Web Security Overview Quiz
41 Questions
Questions and Answers

Which of the following languages is NOT mentioned as part of the web security resources?

  • JavaScript
  • Java (correct)
  • PHP
  • Python

Web security only concerns static content and does not involve dynamic content.

False

What middleware is frequently used to analyze URLs and compose web pages for Apache and MySQL?

PHP scripts

The _____ attack involves exploiting vulnerabilities in web applications through client-side scripts.

XSS

Match the following web security terms with their descriptions:

  • XSS = Cross-Site Scripting that injects malicious scripts
  • SQL Injection = Manipulating SQL queries for unauthorized access
  • Slowloris Attack = Overloading a server by opening many connections
  • mod-security = A web application firewall for securing web applications

What is typically required for a web server to create dynamic content?

Connection to a database server

Cookies can be utilized by attackers in XSS attacks to steal user information.

True

What is the first step to execute the CGI script WealthTracker.cgi?

Fire up the Apache web server

The WealthTracker.html file is supposed to send data back to the server.

False

What does the command 'var cookie_info = document.cookie' do?

It retrieves the document's cookie information.

Heap spraying fills up memory with _____ bytes referred to as a nop-sled.

no-op

Match the following steps of the Heap Spray Exploit with their descriptions:

  • Step 1 = Fill memory with no-op bytes
  • Step 2 = Place malicious shell-executable code
  • Step 3 = Dereference memory locations with no-op bytes
  • Step 4 = Execute arbitrary shell code

What could potentially allow malicious attacks on a server when a user submits their credentials?

URL sent in clear text

SQL injection attacks can only occur when input fields are not properly validated.

True

What is the purpose of the PHP package 'php7.0-mysql'?

To allow PHP scripts to connect to MySQL databases.

The MySQL database used in the example is named __________.

Manager_db

Match the following terms with their descriptions:

  • PDO = PHP Data Objects for database connections
  • SQL Injection = Attack to manipulate SQL queries
  • row-level security = Restricts access to rows in a database table
  • localhost.localdomain = Indicates a local server usage in email headers

How many accounts are created in the MySQL database for user access?

Three

The presence of 'localhost.localdomain' in an email header can indicate it originated from a residential IP block.

True

What action does the visitor take after filling out the form in RetrieveFromMySQL.html?

The visitor clicks the 'Submit' button.

When accessing the Maintenance_Schedule table, users can only view __________.

their own row

What type of web server works with the MySQL database in the mentioned example?

Apache

What is the primary goal of the XSS attack with server-side injection described?

To cause a spam file to be downloaded

The injected PHP code will be visible to clients when they view the page source in their browser.

False

What is the IP address of the Web Hosting Service Provider?

192.168.1.105

The service that handles sending emails on the server is called ______.

Sendmail

Match the following entities with their associated IP addresses:

  • Web Hosting Service Provider = 192.168.1.105
  • Innocent Client = 192.168.1.103

Which of the following operating systems does the web hosting service provider use?

Ubuntu 10.04

The innocent client's web browser is Internet Explorer.

False

What file is created by the uploadfile.php script?

A file identical to what the client uploaded, except for extra PHP code

The upload page provided to clients is called ______.

UploadYourWebPage.html

What is a major enabler of SQL injection exploits?

Using the GET method for form submission

SQL injection can enable a user to delete all tables in a database.

True

What does PDO stand for in the context of database security?

PHP Data Objects

The Slowloris Attack can potentially bring down a web server due to insufficient _____ available to it.

concurrency

Match the following SQL concepts with their descriptions:

  • SQL Injection = Exploiting vulnerabilities to manipulate database queries
  • GET method = Form submission that leaks sensitive data through URL
  • PDO = A PHP extension for secure database interactions
  • Slowloris Attack = Creating numerous half-open TCP connections to exhaust server resources

What command can a user input to potentially delete all tables in the database?

nothing; DROP TABLE *;

A Slowloris attack sends complete requests to a web server.

False

Who authored the Slowloris attack?

Robert Hansen

A TCP connection established during a Slowloris attack is kept open until it _____.

times out

What is the main reason SQL Injection exploits are successful?

SQL syntax treating commands and data equally

Study Notes

Lecture 08: Web Security

  • The lecture focuses on web security, covering issues relevant to web servers, browsers, and user interactions.
  • Prerequisites for the lecture include URL, HTTP, and HTML knowledge.
  • Software such as the Apache2 web server, PHP7, MySQL, and sendmail is required.
  • Programming languages such as PHP, Perl, Python, JavaScript, and CGI scripts are used in web development.
  • Resources for further study include PHP comparisons, manuals, tutorials, MySQL documentation, PDO tutorials, the ModSecurity project, JavaScript tutorials, and OWASP resources for application security.
  • Topics outlined include XSS attacks (server-side injection), SQL injection attacks, Slowloris attacks, mod-security, client-side XSS, cookie theft using XSS, and heap spray exploits.

