Exam material includes
- the material in the book: Chapter 7 (Web Security), Chapter 5.1
  (Network Security I - Network Security Concepts), and Chapter 1.1;
- the material covered in the lectures (incl. the slides), incl. the
  examples in the demo web pages discussed in the lectures;
- the WebGoat and hackme.cs.ru.nl exercises: we are not going to ask
  tricky details, but you may be asked things about these challenges
  which should be easy to answer if you did these exercises.
The list above is not exhaustive: there can be questions on any material
in the book, discussed in the lectures, and on the WebGoat or
hackme.cs.ru.nl exercises. You will not be expected to know the precise
SQL syntax or HTML syntax in any of these.

As a checklist to help with revision: you should at least be able to
explain
- what HTTP, HTTPS, URL/URI, and HTML are for;
- the differences between GET and POST requests;
- the different ways of realising sessions: using cookies, using a
  session ID as a parameter in the URL, or as a hidden parameter (form
  field) in GET/POST requests; the possibilities to combine these; or
  using tagged cookies to link a cookie to an IP address;
- what dynamically created (server-side) and dynamic (client-side) web
  pages are, and how client-side scripts interact with the DOM;
- what the SOP (same-origin policy) is, and which interactions it
  prevents;
- how the attacks discussed in the lecture work, what the differences
  between (variants of) these attacks are, and what countermeasures
  there are to combat them, either client- or server-side. Attacks
  include:
  - OS command injection;
  - (blind) SQL injection;
  - database command injection;
  - path/file name injection, aka path traversal attack;
  - remote and local PHP file inclusion;
  - HTML injection as a simple form of XSS, just for ...;
  - XSS (reflected, stored, or DOM-based), e.g. to steal cookies or to
    carry out other actions in the victim's browser with the user's
    privileges;
  - forced aka forceful browsing;
  - URL obfuscation;
  - SSL stripping, possibly in combination with fake certificate chains
    (abusing a missing check that leaf certificates may not sign other
    certificates), self-signed certificates, or URL obfuscation;
  - clickjacking/UI redressing.
  Countermeasures include:
  - sanitizing input and/or output, aka input validation or output
    encoding/escaping, either client-side (i.e. in the browser) or
    server-side;
  - browser plugins to control cookies, disable scripting, do domain
    highlighting, use punycode, warn about clickjacking, validate
    (sanitize) outgoing HTTP traffic, ...;
  - access control, sandboxing, or more generally applying the principle
    of least privilege;
  - specifically for SQL injection: parameterised queries and stored
    procedures, ...;
  - specifically for UI redressing: frame-busting and the X-Frame-Options
    header;
- which risks to privacy there are on the web, incl.
  - IP addresses;
  - (third-party) cookies;
  - Flash cookies;
  - web beacons;
  - browser fingerprinting;
  - leaking browser history;
  how these mechanisms work, and possible countermeasures, notably
  cookie blockers;
- attacker models, the types of attackers, the attack vectors they can
  employ, and some of the ways cyber criminals make their money.