Web Security Threats Quiz

Questions and Answers

Which element in HTML5 is used as a grouping of content, e.g. chapters or tabbed pages?

(correct)

What is the purpose of the 'autoplay' attribute in HTML5 video element?

To mute the video by default

To prevent the video from downloading until the user initiates it

To pause the video as soon as the page loads

To start downloading the video file as soon as the page loads and play it automatically (correct)

Which type of files are supported by the HTML5 video element for multimedia integration?

Text files

Executable files

Image files only

Video and audio files (correct)

Which HTML5 element is used to insert multimedia content like audio and video?

and

What is the purpose of TOR (The Onion Router) network?

To provide an anonymous path between the user and the websites visited

Which type of web can only be accessed by individuals with logins for the websites?

Invisible Web (intranet)

Which attack was the first to include a Programmable Logic Controller (PLC) rootkit?

Stuxnet

What was the significant outcome of the Yahoo breach?

It became one of the top corporate hacks

What is the primary objective of phishing?

To gain control of accounts through malicious links

What is the primary goal of ransomware attacks?

To encrypt files and demand ransom payment

What is the main feature of SQL injection attacks?

Maliciously altering website databases

What is the primary purpose of brute force attacks?

To guess usernames, passwords, or other unique user identifiers

Which HTML5 feature enables web applications to store data locally and operate offline?

Persistent local storage

What is the #1 vulnerability in web security according to the text?

Cross-site scripting (XSS)

Which HTML5 feature enhances web interactivity with new APIs for tasks like drag-and-drop and file handling?

New form elements and attributes

What HTML5 feature ensures cross-platform compatibility for a consistent user experience across browsers and devices?

Scalable vector graphics (SVG)

What is Diceware?

A method using a word list and dice to create a passphrase

What is the primary defense mechanism to stop Cross-site scripting (XSS)?

Contextual output encoding/escaping

What does Clickjacking involve?

Tricking users into clicking on invisible iframes positioned above clickable buttons on websites

What is JSON with Padding (JSONP) used for?

Bypassing the same-origin policy by using JSON in combination with the script tag to execute functions and retrieve information from a server

Who coined the term 'computer virus'?

Adleman

What is the most popular algorithm for public key encryption?

RSA

What is the primary purpose of the private key in public key cryptography?

For privacy

What is involved in determining the private key from the public key in RSA encryption?

Factoring very large numbers

What is the purpose of hash functions in public key cryptography?

To map large objects to unique small values

What is the primary difference between SOAP and REST?

SOAP is a protocol for exchanging XML-based messages, while REST is a software architectural style for distributed hypermedia systems.

What is a key characteristic of JSON-RPC?

It is a protocol for exchanging JSON-encoded messages instead of XML.

What is a best practice for implementing REST services?

Provide a URI for each resource that you want exposed.

What is a characteristic of Amazon Associates web services?

It is targeted at third-party site owners looking to build more effective sponsored affiliate links to Amazon products.

What is the primary purpose of Apple's iCloud service for developers?

To place all information captured on any Apple device into the cloud, making it immediately available to all other Apple devices.

What is the primary purpose of a Certificate Authority (CA) in the context of SSL?

Verifying the identity of entities and issuing digitally signed electronic certificates

What is the main function of DNS redirection and round-robin in the context of load balancing?

Evenly distributing web requests and preventing overutilization of servers

What is the role of SSL (Secure Sockets Layer) protocol in web communication?

Establishing an encrypted link between server and client for secure electronic commerce

What is the purpose of cryptographic hash functions like MD5 and SHA in secure web communication?

Mapping values to numbers for message integrity and security

What is the primary factor in the selection of a web platform according to the text?

Capacity, cost, maintenance, security, and development support

Which server is preferred over Apache due to its lower memory usage and better ability to handle high traffic?

NginX

What is the primary purpose of proxy servers on the client-side, known as forward proxy servers?

Control access to restricted sites and enhance performance through caching

Which HTTP headers are utilized for validation and control how browser caches and proxies handle objects?

