

ID: 3666022 • Letter: 1

Question

1. The OWASP project (Open Web Application Security Project) is a great source to explain the most common web application attack vectors (as Brian posted a couple days ago). Here is a link to their Top 10 list. Pick one and tell the group a little bit about it and how it can be prevented.

https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

2. So why are application-level attacks so pervasive? Are software developers out there churning out line after line of insecure code? Why aren't these vulnerabilities caught during the system development process? Name a couple of key process steps or elements of a system development process that should allow insecure code to be flagged and corrected.

Explanation / Answer

Q1:

Ans: Cross Site Scripting (XSS): Cross site scripting is referred to as a client-side code injection attack where an attacker can execute a malicious script in a legitimate website or web application.

This is the most rampant of web application attacks and mainly occurs when an application uses unvalidated or unencoded user input within the output it generates.

By leveraging XSS, an attacker does not target a victim directly. Instead, an attacker would exploit a vulnerability within a website or web application that the victim would visit, essentially using the vulnerable website as a vehicle to deliver a malicious script to the victim's browser.

How it works:

In order to run malicious JavaScript code in a victim’s browser, an attacker must first find a way to inject a payload into a web page that the victim visits. Of course, an attacker could use social engineering techniques to convince a user to visit a vulnerable page with an injected JavaScript payload.

In order for an XSS attack to take place the vulnerable website needs to directly include user input in its pages. An attacker can then insert a string that will be used within the web page and treated as code by the victim’s browser.

The main consideration for XSS is the use of JavaScript to enter malicious code into the victim's browser. If the user is doing some e-commerce transactions and this code is executed, then the attacker has a high advantage of getting all the information about the user's account details, such as user name, password, etc. This will cause high loss to the user and to the e-commerce site too.

How to avoid it?

The programmer can use double-layer security checks and validations. This can be accomplished by having client-side as well as server-side validations. The most important thing a web application designer can do is use the SOP concept (Same Origin Point) wherein, whenever the web application is accessed in a user's browser, the server can send the HTML and JavaScript from the same point so that the browser can decide: if the HTML and JavaScript are coming from the same server, then execute the further processes, else discard. This is proven to be the best method to avoid cross site scripting.

Q2:

Ans: The major causes of the above are last-minute requirement changes and flaws in requirement understanding between the customers who want the application and the designer who develops its architecture. When requirements are not clear, the design will be clumsy and ambiguous. When this design is given to application developers, it will be quite difficult to understand where the flaw will occur, and testing will not happen properly. After the application comes into the real world, there are plenty of hackers waiting for its weaknesses and ready to break it.

So, to avoid these problems: systematic planning, requirement understanding, designing, development of the application, testing the application thoroughly, then doing a beta version with customers and selected users, and finally releasing it to the real-time users.

This entire process is called the Software Development Life Cycle (SDLC). The verification and validation of each document (software requirement document), design (high-level and low-level design), and the application as a whole (after developing the application) should be done properly.

Early testing in the SDLC process can solve many problems which occur at a later point in time in the application development. For example: verify the requirement document and design; if any flaws are present, discuss and correct them. Static and dynamic testing, white-box and black-box testing, security testing, reliability testing, load testing, etc.