Reading...
Play button
Play button
Use LEFT and RIGHT arrow keys to navigate between flashcards;
Use UP and DOWN arrow keys to flip the card;
H to show hint;
A reads text to speech;
25 Cards in this Set
- Front
- Back
|
Cross-site scripting
|
one of the most prevalent, obstinate, and dangerous vulnerabilities in web applications.
|
|
|
If you use SQL queries in security controls such as authentication, what will happen?
|
attackers could alter the logic of those queries to bypass security. They could modify the queries to steal, corrupt, or otherwise change your underlying data.
|
|
|
Buffer overflows
|
are Mother Nature's little reminder of that law of physics that says: if you try to put more stuff into a container than it can hold, you're going to make a mess. The scourge of C applications for decades, buffer overflows have been remarkably resistant to elimination.
|
|
|
CSRF
|
Cross-Site Request Forgery
|
|
|
If you don't ensure that your software's users are only doing what they're allowed to, what will happen?
|
attackers will try to exploit your improper authorization and exercise unauthorized functionality that you only intended for restricted users.
|
|
|
When can trouble occur?
|
Software developers often rely on untrusted inputs in the same way, and when these inputs are used to decide whether to grant access to restricted resources
|
|
|
What is the topic discussed in topic #7?
|
Improper Limitation of a Pathname to a Restricted Directory
|
|
|
What is the topic discussed in topic #8?
|
Unrestricted Upload of File with Dangerous Type
|
|
|
What is the topic discussed in topic #9?
|
Improper Sanitization of Special Elements used in an OS Command
|
|
|
What is the topic discussed in topic #10?
|
Missing Encryption of Sensitive Data
|
|
|
Hard-coding
|
If the password is the same across all your software, then every customer becomes vulnerable if (rather, when) your password becomes known. Because it's hard-coded, it's usually a huge pain for sysadmins to fix.
|
|
|
A popular insult
|
Take a long walk off a short pier
|
|
|
What is the topic discussed in topic #13?
|
Improper Control of Filename for Include/Require Statement in PHP Program
|
|
|
What is the topic discussed in topic #14?
|
Improper Validation of Array Index
|
|
|
What is the topic discussed in topic #15?
|
Improper Check for Unusual or Exceptional Conditions
|
|
|
What is the topic discussed in topic #16?
|
Information Exposure Through an Error Message
|
|
|
What is 255+1 in a computer program?
|
255+1=0, or 0-1=65535, or maybe 40,000+40,000=14464.
|
|
|
What can be samples of opportunities for error?
|
If the programmer does not properly calculate the size of a buffer, then the buffer may be too small to contain the data that the programmer plans to write - even if the input was properly validated. Any number of problems could produce the incorrect calculation, but when all is said and done, you're going to run head-first into the dreaded buffer overflow.
|
|
|
What is the topic discussed in topic #19?
|
Missing Authentication for Critical Function
|
|
|
What is the topic discussed in topic #20?
|
Download of Code Without Integrity Check
|
|
|
Who can be this impolite users?
|
attackers
|
|
|
lack of control over resource allocation
|
is an avenue for attackers to cause a denial of service against other users of your software, possibly the entire system - and in some cases, this can be leveraged to conduct other more devastating attacks.
|
|
|
What is the topic discussed in topic #23?
|
URL Redirection to Untrusted Site
|
|
|
What is the topic discussed in topic #24?
|
Use of a Broken or Risky Cryptographic Algorithm
|
|
|
race condition
|
can involve multiple processes in which the attacker has full control over one process. Even when the race condition occurs between multiple threads, the attacker may be able to influence when some of those threads execute. Your only comfort with race conditions is that data corruption and denial of service are the norm.
|
