Security (Week 6, part #1)

Question 1

What does OWASP stand for?

Answer 1

Open Web Application Security Project

Question 2

What is OWASP used for?

Answer 2

Tracking web development issues around security

Question 3

What are the top 10 security problems?

Answer 3

1. Injection
2. Broken Authentication
3. Sensitive Data Exposure
4. XML External Entities (XXE)
5. Broken Access Control
6. Security Misconfiguration
7. Cross-site Scripting (XSS)
8. Insecure Deserialization
9. Using Components with Known Vulnerabilities
10. Insufficient Logging and Monitoring

Question 4

What is the security problem ‘Injection’?

Answer 4

Any time sending untrusted data and received by interpreter –> could trick and send malicious code

Question 5

What is the security problem ‘Broken Authentication’?

Answer 5

Authentication and session management broken

Question 6

What is the security problem ‘Sensitive Data Exposure’?

Answer 6

Occurs when an application, company, or other entity inadvertently exposes personal data.

Question 7

What is the security problem ‘XML Eternal Entities (XXE)’?

Answer 7

XML external entities are a type of custom XML entity whose defined values are loaded from outside of the DTD (document type definition) in which they are declared.

External entities are particularly interesting from a security perspective because they allow an entity to be defined based on the contents of a file path or URL

Question 8

What is the security problem ‘Broken Access Control’?

Note what access control enforces and what failures lead to.

Answer 8

Access control enforces policy such that users cannot act outside of their intended permissions.

Failures typically lead to unauthorized information disclosure, modification or destruction of all data, or performing a business function outside of the limits of the user.

Question 9

What is the security problem ‘Security Misconfiguration’?

Answer 9

Security misconfigurations are security controls that are inaccurately configured or left insecure, putting your systems and data at risk.

Basically, any poorly documented configuration changes, default settings, or a technical issue across any component in your endpoints could lead to a misconfiguration

Question 10

What is the security problem ‘Cross-Site Scripting (XXS)?

Answer 10

Found in websites and/or web applications that accept user input.

Cybercriminals exploit this vulnerability by inputting strings of executable malicious code into these functions.

This injects the malicious code into the targeted website’s content, making it a part of the website and thus allowing it to affect victims who may visit or view that website.

Question 11

What is the security problem ‘Insecure Deserialization’?

Answer 11

Vulnerability in which an untrusted or unknown data is used to either inflict a denial of service attack (DoS attack), execute code, bypass authentication or further abuse the logic behind an application.

Serialized objects can be structured in text such as JSON, XML or YAML.

Question 12

What is the security problem ‘Using Components with Known Vulnerabilities’?

Answer 12

occurs when the components such as libraries and frameworks used within the app almost always execute with full privileges.

If a vulnerable component is exploited, it makes the hacker’s job easier to cause a serious data loss or server takeover.

Question 13

What is the security problem ‘Insufficient Logging and Monitoring’?

Answer 13

occur when the security-critical event is not logged off properly, and the system is not monitored.

Lack of such functionalities can make malicious activities harder to detect and in turn affects the incident handling process.

Question 14

When is there a danger of introducing an injection vulnerability?

Answer 14

Any time an application uses an interpreter of any type

Question 15

When must information be scrubbed?

Answer 15

When a web application passes information from an HTTP request through as part of an external request

Question 16

What is SQL injection?

Answer 16

Web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. It generally allows an attacker to view data that they are not normally able to retrieve.

A particularly widespread and dangerous form of injection

Question 17

What is command injection?

Answer 17

cyber attack that involves executing arbitrary commands on a host operating system (OS).

Typically, the threat actor injects the commands by exploiting an application vulnerability, such as insufficient input validation

Question 18

What are the three basics of all injections?

Answer 18

1. All injection flaws are input-validation errors. •i.e. you’re not checking the input properly
2. Input is not just text fields
3. All external input is a source of a threat. -> The input contains the data with the threat

Question 19

What are the different types of input that can be used for injection attacks? (10)

Answer 19

text fields, 
list boxes, 
radio buttons, 
check boxes, 
cookies, 
HTTP header data, 
HTTP post data, 
hidden fields, 
parameter names,
parameter values

Question 20

Where should you validate data? Why?

Answer 20

Both client and backend/server sides.

Cannot assume that client has sufficient validation.

Question 21

Define authentication

Answer 21

establish claimed identify –> establish someone has the identity they claim to have e.g. have correct password

Question 22

Define authorisation

Answer 22

establish permission to act –> the person has the ROLE to access the e.g. file

Question 23

Does authentication proceed authorisation? ( proceed = before )

Answer 23

YES

Question 24

Why should we authenticate?

