Web Security Threats and Solutions Quiz 5 new

Questions and Answers

Which element in HTML5 is used as a grouping of content, e.g. chapters or tabbed pages?

(correct)

What attribute is used to tell the browser to start downloading and playing a video automatically as soon as possible?

loop

controls

autoplay (correct)

preload

Which HTML5 element is used for multimedia content and supports audio and video natively?

/ (correct)

What is the purpose of the element in HTML5?

To define navigation links

Which attribute is used to specify that a video should start downloading as soon as the page loads, but not playing automatically?

preload='auto'

What is the purpose of the element in HTML5?

To contain introductory content or navigational links

What is the purpose of the canvas element in HTML5?

To draw graphics with JavaScript

What feature of HTML5 allows users to share their physical location with web applications?

Geolocation

Why is HTML5 popular for game development?

It supports scalable vector graphics (SVG)

What does HTML5 provide for consistent user experience across browsers and devices?

Cross-platform compatibility

Which aspect of web security does HTML5 emphasize improvements on?

Semantic elements

What is a feature of HTML5 that enables more efficient, faster-loading web pages?

Improved parsing rules

What is TOR and what does it provide?

A protective layer that provides an anonymous path between the user and the Internet

Which of the following is an example of the Invisible Web?

NASA's internal database

What was the first discovered malware that spies and subverts industrial systems?

Worms Stuxnet

What is the main characteristic of the Dark Web?

It is accessible only through software called TOR

What does the term 'Intranet' refer to?

Web content that can only be accessed by individuals with logins

What is the purpose of Onion routing implemented by TOR?

To conceal a user's location and usage from network surveillance

What is the primary goal of phishing?

To gain unauthorized access to accounts

What is a common vulnerability in web security?

Insufficient authentication

What is the primary characteristic of passphrases in comparison to passwords?

Longer and more secure

What method do brute force attacks use to guess user credentials?

Automated trial and error

What type of attacks did Wannacry specifically target?

Hospitals

What experienced a 600% increase in cyber attacks?

IoT devices

What is Diceware used for?

Creating secure passphrases

What did Bill Burr, the original author of NIST 2003 password guidelines, regret recommending?

Passwords with uppercase and lowercase letters, numbers, special characters, and a minimum of 8 characters

What is the primary defense mechanism to stop Cross-site scripting (XSS)?

Contextual output encoding/escaping

What is a mitigation for XSS?

Tying session cookies to the user's IP address and using the HttpOnly flag

What is Clickjacking?

A method used by malicious individuals to trick users into clicking on invisible iframes positioned above clickable buttons on a website

What does JSONP (JSON with Padding) allow?

Bypassing the same-origin policy by using JSON in combination with the script tag

Study Notes

Web Security Threats and Solutions

• Diceware is a method for creating secure passphrases by rolling a dice to select words from a list of 7,776 English words.
• Bill Burr, the original author of NIST 2003 password guidelines, regrets recommending passwords with uppercase and lowercase letters, numbers, special characters, and a minimum of 8 characters.
• Session prediction/hijacking involves impersonating a website user by compromising their session ID or cookies.
• Cross-site scripting (XSS) is a vulnerability in web applications that allows attackers to inject client-side scripts and bypass access controls.
• Contextual output encoding/escaping is the primary defense mechanism to stop XSS, but many web applications still rely on session cookies for authentication.
• Mitigations for XSS include tying session cookies to the user's IP address and using the HttpOnly flag to prevent client-side scripts from accessing cookies.
• Browser and plugin vulnerabilities, such as Java/ActiveX/Flash/Acrobat, can enable various attacks and need to be patched by vendors.
• Clickjacking is a method used by malicious individuals to trick users into clicking on invisible iframes positioned above clickable buttons on a website.
• Injection attacks, including SQL/LDAP/XPATH/SOAP/JSON Injection, occur when an application does not properly validate user input.
• JavaScript Hijacking allows unauthorized attackers to read confidential data from a vulnerable application by bypassing the Same Origin Policy using a dynamic script tag.
• Search worms automate finding vulnerable web servers by sending carefully crafted queries to search engines, evading common detection methods.
• JSON with Padding (JSONP) is a way to bypass the same-origin policy by using JSON in combination with the script tag, allowing the execution of information from the server.

Description

Test your knowledge of web security threats and solutions with this quiz. Explore concepts such as Diceware passphrases, session prediction/hijacking, cross-site scripting (XSS) vulnerabilities, clickjacking, injection attacks, and more. Learn about defense mechanisms and mitigations to safeguard against these threats.