OWASP: Web Application Security


What best describes a third-party component?
- A component written and/or maintained by the open source community.
- A component written and/or maintained by another team in your organization.

A component written and/or maintained by the open source community. (Keep in mind your team could also be part of this open source community.)

How can you prevent the XML external entity vulnerability?
- A: Use JSON, and avoid serialization of sensitive data.
- B: Disable XXE and implement whitelisting.
- C: Patch or upgrade all XML processors and libraries.
- D: Detect, resolve and verify XXE with static application security testing tools.

A, B, C & D

What is the main goal of an API?
- API (Application Programming Interface) lists a bunch of operations that developers can use, along with a description of what they do. The developer doesn't necessarily need to know how, for example, an operating system builds and presents a "Save As" dialog box. They just need to know that it's available for use in their app.
- API (Application Programming Interface) automates lots of mundane work for the programmer. By using APIs the programmer becomes more effective and efficient, since the API is typically maintained by open source developers. They just need to know that it's available for use in their app.
- API (Application Programming Interface) is a type of microservice that is often used for web applications. The use of microservices enables the programmer to become more effective and efficient, since the API is typically maintained by open source developers. They just need to know that it's available for use in their app.
- API (Application Programming Interface) is a type of design pattern that is only used by senior developers. Design patterns are recipes for solving common problems to prevent reinventing the wheel. The use of design patterns enables the programmer to become more effective and efficient, since the API is typically maintained by open source developers. They just need to know that it's available for use in their app.

API (Application Programming Interface) lists a bunch of operations that developers can use, along with a description of what they do. The developer doesn't necessarily need to know how, for example, an operating system builds and presents a "Save As" dialog box. They just need to know that it's available for use in their app.

How can you protect an API?
- Ensure secure communication between client browser and server API.
- Reject untrusted/invalid input data.
- Use the latest framework.
- Vulnerabilities are typically found by penetration testers and secure code reviewers.
- All answers are right.

All answers are right.

How can Cross-Site Request Forgery impact a banking web application?
- Cross-Site Request Forgery is not applicable to the banking sector, because of tight regulation.
- An attack may force a victim to execute unwanted transactions on a web application in which they're currently authenticated.
- An attack may force a victim to execute transactions on a web application.
- A victim may force an attacker victim to execute unwanted transactions on a web application in which they're currently authenticated.

An attack may force a victim to execute unwanted transactions on a web application in which they're currently authenticated.

What is the most cost-effective way to address security misconfiguration?
- Hire external security consultants.
- Hire an intern to reduce costs.
- Buy the most well-advertised security product, because they have a better reputation.
- Continuously scan for vulnerabilities, train your staff and focus on building & shipping more secure products.

Continuously scan for vulnerabilities, train your staff and focus on building & shipping more secure products. (This is the most cost-effective way in the long run.)

What is the difference between encryption at rest and in transit?
- Encryption at rest covers stored data, while encryption in transit covers data in flux (i.e. moving from one point to another point).
- This is a trick question and has nothing to do with sensitive data exposure.
- Encryption at rest covers data in flux (i.e. moving from one point to another point), while encryption in transit covers stored data.
- Encryption at rest covers stored data, while encryption in transit covers data stored in routers and switches.

Encryption at rest covers stored data, while encryption in transit covers data in flux (i.e. moving from one point to another point). (Note: there are new developments that encrypt data in use (e.g. while it is being processed by a processor). An example of this is Microsoft confidential compute.)

How can insufficient attack protection be mitigated?
- Identify, prevent, detect and respond to abnormal use of the web application.
- Identify, prevent and respond to abnormal use of the web application.
- Harden the web application.
- Hire external consultants that have experience with the main technology used in the web application.

Identify, prevent, detect and respond to abnormal use of the web application. (This answer covers all facets (derived from the NIST Cybersecurity Framework). For instance, when you cannot prevent abnormal use you need to detect it (e.g. with logs).)

What is broken access control?
- Improper enforcement of authorization.
- Improper enforcement of identification.

Improper enforcement of authorization. (It is important to check whether the user is allowed to access a part of the system.)

Which answer best describes how to mitigate injection?
- Never trust needles.
- Never trust user input / always sanitize user input.
- Never trust user output.
- It is important to screen every user. Only users that pass your screening may use the web application.

Never trust user input / always sanitize user input. (You never know who the user is, even when your application is only exposed to internal employees. Even an internal employee can become malicious.)

Security misconfiguration is prevented by installing the latest patches.

No (As mentioned in the title of this vulnerability, sometimes you may accidentally misconfigure a system (e.g. leaving unused ports open) which leads to a vulnerability. Typically, this is not patchable.)

Can you efficiently detect known vulnerabilities in third-party components by reading the code?

No (Third-party code often contains hundreds (or thousands) of lines of code. It is not efficient to read the code. Automated scanning tools can do this for you.)

What is the most important message you want to communicate to your developers when you want them to mitigate Cross-Site Scripting?
- Attain formal education about business continuity as soon as possible.
- Blame the cloud provider.
- Religiously untrust input data.
- This attack results in denial of service (DoS), which means one can mitigate by scaling in resources.

Religiously untrust input data. (Even though this answer is framed controversially with the word "religiously", mitigation is all about untrusting user input data.)

Select the right answer.
- Rotate: changes keys/passwords frequently (multiple times a day). Repave: restores the configuration to the last good state (golden image). Repair: patches vulnerabilities as soon as the patches are available.
- Rotate: patches vulnerabilities as soon as the patches are available. Repave: restores the configuration to the last good state (golden image). Repair: changes keys/passwords frequently (multiple times a day).
- Rotate: patches vulnerabilities as soon as the patches are available. Repave: changes keys/passwords frequently (multiple times a day). Repair: restores the configuration to the last good state (golden image).
- Rotate: changes keys/passwords frequently (multiple times a day). Repave: patches vulnerabilities as soon as the patches are available. Repair: restores the configuration to the last good state (golden image).

Rotate: changes keys/passwords frequently (multiple times a day). Repave: restores the configuration to the last good state (golden image). Repair: patches vulnerabilities as soon as the patches are available.

What is the impact of Broken Authentication and Session Management, and how can it be mitigated?
- The attacker can claim the identity of the victim. This is troublesome because now the victim has to prove that (s)he has been hacked.
- The attacker can claim the identity of the victim, and it can be mitigated using a Distributed Denial of Service (DDoS) mitigation strategy.
- This is a trick question; there is no impact nor mitigation strategy.
- The attacker can claim the identity of the victim, and it could be mitigated using two-factor authentication.

The attacker can claim the identity of the victim, and it could be mitigated using two-factor authentication. (Two-factor authentication is one of many mitigation strategies.)

Which of the following answers does not prevent insecure deserialization?
- Implement digital signatures on serialized objects to enforce integrity.
- Use salted encryption on storage of passwords.
- Validate user input.
- Restrict usage and monitor deserialization, and log exceptions and failures.

Use salted encryption on storage of passwords.
