Security at LMU München | Flashcards & Summaries

Study materials for Security at LMU München


Q:

1. What is Cross-Site Scripting (XSS)?

2. What are the types of XSS?
A:

1. Attacker includes malicious code (most often JS) in a web page

2. User visits the web page and malicious code gets executed

E.g. forums, web pages with comments, message boards


Types of XSS Attacks

There are three different types of XSS, which differ in how the malicious payload is injected into and processed by the application.

  • Stored XSS — Stored XSS occurs when a malicious input is permanently stored on a server and reflected back to the user in a vulnerable web application. This often occurs when a malicious value can be stored in a database and retrieved, such as with a message board post or data in a user profile.
  • Reflected XSS — Reflected XSS occurs when malicious input is sent to a server and reflected back to the user on the response page.

    For a reflected XSS attack to succeed, the attacker needs to convince the user to open a link that carries the malicious input, like: https://vulnerablesite.com?param=<script>alert(document.cookie)</script>. While this may not fool more savvy users, even experienced ones can be tricked by link shorteners, which hide the underlying URL.

  • DOM-based XSS — DOM-based XSS occurs when an attack payload is executed as a result of modifying the web page’s document object model (DOM) in the victim user’s browser. The web page itself is not changed, but its client-side code executes in a malicious way because of these DOM changes. In this case, the web application’s server or database is never involved. This is an important distinction, because many security products can’t catch this kind of attack if the malicious input doesn’t reach the server. 

Understand Cross-Site Scripting (XSS)

Prevention

Input Filtering

Input filtering works on the idea that malicious attacks are best caught at the point of user input. If the user inputs <b>duck</b> and the page strips or blocks the code, then no unauthorized code runs. There are two types of input filtering.

  • Blacklisting — Specific “bad” characters or combinations of characters are banned, meaning they can’t be entered or stored. The developer creates a list of known bad characters (such as HTML or script tags) and throws an error if any bad characters are in the input.
  • Whitelisting — Only characters or words from a known list of entries are permitted, preventing malicious input. For example, if the user enters anything besides numbers in a phone number field, the application throws an error.

Of the two input filtering methods, whitelisting is considered the more secure approach. For whitelisting to be effective, the developer only needs to know the expected input values, while blacklisting requires the developer to maintain a list of all potential malicious entries, often an impossible task.

Output Encoding

While input filtering works by preventing malicious data from entering the system, output encoding takes the opposite approach: it prevents malicious payloads that are already in the system from executing. Output encoding is often considered more essential than input filtering because it doesn't rely on any upstream or downstream protection and can't be bypassed by alternative input pathways (another API, a database import, a second application writing to the same store).

In output encoding, the server takes all characters that are meaningful in a specific context (HTML, JavaScript, URL) and replaces them with a representation that is treated as plain text in that context. Consider the "<" character: in HTML it starts a tag (like <b> for bold), but in a mathematical expression it simply means less than.

So how does the browser tell the difference? Encoding! Encoding lets a meaningful character be included in a block of text via a controlled substitution that removes its meaning. In the case of "<", you replace it with the characters "&lt;" and the browser renders a literal "<" instead of treating it as the start of a tag.

As a developer, you use this same idea to mitigate XSS: characters that could act as code never appear in their meaningful form in the rendered output, only as their text equivalents. The encoding has to match the context the data lands in: the HTML body, an HTML attribute, a JavaScript string and a URL parameter each need their own encoder, and applying the HTML one everywhere is a common mistake.
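The following is an added example, not code from the original flashcards or from any article they quote. It shows context-aware output encoding for a stored comment: one encoder each for the HTML body, a URL parameter and a JavaScript string literal, and a renderer that picks the right one per sink. The function names, the HTML template and the two stored payloads are constructed for this example.

```javascript
// Added example, not part of the original flashcards: context-aware output
// encoding for a stored comment. Encoder names, the HTML template and the
// stored payloads below are illustrative constructions.

// HTML body / quoted-attribute context: the five characters that can open or
// close markup or an attribute value are replaced by entities.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
};
function encodeForHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// URL query-parameter context: percent-encode everything that is meaningful
// in a URL (including & = ? # < > and the double quote).
function encodeForUrlParam(untrusted) {
  return encodeURIComponent(String(untrusted));
}

// JavaScript string-literal context: \uXXXX-escape every non-alphanumeric
// UTF-16 unit, so the value can neither close the quote nor contain the
// sequence </script> that would end the surrounding script block.
function encodeForJsString(untrusted) {
  return String(untrusted).replace(/[^A-Za-z0-9]/g, (c) =>
    '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Render one stored comment into three different sinks, choosing the encoder
// that matches each sink. Using encodeForHtml for all three would be wrong:
// a value inside a <script> string or a URL follows different parsing rules.
function renderComment(author, text) {
  return [
    `<p class="comment">${encodeForHtml(text)}</p>`,
    `<a href="/users?name=${encodeForUrlParam(author)}">${encodeForHtml(author)}</a>`,
    `<script>var author = '${encodeForJsString(author)}';</script>`,
  ].join('\n');
}

// Constructed stored-XSS payloads as they might sit in the database.
const STORED_TEXT = '<script>alert(document.cookie)</script>';
const STORED_AUTHOR = `Mallory"><img src=x onerror=alert(1)>';</script>`;
```

renderComment(STORED_AUTHOR, STORED_TEXT) yields markup in which the only real <script> tag is the template's own; every injected character arrives as an entity, a percent-escape or a \u-escape, so the browser shows the payloads as text.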

Q:

How to handle data management?

A:

No single point of failure (redundancy and backups for the data store).

Limit exposure of sensitive information: encrypt data at rest, in transit and in backups. HOWEVER: encrypting everything is not always feasible,

-> so encrypt only the data that is actually sensitive (personal information, secrets). Passwords are a special case: they are never stored encrypted but hashed, because the application never needs the plaintext back.

Password storage: bcrypt, scrypt or Argon2 (slow, salted password hashes that resist offline guessing).

pgcrypto: encrypt just a few sensitive columns inside PostgreSQL.

Q:

How to handle Access Control?

A:

Access control restricts what authenticated users are allowed to do (it applies after login: authentication establishes who you are, authorization what you may do).

Principle of least privilege: every user, process or component gets only the permissions it needs for its task, and everything not explicitly granted is denied.
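An added example (not from the original flashcards) of a deny-by-default authorization check that combines role permissions with object ownership, wrapped in an Express-style guard. The roles, actions, record shapes and the loadResource parameter are assumptions for this example; no real middleware library is used.

```javascript
// Added example, not part of the original flashcards: deny-by-default
// authorization. Roles, actions and record shapes are assumed for the demo.
const ROLE_PERMISSIONS = {
  viewer: new Set(['document:read']),
  editor: new Set(['document:read', 'document:update']),
  admin:  new Set(['document:read', 'document:update', 'document:delete', 'user:manage']),
};

// Returns true only when every check passes; anything unknown is denied.
function authorize(user, action, resource = null) {
  if (!user || !user.authenticated) return false;           // authentication first
  const permitted = ROLE_PERMISSIONS[user.role];
  if (!permitted || !permitted.has(action)) return false;   // unknown role or action: deny
  // Object-level rule: non-admins may only modify documents they own, and a
  // modification without a loaded resource is refused. Skipping this check
  // is the classic "change the id in the URL" authorization bug.
  if (action.startsWith('document:') && action !== 'document:read' && user.role !== 'admin') {
    return !!resource && resource.ownerId === user.id;
  }
  return true;
}

// Express-style guard: 403 unless authorized. loadResource (an assumed
// callback, not a library API) fetches the object addressed by the request.
function requirePermission(action, loadResource) {
  return (req, res, next) => {
    const resource = loadResource ? loadResource(req) : null;
    if (authorize(req.user, action, resource)) return next();
    res.status(403).end();
  };
}
```

An editor can update her own document but not a colleague's, cannot delete anything, and an unknown role has no permissions at all.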

Q:

What are the secure headers?

A:


HTTP response headers that tell the browser to enforce protections, e.g. Content-Security-Policy (restricts where scripts may be loaded from), Strict-Transport-Security (HTTPS only), X-Content-Type-Options: nosniff and X-Frame-Options (against clickjacking). They can be set automatically, e.g. through npm helmet (Express), which applies sensible defaults for these headers.

Q:

What is an Injection attack? How to prevent it?

A:

An injection attack occurs when attacker-controlled input is interpreted as code or as part of a command by the application or one of its backends. The most famous are SQL injections.


1. Validate/sanitize input: only accept input of the expected type (e.g. a date of birth only as a date), preferably via a white list of allowed values; a black list that removes HTML tags, keeps only a tag's text content or returns an error message is the weaker option.

2. Parameterize queries (prepared statements): the SQL text is fixed and the user's values are sent to the database separately, so input can only ever be treated as data, never as SQL. Query builders and ORMs such as Knex.js do this by default.

3. Use a query builder or ORM (e.g. Knex.js) instead of concatenating SQL strings by hand.



Note:

! Don't assign user input to el.innerHTML. The browser parses it as HTML, so e.g. an img tag in the input is loaded and any event handler on it runs (DOM-based XSS).

Instead, create a text node with document.createTextNode(input) and attach it with appendChild (or set el.textContent). The input is then rendered as text, so an img tag in it is shown literally and never executed.
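An added example (not from the original flashcards) that places the vulnerable string concatenation next to the parameterized form and adds an allow-list validator for the date-of-birth field mentioned in step 1. The table and column names and the $1 placeholder syntax (node-postgres style; other drivers use ?) are assumptions; no database is contacted, the functions only build the query object a driver would send.

```javascript
// Added example, not part of the original flashcards. Table/column names and
// the $1 placeholder style are assumptions; nothing here talks to a database.

// Vulnerable: the input is spliced into the SQL text, so a quote character
// ends the string literal and the rest of the input is parsed as SQL.
function buildLoginQueryUnsafe(username) {
  return `SELECT id FROM users WHERE username = '${username}'`;
}

// Parameterized: the SQL text is a constant and the values travel separately
// to the database, which binds them as data after parsing the statement.
// knex('users').where({ username }) produces the same separation.
function buildLoginQuerySafe(username) {
  return { text: 'SELECT id FROM users WHERE username = $1', values: [username] };
}

// Allow-list validation: accept only YYYY-MM-DD that denotes a real calendar
// date not in the future, and return the canonical string (or null) rather
// than passing the raw input on.
function parseDateOfBirth(input) {
  const m = /^(\d{4})-(\d{2})-(\d{2})$/.exec(String(input));
  if (!m) return null;
  const [y, mo, d] = m.slice(1).map(Number);
  const date = new Date(Date.UTC(y, mo - 1, d));
  const real = date.getUTCFullYear() === y && date.getUTCMonth() === mo - 1 && date.getUTCDate() === d;
  if (!real || date.getTime() > Date.now()) return null;
  return m[0];
}

// Constructed attacker input: the classic authentication bypass.
const INJECTED = "' OR '1'='1";
```

With INJECTED, the unsafe builder produces a WHERE clause that is true for every row, while the safe builder's text is byte-for-byte the same as for a normal username and the payload sits harmlessly in values[0].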


Q:

What is CSRF? How can it be prevented?

A:

CSRF (Cross-Site Request Forgery) tricks a user into performing an unwanted action on a web application for which the user is already authenticated. The attacker plants e.g. an image tag or a hidden form on a page the victim visits; the browser then sends the forged request to the target application by itself, attaching the victim's session cookie. The attacker cannot see the response to that request, but can change the state of the system: change a password, post in the victim's name, or spread as a worm on social media. Focus is state change, not data theft.


  • Anti-CSRF tokens (synchronizer token pattern, e.g. through npm csurf in Express): every state-changing request must carry a secret token that the attacker's site cannot read
  • SameSite cookie attribute (Lax or Strict), so the session cookie is not sent along with cross-site requests
  • Secure + HttpOnly cookies
  • Keep XSS out of the application, because a script running on the target origin defeats every CSRF defence: sanitize input (no HTML such as img or iframe as user input), no eval(), no document.write(), and a Content-Security-Policy header
Q:

How to handle code secrets?

A:

Environment variables: keep secrets in a .env file that is loaded into the process environment at startup and read via process.env, never hard-coded in source.

Commit history: add .env to .gitignore so it is never committed. A secret that has been pushed even once stays in the history and has to be rotated.

Q:

What is HTTP and HTTPS?

A:

HTTP means that everything (URLs, form fields, cookies, passwords) is sent as plain text, readable and modifiable by anyone on the network path.

HTTPS is HTTP over TLS (formerly SSL): the server presents a certificate that proves its identity, and the TLS connection encrypts and integrity-protects all data that is sent.

HTTPS should ALWAYS be used, in particular whenever forms (logins, personal data) are submitted.

Q:

How to handle authentication?

A:

Handle passwords: verify the submitted password against a stored salted hash (bcrypt, scrypt, Argon2); never store or compare plaintext.

Manage the session: after login issue a random session identifier in a Secure, HttpOnly cookie, let it expire, and invalidate it on logout.

Q:

What is a Linter?

A:

Linting is the process of checking source code for programmatic as well as stylistic errors. It is most helpful in identifying common and uncommon mistakes made during coding.

A lint or linter is a program that performs linting (verifying code quality). Linters are available for most languages, e.g. JavaScript, CSS, HTML and Python. Lint rules can also flag dangerous constructs such as eval() before the code ships.

Q:

What is snapshot testing?

A:

A typical snapshot test case for a mobile app renders a UI component, takes a snapshot, then compares it to a reference snapshot file stored alongside the test. The test will fail if the two snapshots do not match: either the change is unexpected, or the reference snapshot needs to be updated to the new version of the UI component.

Q:

How to handle Logging?

A:

Use a logging library instead of ad-hoc console.log: e.g. winston for application logs and morgan for HTTP request logs in Express (npm install winston morgan). Log security-relevant events (logins, failed logins, denied access), but never passwords, session tokens or other secrets.
