Questions a) Explain, in your own words, the vulnerabilities that lead to succes
ID: 3674437 • Letter: Q
Question
Questions
a) Explain, in your own words, the vulnerabilities that lead to successful XSS attacks and what methods can be applied to prevent them.
b) Explain, in your own words, the vulnerabilities that lead to successful CSRF attacks and what methods can be applied to prevent them.
c) The claim was made that a nonce can be used to prevent the “double submission” problem in web applications. What is a nonce? What is the double submission problem and how can a server detect and prevent it with a nonce?
d) What are the advantages and disadvantages to using an alternative markup syntax for text formatting in web applications (e.g. wiki syntax, Markdown, Textile, or reStructuredText)?
Explanation / Answer
a)
1. XSS, or Cross Site Scripting, allows an attacker to execute code on the target website from a user's browser, often causing side effects such as data compromise, or the stealing of a user session. This can allow an attacker to impersonate a user to steal their details, or act in their place without consent.
2. XSS is an attack using a browser side scripting language (usually JavaScript). The goal of the attacker is to make the malicious script appear to be from the site being attacked, so the user's browser can't tell the script being executed is not meant to be part of the site they are viewing.
3. This is usually accomplished by an attacker by submitting specially crafted values into the target site's URL or web forms, or anywhere user generated content is displayed on the site.
4. XSS arises in a variety of ways. Code is planted on a site or in a link a user will be tricked into clicking, causing the XSS exploit to execute on the client's browser. Cross site scripting attempts can be notoriously hard to detect as they may take many forms, such as normal human readable text, or specially encoded characters used to trick attempts to detect it.
5. There are two broad attack surfaces which must be protected from XSS. The first is the user's browser environment, and any JavaScript or other code which is executed by the browser, and the second is server side.
6. Browser attacks are executed via variables like the http referrer (page the user was last on and clicked from), or other http type methods such as document.location or document.URL.
7. These variables are supplied by the user's browser, and not the site the page was requested from, so the site has less control. If these values are written into the document at the user side, then the page may be modified with an XSS attack after it has been delivered to the user, as opposed to server-side XSS, where the attack is rendered by the server prior to being sent.
8. In-Body attacks are less likely (in some cases impossible) to prevent with server-side input checking, and should be prevented directly in the client-side code instead.
b)
1. Cross-Site Request Forgery (CSRF) is a type of attack that occurs when a malicious Web site, email, blog, instant message, or program causes a user’s Web browser to perform an unwanted action on a trusted site for which the user is currently authenticated.
2. The impact of a successful cross-site request forgery attack is limited to the capabilities exposed by the vulnerable application. For example, this attack could result in a transfer of funds, changing a password, or purchasing an item in the user's context.
3. In effect, CSRF attacks are used by an attacker to make a target system perform a function (funds transfer, form submission etc.) via the target's browser without knowledge of the target user, at least until the unauthorized function has been committed.
4. Impacts of successful CSRF exploits vary greatly based on the role of the victim. When targeting a normal user, a successful CSRF attack can compromise end-user data and their associated functions. If the targeted end user is an administrator account, a CSRF attack can compromise the entire Web application.
5. The sites that are more likely to be attacked are community Websites (social networking, email) or sites that have high dollar value accounts associated with them (banks, stock brokerages, bill pay services).
6. This attack can happen even if the user is logged into a Web site using strong encryption (HTTPS). Utilizing social engineering, an attacker will embed malicious HTML or JavaScript code into an email or Website to request a specific 'task url'.
7. The task then executes with or without the user's knowledge, either directly or by utilizing a Cross-site Scripting flaw (ex: Samy MySpace Worm).
c)
1. The word Nonce is actually a sort of acronym and is short for "Number used ONCE". It serves as an extra security measure on top of user credentials and access rights to protect against certain actions launched from a website.
2. The goal is to help prevent malicious attacks against the system by preventing actions initiated by links or HTTP requests from being utilized more than once. It works much like the numbering systems at your local butcher shop or medical laboratory.
3. You take a number from the dispenser and wait for your number to be called. Afterwards, you throw away the number. With respect to nonces, every time a link or a form is transmitted to the browser, a key/value pair is embedded.
4. When the link is activated or the form is submitted, server-side code checks for the key/value pair and then authenticates it. If the nonce checks out, the action is performed; if it doesn't or the nonce is missing, the action is not performed and a security error results.
5. While nonce formats are unstandardized at this point, most libraries employ the following pieces of information in generating a nonce:
d)
1. There are a number of popular text markup formats in use today. Some of these, such as JSON and Markdown, have risen in popularity recently; others, such as SGML or troff, have waned. Whenever a format becomes more popular it gains proponents who seem to want to see it used everywhere, for everything, for ever, right away.
2. A fairly simple (and possibly over-simplistic) analysis of the rhetorical nature of some of these various formats.
3. HyperText Markup Language, commonly referred to as HTML, is the standard markup language used to create web pages.
4. Along with CSS, and JavaScript, HTML is a cornerstone technology, used by most websites to create visually engaging web pages, user interfaces for web applications, and user interfaces for many mobile applications.
5. Web browsers can read HTML files and render them into visible or audible web pages. HTML describes the structure of a website semantically along with cues for presentation, making it a markup language, rather than a programming language.
6. HTML elements form the building blocks of all websites. HTML allows images and objects to be embedded and can be used to create interactive forms. It provides a means to create structured documents by denoting structural semantics for text such as headings, paragraphs, lists, links, quotes and other items.
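The following Python sketch is an added example and is not part of the original answer. It illustrates the server-side controls described in parts a), b) and c): escaping untrusted text before it is placed in an HTML body (XSS), checking a session-bound CSRF token on state-changing requests (CSRF), and accepting each embedded nonce exactly once so that a resubmitted form is rejected instead of being processed twice (double submission). The in-memory `SESSIONS` store and all function names are assumptions made for the example; a real application would keep this state in its session layer.

```python
import hmac
import html
import secrets

# Constructed in-memory session store (assumption: single process).
# session_id -> {"csrf": per-session token, "nonces": set of unused nonces}
SESSIONS = {}


def new_session():
    """Create a session and tie a random CSRF token to it (part b)."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"csrf": secrets.token_urlsafe(32), "nonces": set()}
    return sid


def issue_nonce(sid):
    """Mint a fresh 'number used once' to embed in a form or link (part c)."""
    nonce = secrets.token_urlsafe(16)
    SESSIONS[sid]["nonces"].add(nonce)
    return nonce


def render_comment(user_text):
    """Part a): escape user-supplied text for an HTML body context so that
    characters such as < > & " ' cannot close the element or start a script."""
    return '<p class="comment">' + html.escape(user_text, quote=True) + "</p>"


def handle_post(sid, form):
    """Checks run before a state-changing action (e.g. a funds transfer).

    `form` is a dict standing in for the parsed request body.
    Returns (HTTP status, reason) so callers and tests can see why it failed.
    """
    session = SESSIONS.get(sid)
    if session is None:
        return 401, "no session"

    # Part b): the token in the form must match the one bound to this session.
    # A cross-site page cannot read it, so a forged request lacks it.
    supplied = form.get("csrf_token", "")
    if not hmac.compare_digest(supplied.encode(), session["csrf"].encode()):
        return 403, "csrf token missing or wrong"

    # Part c): the nonce is valid once. Removing it on first use means a
    # refresh, double click or replay of the same form is detected and refused.
    nonce = form.get("nonce")
    if nonce is None or nonce not in session["nonces"]:
        return 409, "nonce missing, unknown or already used"
    session["nonces"].discard(nonce)

    return 200, "action performed"


def demo():
    """Walk through the scenarios and return the status codes observed."""
    sid = new_session()
    token = SESSIONS[sid]["csrf"]
    nonce = issue_nonce(sid)
    first = handle_post(sid, {"csrf_token": token, "nonce": nonce})[0]
    replay = handle_post(sid, {"csrf_token": token, "nonce": nonce})[0]
    forged = handle_post(sid, {"csrf_token": "guess", "nonce": issue_nonce(sid)})[0]
    return [first, replay, forged]


if __name__ == "__main__":
    print(render_comment("<script>alert(1)</script>"))
    print(demo())
```

Note that the nonce check only works because the server remembers which values it handed out and forgets each one on first use; a nonce that is merely random but never recorded would pass the format check on every resubmission.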