Palisade Magazine

Quiz

Best practices for PHP Security

in April 2009

PHP is a server-side scripting language used for building dynamic web pages that provide customized information to users. PHP is known for the simplicity of its programming syntax, and security is often overlooked by novice programmers. PHP is as secure as any other programming language and offers many levels of security. Which of the following are the best practices for securing PHP applications?

  1. Disable allow_url_fopen
  2. Turn off global variables
  3. Enable display_errors
  4. Hide the files

Mitigating the risk of CSRF attacks

in February 2009

Cross Site Request Forgery (CSRF) is an attack that tricks the victim into taking some action on the vulnerable application without the victim’s knowledge. A CSRF attack can be carried out in different ways. Which of the following aspects of an ASP.NET application would not help mitigate the risk of CSRF attacks?

  1. Use of ViewStateUserKey
  2. Use of CSRFGuard httpModule
  3. Secure against XSS attacks
  4. Setting the HttpOnly attribute of the session cookie

Specifying lifetime for a webpage

in October 2008

We have often come across the message “Webpage has expired” when attempting to access a recently accessed page. This message is the result of the web server specifying an expiration time for the webpage when it is stored in the browser’s cache. How does a web server specify the lifetime of a page to the browser’s cache?

  1. Using the Expires header
  2. Using the Max-age directive along with Expires header
  3. Setting the Must-Revalidate header in the response
  4. All of the above

Proposal to amend Same Origin Policy

in July 2008

The browser’s same origin policy prevents scripts loaded from one domain from accessing resources on another domain. However, this policy imposes several limitations on Web 2.0 applications and restricts interactivity between sites. A new proposal has been formed by the W3C to accommodate Web 2.0 developers’ demands by allowing cross-site requests. Which of the following is the said proposal?

  1. Configuring Domain Authorization Rules on the application server side
  2. Access Control for Cross-site Requests
  3. Configuring Application level ACL

Cross Site Printing

in June 2008

What is Cross Site Printing?

  1. A typo for Cross Site Scripting
  2. A new Printing technology from Microsoft
  3. A new attack that prints to your internal printers when you visit a website
  4. None of these

Safe Authentication Controls

in June 2007

Which of the following is/are required as safe authentication controls on a login page?

  1. Enable SSL
  2. Define acceptable Inputs
  3. Use Salted Hash technique
  4. Disable password save and AutoComplete/fill-in
  5. All of them

CAPTCHAs

in May 2007

Which of these is not a recommended best practice for implementing CAPTCHAs?

  1. Have a fixed set of images with dynamic filenames
  2. Send the CAPTCHA to the client with a random token
  3. Invalidate the token after one use
  4. None of the above

Anti-phishing Measure

in March 2007

Which of these best describes an anti-phishing measure?

  1. Insert a Javascript in the website that records the number of users visiting the website per day.
  2. Insert a Javascript in the website for customizing the website based on the user’s browser type or version.
  3. Insert a Javascript in the website which sends an alert whenever the website is run under any URL other than the authentic one.
  4. Insert a Javascript in the website to protect email addresses from being harvested by spambots.

Log file privileges

in February 2007

What sort of privilege on the log file does an application need to log transactions?

  1. Read, Write
  2. Read, Write, Append, Delete
  3. Write, Append
  4. Append

SSL handshake for multiple pages

in December 2006

Your Internet Banking site is fully SSL enabled. The login page, account summary page and fund transfer page are all HTTPS enabled. When you bank online (log in, check your account summary and do a fund transfer), does SSL authentication and handshaking happen separately for each page, or is there one handshake for all three pages?

  1. HTTP is stateless, so is SSL. Full SSL handshake needed for each HTTP page.
  2. SSL is stateful, only one full handshake for multiple HTTP pages in a session.
  3. SSL is security at IP layer. One handshake for one set of source/destination IP address.

Lifetime of phishing sites

in November 2006

What is the average lifetime of a phishing site today?

