Questions
Answers can be found at http://mdsec.net/wahh.
- You discover an application function where the contents of a query string parameter are inserted into the Location header in an HTTP redirect. What three different types of attacks can this behavior potentially be exploited to perform?
- What main precondition must exist to enable a CSRF attack against a sensitive function of an application?
- What three defensive measures can be used to prevent JavaScript hijacking attacks?
- For each of the following technologies, identify the circumstances, if any, in which the technology would request /crossdomain.xml to properly enforce domain segregation:
  - a. Flash
  - b. Java
  - c. HTML5
  - d. Silverlight
- “We're safe from clickjacking attacks because we don't use frames.” What, if anything, is wrong with this statement?
- You identify a persistent XSS vulnerability within the display name caption used by an application. This string is only ever displayed to the user who configured...