Establishing a web presence is almost a requirement for organizations today, and users expect fancy web sites with dynamic pages that are easy to use. Although many applications make it easy to create web sites, they don’t always include security. This often results in many web sites being highly susceptible to attacks.
If you’re planning on taking the Security+ exam, you should have a basic understanding of web application vulnerabilities. Here’s a a sample question:
Q. While creating a web application, a developer adds code to limit data provided by users. The code prevents users from entering special characters. Which of the following attacks will this code MOST likely prevent?
A. Sniffing
B. Spoofing
C. XSS
D. Pharming
More, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation is available at the end of this post.
NoSQL Versus SQL Databases
Server-based SQL databases are traditional relational databases using tables that relate to each other in one way or another. They are very effective in many situations, but not all. A newer type of database has emerged known as not only SQL (NoSQL).
NoSQL databases typically hold one or more of the following types of data: documents, key-value pairs, or graphs. Documents are formatted in a specific way and each document represents an object. This is similar to how a table holds data in rows. However, the document-based NoSQL database gives developers much more flexibility in how they can store and query the data.
Both NoSQL and SQL databases are susceptible to command injection attacks if developers do not implement input validation techniques. SQL databases use SQL queries and are susceptible to SQL injection attacks. NoSQL databases use unstructured query language (UQL) queries. Although the format of UQL queries varies with different vendors, attackers can learn them and use them when developers do not implement input validation techniques.
The 601 Version of the Study Guide
The CompTIA Security+: Get Certified Get Ahead: SY0-601 Study GuideEach of the eleven chapters presents topics in an easy to understand manner and includes real-world examples of security principles in action.
You’ll understand the important and relevant security topics for the Security+ exam, without being overloaded with unnecessary details. Additionally, each chapter includes a comprehensive review section to help you focus on what’s important.
Over 300 realistic practice test questions with in-depth explanations will help you test your comprehension and readiness for the exam. The book includes:
- A 75 question pre-test
- A 75 question post-test
- Practice test questions at the end of every chapter.
Each practice test question includes a detailed explanation to help you understand the content and the reasoning behind the question. You’ll be ready to take and pass the exam the first time you take it.
If you plan to pursue any of the advanced security certifications, this guide will also help you lay a solid foundation of security knowledge. Learn this material, and you’ll be a step ahead for other exams. This SY0-601 study guide is for any IT or security professional interested in advancing in their field, and a must-read for anyone striving to master the basics of IT security.
Cross-Site Scripting
Cross-site scripting (XSS) is another web application vulnerability that can be prevented with input validation. Attackers embed malicious HTML or JavaScript code into an email or web site error message. If a user responds to the email or error message, it executes the code. Many times, this gives the attacker access to user cookies or other information about the user.
You may be wondering why the acronym isn’t CSS instead of XSS. The reason is the web sites use Cascading Style Sheets identified as CSS and CSS files are not malicious.
HTML and JavaScript code use tags surrounded by the less-than (<) and greater-than (>) characters. For example, images are placed within a web page with the <img> tag. These tags support many additional options and commands, which developers use to create feature-rich web pages. However, attackers can manipulate these tags to run malicious code. Attackers often embed cross-scripting code into comments on blog pages or forums when the page allows users to include HTML tags.
As an example, a bug in Twitter’s web site resulted in a cross-site scripting problem in 2010. A malicious Twitter user discovered the bug and embedded JavaScript code into a tweet. When innocent users opened a web page that included the malicious tweet, the code ran on their systems. In this case, the malicious code used the onMouseOver event. When users hovered their mouse over the tweet, it did two things. It retweeted the tweet, sending it out to all of the user’s followers. It also launched a pop-up window displaying content from a hard-core Japanese pornography web site.
Although this attack was more embarrassing to Twitter than harmful to end users, many other cross-site scripting attacks are malicious. They can allow attackers to redirect users to other web sites, steal cookies off a user’s system, read passwords from a web browser’s cache, and more. If a web site stored private data in a user’s cookie, such as a username and password, an attacker can use a cross-site scripting attack to retrieve this information.
The primary protection against cross-site scripting attacks is at the web application with input validation techniques to block the use of HTML tags and JavaScript tags. Tags are embedded within the < and > characters, so it’s possible to block these tags by rejecting any text that includes these characters. It’s also important to educate users about the dangers of clicking links. Some XSS attacks send emails with malicious links within them. The XSS attack fails if users do not click the link.
Remember this
Cross-site scripting (XSS) attacks allow attackers to capture user information such as cookies. Input validation techniques at the server help prevent XSS attacks.
Q. While creating a web application, a developer adds code to limit data provided by users. The code prevents users from entering special characters. Which of the following attacks will this code MOST likely prevent?
A. Sniffing
B. Spoofing
C. XSS
D. Pharming
Answer is C. A cross-site scripting (XSS) attack can be blocked by using input validation techniques to filter special characters such as the < and > characters used in HTML code. None of the other attackers requires the use of special characters.
Sniffing captures data with a protocol analyzer.
Spoofing hides the identity of the original entity.
Pharming redirects a user from one web site to another web site.
