
Q:1. Which of the following is correct for a CSRF attack?

1. It tricks the user into sending a malicious request to the server.
2. Cookies can be used in a CSRF attack.
3. Both 1 and 2
4. None of the mentioned above
Ans: Both 1 and 2
CSRF is an attack that tricks the victim into submitting a malicious request, and it relies on cookie-based session handling. Performing the action involves issuing one or more HTTP requests, and the application relies solely on session cookies to identify the user who made the requests. There is no other mechanism in place for tracking sessions or validating user requests.

Q:2. One of the ways to prevent a CSRF attack is to use _____ validation.

1. Referrer
2. CSRF token
3. Browser
4. Both 1 and 2
Ans: Both 1 and 2
Cross-Site Request Forgery (CSRF) is a type of attack that occurs when a malicious web site, email, blog, instant message, or program causes a user's web browser to perform an unwanted action on a trusted site while the user is authenticated. A CSRF attack works because browser requests automatically include all cookies, including session cookies. Therefore, if the user is authenticated to the site, the site cannot distinguish between legitimate requests and forged requests. Checking the Referer header is a commonly used method of preventing CSRF on embedded network devices because it does not require per-user state. This makes the Referer check a useful method of CSRF prevention when memory is scarce. However, checking the Referer is considered to be a weaker form of CSRF protection than a per-session CSRF token.
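The two checks from this question combined on the server side, as an added example (not code from the original post): a per-session CSRF token that must accompany the form, plus an Origin/Referer check as a second layer. The session store, the `validate_request` function and the trusted origin `https://app.example` are assumptions for illustration.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Hypothetical in-memory session store: session id -> issued CSRF token.
# A real application would keep this in its server-side session storage.
SESSION_TOKENS: dict[str, str] = {}
TRUSTED_ORIGIN = "https://app.example"  # assumed origin of the trusted site


def issue_csrf_token(session_id: str) -> str:
    """Create a random per-session token to embed in forms as a hidden field."""
    token = secrets.token_urlsafe(32)
    SESSION_TOKENS[session_id] = token
    return token


def referer_allowed(headers: dict) -> bool:
    """Second check: Origin (preferred) or Referer must point at the trusted site.
    A missing header is rejected (fail closed) rather than assumed legitimate."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parts, trusted = urlsplit(source), urlsplit(TRUSTED_ORIGIN)
    return (parts.scheme, parts.netloc) == (trusted.scheme, trusted.netloc)


def validate_request(session_id: str, form: dict, headers: dict) -> tuple:
    """Return (accepted, reason). The session cookie alone is never enough:
    the request must also carry the token issued for this session and arrive
    from the trusted origin. Token comparison is constant-time."""
    expected = SESSION_TOKENS.get(session_id)
    supplied = form.get("csrf_token", "")
    if expected is None or not hmac.compare_digest(
        expected.encode(), str(supplied).encode()
    ):
        return False, "missing or invalid CSRF token"
    if not referer_allowed(headers):
        return False, "origin/referer not trusted"
    return True, "ok"
```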

Q:3. Which of the following is/are vulnerabilities of websites?

1. SQL Injection
2. CSRF
3. Cross Site Scripting
4. All of the above
Ans: All of the above
A website vulnerability is a weakness or misconfiguration in a website or web application code that allows an attacker to gain some level of control of the site, and possibly of the hosting server.

Q:4. _________ is an attack in which the script is stored permanently on the server.

1. Stored XSS
2. Reflected XSS
3. DOM based attack
4. All of the above
Ans: Stored XSS
Stored or persistent cross-site scripting (Type-I XSS) is the potentially more devastating form of XSS: the attacker injects a script that is then stored permanently on the target server and served to every user who views the affected page.

Q:5. Which of the following is true for a DOM-based XSS attack?

1. Set the HttpOnly flag in cookies
2. Ensure that session IDs are not exposed in a URL
3. The payload cannot be found in the response
4. None of the above
Ans: The payload cannot be found in the response
DOM-based XSS simply means a cross-site scripting vulnerability that appears in the DOM (Document Object Model) instead of in the HTML returned by the server. In reflected and stored cross-site scripting attacks you can see the payload in the response page, but in DOM-based cross-site scripting the HTML source code and the server response are exactly the same with or without the attack, i.e. the payload cannot be found in the response. It can only be observed at runtime or by investigating the DOM of the page.
