Web Application Security
Homework Questions & Answer Key
Lecture 1: Introduction
1. What is the key step in initiating an HTTP connection?
The first step is a query to the Domain Name System (DNS) to translate the host name contained in the URL into an IP address; the browser then opens a TCP connection to that address (port 80 for HTTP, 443 for HTTPS) and sends its request over it.
2. One danger is pharming: what is that?
Pharming occurs when the DNS answer the "resolver" receives carries an IP address different from the legitimate one (because a DNS server or cache has been poisoned, or the user's DNS settings or hosts file have been altered), so the user is sent to a malicious site even though the URL typed is correct.
3. What does the HTTP protocol codify?
The HTTP protocol codifies the exchanges between clients and servers.
4. The HTTP protocol involves "methods" and "status codes". What are those?
Requests from the client carry a method saying what is asked of the resource; the two most common are GET (retrieve) and POST (submit data). The server replies with a three-digit status code whose first digit gives its class: 2xx means success (200 OK), 3xx means the client must follow a redirect to the address given in the Location header (301, 302), 4xx means the request cannot be fulfilled because of a client error (400 Bad Request, 403 Forbidden, 404 Not Found), and 5xx means the server itself failed (500 Internal Server Error).
5. In what language is the source code of a webpage written?
HTML for the structure of the page, CSS for its presentation and JavaScript for the behaviour that runs in the browser. The server-side code that generated the page is not sent to the client.
6. What are the key steps of an SSL connection?
Authentication: the server presents a certificate that the browser checks against its list of trusted certificate authorities (and against the host name in the URL); then negotiation of the cipher suite and establishment of a shared session key, after which the communication is encrypted and integrity-protected with that key.
7. By what kind of mechanisms can a user be sent to a malicious website?
Pharming (the DNS answer is wrong, so a correct URL leads to the wrong server) or phishing (the user is lured, typically by an e-mail or a message, into following a link to a look-alike site).
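Worked example (added here; not part of the course material): the request line, Host header and status-code classes described in questions 1, 3 and 4, in Python. The URL and the two server replies are constructed samples; nothing is sent on the network, and the host name is only extracted, not resolved.

```python
"""Build a raw HTTP request from a URL and interpret the status line of a reply.

Added example, not from the course notes. The reply bytes below are constructed
to stand in for what a server would send; nothing is fetched.
"""
from urllib.parse import urlsplit

STATUS_CLASSES = {
    1: "informational",
    2: "success",
    3: "redirection",
    4: "client error",
    5: "server error",
}


def build_request(method: str, url: str) -> tuple[str, int, bytes]:
    """Return (host, port, request_bytes).

    The host is what the browser hands to DNS; the request is what it sends
    once the TCP connection to the resolved address is open.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"unsupported URL: {url!r}")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    request = (
        f"{method.upper()} {path} HTTP/1.1\r\n"
        f"Host: {parts.hostname}\r\n"
        "Connection: close\r\n"
        "\r\n"
    )
    return parts.hostname, port, request.encode("ascii")


def parse_response(raw: bytes) -> dict:
    """Parse the status line and headers; report the class and any redirect target."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    version, code_text, *reason = lines[0].split(" ", 2)
    code = int(code_text)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {
        "version": version,
        "code": code,
        "reason": reason[0] if reason else "",
        "class": STATUS_CLASSES.get(code // 100, "unknown"),
        "location": headers.get("location") if code // 100 == 3 else None,
        "headers": headers,
        "body": body,
    }


# Constructed sample replies (what a server might send; not real captures).
SAMPLE_OK = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 5\r\n\r\nhello"
SAMPLE_REDIRECT = b"HTTP/1.1 302 Found\r\nLocation: https://example.com/login\r\n\r\n"

if __name__ == "__main__":
    host, port, req = build_request("GET", "http://example.com/index.html?x=1")
    print(host, port)          # the name DNS must resolve, and the port to connect to
    print(req.decode())
    for sample in (SAMPLE_OK, SAMPLE_REDIRECT):
        r = parse_response(sample)
        print(r["code"], r["class"], r["location"])
```

Running the file prints the host name DNS would have to resolve, the raw request, and the class of each sample reply; build_request and parse_response are the two pieces one would reuse against a real socket.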
-----
Lecture 2: OWASP Top Ten
1. What is OWASP?
The Open Web Application Security Project.
2. What does the OWASP "top ten" refer to?
OWASP publishes every few years (2004, 2007, 2010, ...) a list of what it deems the ten most serious web application security risks, with guidance on how to detect and avoid each.
3. What is the most prominent "threat" according to OWASP?
Injection (in particular SQL injection) is number one (A1 in the 2010 list).
4. What does "Insecure Direct Object" refer to?
Insecure Direct Object Reference: the application exposes a reference to an internal object (a database key, a file name) in a URL or form parameter and does not check, on each request, that the current user is authorized for that object, so a malicious user can access resources he should not be allowed to access simply by changing the value (for example account=1001 to account=1002).
5. What does "unvalidated" redirect refer to?
It is when an automatic redirect from a legitimate site takes its destination from a parameter that is not validated, so a link that starts with the legitimate site's address can send the user on to a malicious site; this lends the attacker's link the trusted site's credibility.
6. What are the criteria used by OWASP to choose the top ten?
The likelihood of the attack (how prevalent the weakness is, how easy it is to exploit and to detect) and the severity of its consequences (technical and business impact).
7. Why have the top ten changed slightly with time?
OWASP has changed its criteria somewhat: the 2010 edition ranks risks rather than the most frequently reported vulnerabilities, putting more importance on severity; the underlying data also changes from one edition to the next.
-----
Lecture 3: Introduction to Cross Site Scripting
1. What is Cross Site Scripting (XSS)?
Injecting attacker-controlled HTML or JavaScript code into a webpage served by a trusted site, so that it is rendered and executed in the browsers of that site's other users with the site's own privileges.
2. Why is that somewhat of a misnomer?
Because the name suggests that one site's script acts on another site (cross site scripting...); in fact the injected script runs inside the vulnerable site itself, which is precisely what makes it dangerous, so XSS does not necessarily involve anything cross-site, just the scripting. The abbreviation XSS rather than CSS was chosen to avoid confusion with Cascading Style Sheets.
3. How does one typically establish that a site is vulnerable to an XSS attack?
By submitting a harmless probe, such as <script>alert(1)</script> or a unique marker like <b>xss123</b>, in every input that is echoed in a page (form fields, URL parameters, headers) and checking whether it comes back in the response unencoded, i.e. interpreted by the browser as markup rather than displayed as text.
4. What is a persistent (stored) XSS attack?
When the injected code is stored by the server (in a database record, a comment, a forum post, a profile field) and served to every user who later views the page; it persists until removed, and the attacker needs no further interaction with the victims.
5. What is a reflected XSS attack?
When the injected code travels in the request (typically in a URL parameter) and is echoed back in the immediate response without being stored, so it does not persist in the webpage. The attacker must get each victim to follow a crafted link; typically he uses the attack to acquire information, such as the victim's session cookie.
6. What is the name of the third form of XSS?
DOM (Document Object Model) based XSS, where the flaw lies in the page's own client-side script rather than in the server's output.
7. What can an attacker accomplish with an XSS attack?
Run script of his choice with the victim's session: read confidential information (cookies and session tokens, page content, keystrokes), perform actions on the site as the victim, deface the webpage, redirect the user or infect him with malware through a drive-by download, or compromise the webpage otherwise.
-----
Lecture 4: How to Avoid XSS
1. What HTML tags tend to be used in XSS attacks?
Many. <iframe> (which allows the import of a whole web page, possibly invisible, within the attacked webpage) and <script> (which allows JavaScript programs to run) are among the most used, but any tag with an event handler, such as <img src=x onerror=...> or <body onload=...>, runs script too, and works where the word "script" is filtered.
2. What is the Document Object Model?
It is the browser's in-memory representation of the page as a tree of elements, attributes and text, together with the standard interface that scripts use to read and modify it. It was developed so that pages with complicated content could be designed, and updated after downloading, by program rather than by reloading.
3. How does DOM based XSS work?
The page's own JavaScript reads attacker-controlled data from a DOM source (location.hash, document.URL, document.referrer, window.name) and writes it into the page through a dangerous sink (innerHTML, document.write, eval) without encoding it, so new script is injected by DOM calls. The payload may never reach the server (a fragment after # is not sent), so server-side filtering does not see it.
4. How does one defend against XSS?
By avoiding the XSS vulnerability (!) in the first place: validate inputs against what is expected and, above all, encode every piece of untrusted data when it is written into a page, according to the context it lands in (HTML body, attribute, JavaScript, URL), using a tested library rather than ad hoc blacklists; mark session cookies HttpOnly to limit the damage when an injection does succeed.
5. What is the "Same Origin Policy"?
The same origin policy isolates sites from one another inside the browser: script running in a page from one origin (scheme, host and port) may not read the DOM, cookies or responses of a page from a different origin, so two different sites reaching a user cannot influence each other. It limits what a malicious site can do to another site the user is logged in to; it does not by itself stop XSS, because injected script runs inside the victim site's own origin.
6. What does AJAX stand for?
Asynchronous Javascript and XML.
7. What is the "key" technology underlying AJAX?
XMLHttpRequest (XHR).
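Worked example (added; not from the course) covering Lecture 3 question 3 and Lecture 4 question 4 in Python: a comment page rendered three ways (raw concatenation, a blacklist that strips "<script", and context-aware encoding with html.escape), a probe that checks whether a field reflects markup unencoded, and constructed payloads, one of which needs no <script> tag at all. The render functions and payloads are made up for the demonstration; a real page would rely on its template engine's auto-escaping.

```python
"""XSS: probing for reflection, and encoding on output.

Added example, not code from the course. The three render functions stand in
for a page that shows a user comment; the payloads are constructed test inputs.
"""
import html
import re

SCRIPT_TAG = re.compile(r"<\s*script", re.IGNORECASE)

# Constructed attack inputs of the kind a tester would submit.
PAYLOADS = {
    "classic": "<script>alert(document.cookie)</script>",
    "no_script_tag": '<img src=x onerror="alert(document.cookie)">',
    "javascript_url": "javascript:alert(document.cookie)",
}


def render_vulnerable(author, text, site):
    """Untrusted data concatenated into HTML body and attribute contexts."""
    return f'<div class="comment"><a href="{site}">{author}</a><p>{text}</p></div>'


def render_blacklist(author, text, site):
    """Ad hoc input filter that strips '<script' only: still exploitable."""
    def strip(s):
        return SCRIPT_TAG.sub("", s)
    return render_vulnerable(strip(author), strip(text), strip(site))


def render_hardened(author, text, site):
    """Encode each value for the context it is inserted into."""
    # URL attribute: allow only http(s) targets, refusing javascript: and friends.
    if not re.match(r"^https?://", site, re.IGNORECASE):
        site = "#"
    # HTML body and quoted attribute: html.escape encodes & < > " '
    return (f'<div class="comment"><a href="{html.escape(site)}">'
            f'{html.escape(author)}</a><p>{html.escape(text)}</p></div>')


def is_reflected_unencoded(render, field):
    """The probe of Lecture 3 Q3: submit a unique harmless tag in one field and
    see whether it comes back as markup rather than as text."""
    marker = "<xss9f2a>"
    args = {"author": "alice", "text": "hi", "site": "http://example.org/"}
    args[field] = marker
    return marker in render(**args)


def run_payloads(render):
    """Render every payload as both the comment text and the link; return the pages."""
    return {name: render("alice", p, p) for name, p in PAYLOADS.items()}


if __name__ == "__main__":
    for r in (render_vulnerable, render_blacklist, render_hardened):
        print(r.__name__, "reflects raw markup:", is_reflected_unencoded(r, "text"))
        for name, page in run_payloads(r).items():
            print("  ", name, "->", page)
```

The blacklist version defeats the classic payload and nothing else: the onerror payload passes untouched, and the javascript: link is not even a tag. Only the version that encodes on output, per context, neutralizes all three.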
-----
Lecture 5: Cross Site Request Forgery (CSRF)
1. Describe an example of Cross Site Request Forgery (CSRF) attack?
A user, while engaged in a trusted (logged-in) session with a bank, is lured to a malicious site or to a page that loads some resource from it. That resource is a hidden form or image tag whose target is a transfer request on the bank's site; the browser sends it automatically with the user's bank cookies attached, so the bank executes the request and the malicious site has hijacked the trusted session to act on the user's account.
2. Propose a general characterization of CSRF attacks?
An attacker causes the victim's browser to send a request to a website where the victim is authenticated; since the browser attaches the session credentials (cookies) automatically, the site accepts the request as the user's own, and the attacker abuses the website's trust in the user without ever knowing his credentials.
3. In what sense is CSRF different from XSS?
In a CSRF attack, the trust the website has for the user (his browser) is abused, whereas in XSS, the trust the user has in the website is abused. CSRF needs no script injected into the target site; an XSS can, however, be used to mount a CSRF.
4. How does one defend against CSRF attacks? (on the server side and on the client side)
On the server side, the cookie must stop being the only proof that the user wanted the request: include in every state-changing form or request a secret, unpredictable token tied to the user's session that a third-party page cannot know, and reject requests without it; requiring a new authentication (or a confirmation step) for each sensitive transaction, and checking the Origin/Referer header, prevent many scenarios as well. On the client side, one needs a tool monitoring the browser and filtering its activity (an extension that blocks, or strips cookies from, requests triggered by a third-party page); logging out of sensitive sites when done also removes the session the attack relies on.
5. Describe the Facebook CSRF "worm"?
A photo appears on the public page of a Facebook user. When another user clicks on it, he is sent to a malicious site which uses his still-active Facebook session to post the photo on his own private wall. His friends then try to understand what the photo is, click on it, are sent to the same website, and the photo appears on their walls in turn, so it spreads by itself.
6. In what sense is this a CSRF attack as opposed to a Phishing attack?
It looks like a phishing attack, since a user is lured to a malicious site. But the user is not asked for anything: the malicious site silently makes his browser send a request that Facebook accepts because it carries the user's session credentials, and that is what makes it a CSRF attack.
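Worked example (added; not from the course) of question 4's server-side defense in Python: a toy bank whose transfer endpoint first trusts only the session cookie, then also requires a per-session synchronizer token and checks the Origin header. The Bank class, the request dictionaries and the host names bank.example and evil.example are constructed for the demonstration; a real server would read the same fields from the HTTP request.

```python
"""CSRF: a transfer endpoint that trusts the cookie alone, beside one that
also demands a synchronizer token.

Added example, not code from the course. Bank is a toy in-memory server and the
requests are dictionaries standing in for HTTP requests; the host names
bank.example and evil.example are made up.
"""
import hmac
import secrets

BANK_ORIGIN = "https://bank.example"


class Bank:
    def __init__(self):
        self.sessions = {}   # session cookie -> user
        self.tokens = {}     # session cookie -> CSRF token embedded in the bank's own forms
        self.balances = {"alice": 1000, "mallory": 0}

    def login(self, user):
        """Returns the session cookie and the token the bank puts in its forms."""
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = user
        self.tokens[sid] = secrets.token_urlsafe(32)
        return sid, self.tokens[sid]

    def transfer_vulnerable(self, request):
        """Accepts any request carrying a valid session cookie."""
        user = self.sessions.get(request["cookies"].get("session"))
        if user is None:
            return 401
        return self._move(user, request["params"])

    def transfer_hardened(self, request):
        """Also requires the per-session token, which a third-party page cannot
        read, and rejects requests announcing a foreign Origin."""
        sid = request["cookies"].get("session")
        user = self.sessions.get(sid)
        if user is None:
            return 401
        sent = request["params"].get("csrf_token", "")
        if not hmac.compare_digest(sent, self.tokens[sid]):
            return 403
        origin = request["headers"].get("Origin")
        if origin is not None and origin != BANK_ORIGIN:
            return 403
        return self._move(user, request["params"])

    def _move(self, user, params):
        amount, to = int(params["amount"]), params["to"]
        if amount <= 0 or to not in self.balances or self.balances[user] < amount:
            return 400
        self.balances[user] -= amount
        self.balances[to] += amount
        return 200


def forged_request(session_cookie):
    """What a hidden form on evil.example makes Alice's browser send: the browser
    attaches her bank cookie, but the page never saw the token."""
    return {"cookies": {"session": session_cookie},
            "headers": {"Origin": "https://evil.example"},
            "params": {"to": "mallory", "amount": "500"}}


def legitimate_request(session_cookie, token):
    """Alice submitting the bank's own form."""
    return {"cookies": {"session": session_cookie},
            "headers": {"Origin": BANK_ORIGIN},
            "params": {"to": "mallory", "amount": "100", "csrf_token": token}}


def scenario(hardened):
    """Log Alice in, replay the forged then the legitimate request.
    Returns (forged_status, legitimate_status, alice_final_balance)."""
    bank = Bank()
    sid, token = bank.login("alice")
    handler = bank.transfer_hardened if hardened else bank.transfer_vulnerable
    forged = handler(forged_request(sid))
    legit = handler(legitimate_request(sid, token))
    return forged, legit, bank.balances["alice"]


if __name__ == "__main__":
    print("cookie only :", scenario(hardened=False))   # forged transfer succeeds
    print("with token  :", scenario(hardened=True))    # forged transfer rejected
```

The token comparison uses hmac.compare_digest so that timing does not leak it; the Origin check is a second, independent line of defense, kept optional because older browsers do not send the header.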
-----
Lecture 6: SQL Injection (1): Intro
1. What is SQL? What is it used for?
Structured Query Language. This is the standard language used to query and manage relational databases (MySQL, Oracle, Microsoft SQL Server, PostgreSQL...), and most web applications build SQL statements to read and write their data.
2. What is an SQL injection attack?
An attack in which input supplied by the attacker is incorporated into an SQL statement and interpreted by the database as SQL commands rather than as data, letting the attacker read or modify the database, bypass authentication and, in some configurations, penetrate the host or network behind it.
3. Why are SQL injection attacks considered the worst threat by OWASP?
Because injection flaws are both very common and very severe: they give direct access to the data, and most attacks leading to the compromise of credit card numbers are SQL injection attacks.
4. How does an injection typically proceed?
The application builds the query by string concatenation, and SQL has a "vulnerability" in the way it delimits data: apostrophes begin and end string literals. By entering an apostrophe the attacker closes the literal, and what follows is parsed as SQL. For example, entering ' OR 1=1-- as the username turns WHERE user='...' AND pass='...' into a condition that is always true (1=1 is interpreted as "true", and -- comments out the password check), so the attacker can illegally enter when he does not have a username or password.
5. Is it easy to avoid SQL injection attacks?
It is easy to avoid simple attacks. But attacks can be quite sophisticated (obfuscated payloads, blind inference through side channels), and every query that includes untrusted data has to be protected, not just the login form.
6. What is the typical defense against SQL injection?
Sanitization and filtering of inputs are by far the most common measures. The reliable defense, however, is to keep data and code apart: use parameterized queries (prepared statements) so that input is bound as a value and can never be parsed as SQL, and give the application's database account only the privileges it needs.
7. How does one circumvent "filters"?
One obfuscates the input to conceal its real content while the database still understands it: changing case, replacing spaces by inline comments (/**/) or tabs, URL- or hex-encoding characters, or using alternative syntax (OR 'a'='a' instead of OR 1=1). Another possibility is to use unusual inputs the filter did not anticipate. There is a long list of possibilities.
-----
Lecture 7: SQL Injection (2): More Advanced
1. What are the different stages of a SQL injection attack?
Entering (finding an input that reaches a query without validation), information gathering (database type and version, table and column names), and the attack, which can take several forms: reading or modifying the database, bypassing authentication, or escalating to the database host.
2. How does an attacker proceed to progressively discover the database?
By making a lot of queries and learning from the error messages the database returns (which reveal the DBMS type, table and column names and the structure of the query) and, when errors are hidden, from differences in the page's response.
3. What is a "Blind" SQL injection attack?
One where the error messages do not say anything, except that there is an error. The attacker must then infer the information indirectly, one character at a time: by asking yes/no questions that make the page respond differently (boolean-based), or by adding a delay to the query and measuring the response time (time-based).
4. There are different kinds of DBMS's. What are the most important?
MySQL, Microsoft SQL Server, Oracle, PostgreSQL, etc. They differ in details (comment syntax, string concatenation, the names of the metadata tables), so an attacker first fingerprints which one is in use.
5. What is "metadata"?
Metadata is the information the database keeps about itself: the names of its databases, tables, columns, users and privileges, exposed through system tables such as information_schema (MySQL, MS SQL) or Oracle's data dictionary. Reading it is how an attacker maps an unknown database.
6. What is an LDAP injection attack?
It is an injection into queries of the Lightweight Directory Access Protocol, which is used to look up users, groups and credential information in a directory (for instance to authenticate users). Unescaped input in an LDAP search filter changes the filter's meaning, just as an apostrophe does in SQL, and can be used to bypass authentication or read directory entries.
7. Are the dangers associated with SQL attacks decreasing?
No. Injection remains at the top of the OWASP list.
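Worked example (added; not from the course) for Lecture 6 questions 4, 6 and 7 and Lecture 7 question 3, in Python against an in-memory SQLite database: the ' OR 1=1-- login bypass, a blacklist filter and an inline-comment payload that slips past it, the parameterized fix, and boolean-based blind extraction of a password one character at a time. The users table, its rows and the two "page" functions are constructed; the syntax is SQLite's (MySQL and MS SQL differ in comment and string details).

```python
"""SQL injection against a real (in-memory SQLite) database.

Added example, not code from the course. The table, its rows and the "page"
functions are constructed for the demo; the syntax is SQLite's.
"""
import sqlite3
import string


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("admin", "s3cr3t-Pw", "admin"),
        ("alice", "alicepass", "user"),
    ])
    return db


def login_vulnerable(db, name, password):
    """Query built by concatenation: the input is parsed as SQL."""
    sql = (f"SELECT name, role FROM users WHERE name = '{name}' "
           f"AND password = '{password}'")
    return db.execute(sql).fetchone()


def login_filtered(db, name, password):
    """Naive blacklist: rejects "' or " and "--". Still bypassable."""
    for value in (name, password):
        if "' or " in value.lower() or "--" in value:
            return None
    return login_vulnerable(db, name, password)


def login_parameterized(db, name, password):
    """Prepared statement: values are bound by the driver; quotes stay data."""
    sql = "SELECT name, role FROM users WHERE name = ? AND password = ?"
    return db.execute(sql, (name, password)).fetchone()


def page_has_result(db, name):
    """A search page that only reveals whether a row matched: the blind oracle."""
    try:
        row = db.execute(f"SELECT name FROM users WHERE name = '{name}'").fetchone()
    except sqlite3.Error:
        return False
    return row is not None


def extract_blind(oracle, column, where, alphabet, max_len=32):
    """Boolean-based blind extraction: one yes/no question per candidate character."""
    result = ""
    for pos in range(1, max_len + 1):
        for ch in alphabet:
            probe = f"{where}' AND substr({column},{pos},1)='{ch}'-- "
            if oracle(probe):
                result += ch
                break
        else:
            break  # no character matched: end of the value
    return result


def run_demo():
    db = make_db()
    bypass = "' OR 1=1-- "                  # closes the literal, always true, comments out the rest
    obfuscated = "'/**/oR/**/name='admin"   # no "' or " with spaces and no "--": passes the filter
    alphabet = string.ascii_letters + string.digits + "-_!.@#$%"
    return {
        "bypass": login_vulnerable(db, bypass, "x"),
        "filtered_bypass": login_filtered(db, bypass, "x"),
        "filtered_obfuscated": login_filtered(db, "admin", obfuscated),
        "parameterized": login_parameterized(db, bypass, "x"),
        "blind": extract_blind(lambda n: page_has_result(db, n),
                               "password", "admin", alphabet),
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k:20} -> {v}")
```

The obfuscated payload goes in the password field and needs no comment marker: the query becomes name='admin' AND password='' OR name='admin', which SQL's operator precedence makes true. The blind loop asks the oracle roughly (alphabet size × password length) questions, which is exactly what tools like sqlmap automate.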
-----
Lecture 8: Browser Security(1): How Do Browsers Enter in the Security Equation?
1. What is the role of Browsers and how do they work?
Browsers are the interface between users and websites. They fetch resources over HTTP, transform HTML (with CSS and JavaScript) into the webpage seen by the user, run the page's scripts, keep cookies, and send the queries from the users to the website. Since they parse so much untrusted content, they are a prime target.
2. What kind of Browser was involved in the Aurora attack and how?
Internet Explorer 6 and 7. It carried a dangling-pointer (use-after-free) vulnerability, which was exploited by luring victims to a crafted web page in order to introduce some malware on their machines.
3. What is ASLR?
Address Space Layout Randomization. A technique whereby the way the address space is laid out in memory (the positions of the stack, the heap and the loaded libraries) is randomized at each run, so that an attacker exploiting a memory corruption bug cannot know in advance the addresses he needs to jump to.
4. What is DEP?
Data Execution Prevention: memory pages holding data (stack, heap) are marked non-executable by the processor, so a malicious program that uses a mix of data and executable code (to exploit a buffer overflow, for example, by placing machine code in a data buffer) is prevented from running it.
5. What is JIT? Why is it there? What kind of security concern does it bring?
Just In Time compiling. The goal of JIT is to speed up JavaScript by compiling its bytecode into machine code at run time. Since the machine code it generates is written into memory that must be executable, DEP is weakened for those pages, and an attacker who controls the JavaScript can influence the bytes the JIT emits (JIT spraying); its input is therefore important to control.
6. What is a "hijackware"?
A malware which "hijacks" the browser, for example by changing its settings (home page, search engine, proxy) or installing unwanted toolbars, so that the user's browsing is redirected.
7. What is URL blacklisting?
A list of known malicious websites where the users should not go; the browser (or a filter) checks every URL against it and blocks or warns before the page is loaded.
-----
Lecture 9: Browser Security (2): Why Are Attacks Like Man in the Browser Possible?
1. What does RIA stand for and refer to?
Rich Internet Application. New Internet applications can be large programs with the features of desktop software, which have to run within browsers, using JavaScript/AJAX or plug-ins such as Flash.
2. What are "lay-out engines"? How do they differ between Browsers?
Browsers have two main components: the user interface and the layout (rendering) engine, which parses HTML and CSS, builds the DOM, runs scripts and draws the page, and does most of the work. Internet Explorer's layout engine is Trident (proprietary), whereas Chrome and Safari have the same engine, the open source WebKit, and Firefox uses another open source engine: Gecko.
3. What is the role of DOM?
DOM codifies the design of a webpage as a tree that scripts can read and modify; it is the interface between the page's scripts and the layout engine.
4. What does XHR actually accomplish?
XHR lets script in the page make queries to the server in the background and use the reply to update parts of the page the user is viewing, without the need to re-download the whole page.
5. Why are plug-ins needed?
Some functionality (like playing movies or PDF documents) is not provided by the browser itself and requires additional programs (like Flash), called plug-ins, that run inside it.
6. What kind of security concerns do they bring?
Plug-ins run native code with the browser's privileges and have vulnerabilities of their own, so a flaw in a plug-in is as good to an attacker as a flaw in the browser, and they are updated separately from it. Flash is an example of a plug-in whose vulnerabilities have been widely used to deliver malware.
7. What is special about Flash?
Flash is a target for the distribution of malware because it is one of the most popular plug-ins: a single Flash vulnerability reaches almost every browser, whatever its vendor.
-----
Lecture 10: Browser Security(3): What Difference Browsers Do and Can Do?
1. What are the main Browsers? How is their market share evolving?
Internet Explorer, Firefox, Chrome, Safari and Opera. The first three have most of the market. The market share of Chrome is growing at the expense of Internet Explorer.
2. What does the "Browser war" refer to?
There was a "war" between Internet Explorer and Netscape in the late 1990s, which led to the demise of Netscape. Then Firefox grew at the expense of Internet Explorer.
3. Smartphones also access the internet: what is the market share of the different smartphone OS and Browsers?
The market share for telephones is very different from that of browsers on PCs. Google (Android) and Apple (iOS) are becoming the most prevalent, with RIM (BlackBerry) and Nokia losing their previous dominance. Windows has a very limited presence in smartphones.
4. How does Symantec quantify Browser security?
By the number of documented vulnerabilities.
5. What are the main findings of its latest report (2010)?
Chrome had the largest number of documented vulnerabilities that year, in part because Google pays a bounty to those who find vulnerabilities in Chrome. That suggests that the number of known vulnerabilities measures how closely a browser is being examined (the degree of security awareness around it), not how insecure it is.
6. How does JIT "hardening" proceed?
By a lot of complicated measures to protect against JIT spraying and its consequences: randomizing where the JIT places its code, inserting random padding or instructions so that the emitted bytes cannot be predicted, blinding the constants the attacker controls, and keeping JIT pages writable and executable only when needed.
7. What is a Man in the Browser attack?
It is when somehow the browser is "controlled" by a malware, typically a malicious extension or injected code acting as a proxy between the page and the user. Because it operates inside the browser, after SSL decryption, it can read and alter what the user sees and sends: for example change the destination of a bank transfer while showing the user the transaction he intended.
-----
Lecture 11: OWASP Top Ten Other Than Injection, XSS and CSRF
1. How does OWASP make its recommendation for defense or prevention of web attacks?
It produces "Cheat sheets". They are typically designed for developers.
2. What does, "Broken Authentication and session management" refer to?
It is when the mechanisms that log users in and maintain their trusted session are flawed, so that the session can be tampered with or taken over: session identifiers exposed in URLs, predictable or never-expiring tokens, tokens not renewed after login, passwords stored or transmitted in clear, weak password recovery functions.
3. What defense does OWASP suggest?
Strong authentication and session management: use one well-tested mechanism (the framework's own) rather than home-made code, protect session identifiers (HTTPS, HttpOnly cookies, regeneration after login, time-outs)... i.e. there is no single obvious defense other than taking all these precautions consistently.
4. In what sense do A-4 (Insecure object references) and A-8 (Failure to restrict URL access) differ?
They differ very marginally (the place of the URL one acts on): A-4 is about the reference to an object passed as a parameter, A-8 about the address of a page itself (a hidden administration page reachable by typing its URL); the fix is the same, checking authorization on the server for every request. But the fact that this kind of attack appears twice in the top ten was a deliberate attempt by OWASP to emphasize its importance.
5. What does OWASP recommend to avoid unvalidated redirect?
Not using user-supplied destinations at all where possible; otherwise whitelisting the possible redirects (or passing an index into a fixed table of URLs instead of the URL itself) and checking on the server that the supplied value is in the list.
6. What does "Insecure Cryptographic Storage" refer to?
This is when sensitive data (passwords, credit card numbers, personal records) is stored without adequate protection: not encrypted or hashed at all, or with weak algorithms, unsalted hashes or poorly managed keys, so that any exposure of the database (a breach, or a glitch in its functioning) exposes the confidential data as well.
7. Are Security Misconfigurations easily avoidable?
Depends. Some are, but one should not assume that it is easy to avoid missing something.
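Worked example (added; not from the course) of the whitelisting recommended in question 5, in Python: a naive substring check beside a validator that parses the target and compares its host against an allow list. The allowed hosts, default page and sample targets are constructed; the odd-looking targets are the usual ways of slipping past prefix or substring checks.

```python
"""Whitelisting redirect destinations.

Added example, not code from the course. The allowed hosts, the default page and
the sample targets are constructed.
"""
from urllib.parse import urljoin, urlsplit

ALLOWED_HOSTS = {"www.example.com", "accounts.example.com"}
DEFAULT = "https://www.example.com/"


def naive_is_safe(target):
    """A common mistake: substring and prefix checks on the raw string."""
    return target.startswith("/") or "example.com" in target


def safe_redirect(target, allowed_hosts=ALLOWED_HOSTS, default=DEFAULT):
    """Return the target if it stays on an allowed host, otherwise the default page."""
    if not target:
        return default
    # Browsers treat backslashes as slashes ('/\evil' becomes '//evil'): normalize first.
    cleaned = target.strip().replace("\\", "/")
    parts = urlsplit(cleaned)
    if not parts.scheme and not parts.netloc:
        # A plain local path is resolved against our own site; anything else is refused.
        if cleaned.startswith("/") and not cleaned.startswith("//"):
            return urljoin(default, cleaned)
        return default
    if parts.scheme not in ("http", "https"):
        return default          # refuses javascript:, data:, and scheme-relative '//host'
    host = (parts.hostname or "").lower()
    if host not in allowed_hosts:
        return default          # refuses evil.example, www.example.com.evil.example, user@host tricks
    return cleaned


# Constructed sample targets an attacker might put in ?next=...
TRICKY_TARGETS = [
    "//evil.example/",
    "/\\evil.example",
    "https://evil.example/?next=www.example.com",
    "https://www.example.com.evil.example/",
    "https://www.example.com@evil.example/",
    "javascript:alert(1)",
]

if __name__ == "__main__":
    for t in ["/dashboard", "https://accounts.example.com/login"] + TRICKY_TARGETS:
        print(f"{t!r:48} naive={naive_is_safe(t)!s:5} -> {safe_redirect(t)}")
```

Every entry in TRICKY_TARGETS is accepted by at least one of the naive checks and sent to the default page by the validator; the comparison is on the parsed host name, never on the raw string.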
-----
Lecture 12: AJAX, Web 2.0, and Web Application Security
1. What does XHR stand for and do?
XMLHttpRequest: the JavaScript interface through which a script sends an HTTP request to the server and reads the response, without leaving the page.
2. Does XHR support only one method? Which one?
No. XHR supports any HTTP method (GET, POST, PUT, DELETE, HEAD...), the most common being GET and POST. GET requests are lighter and can be cached by the browser, which makes them faster; POST is used to submit data.
3. What is the security concern associated with XHR?
XHR queries take place in the background (asynchronously) and lead to exchanges of data between client and server that the user does not see. One security concern is the possibility that this leads to the injection of malicious content: data returned by the server is inserted into the page by script, and if it is written with innerHTML or parsed with eval, a malicious reply becomes DOM-based XSS. In addition, each XHR endpoint is an entry point that must validate input and check authorization like any other page, and an XSS payload can use XHR to act on the site as the user.
4. What exactly is DOM and what is its general structure?
DOM is structured as a tree. The whole web page is described as a tree whose root is the document; every element, attribute and piece of text is a node with a parent and children, and each node can be located (by id, tag name or position) and modified by script. This makes it easier for the developer to design scripts that modify the page locally.
5. Why was DOM deemed useful/necessary? Who proposed DOM? Do all browsers support DOM?
The need for DOM came with the appearance of sophisticated and complicated websites that had to be updated in place by script. The W3C proposed and standardized DOM, to give all browsers one common interface for scripts. All browsers are now compliant with DOM, but that took a few years, and differences between browsers' implementations were long a problem.
6. What is JSON?
JavaScript Object Notation. An open, text-based standard to represent structured data (objects, arrays, strings, numbers), derived from JavaScript's literal syntax and now the most common format for AJAX replies.
7. What does "serialization" refer to? What kind of security concerns does it promote?
It refers to the conversion of in-memory data structures into a format that can be transported or stored more efficiently, and reconstituted later (deserialization). There is a concern that malicious data can be included: the receiver has to parse untrusted serialized data, and if it does so by evaluating it as code (eval on a JSON reply) or reconstructs whatever objects the stream describes, crafted data executes code or creates objects the application did not expect. Parsers must treat the input strictly as data and check its shape.
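Worked example (added; not from the course) for questions 6 and 7 in Python: three constructed replies fed to an eval-style "parser" and to a strict JSON parser with a schema check. The replies and the SIDE_EFFECTS list are made up for the demonstration; the point is that json.loads rejects anything that is not JSON and the schema check rejects JSON of the wrong shape, while eval executes whatever it is given.

```python
"""Parsing an untrusted serialized reply as data, not as code.

Added example, not code from the course. The replies are constructed strings
standing in for what an AJAX call might receive; SIDE_EFFECTS records whether
a "parser" executed something, which is the failure mode being demonstrated.
"""
import json

SIDE_EFFECTS = []

# Constructed replies: a proper one, a syntactically valid one of the wrong
# shape, and one that is code. In the early AJAX days JSON was often "parsed"
# with JavaScript's eval(); the third reply is the Python analogue of that risk.
RESPONSES = {
    "valid": '{"user": "alice", "balance": 42}',
    "wrong_type": '{"user": "alice", "balance": "42"}',
    "code": '(SIDE_EFFECTS.append("code ran"), {"user": "root", "balance": 0})[1]',
}

SCHEMA = {"user": str, "balance": int}


def parse_with_eval(text):
    """The unsafe way: whatever is syntactically valid code is executed."""
    return eval(text)  # deliberately unsafe, for the demonstration only


def parse_strict(text, schema=SCHEMA):
    """Parse as JSON only, then check that the shape matches what was expected."""
    data = json.loads(text)   # raises json.JSONDecodeError on anything that is not JSON
    if not isinstance(data, dict) or set(data) != set(schema):
        raise ValueError("unexpected keys")
    for key, typ in schema.items():
        # bool is a subclass of int in Python, so exclude it explicitly
        if not isinstance(data[key], typ) or isinstance(data[key], bool):
            raise ValueError(f"bad type for {key}")
    return data


def classify(text):
    """Return (accepted_by_eval, accepted_by_strict_parser) for one reply."""
    try:
        eval_ok = parse_with_eval(text) is not None
    except Exception:
        eval_ok = False
    try:
        parse_strict(text)
        strict_ok = True
    except ValueError:       # json.JSONDecodeError is a subclass of ValueError
        strict_ok = False
    return eval_ok, strict_ok


if __name__ == "__main__":
    for name, text in RESPONSES.items():
        eval_ok, strict_ok = classify(text)
        print(f"{name:11} eval={eval_ok!s:5} strict={strict_ok}")
    print("side effects:", SIDE_EFFECTS)
```

The "code" reply is accepted by eval and, as a side effect, runs; in a real attack the appended call would be something like a request to the attacker's server or, in a desktop language, a system command.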
-----
Lecture 13: Defense: Security Tools for Web-Applications
1. What is a "penetration tester"?
An individual (or, by extension, a program) who tests the security of a system by attacking it the way a real attacker would, with the owner's permission, and reports the vulnerabilities found; for websites, that includes testing for code injection.
2. What does sqlmap do?
It checks web applications for vulnerability to SQL injection: given a URL and its parameters, it finds injectable inputs, fingerprints the DBMS, and can perform a variety of attacks, such as enumerating the database, dumping tables and, depending on the configuration, reading files or executing commands on the database server.
3. What is the "Burp Suite"?
It is a tool that analyzes websites (makes a map of a site, crawls it, scans it and can automatically perform some attacks against it), built around an intercepting proxy that lets the tester inspect and modify every request.
4. When it acts as a proxy, what does Burp do?
It sits between the browser and the server and intercepts all the HTTP(S) queries originating from the browser (and the responses), so the tester can inspect, modify, replay or drop them before they are forwarded.
5. What do the "spider" and the scanner do?
The spider "crawls" the website (i.e. follows links and submits forms to identify all the URLs and parameters), and the scanner sends test payloads to those inputs and scans the responses for known vulnerability classes.
6. What is BeEF? When paired with Burp or sqlmap, what kind of attack does it allow?
The Browser Exploitation Framework is a tool that can "hook" a browser (by getting it to run a JavaScript hook, for instance through an XSS) and then perform attacks through the browser from a control console. In its attack, it can tunnel traffic from Burp to attack other websites and from sqlmap to perform SQL injections, so that those attacks are launched from the victim's browser, with its network position and its cookies.
7. Can these tools be used by attackers?
Yes. The same tools serve attackers and testers; what differs is authorization.
-----
Lecture 14: Mobile Devices and the Cloud
1. What was the market share of the different smartphones as of 2011?
iOS, Android, RIM and Nokia had similar market shares, but iOS and Android are growing.
2. What is ENISA?
The European Network and Information Security Agency. It is the European Union agency, reporting to the European Commission, that deals with cybersecurity.
3. What are the three most serious security threats associated with smartphones, according to ENISA?
Loss of the device, disclosure of data, and decommissioned devices (sold or discarded with their data still on them).
4. How does this list compare with lists commonly published in magazines?
Other lists do not focus on the device itself. They mention SMShing (phishing by SMS), war-texting, Wi-Fi hijacking (not specific to smartphones), hidden URLs (shortened links), or Bluetooth snooping, for example...
5. What is the "one minute attack"?
It exploits the fact that smartphones tend to always be on and connected. A smartphone infected with spyware could see its content (contacts, messages, location) revealed within one minute, unbeknownst to the owner.
6. What was the Droiddream incident, and what did it emphasize?
In March 2011, about 50 different Android applications in the official Android Market were found to carry the same malware (DroidDream), which rooted the device and sent data to a remote server; Google pulled them from the market and removed them remotely from phones. This shows how an app store, and apps in general, can be used as vectors to distribute malware to many devices at once.
7. What kind of security concerns does cloud computing typically raise?
The fact that important personal data and other important web activities are taking place remotely from the person concerned, on infrastructure he does not control: he has to trust the provider's security and its isolation of customers from one another, the data travels over the network, and it is not always clear where the data is and who may access it.