Assets and Threats: Quiz 9

Web-based exploits are malicious code or behavior that's used to take advantage of co_______ flaws in a w________ application. Cybercriminals target w________-based exploits to obtain sensitive personal information. Attacks occur because w________ applications interact with multiple users across multiple networks. Malicious hackers commonly exploit this high level of interaction using inj__________ attacks.

An injection attack is malicious code inserted into a vulnerable application. The infected application often appears to work normally. That's because the injected code runs in the back_________, unknown to the user. Applications are vulnerable to injection attacks because they are programmed to receive data inputs. This could be something the user types, clicks, or something one program is sharing with another. When coded correctly, applications should be able to interpret and handle user inputs.

A common and dangerous type of injection attack that's a threat to web apps is cross-site scri___________. XSS, is an injection attack that inserts code into a vulnerable website or web application. These attacks are often delivered by exploiting the two languages used by most websites, ? and JavaScript. Both can give cybercriminals access to everything that loads on the infected web page. This can include session cookies, geolocation, and even webcams and microphones.

There are three main types of cross-site scripting attacks reflected, stored, and DOM-based.

A reflected XSS attack is an instance where a malicious script is sent to the server and activated during the server's res_____________. A common example of this is the search bar of a website. In a reflected XSS attack, criminals send their target a web link that appears to go to a trusted site. When they click the link, it sends a HTTP request to the vulnerable site server. The attacker script is then returned or reflected back to the innocent user's browser. Here, the browser loads the malicious script because it trusts the server's response. With the script loaded, information like session co_________ are sent back to the attacker.

In a stored XSS attack, the malicious script isn't hidden in a link that needs to be sent to the server. Instead a stored XSS attack is an instance when malicious script is injected directly on the server. Here, attackers target ele____________ of a site that are served to the user. This could be things like images and buttons that load when the site is visited. Infected elements activate the malicious code when a user simply visits the site. Stored XSS attacks can be damaging because the user has no way of knowing the site is infected beforehand.

In a DOM-based attack, a malicious script can be seen in the URL. In this example, the website's URL contains parameter values. The parameter values reflect input from the user. Here, the site allows users to select color themes. When the user makes a selection, it appears as part of the URL. In a DOM-based attack, criminals change the para____________ that suspecting an input. For example, they could hide malicious JavaScript in the HTML tags. The browser would process the HTML and execute the JavaScript.

The best way to defend against SQL injection is code that will sa_________ the input. Developers can write code to search for specific SQL characters. This gives the server a clearer idea of what inputs to expect. One way this is done is with pre__________ statements.

A pre__________ statement is a coding technique that executes SQL statements before passing them on to the database. When the user's input is unknown, the best practice is to use these pre__________ statements. With just a few extra lines of code, a pre__________ statement executes the code before passing it on to the server. This means the code can be validated before performing the query.