HPE Interview
account hijacking (XSS)
An attacker can hijack the user's session before the session cookie expires and take actions with the privileges of the user who accessed the URL, such as issuing database queries and viewing the results.
what are the problems with local file inclusion?
An attacker can view the contents of various (possibly arbitrary) files on the system, which could potentially allow the attacker to recover application source code, system configuration information, or private data
How should you handle login forms?
Any area of a web application that possibly contains sensitive information or access to privileged functionality such as remote site administration functionality should utilize SSL or another form of encryption to prevent login information from being sniffed or otherwise intercepted or stolen. If the login form is being served over SSL, the page that the form is being submitted to MUST be accessed over SSL. Every link/URL present on that page (not just the form action) needs to be served over HTTPS. This will prevent Man-in-the-Middle attacks on the login form.
how to solve XSS
Cross-Site Scripting attacks can be avoided by carefully validating all input, and properly encoding all output. When validating user input, verify that it matches the strictest definition of valid input possible. For example, if a certain parameter is supposed to be a number, attempt to convert it to a numeric data type in your programming language. When accepting other types of text input, make sure the value matches either a list of acceptable values (white-listing), or a strict regular expression. If at any point the value appears invalid, do not accept it. Also, do not attempt to return the value to the user in an error message.
How do you remediate the problem of passwords being found in the query string of a GET request or Set Cookie header?
Ensure that login information is sent with a POST request over an encrypted connection and that sensitive account information is kept on the server.
What are some examples of SQL injection?
Examples include parameters within the url itself, post data, or cookie values.
How do you solve the cookie retrieval problem?
IIS Web Servers should be configured to return custom error pages which do not reveal details about the script which caused the error.
What can happen if you allow POST data parameters to be passed through GET parameters?
It can open the web app to XSRF attacks
Denial of Service (XSS)
Often by utilizing malformed display requests on sites that contain a Cross-Site Scripting vulnerability, attackers can cause a denial of service condition to occur by causing the host site to query itself repeatedly .
browser redirection (XSS)
On certain types of sites that use frames, a user can be made to think that he is in fact on the original site when he has been redirected to a malicious one, since the URL in the browser's address bar will remains the same. This is because the entire page isn't being redirected, just the frame in which the JavaScript is being executed.
What are the workarounds/alternatives to hidden fields
One workable bypass is to encrypt the hidden values in a form, and then decrypt them when that information is to be utilized by a database operation or a script. From a security standpoint, the best method of temporarily storing information required by different forms is to utilize a session cookie.
what is the problem associated with open redirect?
Open redirect vulnerabilities occur when a web application redirects clients to any arbitrary URL that can be controlled by an attacker.Attackers can utilize open redirects to trick users into visiting a URL to a trusted site and redirecting them to a malicious site. By encoding the URL, an attacker can make it more difficult for end-users to notice the malicious destination of the redirect, even when it is passed as a URL parameter to the trusted site.
how do you prevent log forging attacks
Prevent log forging attacks with indirection: create a set of legitimate log entries that correspond to different events that must be logged and only log entries from this set. To capture dynamic content, such as users logging out of the system, always use server-controlled values rather than user-supplied data. This ensures that the input provided by the user is never used directly in a log entry.
Why does autocomplete occur even those the setting might be "off" on your password fields?
Recent versions of most browsers, as noted below, now ignore the autocomplete="off" attribute for password fields in html forms. Users are allowed to decide the password policy at their own discretion using the password manager.
reflected attacks
Reflected attacks, on the other hand, come from somewhere else. This happens when user input from a web client is immediately included via server-side scripts in a dynamically generated web page. Via some social engineering, an attacker can trick a victim, such as through a malicious link or "rigged" form, to submit information which will be altered to include attack code and then sent to the legitimate server. The injected code is then reflected back to the user's browser which executes it because it came from a trusted server. The implication of each kind of attack is the same.
What is SQL injection?
SQL injection is a method of attack where an attacker can exploit vulnerable code and the type of data an application will accept, and can be exploited in any application parameter that influences a database query.
stored XSS
Stored attacks are just that...in some form stored on the target server, such as in a database, or via a submission to a bulletin board or visitor log. The victim will retrieve and execute the attack code in his browser when a request is made for the stored information.
Why is Cookie Retrieval a problem in ASP?
The Active Server Pages (ASP) engine does not properly handle special cookie values when they are retrieved. Because of this, an unhandled error is returned to the client. This behavior can be used maliciously to gather sensitive information from web applications.
what is remote file inclusion?
