Securing Web Apps

Question 1

What are the three components of a web transaction?

Answer 1

Server computer, client computer, network.

Question 2

What is the goal of web app testing?

Answer 2

Gather information, including by attacking the app.

Question 3

What should be attacked in web app testing?

Answer 3

HTML comments, sensitive info, error messages, HTTP responses.

Question 4

Why are HTML comments a security risk?

Answer 4

May reveal insights about code to attackers.

Question 5

How should comments be secured?

Answer 5

Place in server-side code like PHP, not HTML.

Question 6

What sensitive info might HTML source reveal?

Answer 6

Database names, user logins, passwords.

Question 7

What tools map web app pages?

Answer 7

Web crawlers like wget or BlackWidow.

Question 8

Why manually map web app pages?

Answer 8

More efficient for apps with fewer than thousands of pages.

Question 9

How to start manual web app testing?

Answer 9

Click every link from the start page, document all pages.

Question 10

What to check in the homepage source?

Answer 10

Comments for clues about app structure.

Question 11

Why are misplaced server-side comments risky?

Answer 11

May end up in HTML due to errors, like ColdFusion’s 3-dash comments.

Question 12

What is a ColdFusion comment issue?

Answer 12

Uses 3 dashes instead of 2, easily mistaken by programmers.

Question 13

What can old code in comments reveal?

Answer 13

Sensitive app details to attackers.

Question 14

What tool searches for string patterns?

Answer 14

grep, available on *NIX, Cygwin, or MinGW.

Question 15

What is The Regulator?

Answer 15

A tool for creating regular-expression searches.

Question 16

What info might database error pages reveal?

Answer 16

Table names, database names, or code snippets.

Question 17

What happens in ColdFusion/Java Servlet crashes?

Answer 17

Server may reveal function traces or code snippets.

Question 18

How to defend against error message leaks?

Answer 18

Log errors, don’t display queries or code.

Question 19

Why disable PHP error messages?

Answer 19

Prevents exposing sensitive app details.

Question 20

What are the three user access mechanisms?

Answer 20

Authentication, session management, access control.

Question 21

What is the weakest link in user access?

Answer 21

A single defect can compromise the entire app.

Question 22

What is authentication?

Answer 22

Verifying a user’s identity.

Question 23

What is conventional authentication?

Answer 23

Username and password.

Question 24

What enhances authentication security?

Answer 24

Securekey, multistage login, client certificates, smartcards.

Question 25

What are authentication defects?

Answer 25

Username enumeration, password guessing, login bypass.

Question 26

What is session management?

Answer 26

Tracking an authenticated user’s interaction with the app.

Question 27

How does an app handle multiple users?

Answer 27

Processes requests from authenticated and anonymous users.

Question 28

What is a session in web apps?

Answer 28

Server-side data tracking user interaction state.

Question 29

What is a session token?

Answer 29

A unique string mapping to a user’s session.

Question 30

How are session tokens sent?

Answer 30

Via HTTP cookies in each request.

Question 31

Why encrypt HTTP cookies?

Answer 31

Prevents sidejacking, as shown by Firesheep.

Question 32

What is access control?

Answer 32

Deciding whether to approve or reject user requests.

Question 33

How does access control use identity?

Answer 33

Bases decisions on the authenticated user’s identity.

Question 34

What are user roles in access control?

Answer 34

Define specific privileges for different users.

Question 35

Why is access control vulnerable?

Answer 35

Complex requirements lead to developer oversights.

Question 36

How to test for access control issues?

Answer 36

Probe each function repeatedly for missing checks.

Question 37

Why is all user input untrusted?

Answer 37

Can introduce vulnerabilities if not validated.

Question 38

What is input validation?

Answer 38

Restricting input to expected formats, like valid email.

Question 39

Why allow attack strings in input?

Answer 39

Legitimate blog posts may contain such strings.

Question 40

How should apps handle attack strings?

Answer 40

Store and display them safely, not reject them.

Question 41

Why validate cookies and hidden fields?

Answer 41

Detects tampering indicating vulnerability probing.

Question 42

What should apps do with tampered data?

Answer 42

Reject the request and log the incident.

Question 43

What is the reject known bad method?

Answer 43

Blocks blacklisted attack patterns, allows rest.

Question 44

What is a flaw of reject known bad?

Answer 44

May miss new attacks, requires constant updates.

Question 45

What is accept known good?

Answer 45

Allows only predefined safe input, blocks rest.

Question 46

Why is accept known good effective?

Answer 46

Blocks all non-matching input if criteria are strict.

Question 47

What is sanitation in input handling?

Answer 47

Removes or encodes malicious characters.

Question 48

When is sanitation necessary?

Answer 48

When unsafe data must be accepted for processing.

Question 49

What is safe data handling?

Answer 49

Uses inherently safe processing, like parameterized queries.

Question 50

How does safe data handling prevent SQL injection?

Answer 50

Uses parameterized queries for database access.

Question 51

What are semantic checks?

Answer 51

Validate input context, not just syntax.

Question 52

Why are semantic checks needed?

Answer 52

Malicious input may mimic legitimate input.

Question 53

What is an example of a semantic check?

Answer 53

Verify an account belongs to the submitting user.

Question 54

What is boundary validation?

Answer 54

Validates inputs at each app component, not just externally.

Question 55

Why is frontier validation inadequate?

Answer 55

Assumes server-side app is trusted, missing internal threats.

Question 56

How does boundary validation work?

Answer 56

Each component treats inputs as potentially malicious.

Question 57

What is SOAP in web apps?

Answer 57

Simple Object Access Protocol for web services.

Question 58

Why log tampered input incidents?

Answer 58

Aids investigation of potential attacks.

Question 59

What reduces app value if input is rejected?

Answer 59

Blocking legitimate but suspicious input, like blog comments.

Question 60

Why are access control checks complex?

Answer 60

Vary by user role and data subset permissions.