WEBSITE SECURITY
What is Cross-Site Request Forgery?
The application should generate a random token and store it in the session. Whenever any form is displayed to the user, the token should be present in the page as a hidden input field. Application logic must check for the token and ensure that it matches the token present in the session.
What is the difference between encryption and hashing?
Encryption is reversible, whereas hashing is irreversible.
What is firewall security?
A firewall is a device that allows or blocks traffic according to a defined set of rules.
What is a DDoS attack?
DDoS stands for Distributed Denial of Service. It is when a network, server or application is flooded with a large number of requests that it is not designed to handle, making the server unavailable to legitimate requests.
What is SQL Injection?
SQL commands; these strings can be entered in places like search boxes, login forms, and even directly into a URL to negate simple client-side.
What is Cross-site scripting?
Cross-site scripting is a JavaScript vulnerability in web applications. The easiest way to explain it is the case where a user enters a script in a client-side input field and that input gets processed without being validated.
What is Brute Force?
More sophisticated brute force attacks compile password lists from keywords available on your website to test against your administrator login forms. The best way to protect yourself is by always using strong, unique passwords and supplementing your access control with two-factor authentication.
What is a Dictionary Attack?
A dictionary attack is a type of brute force attack technique, trying hundreds or sometimes millions of likely possibilities, such as words in a dictionary.
What is path injection?
Script injection in a URL link.
What is Malware?
Malware and unwanted programs can use browser hijacking to steal a browser's cookie files without a user's knowledge. mcrypt or a custom AES encryption to encrypt session data.
What is Spear phishing?
An attack by a high volume of phishing.
What is Phishing?
Phishing is the fraudulent attempt to obtain sensitive information such as usernames, passwords, and credit card details.
What is Clickjacking?
Clicking on a button that appears to perform another function.
What is Baiting?
It preys on the curiosity or greed of the victim.
What is WAF?
WAF stands for web application firewall. It is used to protect the application by filtering legitimate traffic from malicious traffic.
What is Social engineering?
Users are tricked into clicking on a malicious link they think came from a Facebook friend or LinkedIn connection.
What is two-factor authentication?
Creates multi-layer customer identity authentication.
What are salted hashes?
Add a salt in encryption.
What should you never record in a web app error log?
Passwords, credit card numbers, and any other sensitive data.
What is a replay attack?
A replay attack (also known as a playback attack) is a form of network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed. This is carried out either by the originator or by an adversary who intercepts the data and retransmits it, possibly as part of a masquerade attack by IP packet substitution. This is one of the lower-tier versions of a "man in the middle attack".