  1. < 1 hour
  2. < 1 day
  3. About 5 days
  4. About 3 months

Identifying HTTP Request Smuggling attacks

in October 2006

HTTP requests pass through various intermediaries such as caches, proxies and firewalls before reaching the web server. An attacker sends multiple specially crafted HTTP requests which cause the intermediate entities between the attacker’s browser and the web server to see different sets of requests. What type of attack is this?

  1. Cross Site Tracing attack
  2. HTTP Request Smuggling attack
  3. Cross site Request forging attack
  4. SQL Injection attack

Choose the most effective password

in September 2006

Which of the following is the most effective password?

  1. XH#4@r4$8
  2. Kate1980
  3. Asterixh@sgoneHome

Identifying buffer overflow attack

in August 2006

An attacker enters a long, nasty-looking string into the date field. The input overwrites parts of the running program and executes commands on the server. What type of attack just took place?

  1. SQL Injection attack
  2. Buffer Overflow attack
  3. Cross Site Scripting attack

Protecting passwords against stealing

in July 2006

Which of these techniques helps prevent passwords from being stolen from the browser?

  1. Using SSL for the authentication pages
  2. Using salted hashing for transmitting passwords
  3. Using an intermediate page after login
  4. All of the above

Directory Traversal Attacks

in June 2006

Controlling access to web content is essential for running a secure web server. Directory traversal is an exploit that takes advantage of the lack of such controls on the web server to access restricted directories and execute commands. So how can we prevent directory traversal attacks on web servers?

  1. Applying latest security patches
  2. Turning off directory-browsing
  3. Performing strong input validation with white lists
  4. Placing web-root directories and virtual directories on a separate partition from the system files
  5. Using tools
  6. All of the above.

Measures to prevent/detect buffer overflows

in May 2006

Buffer overflow is a common problem that most applications face. So how does a software developer ensure that his/her application is safe from buffer overflows?

  1. Secure Designing and Coding
  2. Configure non-executable stack
  3. Use safer versions of functions
  4. Use of safe libraries.
  5. Use tools.
  6. Any of the above.

Phishing & Pharming targets

in April 2006

Which of the following websites is least likely to be a target of phishing / pharming attacks?

  1. An ecommerce-enabled website having SSL encryption, password authentication mechanism, and which sends customer account statements via email.
  2. An internet banking website with SSL encryption, two-factor authentication and which does not send any customer information via email.
  3. An ecommerce-enabled website with no SSL-based login and a simple password authentication mechanism.
  4. An internet banking website with SSL encryption and multi-factor authentication. Additionally the website displays unique visual clues to each user.

Email Address Harvesting

in March 2006

Which of the given options is/are secure methods to prevent email address harvesting?

  1. Re-format/ munging address
  2. Substitute ASCII codes in address
  3. Obscure address through javascript
  4. Hide address in image
  5. Options 3 and 4

Quiz: Handling Secrets in .Net

in February 2006

Which of these is not a good strategy for handling secrets in .Net?

  1. Use SecureZeroMemory to clear secrets in the memory
  2. Use aspnet_setreg to encrypt passwords in the registry
  3. Use .Net’s isolated storage to store secrets safely

Best Practices in Dot Net applications

in January 2006

Which of the following is/are best practices for logout in .Net applications?

  1. Using FormsAuthentication.SignOut method
  2. Set the requireSSL attribute for the AuthCookie
  3. Set the HttpOnly cookies attribute for the AuthCookie
  4. Implement Short Timeout for the AuthCookie
  5. All of the above

Best Input Validation Strategy

in December 2005

What’s the best strategy to validate the inputs in our application?

  1. Look out for malicious input during validation and filter that out
  2. Specify what’s good, and allow only that
  3. I love a combination of both

Protecting Code

in November 2005

Our applet implements an algorithm that’s proprietary and a trade secret. How do I protect the algorithm from getting stolen at the browser?

