The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws, 2nd Edition by Marcus Pinto, Dafydd Stuttard


Questions

Answers can be found at http://mdsec.net/wahh.

  1. You discover an application function where the contents of a query string parameter are inserted into the Location header in an HTTP redirect. What three different types of attacks can this behavior potentially be exploited to perform?
  2. What main precondition must exist to enable a CSRF attack against a sensitive function of an application?
  3. What three defensive measures can be used to prevent JavaScript hijacking attacks?
  4. For each of the following technologies, identify the circumstances, if any, in which the technology would request /crossdomain.xml to properly enforce domain segregation:
    1. Flash
    2. Java
    3. HTML5
    4. Silverlight
  5. “We're safe from clickjacking attacks because we don't use frames.” What, if anything, is wrong with this statement?
  6. You identify a persistent XSS vulnerability within the display name caption used by an application. This string is only ever displayed to the user who configured it, when they are logged in to the application. Describe the steps that an attacker would need to perform to compromise another user of the application.
  7. How would you test whether an application allows cross-domain requests using XMLHttpRequest?
  8. Describe three ways in which an attacker might induce a victim to use an arbitrary cookie.
