Cross-Site Scripting (XSS) Explained

Questions and Answers

Which of the following accurately describes Cross-Site Scripting (XSS)?

• A method attackers use to directly access server files.
• A technique to bypass authentication using stolen cookies.
• A process of encrypting data transmitted between the user and the server.
• A vulnerability allowing attackers to inject malicious scripts into a website. (correct)

In the context of XSS, what does sanitizing input primarily prevent?

• Validating the length and format of user input fields.
• Preventing the execution of JavaScript on the server-side.
• Ensuring that user-submitted data does not contain malicious scripts. (correct)
• Encrypting user input to protect against data theft.

How does Reflected XSS primarily differ from Stored XSS?

• Reflected XSS requires the attacker to have direct access to the web server.
• Reflected XSS exploits vulnerabilities in the client's browser directly, without server involvement.
• Reflected XSS injects scripts that are permanently stored on the server.
• Reflected XSS is less dangerous because it does not persist on the server. (correct)

What is the primary characteristic of DOM-Based XSS?

It modifies the webpage's structure directly in the user's browser using JavaScript. (D)

Which of the following is a potential outcome of a successful XSS attack?

Data theft, session hijacking, or malware injection. (D)

How can attackers typically trick users into executing malicious Reflected XSS scripts?

By sending phishing emails containing malicious links. (C)

Which type of XSS attack poses the greatest risk to website visitors, even without them clicking any links?

Stored XSS (A)

What is the first step a subject takes during the authentication process?

Identifying themselves. (A)

After a subject identifies themselves, what is the subsequent step in proper authentication?

Subject provides a 'Credential set'. (B)

What is the primary action an attacker performs during a Cross-Site Scripting (XSS) attack?

Injecting malicious scripts into a website. (D)

Which of the following is a potential consequence of a successful XSS attack on a website?

Session hijacking, data theft, or phishing attacks. (D)

In the context of XSS, what is the most direct implication of a website failing to sanitize user inputs?

The website becomes susceptible to having malicious scripts injected into its pages. (B)

In Reflected XSS, how is the malicious script typically delivered to the victim?

Through a URL or form input. (C)

Which characteristic is unique to Stored XSS compared to other types of XSS attacks?

The malicious script is permanently saved on the website's server. (D)

What is a key characteristic of DOM-Based XSS that distinguishes it from Stored and Reflected XSS?

It is primarily executed on the client-side, with the browser modifying the page structure. (D)

What makes Stored XSS generally considered more dangerous than Reflected XSS?

It can affect all users who visit the infected page without needing to click a malicious link. (A)

What is the underlying principle behind the concept of 'Something You Know' in authentication methods?

Using a challenge-response method where the subject provides a knowledgeable answer. (D)

Among the basic authentication methods, which one is typically considered the easiest to implement but also the weakest?

'Something You Know' (B)

What is the key characteristic of 'Type II' authentication methods?

They require the user to possess a physical token or device. (D)

Which of the following authentication factors falls under the category of 'Something You Are'?

A fingerprint scan. (C)

What technology is used in 'Type IV' authentication?

Geo-location or location-based access control (C)

What is the primary function of dynamic passwords?

They change at regular intervals, often generated by software or hardware tokens. (C)

What is a key benefit of using passphrases over traditional passwords, according to the slides?

Passphrases are typically longer and more memorable for humans, yet harder for computers to crack. (A)

Why are hybrid drives not suitable for clearing by degaussing?

The slides do not cover Hybrid Drives (D)

How is data primarily recorded on hard disks (HDDs)?

Magnetically, on rotating platters. (B)

Which statement best describes how data is accessed in Solid State Drives (SSDs)?

Data is accessed directly without mechanical movement, using flash memory. (C)

When considering data remanence in Solid State Drives (SSDs), what is the most effective method for ensuring data is unrecoverable?

Physically destroying the chips. (B)

Why is overwriting data not as effective for Solid State Drives (SSDs) as it is for Hard Disk Drives (HDDs)?

SSDs have wear leveling, which distributes writes and makes complete overwriting uncertain. (B)

In the context of data security, what is the primary purpose of 'degaussing' a storage device?

