Web Application Security Quiz (Short Version)

1. The most effective way of protecting against SQL injection is…

… blacklisting strings such as "1 OR 1=1" and "UNION" from input.

… using an intrusion detection system to detect attacks.

… whitelisting input (e.g. only allowing alphanumerical characters and spaces).

… use of prepared statements or parametrized queries.

… segmenting database accounts and minimizing their user rights.

a] Blacklisting is a poor solution against SQL injection. It can be avoided in multiple ways, and can block valid user input if overused.
b] IDS can detect obvious SQL injection attempts, but it is possible for skilled attackers to avoid detection.
c] Whitelisting can be effective in general, but it overly restricts valid input. Many names have dashes and apostrophes in them, for example.
d] Use of prepared statements is generally accepted as the most effective way of protecting against SQL injection. The built-in escaping and validation will prohibit attackers from injecting a string into a numeric field, and quote data in string fields properly.
e] Adhering to the principle of least privilege is generally a good thing, but it only reduces the impact of a successful attack.

Explanation

a] Blacklisting is a poor solution against SQL injection. It can be avoided in multiple ways, and can block valid user input if overused.
b] IDS can detect obvious SQL injection attempts, but it is possible for skilled attackers to avoid detection.
c] Whitelisting can be effective in general, but it overly restricts valid input. Many names have dashes and apostrophes in them, for example.
d] Use of prepared statements is generally accepted as the most effective way of protecting against SQL injection. The built-in escaping and validation will prohibit attackers from injecting a string into a numeric field, and quote data in string fields properly.
e] Adhering to the principle of least privilege is generally a good thing, but it only reduces the impact of a successful attack.

2. Which is NOT true with respect to cross-site scripting (XSS) vulnerabilities?

The attacker may be able to run arbitrary code on the user's machine.

The attacker can exploit a XSS vulnerability in order to impersonate a user.

Reflected XSS vulnerabilities can only be triggered if the user performs a certain action.

The user cannot do anything to protect himself against reflected XSS on a page that he normally trusts.

An XSS payload may use AJAX requests to persistently infect multiple pages on the host.

a] True; if there is a vulnerability in the JavaScript interpreter or in one of the browser plugins, an XSS attack can lead to client-side code execution.
b] True; an attacker can steal the user’s authentication data from cookies and use it to impersonate the user.
c] True; by definition, a reflected XSS vulnerability is triggered by the user actively following a link.
d] This is NOT true; there are browser plugins such as NoScript that can prevent running JavaScript from untrusted sites.
e] True, the payload may contain a HTTP request that is parametrized to exploit an XSS in another page on the same host. See the Samy MySpace worm for an example.

Explanation

a] True; if there is a vulnerability in the JavaScript interpreter or in one of the browser plugins, an XSS attack can lead to client-side code execution.
b] True; an attacker can steal the user’s authentication data from cookies and use it to impersonate the user.
c] True; by definition, a reflected XSS vulnerability is triggered by the user actively following a link.
d] This is NOT true; there are browser plugins such as NoScript that can prevent running JavaScript from untrusted sites.
e] True, the payload may contain a HTTP request that is parametrized to exploit an XSS in another page on the same host. See the Samy MySpace worm for an example.

3. Which statement is true with respect to HTML5 security?

In HTML5, AJAX calls can read from other domains without restrictions.

Thanks to the new possibilities of HTML5, an attacker can steal data from an iframe through ClickJacking.

If a page does not use the new features introduced by HTML5, it is a good way to protect against the new security risks introduced by those features.

HTML5 makes it easier to protect against XSS.

Local Storage cannot be directly manipulated by XSS.

A] False – the other domain needs to explicitly allow this
B] True
C] False – if the browser supports HTML5, the attacker can inject any kind of HTML5 tag into the page
D] False – it actually gives the attackers more opportunities for XSS attacks
E] False – Cross-site scripting attacks can read or modify Local Storage contents

Explanation

A] False – the other domain needs to explicitly allow this
B] True
C] False – if the browser supports HTML5, the attacker can inject any kind of HTML5 tag into the page
D] False – it actually gives the attackers more opportunities for XSS attacks
E] False – Cross-site scripting attacks can read or modify Local Storage contents

4. If a web application includes a WYSIWYG editor, which of the approaches described below would NOT be appropriate for dealing with potential XSS in user input?

Looking for dangerous strings such as <script>, javascript: and eval(.*) in user-submitted data, and removing them.

Converting HTML control characters such as < to HTML entities such as <.

Only allowing certain 'safe' tags for formatting, such as <b>, <i>, <p>, <br>.

Using special tags (such as [url=...]) and converting them to HTML

Using a HTML filter library to remove potential XSS code from output.

a] Blacklisting is not a good approach, as there are many ways to circumvent and avoid such filters.
b] While this prevents cross-site scripting attacks, it also prevents users from submitting any kind of active content to the site.
c] This approach may be viable depending on the context, but it significantly restricts the scope of content users can submit – e.g. links.
d] This approach is generally accepted as the best compromise. However, the parameters of the special tags (e.g. URLs) must be validated in some way before conversion.
e] Depending on the language of the webapp, this may be a viable solution.

Explanation

a] Blacklisting is not a good approach, as there are many ways to circumvent and avoid such filters.
b] While this prevents cross-site scripting attacks, it also prevents users from submitting any kind of active content to the site.
c] This approach may be viable depending on the context, but it significantly restricts the scope of content users can submit – e.g. links.
d] This approach is generally accepted as the best compromise. However, the parameters of the special tags (e.g. URLs) must be validated in some way before conversion.
e] Depending on the language of the webapp, this may be a viable solution.

Submit

5. If the attacker can run JavaScript on the user's machine, he can expect to…

… modify other currently running scripts.

… simulate user clicks in the browser.

… run arbitrary native code on the user’s machine.

… modify user session data.

… act as a keylogger within the scope of the JavaScript’s origin.

a] True – the attacker can rewrite methods and change variables of other JavaScripts.
b] True – JavaScript clicks are equivalent to user clicks.
c] False – this is only possible if there is a bug in the browser that can be exploited through JavaScript.
d] False – a typical client-side breach cannot affect assets stored on the server.
e] True – JavaScript can relay keystrokes and e.g. send them to an iframe.

Explanation

a] True – the attacker can rewrite methods and change variables of other JavaScripts.
b] True – JavaScript clicks are equivalent to user clicks.
c] False – this is only possible if there is a bug in the browser that can be exploited through JavaScript.
d] False – a typical client-side breach cannot affect assets stored on the server.
e] True – JavaScript can relay keystrokes and e.g. send them to an iframe.

Submit