Prerequisites

  • URL, HTTP, and HTML knowledge are needed.
  • Apache2 web server installed on an Ubuntu machine.
  • Apache2 server is enabled with PHP7.
  • MySQL database management system used as the database backend.
  • A driver to enable PHP communication with MySQL.
  • Sendmail program running on the server.

Languages

  • PHP
  • Perl
  • MySQL
  • Python
  • JavaScript
  • CGI scripts

Resources

  • PHP vs. NodeJS comparison and benchmarks (2018)
  • PHP Manual
  • PHP Tutorial
  • MySQL Documentation
  • PDO tutorials (addressing PHP delusions)
  • Modsecurity Project
  • JavaScript Tutorial
  • OWASP Foundation (Open Source Foundation for Application Security)

Outline

  • XSS attack with server-side injection
  • SQL Injection Attack
  • Slowloris Attack
  • mod-security
  • Client-side XSS
  • Cookies and XSS for stealing cookies
  • Heap Spray Exploit

Web Security

  • Web security addresses issues specific to how web servers display content to browsers, how browsers interact with servers, and how users interact with browsers.
  • In the early World Wide Web, web servers offered only static content.
  • Now, dynamic content is common, often tied to a database server.
  • Middleware (often PHP scripts) is frequently used for this purpose, particularly with Apache and MySQL.

XSS Attack with Server-Side Injection

  • This type of attack injects malicious code, often PHP, during upload processes.
  • The injected code isn't visible in the browser's page source.
  • The goal might be to download a spam file from a third-party source as soon as the page loads.
  • A diagram illustrates the attack flow, showing the attacker's web hosting provider injecting the script into the web pages uploaded by users.

XSS Attack with Server-Side Injection (Details)

  • Specific details are provided about the web servers, clients, and email providers involved.
  • Example code snippets showing the injected PHP code demonstrate how the attack works.

SQL Injection Attack

  • PHP and MySQL work together to manage web server databases. The "php7.0-mysql" package allows for direct database connections via a PHP Data Objects (PDO) based driver.
  • A MySQL database (Manager_db) with user accounts (Operator1, Operator2, Operator3) and a Maintenance_Schedule table are set up for illustration.
  • The initial table setup shows each operator's schedules relating to specific equipment.

SQL Injection Attack (Details)

  • An attacker could insert malicious code to modify or delete data (delete all tables) in the database.
  • An important factor is that the SQL syntax places commands and data on equal footing.

Security against SQL Injection

  • To prevent this, user inputs need careful filtering and restricted command access.
  • PDO (PHP Data Objects) based drivers offer consistent API usage across diverse database systems. They often include built-in security measures against SQL Injection.

Kak's Code (Lecture 27)

  • Specific file names (RetrieveFromMySQL.html, RetrieveFromMySQL.php) are listed for the code.

The Slowloris Attack

  • Developed by Robert Hansen in 2009.
  • The attack involves sending incomplete HTTP requests to a web server.
  • This keeps many TCP connections open, overwhelming the server's capacity.

The Slowloris Attack: Example 1, 2, and 3

  • Illustrations of client-side scripts (ClientSocketFetchDocs.py, TestHTTPServerWithNoCRLF.py) and server-side scripts (CheckNetstat.sh, RepeatedAttack.sh, TerminateLoris.sh) used in the attack demonstrate the attack's method.

SlowPost Attack

  • Similar to Slowloris but uses POST requests instead of GET requests.

Kak's Code (Lecture 28)

  • Specific file names (WealthTracker.html) for the relevant code are listed.

XSS for Stealing Cookies

  • Third parties can steal cookies via XSS attacks. JavaScript is used in these attacks.
  • Example steps for a cookie-stealing attack are given, showing how to bring up the JavaScript console, and the required commands are illustrated to steal cookies.
  • The web server script named 'Collector.cgi' is part of the attack and stores stolen cookies.

The Heap Spray Exploit

  • This exploit uses JavaScript to execute shell commands by exploiting how script engines manage memory.

Heap Spray References

  • References to documentation on the heap spray technique are provided.

Web Vulnerabilities

  • Historical security issues with browsers' interactions with servers (e.g., the Samy worm).

Browser Vulnerabilities

  • Vulnerabilities involving JavaScript and the DOM (Document Object Model) are discussed.
  • Another common technique, embedding another web page within the target page (e.g. using <iframe>), is addressed.

Web Application Security

  • The OWASP (Open Web Application Security Project) is mentioned as a notable resource.
  • Tools like W3af for testing web applications for vulnerabilities (SQL injection, cross-site scripting, remote file inclusion) are discussed.

Reference

  • A PDF file reference (for subverting AJAX) is listed.

Description

Test your knowledge on web security concepts, including dynamic content, common attacks, and functionalities of web servers. This quiz covers various critical topics about safeguarding web applications and understanding vulnerabilities. Challenge yourself with matching terms and answering specific questions!