To remove or reduce magnetic fields on a drive, thereby erasing data. (C)

According to the slides, which data remanence countermeasures are ineffective toward a virtual and dynamic environment such as a Cloud environment?

Overwriting (B)

Which of the following best describes the function of memory in a computer system?

A series of 'on' and 'off' switches used to represent the binary digits (0 and 1). (D)

What is the primary characteristic of volatile memory?

It loses its data when the power is turned off. (C)

Which of the following is an example of non-volatile memory?

ROM (Read-Only Memory). (A)

How does the CPU access data stored in RAM?

Directly, allowing for quick and efficient data retrieval. (D)

According to the information from the slides, what is 'Cache' memory used for?

To store instructions and data frequently used by the CPU for quicker access. (C)

Which type of memory is used for the fastest portion of the CPU cache?

Static Random-Access Memory (SRAM). (B)

How does DRAM differ to SRAM?

DRAM has lower cost (B)

What is a primary distinction between Solid State Drives (SSDs) and Hard Disk Drives (HDDs)?

SSDs have faster data access speeds compared to HDDs. (B)

What term describes the residual representation of data that remains even after attempts to remove or erase it?

Data remanence. (C)

Access Control Vulnerabilities occur when what happens on a web application?

A web application improperly restricts user access to resources or functions (A)

In the concept of Broken Object-Level Authorization (BOLA), what action do attackers typically perform?

Attackers modify object IDs in requests to access another user's data. (A)

In Broke Function-Level authorization, what is an example of what regular users access without the write premissions?

/admin/delete-user?id=45 (D)

What type of Access Control Vulnerabilities involved with directly accessing files, database records, or API endpoints by modifying request parameters?

Insecure Direct Object References (A)

What access control vulnerability describes attackers accessing hidden but unprotected URLs?

Forced Browsing (C)

What access control vulnerability is it when attackers upgrade their user permissions by modifying roles in requests?

Privilege Escalation (C)

Flashcards

What is Cross-Site Scripting (XSS)?

A web security vulnerability that allows attackers to inject malicious scripts (JavaScript) into a website.

How Does XSS Work?

The attacker injects a malicious script into a webpage. The website fails to sanitize the input. When another user visits the page, the browser executes the injected script. The attacker steals sensitive data, modifies page content, or redirects the user.

Reflected XSS

The malicious script is injected via a URL or form input but is not stored on the server. It executes only when the victim clicks a malicious link.

Stored XSS

The malicious script is saved in the website's database and loads whenever users view the infected page.

DOM-Based XSS

The browser itself modifies the webpage's structure using JavaScript, leading to an XSS attack.

Proper Authentication

Subject identifies oneself, provides assurance, gives credentials, system validates, access granted.

Type I Authentication

Testing the subject with a 'challenge-response' method.

Type II Authentication

Requires users to possess something such as a token.

Type III Authentication

Uses you own bio characteristics for indentification.

Type IV Authentication

Geo-location or location-based access control using technologies such as GPS.

Static Passwords

Typically user-generated and reusable passwords that may expire.

Passphrases

Long static passwords that are composed of several words or a long sentence.

One-Time Passwords

Single authentication, one-time only use passwords. Secure but hard to maintain.

Dynamic Passwords

Passwords that change at regular intervals, usually in the form of software or hardware tokens.

What is Data Remanence?

The residual representation of Data that has been in some way nominally erased or removed

Data Remanence in Hard Drives

Data is recorded magnetically on platters. Mechanical - the read/write heads move and the platter rotates. Magnetic data is not erased, only the indexes

Data Remanence in Solid State Drives

Uses Flash memory (chips) to store data. Data Accessed directly (no mechanically moving parts). New data is typically written to a new location.

Overwriting for Remanence

Writing a sequence of zeros, ones or random data on all sectors of a hard disk.

Degaussing for Remanence

Using a special equipment (Degausser) to remove or reduce magnetic fields on a drive.

Encryption for Remanence

Encrypting data before storing in cloud servers. Saving keys in local or virtual private server.

Destruction for Remanence

Using physical or chemical destruction techniques.

What is Memory?

Fundamentally a series of 'on' and 'off' switches used to represent the binary digits (0 and 1)

Volatile Memory

Memory where data is lost when the computer is turned off.