  1. Digitally sign the applet
  2. Encrypt the applet using RSA
  3. Use Code Obfuscation
  4. None of the above

Detecting frauds from log files

in October 2005

Which logging mechanism is best for tracing back to the culprit in case of an application fraud, for example when a fraudster has illegally transferred money from somebody else’s account to his own?

  1. Web-Server error logs
  2. Application logs
  3. W3C logs
  4. System logs

Session IDs

in September 2005

When is the best time to assign session IDs?

  1. Have a single session id for a complete browser instance.
  2. Assign a session ID to a user on the login page.
  3. On logout change the session ID to a new value.
  4. Assign a session id after authentication, change it at logout.

Secure Socket Layers

in August 2005

What kind of attacks does SSL prevent?

  1. SQL Injection
  2. Sniffing
  3. Variable Manipulation
  4. Phishing Attacks

Transmitting Session IDs

in July 2005

What is the best method for transmitting session IDs?

  1. Sending the session ID in plain text in the URL.
  2. Sending hashed session ID in the URL.
  3. Sending the session ID as a hidden value in the form.
  4. Embed the session ID in the Cookie.

Preventing Phishing attacks

in June 2005

Which is the best method to protect my customers from phishing attacks?

  1. Have strong authentication mechanisms like Hardware Tokens, E-mail Signing etc.
  2. Include personalized web pages to make it hard to impersonate the site
  3. Creating awareness among customers about phishing

Masking Web Server Banners

in May 2005

How should I mask my web server’s banners to get enhanced security?

  1. Edit the server’s source code or the binary to change the default string
  2. Edit configuration files or install a plug-in to mask the banner of your server
  3. Never mind, obscuring banners doesn’t enhance security!

Cross Site Scripting Attacks

in April 2005

How can I prevent Cross Site Scripting attacks on my application?

  1. Ensure no input is reflected in an output page
  2. Use HTTP Only cookies to protect cookies from scripts
  3. Escape all special characters when preparing the output

Implementing 'Forgot Password' feature

in March 2005

Which is the best method for implementing the Forgot Password feature?

  1. Displaying the old password after asking a reminder question
  2. Displaying a new password after the reminder question
  3. Sending a temporary password by mail
  4. Sending a temporary link to a ‘Change Password’ page by mail

Encrypting Sensitive Documents

in December 2004

I want to encrypt sensitive documents in my application. What is the best approach to take while designing a cryptographic solution?

  1. Develop a proprietary encryption algorithm that only I know about
  2. Learn how to implement a standard algorithm like AES or 3DES
  3. Use my platform’s Crypto API classes that implement well-known algorithms
  4. Learn how to manage keys used in the encryption

SQL Injection Attacks

in November 2004

How can I protect my application from SQL Injection attacks?

  1. Check all user inputs for special characters like " ‘ "
  2. Use Database stored procedures
  3. Use parametrized queries instead of dynamic SQL statements
  4. All of the above

Cached Pages

in October 2004

How can an application ensure that its pages are not cached or left on the client after a user has logged out?

  1. Set pragma: no-cache
  2. Set page expire = -1
  3. Set cache-control: no-cache, no-store
  4. Set cache-control: must-revalidate

Protecting Session Cookies

in September 2004

How should I protect the session cookie in my web application from getting stolen?

  1. Use strongly random strings for the session token.
  2. Set the “secure” attribute for the session cookie.
  3. Set the “httponly” attribute for the cookie.
  4. All of the above.

Securing non-HTML content

in August 2004

An online banking application lets the user export account statements as text files or Excel spreadsheets. How should the application generate, store and dispatch this non-HTML content to the user’s browser?

  1. Maintain these files in the web server’s file system, and redirect the user to the correct file when requested.
  2. Store the data in a database, and create the files temporarily in the local file system when a user requests it. Then redirect the user to this temporary file.
  3. Store the files in a database, read it with a server program and dispatch the files directly to the browser by setting the content-type directive.

Encrypting passwords

in July 2004

The cryptographic technique to use for transmitting passwords during authentication is:

  1. Digital signature
  2. Symmetric encryption
  3. Hashing
  4. Salted Hash