Last-Modified and ETags

What are REST services based on?

Representational State Transfer

What is crucial for financial transactions and commonly used in SOAP-based web services?

XML security and encryption

What is the primary difference between virtual machines (VMs) and containers?

VMs virtualize the hardware, while containers virtualize the operating system.

What was the revolutionary aspect of virtual machines (VMs) in terms of server utilization?

They allowed multiple operating systems to run concurrently on a single physical machine.

What is a drawback of virtual machines (VMs) mentioned in the text?

They are expensive.

What is a common misconception about Function as a Service (FaaS) in serverless computing?

It reduces the need for DevOps and tooling

What is a critical role in designing microservices-based applications on Function as a Service (FaaS)?

Responsiveness

What is a key feature of mature serverless platforms in terms of job processing?

Inbuilt support for long-running jobs and batch processing

Which method is NOT mentioned in the text as a way to opt out of cookies?

Manually editing the cookie files in the browser's directory

What is the purpose of using the 'do not track' option in browser settings?

To prevent websites from tracking user behavior for targeted advertising

What is the primary function of the Evercookie JavaScript API?

To generate extremely persistent cookies in a browser

What is the potential limitation of using opt-out cookies downloaded by clicking a button?

They may conflict with existing cookies in the browser

What is the purpose of using cookie management tools in a web browser?

To view and delete unwanted cookies

What is a key advantage of serverless architectures over traditional virtual machines (VMs)?

Serverless applications automatically scale with the number of requests and are billed based on the exact amount of resources consumed.

What is a distinguishing feature of containers compared to virtual machines (VMs)?

Containers share the host system's kernel, allowing for quick scaling and reduced resource usage.

Which technology abstracted the execution environment from the code, marking the birth of serverless development?

AWS Lambda

What is the primary difference between session and persistent cookies?

Session cookies are stored temporarily and are deleted when the browser is closed, while persistent cookies are stored for a longer period of time.

What is the purpose of secure cookies?

To encrypt cookie data for secure transmission over HTTPS.

In what way do third-party cookies differ from first-party cookies?

Third-party cookies are set by a domain other than the one the user is currently visiting, while first-party cookies are set by the domain of the website being visited.

What happens when a new cookie with the same name, domain, and path as an existing cookie is encountered?

The old cookie is overwritten with the new cookie

What is the purpose of marking a cookie with a special 'secure' keyword?

To ensure the cookie is sent over HTTPS only as a security feature

How are client-side cookies set and sent via JavaScript?

Using the document.cookie property

What is the primary purpose of AJAX in web development?

To update web pages seamlessly without reloading the entire page

What is the benefit of using AJAX in terms of server load and bandwidth?

It reduces server load and bandwidth usage by updating only parts of a web page

How does AJAX contribute to the speed and responsiveness of web applications?

By processing and transferring less data, making web applications feel faster

What type of web applications benefit from the real-time data update capability provided by AJAX?

Chat boxes, live feeds, and real-time data visualization

Which technologies are involved in the concept of AJAX in web development?

HTML/CSS, JavaScript, and XML

What is the key characteristic of AJAX in terms of updating web pages?

It allows web pages to be updated asynchronously without reloading the entire page

Which API provides a more modern, promise-based approach to making asynchronous requests?

Fetch API

What is the responsibility of the server when handling CORS for cross-origin requests?

To include appropriate CORS headers in the response

What is the purpose of the 'Origin' header added by the browser when making a cross-origin request?

To indicate the origin of the request

What is the primary reason for the browser to enforce CORS?

To prevent malicious websites from reading sensitive data from other sites

What is the significance of the 320 by 480-pixel screen mentioned in the text?

It highlights the need to focus on the most important content for mobile devices

What is the primary reason for designing alternative '.mobi' sites for mobile web?

To create an alternative site optimized for mobile devices

What is the primary role of using geo-location in optimizing the mobile experience?