Non Volatile Memory

Memory where the data is not lost when a computer is switched off.

Real (Primary) Memory

A Real or ‘Primary' memory. Directly accessible by the CPU. Holds instructions and data for currently executing processes. ‘Scratch Pad' Memory

Cache Memory

Fastest system memory. Keeps up with the CPU as it fetches and executes instructions. Data most frequently used by CPU is stored here

RAM

Volatile: data is lost when computer is powered done. Can be directly accessed by the CPU. Used to store temporary information in a finite time.

ROM

Non-Volatile: data is retained even when power is turned-off. Cannot be directly accessed by the CPU. Stores permanent information (e.g., BIOS)

Pros of using SRAM

SRAM has lower access time, so it is faster compared to DRAM. SRAM is costlier than DRAM.

Pros of using DRAM

DRAM has higher access time, so it is slower than SRAM. DRAM costs less compared to SRAM.

SSD (Solid State Devices)

Combination of Flash Memory (EEPROM) and DRAM. SSDs are logical and writes on unused portions and marks previous ones as unallocated

What is Access Control Vulnerability?

Access Control Vulnerabilities occur when a web application improperly restricts user access to resources or functions.

Broken Object-Level Authorization

Attackers modify object IDs in requests to access another user's data.

Broken Function-Level Authorization

Unauthorized users gain access to restricted functionality

Insecure Direct Object References

Attackers directly access files, database records, or API endpoints by modifying request parameters.

Forced Browsing

Attackers access hidden but unprotected URLs.

Privilege Escalation

Attackers upgrade their user permissions by modifying roles in requests.

Study Notes

Cross-Site Scripting (XSS)

• XSS is a web security vulnerability where attackers inject malicious scripts, often JavaScript, into a website.
• These scripts execute in the victim's browser when they load the affected webpage.
• Outcomes of successful XSS attacks include: session hijacking, data theft, phishing, or malware injection.

How XSS Works

• An attacker injects a malicious script into a webpage through a search bar, comment box, or URL.
• The website fails to sanitize the input, incorporating the script into the page.
• When another user visits the page, their browser executes the injected script.
• Consequentially, the attacker can steal sensitive data, modify page content, or redirect the victim.

Types of XSS Attacks

Reflected XSS (Immediate Execution)

• The malicious script is injected via a URL or form input
• Scripts are not stored permanently on the server
• Execution occurs only when the victim clicks a malicious link.
• Attackers can use phishing emails to trick users into clicking malicious links.

Stored XSS (Persistent, More Dangerous)

• In stored XSS, the malicious script is saved in the website's database.
• The script loads whenever users view the compromised page.
• Comment sections, forums, and profile fields are common targets.
• Every visitor to the infected page is at risk without clicking any links.

DOM-Based XSS (Client-Side Vulnerability)

• The browser modifies the webpage's structure using JavaScript, leading to an XSS attack.
• If an attacker sends a URL like https://example.com#<script>alert('XSS')</script>, the browser executes the script without server involvement.

Proper Authentication of Subjects

• Step 1: A subject identifies themselves.
• Step 2: The subject provides assurance that their claimed identity is valid.
• Step 3: The subject presents a set of credentials.
• Step 4: The system validates the supplied credentials.
• Step 5: Access is granted upon successful validation.

Basic Authentication Methods

• Type I: Something You Know (e.g., password).
• Type II: Something You Have (e.g., a token).
• Type III: Something You Are (e.g., biometrics).
• Type IV: Somewhere You Are (e.g., geolocation).

Type I - Something You Know

• This method uses a challenge-response system.
• Access is granted if the response is correct.
• A classic example is username/password or PIN.
• It's the easiest and weakest form of authentication.

About Passwords

• There are four types of passwords to consider when implementing access controls.
• Static Passwords: User-generated, reusable passwords that may or may not expire, often combined with other authentication.
• Passphrases: Long static passwords composed of several words or a sentence. Typically don't expire.
• One-Time Passwords: Used for a single authentication instance and are secure but hard to maintain.
• Dynamic Passwords: Change at regular intervals. Combined with static passwords for added security.

Type II - Something You Have

• Requires users to possess a token to prove their identity.
• A token is a device that helps verify the user's claim to an identity.
• Dynamic Tokens are usually synchronous and asynchronous.

