Web Security Best Practices Quiz
24 Questions

Created by
@LegendaryDecagon

Questions and Answers

What is the purpose of escaping untrusted input before inserting it into an HTML page?

  • To facilitate inline JavaScript execution.
  • To enable server-side scripting capabilities.
  • To improve loading speed of the page.
  • To convert exploitable characters into corresponding HTML encoding. (correct)

What is a key characteristic of Ad-Hoc mode in WiFi networking?

  • It provides extensive network management features.
  • It supports advanced security protocols like WPA2.
  • Devices connect directly to each other without a central access point. (correct)
  • It requires a router for device connectivity.

Which is a common method to prevent XSS vulnerabilities related to cookie security?

  • Using weak encryption algorithms for cookie contents.
  • Allowing direct JavaScript access to cookie data.
  • Storing cookies in plain text format.
  • Setting the Secure and HttpOnly flags on cookies. (correct)

Which statement is true about WEP as a WiFi security protocol?

  • WEP has known vulnerabilities due to a short and reused IV.

What distinguishes Infrastructure mode from Ad-Hoc mode in WiFi networks?

  • Infrastructure mode relies on a central access point for connectivity.

Which of the following describes a common type of XSS attack?

  • Stored XSS where malicious scripts are permanently stored on a server.

What is a recommended practice for input sanitization to avoid XSS?

  • Regularly conducting security testing for vulnerabilities.

What is a primary advantage of Monitor mode in WiFi?

  • It allows a device to listen to all traffic on a channel without connecting.

What is a primary reason why wireless networks are generally considered less secure than wired networks?

  • Intruders can intercept wireless signals without physical access.

Which of the following is a recommended practice to prevent file inclusion vulnerabilities?

  • Utilize static file inclusion instead of dynamic input.

In ad-hoc mode for wireless networking, what is true about its operation?

  • It allows for direct communication between wireless adapters.

What is the main function of monitor mode in wireless networking?

  • To capture traffic from all nearby wireless networks

What is one of the primary roles of the RADIUS server after successful authentication?

  • To manage session usage and enforce access policies.

In Open System Authentication (OSA) mode, what does the client send to the access point for authentication?

  • An authentication request frame including the SSID

Which input sanitization technique is not recommended for protecting against file inclusion vulnerabilities?

  • Allowing user input to define file paths.

What is the purpose of the Message Integrity Code (MIC) in the four-way handshake?

  • To ensure the integrity of messages

What distinct advantage does infrastructure mode offer compared to ad-hoc mode in a wireless network?

  • It supports a larger number of clients efficiently.

Which type of Cross-Site Scripting (XSS) attack occurs when a malicious script is injected into a web application and stored for subsequent users?

  • Stored XSS

How is a MIC attack typically executed on the four-way handshake?

  • By capturing the handshake messages between client and AP

Which of the following security protocols is essential for enhancing the security of a wireless network?

  • WPA2

What is the derivation process of the Pairwise Master Key (PMK) in wireless security?

  • Formed by brute-forcing the pre-shared key

What is the initial step a client must take when connecting to an access point in the OSA mode?

  • Send an authentication request frame to the AP

What protocol is used for client authentication when sharing a key with an AP?

  • Challenge and response protocol

Which of the following correctly describes the function of the SSID in the context of wireless networks?

  • It identifies the wireless network for authentication

Study Notes

Security Best Practices for Web Applications

  • Escape untrusted input before inserting it into an HTML page, converting exploitable characters into their corresponding HTML encoding.
  • Set the HttpOnly and Secure flags on cookies to restrict access via JavaScript and ensure data is sent only over HTTPS.
  • Avoid inline JavaScript and direct embedding of user inputs to mitigate vulnerabilities.
  • Regularly conduct automated and manual security tests to identify and address potential XSS vulnerabilities.

Basics of WiFi Networking

  • Ad-Hoc Mode:
    • Allows peer-to-peer connections directly between devices, bypassing routers or access points.
    • Ideal for temporary networks, such as file sharing between laptops.
    • No central management; devices communicate independently within range.
  • Infrastructure Mode:
    • Devices connect to a central access point (router) that manages network traffic.
    • Commonly used in homes and offices, providing better range and effective management.
    • Access points help optimize connectivity and traffic handling.
  • Monitor Mode:
    • Enables a device to listen to all traffic on a channel without connecting to any network.
    • Used for network analysis, debugging, and security audits, with data transmission limited.

Wireless Security Protocols

  • WEP (Wired Equivalent Privacy) was an early security protocol to secure wireless networks but is highly vulnerable.
    • Known weaknesses include a short 24-bit Initialization Vector (IV) and weaknesses in the RC4 encryption algorithm.
    • The integrity check algorithm CRC-32 is also considered weak.

RADIUS Authentication

  • RADIUS servers manage authentication and session control for wireless networks.
  • Upon successful authentication, these servers help establish encryption keys for securing wireless communications.
  • They track usage for accounting and enforce access policies.

File Inclusion Vulnerability

  • This vulnerability occurs when attackers manipulate file paths to access unintended files or directories.
  • Can lead to unauthorized file access or code execution, posing a serious security threat.
  • Prevention strategies include utilizing static file inclusion and avoiding the use of $_GET[] for page parameters.

Wireless Network Security Challenges

  • Wireless networks broadcast data over radio waves, making them more susceptible to interception compared to wired networks.
  • Attackers can capture signals without physical access, complicating network security.

Wireless Networking Modes Overview

  • Ad-hoc mode only requires wireless adapters, making it simple for small networks.
  • Infrastructure mode uses an access point (AP) for connectivity, requiring knowledge of the SSID, which can be easily sniffed.
  • Monitor mode captures traffic across all nearby wireless networks without connecting.

Authentication Methods in Wireless Networks

  • Open System Authentication (OSA):
    • Clients send an authentication request to the access point, including SSID verification.
    • Successful authentication leads to association with the AP for network access.
  • Shared Key Authentication:
    • Requires pre-shared keys for client authentication and encrypts traffic post-authentication.

MIC Attack on Four-Way Handshake

  • Involves intercepting messages exchanged between the client and AP during the authentication process.
  • The Message Integrity Code (MIC) ensures the integrity of messages, calculated using the Pairwise Transient Key (PTK) and the client’s nonce.
  • The attacker aims to discover the correct PTK by performing a brute-force attack on the Pairwise Master Key (PMK), derived from the pre-shared key.

Description

Test your knowledge on essential web security measures to protect against vulnerabilities. This quiz covers critical topics like input sanitization, cookie security, and JavaScript practices. Assess your understanding of security testing and preventive techniques.