To tailor content based on the user's location

What is the primary advantage of the Fetch API over XMLHttpRequest for new development?

It provides a more modern, promise-based approach

What is the primary technology used in AJAX to request data from a server?

XMLHTTPRequest

Which data formats can AJAX work with?

JSON, HTML, and plain text

What does AJAX heavily rely on for dynamic display and interaction with fetched server data?

JavaScript

Which technology is an alternative to XMLHttpRequest, providing CORS and easy usage for REST calls?

Fetch API

What is the full form of AJAX?

Asynchronous JavaScript and XML

How can AJAX be recognized?

fetch(), iframes, jQuery AJAX functions, and JavaScript code that invokes XMLHttpRequest

What percentage of the end user response time is spent on the front-end according to the text?

80-90%

What is the primary action to bypass the disk cache and request all the components to load the page?

Refresh the page

What is the purpose of the 'Expires' and 'Last-Modified' headers in the context of caching?

Expires ensures the page is not cached, Last-Modified ensures the server checks if the page is blank

What is the significance of the 80/20 performance rule mentioned in the text?

It emphasizes the need to optimize the 20% that affects 80% of the user experience

What is the action to ensure most components are found in the disk cache and corresponding HTTP requests are avoided?

Refresh the page

What is the primary focus when applying the 80/20 performance rule to web optimization?

Front-end optimization

What is the primary difference between Functional/Stateless and Class/Stateful components in React?

Functional components do not maintain their own state, while Class components can maintain a state and have an independent existence

What is the purpose of Props in React?

Props make components reusable by allowing them to receive data from the parent component

Which technology is used to add responsive capabilities to React and replaces the Bootstrap JavaScript?

React-Bootstrap

What is the core of React Native that allows for an easy learning curve and embodies all React’s principles and syntax?

React.js

What is the primary difference between React and Angular?

React is a JavaScript library focused on the view layer, while Angular is a full-fledged MVC framework developed by Google

What is the primary advantage of Angular over React?

Angular provides more out-of-the-box solutions and is more opinionated in its approach

What is the framework for building native, cross-platform mobile apps using JavaScript and React?

React Native

What does React Native implement in terms of CSS and its usage by startups for quicker development and cheaper resources?

React Native implements a strict subset of CSS and is used by startups for quicker development and cheaper resources

What is the purpose of setting an Expires header in HTTP responses?

To instruct caches to remove the object from the cache sooner

What is the primary purpose of using a CDN (content distribution network)?

To distribute content so downloads can come from a nearby location

What is the recommended approach to reduce the number of HTTP requests for scripts, style sheets, and images?

Combine scripts, style sheets, and images into a single request using 'sprites'

What is the main reason for moving scripts to the bottom of the HTML document?

To prevent JavaScript from blocking the rendering of the page

What is the purpose of minifying JavaScript?

To remove unnecessary characters from the source code and reduce its size

Why is it recommended to use external JavaScript and CSS files despite the increase in HTTP requests?

External JS and CSS files can be cached, reducing the need for repeated downloads

What is the primary purpose of setting the Expires header and using a CDN in website optimization?

To improve performance by caching resources and reducing latency

What is the main reason for putting stylesheets at the top and scripts at the bottom in website optimization?

To avoid delays in page rendering

What is the role of Etags in website optimization?

To verify cached resources

What is the primary focus of Yahoo's best practices for website optimization?

Flushing the buffer early

What are the main challenges that ReactJS addresses?

2-way data binding complexity

What distinguishes ReactJS from a fully-functional web app framework?

