Codebashing
What is the reason the insecure redirect (or insecure forward) vulnerability exists in the redirection functionality of an application?
A vulnerable application may redirect users to an arbitrary domain. This vulnerability may be exploited by attackers in phishing campaigns.
What may an attacker do if he successfully exploits a command injection vulnerability?
Command injection gives an attacker the opportunity to run arbitrary commands with the privileges of the OS user the application runs as. If Bob can escalate privileges, he can run commands as root.
Which of the options best describes a Horizontal Privilege Escalation attack?
A Horizontal Privilege Escalation attack is one in which attackers obtain the privileges of other users at the same privilege level, where those privileges apply to a different scope or domain of access.
How does an additional unique token in the request body help the server mitigate CSRF?
This prevents an attacker from filling in a form and having a user submit it for them, because a token associated with the user's session is validated by the server; since an attacker cannot guess this token, they cannot forge a form that would be accepted. In other words, an element in the form that is unique to the user prevents the attacker from crafting a valid form, mitigating CSRF attacks.
What is the explicit reason deserialization of untrusted data is so dangerous?
An attacker may create serialized objects which, upon deserialization by the server, may result in malicious code execution, OS command injection, logic and security bypasses and more, depending on which classes and objects are available to the deserialization methods to deserialize dangerous content into.
How can an attacker find a user management interface?
An attacker may find a hidden management interface using all of the mentioned ways.
How can Stored XSS be prevented?
To prevent a Stored XSS attack, user input should be sanitized before it is saved to the database, and sanitized again after it is retrieved from the database and before it is served to the user.
If the session token is stored in the URL (e.g. https://example.com/profile?session=7sdfkl82qtklqa81o9nar0) where can it be leaked?
URLs are usually saved in many locations, such as web server logs, web application logs, proxies, browser history and network devices. They may also be sent by the browser in the Referer header.
The authentication credentials are stored in the URL (e.g. http://codebashing.com/login?username=admin&password=admin). Where can they be leaked from?
URLs are usually saved in many locations, such as web server logs, web application logs, proxies, browser history and network devices. They may also be sent by the browser in the Referer header.
What are the dynamic contexts that could be prone to XSS?
User input values may eventually be inserted into an HTML context, a JavaScript context, and others. These contexts are dynamic: while rendering the page, the browser may execute malicious code received from user input.
What is the right strategy to prevent a session fixation vulnerability?
Issuing a session ID after authentication that differs from the one used before authentication prevents session fixation.
What is an example of vertical privilege escalation in a web application?
Vertical privilege escalation means that the attacker gains access to application functionality that requires special privileges. For example, a regular user gains access to the user management functionality that only the admin should be able to access.
What header can be used to protect against Clickjacking attacks?
The Content-Security-Policy "frame-ancestors" directive restricts which domains are allowed to embed the site in an iframe or similar tags, thus preventing Clickjacking.
How can the comments left during debugging impact security?
Developers tend to write verbose comments during development that contain useful information. It is important to remove all unnecessary sensitive information from the code before shipping it to the production environment.
What are the consequences of using insufficiently random values?
If a session ID is not sufficiently random, it can be predicted, which allows user accounts to be hijacked.
What should you do to protect against XXE processing?
Prohibiting document type definitions (DTDs) prevents XXE attacks.
Why do vulnerabilities in third-party software components persist?
Security is everybody's job, meaning both security engineers and developers should participate in security tasks. Vendors tend to mitigate vulnerabilities as soon as possible, and it is important to patch the vulnerable component according to its severity level. Updating components does require a lot of testing, but it should be included in plans and performed in a timely manner.
If a CSRF token is part of the URL, where could it be disclosed?
Sending sensitive data such as a CSRF token in the URL may lead to its disclosure through all of the ways and places mentioned.
The application allows the user to choose language settings by specifying a language file in the URL (e.g. http://example.com/languages?language=english.txt). It returns the content of the specified file from the /var/www/languages/ directory to the user's browser so the user can confirm these language settings. Choose the right payload that may be inserted into the "language" parameter to steal the password file stored in /home/superadmin/pwd.txt.
The ../ sequence is used on UNIX systems to refer to the parent folder of the current folder. If the application does not sanitize user input, a Directory Traversal vulnerability allows an attacker to read an arbitrary file using ../ sequences: by chaining several ../ the attacker climbs from the web server folder to the root folder and then descends to the target file.
What is the necessary condition for a Reflected XSS attack?
The core concept of reflected XSS is exploiting user input that is reflected back to the user's browser in error messages, search results, etc. The attacker tricks a user into opening a vulnerable site with a malicious script inserted into the input field. This script is reflected back to the user's browser and is treated by the browser as part of the site.
