Q12 World Wide Web Security (Cookies & XSS) Flashcards

(2 cards)

1
Q

World Wide Web (WWW): (a) Explain one case of security/privacy issues related to HTTP cookies.

A

◦ What are Cookies? Small pieces of text sent by a web server and stored by the browser to maintain state in the stateless HTTP protocol. Used for things like authentication (remembering login), personalization, shopping carts, and tracking user activity.
◦ One Case of Security/Privacy Issue (Choose One):
▪ Session Hijacking (Security): An attacker could steal a user’s session cookie (e.g., through XSS, sniffing on an insecure network, or if stored insecurely). If the cookie contains session identifiers that authenticate the user to the website, the attacker can then use that cookie to access the website as if they were the legitimate user, without needing their password.
▪ Tracking (Privacy): Websites and third-party advertisers can use cookies to track a user’s browsing activity across their site and potentially across multiple sites (if they use shared third-party cookies). This allows them to build detailed profiles of user behavior, interests, and potentially link this to personal information if provided, raising significant privacy concerns.

2
Q

(b) What is a cross-site scripting attack (XSS)? Explain how you can prevent XSS attacks.

A

◦ What is XSS? Cross-site scripting is a web security vulnerability that allows an attacker to inject malicious scripts (typically JavaScript) into web pages viewed by other users. When a victim user views the compromised page, their browser executes the injected script, believing it is legitimate script from the website.

Types of XSS:
▪ Non-persistent (Reflected) XSS: The malicious script is part of the URL sent to the server (often via a link crafted by the attacker). The server includes the script in its response (e.g., in an error message or search result page) without proper sanitization, and the victim’s browser executes it.
▪ Persistent (Stored) XSS: The attacker injects the malicious script into the website’s database or storage (e.g., via a forum post, comment, or profile field). The script is permanently stored on the server and is served to any user who views the compromised content.

How to Prevent XSS Attacks:
▪ Input Validation/Sanitization: Filter or sanitize user input on the server side to remove or neutralize potentially malicious code. This includes removing HTML tags like <script>, <object>, and <link>.
▪ Output Escaping: This is the most effective prevention. Before displaying user-provided data on a web page, escape special characters (<, >, ", ', &) so they are treated as literal text rather than executable HTML or script code. For example, < is converted to &lt;.
▪ Cookie Security: Use security flags like HttpOnly on cookies. This prevents client-side scripts (including malicious ones injected via XSS) from accessing or stealing the cookie, mitigating the impact if XSS occurs.
▪ Disable Scripts (Client-Side): While not a primary defense for the website owner, users can configure their browsers to disable JavaScript or use browser extensions that block scripts, reducing their vulnerability to XSS, though this often breaks website functionality.