the page must be fetched using HTTPS.

Additionally, for all elements:
1. The HTTPS certificate must be issued by a CA trusted by the browser.
2. The HTTPS certificate must not be expired.
3. The HTTPS certificate's CommonName or SubjectAlternativeName must match the URL.
55
Q

What is an SSL Strip or TLS Strip attack?

A

The attack is a man-in-the-middle attack where the attacker takes advantage of an HTTP request that is made with the intention of redirecting to HTTPS. This lets them rewrite the HTML to keep the user on the HTTP version of the site.

56
Q

How do servers work in order to make a TLS Strip attack possible?

A

Most servers which support HTTPS implement an HTTP to HTTPS redirect. When the user omits the protocol in the URL, the browser assumes the http:// protocol. It's in this first unencrypted HTTP request that the TLS Strip attack can occur.

57
Q

What is the way to defend against TLS Strip attacks?

A

HTTP Strict Transport Security (HSTS)
58
Q

How does HSTS work?

A

It provides a header that tells the browser to always use HTTPS for the site, regardless of what the user specifies. This comes with an expiration time.

Strict-Transport-Security: max-age=31536000

This forces the browser to use HTTPS for a year. You can also include some directives:

Strict-Transport-Security: max-age=31536000; includeSubDomains

This includes the subdomains as well.

59
Q

What is one downside of using the HSTS header?

A

It is only useful after the first call to the server, since that is the moment the user receives the server's response with the actual header that enforces the use of HTTPS.

60
Q

What is a possible solution for HSTS not being enforced during the first call to a server?

A

Using the HSTS Preload list
61
Q

What is the HSTS Preload list?

A

It's a list that is shipped with browsers and tells them to always use HTTPS for certain domains, even before accessing them for the first time.

62
Q

What is a downside of the HSTS Preload list?

A

It is very difficult and practically impossible to be removed from the list. Even if a browser vendor does remove you from their list, it will only do so in their next release. The users' locally installed browsers (which they normally don't update) will still keep the old HSTS Preload list.

63
Q

What is a restriction around "includeSubDomains" in HSTS?

A

There is no way to apply HSTS to a subset of subdomains. It's either all or none. This is problematic for larger organizations, which sometimes have subdomains operated by different entities that do not necessarily need, or meet the requirements, to force the use of HTTPS on all of them.
64
Q

What is authentication?

A

It is the process in which we verify that the user is who they say they are.

65
Q

What are the 3 factors that authentication systems classically use?

A

- Something you know (like a password)
- Something you have (like your phone, a badge, a cryptographic key)
- Something you are (like a fingerprint, or other biometric data)

66
Q

What is authorization?

A

The act of deciding whether a certain user has permission to access a certain resource.

67
Q

What is the difference between authentication and authorization?

A

The first verifies the user's existence and validity; the second verifies which places they are allowed to access.
68
Q

What are some common ways of implementing authentication?

A

- Login form
- Ambient authority (HTTP cookies)
- HTTP authentication

69
Q

What are some common ways of implementing authorization?

A

- Access control lists (ACLs)
- Capability URLs

70
Q

What are some common username mistakes?

A

Username duplication and username case-sensitivity.
71
Q

What are the best practices for password requirements?

A

- Minimum password length of at least 8 characters
- Maximum password length of 64 characters
- Check passwords against known breached data
- Rate-limit authentication attempts
- Encourage/require the use of a 2nd authentication factor

72
Q

Why is setting up a 64 character maximum password length considered best practice?

A

To avoid denial-of-service attacks using very long passwords. Also, some common password-hashing functions, like bcrypt, have a max length of 72 ASCII characters.

73
Q

What are some common implementation mistakes when implementing authentication?

A

- Silently truncating long passwords
- Restricting characters (Unicode and whitespace chars should be allowed)
- Including passwords in plaintext log files
- Not using TLS for all traffic
74
Q

What are the 3 primary types of network-based guessing attacks?

A

- Brute force
- Credential stuffing
- Password spraying

75
Q

What does a network-based brute force attack consist of?

A

Testing multiple passwords from a dictionary or other source against a single account.

76
Q

What does a network-based credential stuffing attack consist of?

A

Testing username/password pairs obtained from the breach of another site.

77
Q

What does a network-based password spraying attack consist of?

A

Testing a single weak password against a large number of different accounts.

78
Q

What are some examples of defenses one can take against network-based guessing attacks?

A

- Limit the rate at which an attacker can make authentication attempts, or delay incorrect attempts.
- Keep track of IP addresses and limit the number of unsuccessful attempts.
- Temporarily ban the user after too many unsuccessful attempts.
79
Q

What is a CAPTCHA and what does it stand for?