The attacker can cause the application to fetch and display arbitrary URLs, thus allowing the attacker to feed specific information to the application for processing and display. The application is vulnerable to Cross-Site Scripting if the application only displays the fetched information. However, many web applications platforms (notably PHP) allow the interpretation of PHP script fetched from remote URLs; this could result in the attack running arbitrary script code on the web server simply by causing the web application to fetch a URL that returns script code.
reflected vs stored XSS
The main difference between the two is in how the payload arrives at the server.
how to stop open redirect attacks?
Unvalidated user input should not be allowed to control the destination URL in a redirect. Instead, use a level of indirection: create a list of legitimate URLs that users are allowed to specify and only allow users to select from the list. With this approach, input provided by users is never used directly to specify a URL for redirects
How to handle poor error handling
Use uniform error codes to ensure that you are not inadvertently supplying information to an attacker. Do not reveal too much info in your error messgaes. Utilize generic error pages and error handling logic to inform end users of potential problems.
malicious script execution (XSS)
Users can unknowingly execute JavaScript, VBScript, ActiveX, HTML, or even Flash content that has been inserted into a dynamically generated page by an attacker.
How do you stop SQL injection
Using parameterized queries will stop SQL injection attacks by seperating the logic of a query from its data. It can have an impact on performance. Validating user input for both type and format can help as well. Whitelisting is the best option here.
information theft (XSS)
Via redirection and fake sites, attackers can connect users to a malicious server of the attacker's choice and capture any information entered by the user.
What do WSDLs contain and why are the bad?
WSDL's contain information about the web services that the server offers. An unintended exposure of this information can cause unauthorized access to server methods. An attacker can bypass the client application and directly call web methods.
Why are hidden fields bad?
While preventing display of information on the web page itself, the information submitted via hidden form fields is easily accessible, and could give an attacker valuable information that would prove helpful in escalating his attack methodology.
worm propagation (XSS)
With Ajax applications, XSS can propagate somewhat like a virus. The XSS payload can autonomously inject itself into pages, and easily re-inject the same host with more XSS, all of which can be done with no hard refresh. Thus, XSS can send multiple requests using complex HTTP methods to propagate itself invisibly to the user.
Main problems associated with XSS
account hijacking, malicious script injection, worm propagation, information theft, denial of service, browser redirection, manipulation of user settings
what is cross frame scripting (XFS)
allows an attacker to load the vulnerable application inside an HTML iframe tag on a malicious page. This is usually associated with click jacking.
what is command injection?
allows an attacker to remotely execute code on your application server.
how to stop command injection
any time a parameter is passed into a dynamically generated page, it must be assumed that could be incorrectly formatted. OS specific command metacharacters such as pipe and backquote characters should be filtered from incoming data before being used in an OS command.
how to fight remote file inclusion
define what is allowed. Ensure the web application validates all input parameters. check the responses from POST and GET requests to ensure what is being returned is expected, and is valid. Verify the origin of the scripts before you modify or utilize them.
Why is XSS bad
if successful, XSS vulnerabilities can be exploited to manipulate or steal cookies, create requests that can be mistaken for those of a valid user, compromise confidential information, or execute malicious code on end user systems.
Common information leaks
internal IP address (may disclose information about the IP addressing scheme of the internal network), including filename,
Why should HTTPOnly be set on cookies
it helps mitigate the possibility of successful XSS attacks by not allowing cookies with HTTP only attribute to be accessed by client-side scripts?
What is XSS
it occurs when dynamically generated web pages display user input that is not properly validated, allowing an an attacker to embed malicious scripts into the generated page and then execute the script on the machine of any user that views the site.
what is XSRF
occur if one site sends a request to another site on which the user has authenticated that will mistakenly be received as if the user authorized the request. If a user visits a vulnerable site, the attacker make the user's browser send a request to a different target site that performs and action on behalf of the user. The target site only sees a normal authenticated request coming from the user and performs whatever sensitive action was requested. Whatever functionality exists on the target site can be manipulated in this fashion.
how to remediate potential problems with remote file inclusion?
the problem arises from improper validation of characters accepts by the application. Never assume the parameter is of a valid format. Don't store critical data in hidden parameters.
how to fight XSRF
use anti-XSRF tokens throughout the session or CAPTCHAS.
how to mitigate XFS?
use the X-frame options headers. It instructs the browser about appropriate actions to perform if their site is included in an iframe. Options: Deny - deny all attempts to frame page; SAMEORIGIN- the page can be framed by another page only if it belongs to the same origin as the page being framed; ALLOW-FROM - developers can specify a list of trusted origins in the origin attribute, only pages on origin permitted to load this page inside an iframe. Developers must also use client side frame busting JavaScript as protection against XFS.