day3 Web Application Security

Question 1

Security Considerations

Answer 1

• Web browser: Client-side security
• Web server: Hardening and configuration, Logging and monitoring
• Application server: Secure coding practices, Authentication and authorization
• Database: Access Control and Encryption, Monitoring and Auditing

Question 2

…………… is a small piece of data that a server sends to a user’s web browser. The browser may store the cookie and send it back to the same server with later requests.

It remembers stateful information for the stateless HTTP protocol.

Answer 2

HTTP cookie

Question 3

Cookies are mainly used for three purposes:

Answer 3

 Session management: Logins, shopping carts, game scores, or anything else the server should remember

 Personalization: User preferences, themes, and other settings

 Tracking: Recording and analyzing user behavior

 Security: HttpOnly, Secure, SameSite attributes help mitigate common security issues like
XSS, CSRF.

Question 4

SET COOKIE
Set-Cookie: <cookie-name>=<cookie-value>
Attributes?</cookie-value></cookie-name>

Answer 4

• Domain
• Expires
• Max-Age
• Path
• Secure
• HttpOnly
• SameSite

Question 5

T/F If the Domain attribute is specified, the cookie becomes available to the
specified domain and all its subdomains. This makes the cookie less restrictive

Answer 5

T

Question 6

T/F The Path attribute in a cookie specifies the URL path that must be present in
the requested URL for the cookie to be sent to the server

Answer 6

T

Question 7

T/F : A cookie with secure attribute is only sent to the server with an encrypted request over the HTTPS protocol.

Answer 7

T

Question 8

T/F A cookie with HttpOnly attribute is inaccessible to the JavaScript (document.cookie API)

Answer 8

T

Question 9

T/F The SameSite attribute is used to control when and how cookies are sent
with cross-site requests

Answer 9

T

Question 10

T/F Sessions are typically represented as associative arrays of keys and values,
used to track web application data and objects.
A session ID is a long, randomly generated number or string – exchanged between the client and server during each transaction

Answer 10

T

Question 11

…………….is the process of verifying the identity of a user, system, or entity attempting to access resources.

Answer 11

Authentication

Question 12

Common Types OF Authentication

Answer 12

 Knowledge based - Something you know
 Possession based - Something you have
 Inheritance based - Something you are

Question 13

AUTHENTICATION TESTING

Answer 13

Map the entire authentication attack surface

 Login interfaces, account recovery / password resets, registration, MFA processes, session management, third-party SSO integrations

-Create multiple accounts

-Check for lack of brute-force protection

-Is the application using a standard library/framework?

-Check for logic issues

-Inspect tokens

Question 14

ACCESS CONTROL

Answer 14

What you’re allowed to do - also known as authorization

Question 15

Principle of least privilege

Answer 15

Users and processes should have a minimum level of access

Question 16

Access control types

Answer 16

 Horizontal, Vertical, Context dependant

Question 17

…………. is a type of access control vulnerability that occurs when an application exposes a reference to an
internal implementation object—like a file, database record, or user ID—
without properly validating whether the user is authorized to access it.

Answer 17

Insecure Direct Object Reference (IDOR)

Question 18

………………. is a security vulnerability that occurs when an application fails to properly enforce access control at the level of specific functions or actions.

Answer 18

Broken Function Level Authorization (BFLA)

Question 19

What’s the difference between IDOR and BFLA?

Answer 19

BFLA :User can access functions or actions they’re not allowed to (like admin features).

IDOR: User can access objects (like files, accounts, etc.) they shouldn’t by changing an ID.

Question 20

WEAK OR MISSING ACCESS
CONTROLS

Answer 20

Sometimes applications use user input that we can control for access control, such as HTTP methods or headers.

Check to see if modifying the HTTP request will lead to unintended behaviour.

 HTTP Method
 Headers (e.g. Referrer, X-Origin-URL)

Question 21

…………….. is a common attack vector that injects malicious code into a vulnerable web application.

Answer 21

Cross site scripting (XSS)

Question 22

T/F XSS differs from other web attack vectors (e.g., SQL injections), in that it does not directly target the application itself. Instead, the users of the web application are the ones at risk.

Answer 22

T

Question 23

……………– malicious script is stored on the web server, typically in a database, and is then executed by other users viewing the stored content – More dangerous than reflected.

Answer 23

Persistent / Stored XSS

Question 24

……………malicious script is reflected off a web server in an immediate response

Answer 24

Reflected XSS

Question 25

....................occur entirely on the clientside. Malicious script is executed as a result of client-side manipulation of the DOM.

Answer 25

DOM Based XSS

Question 26

IMPACT OF XSS

Answer 26

 Session hijacking  Credential theft  Data exfiltration  Propagation of malware  Unauthorized redirection

Question 27

PREVENTING CROSS-SITE SCRIPTING

Answer 27

Encoding, which escapes the user input so that the browser interprets it only as data, not as code. Validation, which filters the user input so that the browser interprets it as code without malicious commands.

Question 28

INJECTION ATTACK APPLY TO MANY TECHNOLOGIES

Answer 28

SQL statements File path names Regular expressions (as a DoS threat) XML data (specifically, XXE declarations) Shell commands Interpreting strings as code (for example, JavaScript’s eval function)

Question 29

..................... is a type of security vulnerability that occurs when an attacker is able to manipulate a web application’s SQL queries by injecting malicious input into a query. This happens when user inputs, such as form fields or URL parameters, are not properly sanitized, allowing an attacker to insert or "inject" additional SQL commands into the database query

Answer 29

SQL injection (SQLi)

Question 30

CAUSES, IMPACTS AND CONSIDERATIONS FOR SQL INJECTION

Answer 30

User input data not validated or saniztized  Incorrect data validation technique Dynamic SQL statement generation Application doesn’t conform to the principle of least privilege Insufficient restrictions at the data layer Easy to locate and exploit

Question 31

SQL INJECTION DEFENSE AND MITIGATION

Answer 31

Escape Sequences and Regular Expression Pattern Matching  Typically used in legacy systems to detect and avoid malicious patterns  Difficult to maintain; Incomplete coverage Stored Procedures  Pre-defined SQL statements in the database  Better than character escaping - User input cannot alter it in the same way dynamic SQL can  Stored procedures, if incorrectly written, can be exploited to run system commands Parameterized queries (prepared statements)  Better solution - the SQL query is defined with placeholders (? or :param)  Always performs correct escaping and treats all arguments as simple text strings  Faster and more efficient than dynamic SQL  Encourage better application development strategy by defining all possible queries Other mitigation strategies  Applying least privilege (ex. Don’t give the web app DB user account “drop table” privileges)  Don’t connect as DBA

Question 32

.....................is a vulnerability where an attacker gains unauthorized access to the filesystem by navigating to unintended directories

Answer 32

Path Traversal

Question 33

Potential Impacts: PATH TRAVERSAL

Answer 33

 Access to sensitive files  Disclosure of application data  Execution of malicious code

Question 34

............., is a type of malicious exploit where unauthorized commands are submitted from a user that a web application trusts  Tricks a web browser into executing unwanted actions on a web application to which the user is logged in

Answer 34

Cross-Site Request Forgery (CSRF) attack, also known as XSRF

Question 35

XSS VS CSRF

Answer 35

CSRF (Cross-Site Request Forgery): Malicious website causes a user’s browser to perform unwanted actions on a trusted website. Examples: Transfer money out of user’s account; Harvest user IDs; Compromise user accounts XSS (Cross-Site Scripting): Malicious website leverages bugs in trusted website to cause unwanted actions on user’s browser (circumventing the same-origin policy). Examples: Reading cookies; Stealing authentication information; Code injection