It provides a view layer library

Study Notes

Web Security Threats and Mitigations

• Diceware uses a word list of 7,776 English words and involves rolling a dice 5 times to select a passphrase
• Bill Burr, author of NIST 2003 password guidelines, regrets recommending passwords with uppercase, lowercase, numbers, special characters, and a minimum of 8 characters
• Session hijacking involves impersonating a website user by compromising their session ID or cookies
• Cross-site scripting (XSS) vulnerabilities allow attackers to inject client-side scripts into web pages, bypassing access controls
• Contextual output encoding/escaping is the primary defense mechanism to stop XSS, with various escaping schemes for different contexts
• Web applications can mitigate XSS by tying session cookies to the user's IP address and using HttpOnly flag to prevent client-side script access
• Browser and plugin vulnerabilities pose risks and need to be patched by vendors, making it challenging for web application developers to address
• Clickjacking involves tricking users into clicking on invisible iframes positioned above clickable buttons on websites
• Injection attacks, such as SQL and JavaScript hijacking, occur when applications do not properly validate user input
• JavaScript hijacking allows unauthorized access to confidential data by bypassing the Same Origin Policy using JSON with Padding (JSONP)
• Search worms automate finding vulnerable web servers by sending crafted queries to search engines, evading random scanning and detection methods
• JSON with Padding is a way to bypass the same-origin policy by using JSON in combination with the script tag to execute functions and retrieve information from a server

Web Services, REST, and Proxy Servers Overview

• Load balancing involves distributing requests to the least loaded servers, while proximity routing sends requests to the nearest server when geographically distributed.
• Load balancing hardware prevents requests from reaching failed servers, and various technologies like DNS redirection and proxy servers aid in this process.
• NginX is preferred over Apache due to its lower memory usage and better ability to handle high traffic, while Lighttpd follows NginX in performance.
• Additional RAM or direct modules can enhance Apache's performance, and using NginX as a reverse proxy can improve overall server performance.
• Proxy servers act as intermediaries for client requests and can be used for various purposes like caching, security, and anonymizing.
• Proxy servers on the client-side, known as forward proxy servers, can control access to restricted sites and enhance performance through caching.
• HTTP headers, such as Last-Modified and ETags, are utilized for validation and control how browser caches and proxies handle objects.
• Web Services provide APIs for accessing a website's information across the Internet, with SOAP and REST being common implementation categories.
• XML security and encryption are crucial for financial transactions and are commonly used in SOAP-based web services.
• REST services, based on Representational State Transfer, use HTTP methods for server-to-client communication and often require OAuth user authentication.
• Cloud services, including application hosting, backup and storage, content delivery, and DNS protection, are offered through APIs and commercial payment models.
• REST is a software architecture style for distributed hypermedia systems, initially proposed by Roy Fielding and commonly used in modern web services.

Understanding Cookies and Cookie-Based Marketing

• Cookies can be set with an "expires=" parameter to specify the date for the cookie to be dropped.
• Overwriting cookies occurs when a new cookie with the same name, domain, and path as an existing cookie is encountered, causing the old cookie to be discarded.
• There is no specific mechanism for deleting cookies, but a common hack involves overwriting a cookie with a bogus value and backdating or setting a short-lived expiration.
• "Protected" cookies can be marked with a special "secure" keyword, causing them to be sent over HTTPS only as a security feature.
• Client-side cookies can be set and sent via JavaScript using the document.cookie property.
• The document.cookie property maintains a list of cookies that can be read and written, providing an array of all cookies for a particular domain.
• A cookie can be removed from the database either because it expires or the cookie file becomes too large, with browsers typically not storing more than 300 cookies, 20 cookies per web server, or more than 4K per cookie.
• The escape() and unescape() functions are used to encode and decode cookie values, converting special characters to their hex equivalents and vice versa.
• Cookie-based marketing involves advertisers using cookies to target specific ads to users and track their activity through third-party cookies.
• Ad networks connect advertisers to websites that want to host advertisements, involving advertisers, website owners, the ad network, and visitors.
• Doubleclick, now owned by Google, is an ad network that matches advertisements to users based on their profiles.
• Google Analytics, a free web analytics tool, uses its own set of cookies to track visitor interactions, storing information such as time of the current visit, previous visits, and referred sites.

