Web Development Security Best Practices

Questions and Answers

PDF Questions PDF Answers

Where should untrusted data not be placed?

In comments (correct)

In a database

In CSS (correct)

Between HTML tags (correct)

What is the recommended header type to prevent XSS attacks?

text/html

text/css

application/javascript

application/json (correct)

What is the primary method of preventing CSRF attacks?

One-time tokens (correct)

Using JS frameworks

Sanitizing HTML markup

Input validation

What is a common goal of a CSRF attack?

Gain access to the website

What is a common way phishing attacks are sent?

Through email

What is the primary method of preventing XSS attacks?

Sanitizing HTML markup

What is a common vulnerability that can lead to CSRF attacks?

Lack of input validation

What is the goal of a phishing attack?

To take control of the user's machine

What is the recommended practice when using untrusted data in HTML?

Escape the data in the HTML body

A CSRF attack can be prevented by using session cookies.

False

What is the goal of a phishing attack?

To gain unauthorized access to a user's machine or credentials

Using a ___________ token can help prevent CSRF attacks.

one-time

Match the following security terms with their descriptions:

XSS = Injection of malicious scripts into a website CSRF = Abuse of legitimate user's credentials Phishing = Social engineering attack to gain unauthorized access

What is a common way for an attacker to initiate a CSRF attack?

Through a phishing email

Sanitizing HTML markup can help prevent XSS attacks.

True

What is the recommended header type to use when transmitting JSON data?

application/json

Study Notes

XSS (Cross-Site Scripting) Prevention

• Untrusted data should only be placed in allowed locations, never in tags, comments, attribute names, or tag names
• Untrusted data should be escaped in the HTML body (e.g., in div's)
• Use application/json headers instead of text/html
• Sanitize HTML markup using proper libraries
• Properly use current JS frameworks

CSRF (Cross-Site Request Forgery) Attack

• A type of attack where a malicious user sends a link to a legitimate user, who is logged in to a website, to gain access to the website using their credentials
• Can be prevented by using one-time tokens
• Common vulnerabilities leading to CSRF attacks:
  • Lack of input validation
  • Trusting user-manipulated parameters
  • Using parameters to track session information
  • Modifying URL or form field data without user authorization

Phishing Attack

• A type of attack where a malicious user sends a fake email or link to trick a user into revealing sensitive information or giving access to their machine
• Attacks are often sent through email, redirecting the user to a malicious website or opening a connection to the originator
• Example of a phishing email: offering a fake refund from a government agency (e.g., CRA)
• Red flags in a phishing email/UI:
  • Suspicious sender address or domain
  • Urgent or threatening tone
  • Misspelled URLs or generic greetings
  • Request for sensitive information or login credentials

XSS (Cross-Site Scripting) Prevention

• Untrusted data should only be placed in allowed locations, never in tags, comments, attribute names, or tag names
• Untrusted data should be escaped in the HTML body (e.g., in div's)
• Use application/json headers instead of text/html
• Sanitize HTML markup using proper libraries
• Properly use current JS frameworks

CSRF (Cross-Site Request Forgery) Attack

• A type of attack where a malicious user sends a link to a legitimate user, who is logged in to a website, to gain access to the website using their credentials
• Can be prevented by using one-time tokens
• Common vulnerabilities leading to CSRF attacks:
  • Lack of input validation
  • Trusting user-manipulated parameters
  • Using parameters to track session information
  • Modifying URL or form field data without user authorization

Phishing Attack

• A type of attack where a malicious user sends a fake email or link to trick a user into revealing sensitive information or giving access to their machine
• Attacks are often sent through email, redirecting the user to a malicious website or opening a connection to the originator
• Example of a phishing email: offering a fake refund from a government agency (e.g., CRA)
• Red flags in a phishing email/UI:
  • Suspicious sender address or domain
  • Urgent or threatening tone
  • Misspelled URLs or generic greetings
  • Request for sensitive information or login credentials

Description

This quiz covers essential security guidelines for web development, including XSS prevention and CSRF protection. Learn how to secure your web applications with these best practices.