A

It is a way to verify that the user we are dealing with is a human and not an automated program. It stands for "Completely Automated Public Turing test to tell Computers and Humans Apart".

80
Q

What are the problems with CAPTCHAs?

A

- It takes the average person approximately 10 seconds to solve a typical CAPTCHA.
- They are difficult to use for users with visual impairments.
- Attackers can proxy CAPTCHA requests to another user in real time.
- Dark market services offer cheap CAPTCHA solving powered by humans.

81
Q

What can you do for sensitive features on your site?

A

Reauthenticate before those sensitive features, for example before:
- Changing a password
- Changing an email
- Changing a 2nd authentication factor
- Adding new shipping information
82
Q

What is a Response discrepancy information exposure?

A

It is when information is exposed/leaked to an attacker just by providing different responses to incoming requests, allowing the attacker to logically deduce system state information.

83
Q

What is a way to combat Response discrepancy information exposure while displaying an error to the user after a login attempt?

A

Respond with a generic error message for authentication, regardless of whether:
- The username or password was incorrect
- The account does not exist
- The account is locked or disabled

The generic error message for all cases could be: "Login failed. Invalid user ID or password"

84
Q

What is a way to combat Response discrepancy information exposure while the user is attempting a password recovery?

A

Respond with a generic message regardless of whether:
- The email address is not registered and therefore cannot initiate a password recovery
- The email address was found and a password-reset link was sent

The generic message could be: "If that email address is in our database, we will send you an email to reset your password"

85
Q

What is a way to combat Response discrepancy information exposure while the user is creating an account?

A

Respond with a generic message regardless of whether:
- The user ID is already in use and a new account cannot be created
- The user is new and the account has been created successfully

The generic message could be: "A link to activate your account has been emailed to "

86
Q

What is a way in which HTTP status codes can result in Response discrepancy information exposure?

A

When HTTP status codes are not consistent. For example, you could have 2 different "Login failed" responses, one with HTTP status code 200 and the other with HTTP status code 403. Make sure to respond with appropriate and consistent status codes: have only the HTTP 403 one.
87
Q

What is a way in which timing can result in Response discrepancy information exposure?

A

When you optimize logic and timing in code, the attacker can deduce the logic flow. For example, let's say that before validating a login you check whether the user exists in order to decide whether to start the password validation process. If the user exists you start the password validation flow; if the password is valid you allow the login to proceed, and if not you return a generic error. On the other hand, if the user does not exist you don't even bother to start the password validation and you return the generic error immediately. The attacker can measure the response times to determine which path was taken. So in this case it is not advised to optimize the code in this way. To solve this you can make the code validate the password regardless of whether the user exists. You can also add extra, randomized time before returning a response in order to mimic a lengthy process.

88
Q

What is the main tradeoff that comes with mitigation techniques for Response discrepancy information exposure?

A

Mitigations make the user experience worse:
- Generic error messages are less helpful to the user
- Expanded load times make them wait unnecessarily

89
Q

What is an alternative you can use in order to mitigate authentication attacks while still providing more useful information to the end user?

A

Implement rate-limiting of authentication attempts.
90
Q

What is one great site to check whether your data was in a data breach or not?

A

https://haveibeenpwned.com/

91
Q

What is the correct way to store passwords in databases?

A

Save the password hashed, and every time the user provides the password, hash it again and compare the result to the one in the database.

92
Q

What are some problems that may occur if you just hash the password in your database?

A

If anyone gets access to the database, they can easily find users who have identical passwords (since the hashes will be the same). An attacker can also prepare pre-computed lookup attacks: they can pass a set of common passwords through a hash function (like SHA-256), generating a rainbow table, and then when they get access to the database they can just look up those results to see if they find any match.

93
Q

What is a rainbow table?

A

A precomputed table for reversing cryptographic hash functions.
94
Q

What can be used alongside hashing passwords in order to mitigate the risks you may have if you only use hashes?

A

Password salts

95
Q

What are password salts?

A

They are fixed-length, cryptographically strong random values stored alongside the password. A salt is usually 16, 32, or 64 bytes. It is normally concatenated with the password before hashing.

96
Q

Why are password salts effective in mitigating the issues that arise when using only hashes for passwords?

A

Since they are random values stored alongside the password and combined with it before hashing, even identical passwords will generate different hashes. They also add entropy to weak passwords, so pre-computed lookup attacks (which are based on common passwords) become intractable.

97
Q

What does TOTP stand for and what is it for?