Answer 24

1) control access

2) log user activity and monitor

Question 25

What are the three factors that we can use to authenticate?

Answer 25

1) Something we know –> knowledge user has e.g. password, shared secrete
2) something we have –> physical, hard to find artifact e.g. blockchain, unique items
3) who you are –> biometric info e.g. finger print

Question 26

What security measures must be taken since HTTP is a “stateless” protocol?

Answer 26

1) means credentials have to go with every request
2) should use SSL for everything requiring authentication –> HTTP + SLL = HTTPS

=> password then auth_token

Question 27

What is SSL?

Answer 27

Secure Socket Layer

Question 28

What is the purpose of HTTPS compared to HTTP?

Answer 28

HTTPS encrypts and decrypts user page requests as well as the pages that are returned by the Web server

Question 29

How is it indicated that a web browser is using an SSL certificate?

Answer 29

displays a padlock icon but it may also display a green address bar

Question 30

What are some session management flaws?

Answer 30

1) SESSION ID used to track state since HTTP doesn’t. And it is just as good as credentials to an attacker.
2) SESSION ID is typically exposed on the network, in browser, in logs, …

Question 31

What are some side-doors for attackers?

Answer 31

Change my password, remember my password, forgot my password, secret question, logout, email address, etc…

Password hint is easy -> compromised, hijacked

Question 32

What is the typical impact of an attacker?

Answer 32

User accounts compromised or user sessions hijacked

Question 33

What are the best practices to verify your architecture? (4)

Answer 33

1) Authentication should be simple, centralized, and standardized
2) Use the standard session id provided by your container
3) Be sure SSL protects both credentials and session id at all times
4) use something like Google service to verify reliable and build web page/app that offloads user info to Google, say if user is logged in correctly then have session going on

Question 34

What are the best practices for verifying implementation? (5)

Answer 34

1) Forget automated analysis approaches
2) Check your SSL certificate
3) Examine all the authentication-related functions
4) Verify that logoff actually destroys the session
5) Use OWASP’s WebScarab to test the implementation

Question 35

Explain the process of cross-site scripting (XSS)

Answer 35

General idea: spoof user into thinking you are talking to expected web page server instead of attacker

1) Attacker sets the trap -update my profile.

Attacker enters a malicious script into a web page that stores the data on the server

2) Victim views page -sees attacker profile

Script runs inside victim’s browser with full access to the DOM and cookies

3) Script silently sends attacker Victim’s session cookie

Question 36

What is DOM-based XSS Injection?

Answer 36

allows an attacker to use the Document Object Model (DOM) to introduce hostile code into vulnerable client-side JavaScript embedded in many pages.

Browser interprets .js, HTML, the DOM etc

Question 37

How easy is it to mitigate DOM based XSS? Why?

Answer 37

Extremely difficult to mitigate against because of its large attack surface and lack of standardization across browsers

To do with interpreting data that you don’t trust.

Question 38

What measures can be taken to mitigate DOM based XSS injection? (2)

Answer 38

1) Untrusted data should only be treated as displayable text. Never treat untrusted data as code or markup within JavaScript code.
2) Always JavaScript encode and delimit untrusted data as quoted strings when entering the application (Jim Manico and Robert Hansen)

Question 39

How can we secure HTTP? (ideal approach)

Answer 39

Each request needs authenticating before authorising e.g. establish identify before serving up a resource

Question 40

What does each HTTP request contain?

Answer 40

All the information needed for the server to service that request - Remember: GET, POST, PUT, DELETE etc.

Question 41

How can we secure HTTP? (other approaches ) (5)

Answer 41

(not prioritised)

1) Hash username and password
2) Require users to change their passwords regularly
3) Use multi-factor authentication
- > Username & password
- > Code sent by phone
4) Salt the username and password -> Add additional elements to the ID information
5) Use HTTPS (HTTP + TLS)

Question 42

What is TLS?

Answer 42

Transport Layer Security

Question 43

What is HTTPS sometimes referred to as?

Answer 43

HTTP over TLS, or HTTP over SSL

Question 44

What is the difference between XSS and SQL injection?

Answer 44

XSS is a client-side vulnerability that targets other application users, while SQL injection is a server-side vulnerability that targets the application’s database.

Question 45

What is a DoS attack?

Answer 45

A Denial-of-Service (DoS) attack is an attack meant to shut down a machine or network, making it inaccessible to its intended users.