Terms in this set (17)
What is Application Security Testing?
The process of using software, hardware, and procedural methods to prevent security flaws in applications and protect them from exploitation.
What are the 3 types of box testing?
White: All details are known during testing.
Grey: Some but not all of the details are known.
Black: None of the details are known before testing.
What are 6 common testing types?
- White/Grey/Black Box testing: Know all/some/none of an application before testing
- Regression Testing: Full testing cycle of the application after a change is made.
- Unit Testing: Done by the developers during development.
- Function Testing: Validates the program against a set of functional requirements.
What is the key word found in a Cross-Site Scripting attack?
What are the three types of XSS attacks?
Nonpersistent XSS - URL with rogue script.
Persistent XSS - Websites that allow users to input data that is stored in a database or other location.
DOM (Document Object Model) based XSS - The local document is attacked to modify the original page's client-side JS.
What is Cross-Site Request Forgery?
Tricks a browser into sending a forged HTTP request, including cookies and authentication tokens, to a vulnerable web application.
What are some other names for Cross-site Request Forgery?
One-click or session-riding.
When is it common to find the use of Clickjacking?
Clickjacking is commonly found in phishing emails. It is when the URL being clicked on a page is disguised, replacing the recognizable URL with a hidden one.
What is input validation?
The process of validating data entered into a web application before that data is passed on for processing.
What is an example of improper error handling?
Error handling and reporting should not report details back to the website's visitors. If a website prints the raw error on the web page, this could give a potential attacker critical insider information about the web server.
What are Session Management Attacks? What is the vulnerability in them?
Session Management Attacks occur when a user closes the browser but does not log out. The session is still active and can be used to reopen the site.
The vulnerability is that some websites encode the session ID and put it into the URL.
What is the security concern surrounding Geotagging?
Geotagging on most mobile phones is readily available and can be used to track potential victims.
What is a SQL Injection Attack?
The process of sending malicious SQL queries to the underlying database to manipulate the database or exfiltrate data.
How can you protect your application from SQL Injection attacks?
A Web Application Firewall (WAF) can inspect the incoming URL for the characters used in SQL injection attempts.
Code modules should be developed with low cohesion and high coupling.
True or False?
A code module should have high cohesion (it can perform a single task with little input from other modules) and low coupling (a measure of the interconnectivity between code modules).
In the Operating System Rings of Protection, what is the center ring called?
Ring 0, aka the Kernel.
In the Operating System Rings of Protection, what is the order of rings from inside to the outside and their rank of privilege?
The center is Ring 0 - Kernel: Most Privileged
Ring 1-2 - Device Drivers: Medium Privilege
Ring 3 - Applications: Least Privileged