Although many organizations have reduced a significant number of design and coding defects through their software development lifecycle, security holes still remain that arise when an application is deployed and interacts with other processes and different operating systems (Cobb, 2014). Another reason penetration testing is critical is that standards such as the Payment Card Industry Data Security Standard (PCI DSS) mandate internal and external penetration tests (Cobb, 2014).
2. What is a cross-site scripting attack? Explain in your own words.
Cross-site scripting is when an attacker exploits weaknesses in the controls of a trusted website to inject malicious code, with the intent of delivering it to other end users. For example, an attacker injects a browser script into a page of the website so that other users' browsers execute it and their sensitive information is compromised.
3. What is a reflective cross-site scripting attack?
A reflective cross-site scripting attack is one in which the injected script is reflected off the web server, for example in an error message or in search results. This type of attack is mostly carried out through e-mail messages: the user is tricked into clicking a malicious link, the injected code travels to the vulnerable website, and the site reflects the attack back to the user's browser (OWASP, 2013).
4. What common method of obfuscation is used in most real-world SQL attacks?
These methods include character scrambling, repeating character masking, numeric variance, nulling, artificial data generation, truncating, encoding, and aggregating. These methods rely on an array of built-in SQL Server system functions that are used for string manipulation (Magnabosco, 2009).
5. Which Web application attack is more prone to extracting privacy data elements out of a database?
SQL injections can be used to enter the database with administrator rights in which are also the
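The following is an added illustration (not part of the original answer) of why SQL injection is the attack most prone to pulling private records out of a database: a query built by string concatenation lets the input change the query's structure, while a parameterized query binds the input as a plain value. The table, rows, and function names are constructed for this example.

```python
import sqlite3


def make_db():
    # Constructed in-memory table standing in for a customer database
    # holding a privacy-sensitive column.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT, ssn TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [(1, "alice", "111-11-1111"), (2, "bob", "222-22-2222")],
    )
    return conn


def lookup_unsafe(conn, name):
    # Vulnerable pattern: user input is concatenated into the SQL text,
    # so the input is interpreted as part of the query, not just as data.
    sql = "SELECT name, ssn FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    # Hardened pattern: the driver binds the parameter as a string value,
    # so whatever it contains can only ever be compared against `name`.
    sql = "SELECT name, ssn FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# A classic tautology input; against the unsafe query it turns the
# WHERE clause into "name = 'x' OR '1'='1'", matching every row.
TAUTOLOGY = "x' OR '1'='1"


def compare(name):
    # Returns how many rows each variant discloses for the same input.
    conn = make_db()
    return len(lookup_unsafe(conn, name)), len(lookup_safe(conn, name))


if __name__ == "__main__":
    print("legitimate lookup (unsafe, safe):", compare("alice"))
    print("tautology input   (unsafe, safe):", compare(TAUTOLOGY))
```

For the legitimate name both variants return one row; for the tautology input the concatenated query returns every customer's SSN while the parameterized query returns nothing, which is the difference between a data breach and a harmless failed lookup.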
References:
Cobb, M. (2014). Are Web application penetration tests still important? Retrieved from http://searchsecurity.techtarget.com/answer/Are-Web-application-penetration-tests-still-important
OWASP. (2013). Cross-site Scripting (XSS). Retrieved from https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
Magnabosco, J. (2009). Obfuscating your SQL Server data. Retrieved from https://www.simple-talk.com/sql/database-administration/obfuscating-your-sql-server-data/
OWASP. (2013). SQL Injection. Retrieved from https://www.owasp.org/index.php/SQL_Injection
Microsoft Corporation. (2014). Securing Your Web Server. Retrieved from http://msdn.microsoft.com/en-us/library/aa302432.aspx