A

Time-based One-Time Passwords. They are the passwords that you set up through apps like Authenticator. Used as an option for multi-factor authentication.

98
Q

How do Time-based One-Time Passwords work?

A

1. The server creates a secret key for the specific user.
2. The server shares the secret key with the user's phone app (commonly through a QR code).
3. The phone app initializes a counter (which helps to reset the password periodically).
4. The phone app generates a one-time password using the secret key and counter.
5. The phone app changes the counter after a certain interval and regenerates the one-time password.
99
Q

What does CWE stand for in the cybersecurity sphere?

A

Common Weakness Enumeration. CWE is also the name of the site that hosts it.

100
Q

What is Common Weakness Enumeration (CWE) in the cybersecurity sphere?

A

It's a massive list of all the types of vulnerabilities there could be. https://cwe.mitre.org/ Commonly used as a reference when you report a problem: "Hey, this is the CWE I think is happening".

101
Q

What does CVE stand for in the cybersecurity sphere?

A

The name of a program/site. Common Vulnerabilities and Exposures

102
Q

What is Common Vulnerabilities and Exposures (CVE) in the cybersecurity sphere?

A

It lets you search for known issues found in specific programs, libraries, utilities, etc. It is useful as a database to know, based on programs and versions, what vulnerabilities and exposures you need to prepare for or can address with foresight.

103
Q

What does CNA stand for in a CVE context?

A

It is the CVE Numbering Authority.

104
Q

What does CVSS stand for in a CVE context?

A

Common Vulnerability Scoring System. It's the score used to represent how harmful/risky a certain vulnerability is.
105
Q

What is a great way to learn all the different ways you could hack a system?

A

Go and read the CVE documentation. It is basically a database of proven vulnerabilities and exploits.

106
Q

What is a Zero Day vulnerability?

A

A vulnerability that has not been patched and not yet been disclosed. It can be taken advantage of. White-hat researchers report them, and the countdown starts for the patch and the announcement of its existence.

107
Q

What are the challenges of projects like NodeJS?

A

They are a volunteer organization. None of the teams (including the security team) are paid directly by the OpenJS Foundation for the work that they do. This means that they have to significantly vet anyone who starts working with them. It helps when the person works for Google, Microsoft or some other large company, because they can get fired if they mess with the organization's resources. This also means that they have a number of discovered but undisclosed vulnerabilities that they have not been able to solve due to the need for more personnel.
108
Q

What does Embargo mean in the cybersecurity sphere? Why is it important?

A

It is the status that confidential information is in. All information sent to the security team is embargoed until it is publicly disclosed. It is against the rules of the project (at least in NodeJS), and arguably illegal, to disclose vulnerabilities to a company before they are publicly disclosed, since this would give those companies a competitive advantage. Going against this policy is serious and can make you lose your position.

109
Q

What does Triage mean in the cybersecurity sphere?

A

It is a process carried out when vulnerabilities are reported to the project, normally through a website called HackerOne. It helps to validate reports and avoid wasting time on non-issues. Once a bug is confirmed or cancelled, it is considered triaged.

110
Q

What is HackerOne?

A

A website that allows you to report any vulnerabilities you find. It has a management system for those vulnerabilities: it lets you attach a CVE and CWEs, and it lets you track how quickly organizations are responding. They donate resources to the NodeJS project.

111
Q

What is the Internet Bug Bounty (IBB)?

A

It's a program that is run by HackerOne. It is a fund of money used to pay bug bounties to security researchers who find bugs in what is considered core infrastructure on the internet, normally open-source projects like Python, NodeJS, Ruby, etc. The projects available and the bounties are listed on their webpage.
112
Q

What does the lifecycle of a vulnerability look like?

A

- Researcher reports a bug
- Bug is triaged in HackerOne
- Communicate back and forth with the author if needed and confirm the bug (or cancel the bug if applicable)
- Solution is identified (this can take several months to over a year)
- Create a security release
- Vulnerability is disclosed

113
Q

Why is it said that complexity is the enemy of security?

A

Over-engineered code may be written with the intention of making things easier for the developers. However, too many restrictions, knowledge gaps, or requirements may make the code too complex to understand or modify. A program is something that continuously changes, and therefore the more edge cases come up, the leakier tightly written code might become.

114
Q

Why is it said that explicit code is better than clever code?

A

Clever code tends to be over-engineered and takes advantage of obscure or not widely known patterns or features. If most developers have a hard time understanding it, or need a lot of time to learn what is required to do so, it increases tech debt and complexity.

115
Q

What does the expression "Code defensively" mean?

A

It means that your assumptions may be violated, so always verify them upfront.
116