Type III - Something You Are

• Relies on Biometrics.
• Uses physical characteristics for identification and authentication.
• Examples: Fingerprints, Retina Scan, Iris Scan, Hand Geometry, Voiceprint.

Type IV - Someplace You Are

• This method employs geolocation or location-based access control.
• Technologies such as GPS can accept or deny access based on the current location of the subject.

Data Remanence

• Data Remanence: Data that persists even when deleted by "Non-invasive” means.
• It's often discussed in Digital Forensics and Data Destruction contexts.

Data Remanence in Disk Drives

Hard Disks

• Data is recorded magnetically on platters.
• Mechanical read/write heads move, and the platter rotates.
• Magnetic data is not erased, only the indexes are.
• New data may overwrite deleted data.

Solid State Drives

• Flash memory (chips) is used to store data.
• Data Accessed directly (no mechanically moving parts)
• New data is typically written to a new location
• Destruction Incineration/shredding is best for chips
• Hybrid drives cannot be cleared by degaussing.

Data Remanence Countermeasures

• Overwriting: Writing zeros, ones, or random data on all sectors; not efficient on SSDs or USB drives.
• Degaussing: Using special equipment to remove or reduce magnetic fields; limited to magnetic drives, may render media inoperable.
• Encryption: Encrypting data before storing in cloud servers, saving keys locally; difficult key management, encrypted data cannot be processed in the cloud.
• Destruction: Physical or chemical destruction techniques; not applicable in a cloud environment.

Memory

• Fundamentally a series of 'on' and 'off' switches used to represent the binary digits (0 and 1)
• Volatile Memory loses data when power is turned off
• Data is stored temporarily
• It is faster than non-volatile memory
• The storage capacity is less when compared to non-volatile memory
• Data can be easily trasnferred
• Examples are RAM and Cache Memory

Real (Primary) Memory

• RAM is a Real or ‘Primary' memory
• Directly accessible by the CPU
• Holds instructions and data for currently executing processes
• 'Scratch Pad' Memory

Cache Memory

• Static random-access memory (SRAM) is used for cache memory.
• The next fastest form of cache memory is Level 1 cache, located on the CPU itself.
• Level 2 cache is connected to (but outside of) the CPU.
• Keeps up with the CPU as it fetches and executes instructions
• Fastest system memory
• Data most frequently used by CPU is stored here

RAM vs ROM

• RAM (Random Access Memory): Volatile, can be directly accessed by the CPU, used to store temporary information, larger in size, fast data write speeds
• ROM (Read Only Memory): Non-Volatile, cannot be directly accessed by the CPU, stores permanent information, smaller in size, slow write process

DRAM vs SRAM

• SRAM: Lower access time, costlier, requires constant power supply, lower storage capacity, has low packaging density.
• DRAM: Higher access time, less expensive, reduced power consumption, large storage capacity, has high packaging density.

SSD (Solid State Devices)

• SSD consist of Flash Memory (EEPROM) and DRAM.
• Data is mapped logically
• Writes on unused portions and marks previous ones as unallocated

SSD vs HDD

• SSD: Faster, shorter lifespan, more expensive, non-mechanical, shock-resistant, best for storing OS and gaming
• HDD: Slower, longer lifespan, cheaper, mechanical, fragile, best for storing extra data (movies, photos, docs)

Access Control Vulnerability

• Occurs when a web application improperly restricts user access to resources or functions
• Attackers exploit these weaknesses to access unauthorized data, modify settings, or perform actions as other users or administrators
• Access Control Vulnerabilities Works when: A web application fails to properly enforce restrictions on user actions, An attacker manipulates requests, If the server does not validate permissions correctly, the attacker can access or modify data they shouldn't

Types of Access Control Vulnerabilities

• Broken Object-Level Authorization (BOLA): Attackers modify object IDs in requests to access another user's data.
• Broken Function-Level Authorization: Unauthorized users gain access to restricted functionality
• Insecure Direct Object References (IDOR): Attackers directly access files, database records, by modifying request parameters
• Forced Browsing: Attackers access hidden but unprotected URLs.
• Privilege Escalation: Attackers upgrade their user permissions by modifying roles in requests.