Properties and Characteristics of AJAX

• AJAX allows browsers to send and receive data from servers asynchronously, without interfering with the display and behavior of the existing page.
• The XMLHttpRequest object is typically used in AJAX to request data from a server.
• AJAX can work with various data formats including JSON, HTML, and plain text, not just XML.
• AJAX heavily relies on JavaScript for dynamic display and interaction with fetched server data and can update the DOM in response to user interactions without page reloads.
• AJAX can be used in conjunction with other web technologies like PHP, ASP.NET, and APIs to fetch data.
• Modern browsers support AJAX, but the implementation details may vary.
• AJAX must be implemented with security considerations in mind to protect data integrity and prevent unauthorized access.
• AJAX, which stands for Asynchronous JavaScript and XML, is a combination of technologies including CSS, XHTML, DOM, XMLHTTPRequest, XML/JSON, and JavaScript.
• AJAX applications are not just websites, they allow for smooth interaction, immediate data effectiveness, visual effects, and dynamic icons.
• Traditional websites rely on server-side construction and interaction, while AJAX interfaces are manipulated by client-side JavaScript and are always responsive.
• AJAX can be recognized through iframes, jQuery AJAX functions, fetch(), and JavaScript code that invokes XMLHttpRequest.
• The Fetch API is an alternative to XMLHttpRequest, providing CORS and easy usage for REST calls, and is now included in all browsers.

React and React Native Overview

• React uses 1-way data binding and a virtual DOM for efficient updates, JSX for easy HTML and JS mixing, and provides excellent community support and dev tools
• Components are the building blocks of React applications, allowing the UI to be split into reusable pieces
• Functional/Stateless components do not maintain their own state, while Class/Stateful components can maintain a state and have an independent existence
• State in React is a JavaScript object containing component data, accessed via this.state and updated using setState() method
• Props make components reusable by allowing them to receive data from the parent component
• React-Bootstrap is used to add responsive capabilities to React and replaces the Bootstrap JavaScript
• React Native is a framework for building native, cross-platform mobile apps using JavaScript and React, with 5 levels of calls and bindings to native UI components
• React.js is the core of React Native, which allows for an easy learning curve and embodies all React’s principles and syntax
• React Native implements a strict subset of CSS and is used by startups for quicker development and cheaper resources
• React is a JavaScript library focused on the view layer, while Angular is a full-fledged MVC framework developed by Google
• Angular uses TypeScript and supports two-way data binding, RxJS, and a built-in dependency injection mechanism
• React offers more flexibility and a simpler learning curve, while Angular provides more out-of-the-box solutions and is more opinionated in its approach. Both have large communities and are ideal for building SPAs.

Website Optimization and ReactJS Overview

• GIFs can have their Expires date set appropriately to remove the cookie sooner
• Browser requests produce response status codes 200 (server sending back the image) and 304 (browser has the image in its cache)
• Akamai is the largest content distribution network (CDN) provider
• Initial 14 rules to optimize a website include making fewer HTTP requests, using a CDN, adding an Expires header, and compressing components using Gzip
• Putting stylesheets at the top can block rendering in IE, while moving scripts to the bottom can avoid delays in page rendering
• Making JavaScript and CSS external allows for caching, while reducing DNS lookups is recommended to improve performance
• Minifying JS is the second best way to optimize, and avoiding redirects and duplicate scripts are also important
• Etags are used to verify cached resources, and making AJAX cacheable and small is recommended
• Yahoo's best practices include flushing the buffer early, using GET for AJAX requests, and reducing the number of DOM elements
• ReactJS was developed by Facebook as a lightweight JavaScript library for building user interfaces in single-page applications
• ReactJS is not a fully-functional web app framework, but it is used by popular companies like Netflix, Facebook, and Instagram
• React tackles challenges by providing a view layer library and addressing issues with existing heavy-weight frameworks, 2-way data binding complexity, and performance-intensive updates to the real DOM

Description

Explore web security threats and their mitigations in this informative quiz. Test your knowledge on Diceware passphrases, session hijacking, XSS vulnerabilities, injection attacks, browser and plugin vulnerabilities, clickjacking, and more.