Internet Technology (AS21)

Internet technology module at FHNW 2021, major in BIT by Devid Montecciari

Set of flashcards Details

Flashcards 130
Language English
Category Computer Science
Level University
Created / Updated 20.09.2021 / 11.01.2024
Weblink
https://card2brain.ch/box/20210920_internet_technology_as21

What is a @SpringBootApplication?

The @SpringBootApplication annotation enables the following three features:

  • @EnableAutoConfiguration: enables Spring Boot's auto-configuration mechanism.
  • @ComponentScan: enables @Component scanning on the package where the application is located.
  • @Configuration: allows registering extra beans in the context or importing additional configuration classes.

What is injection?

  • Injection means tricking an application into including unintended commands in the data sent to an interpreter.
  • Interpreters take strings and interpret them as commands (SQL, OS shell, LDAP, etc.).
  • SQL injection is still quite common: many applications are still susceptible even though it is usually very simple to avoid.
  • The typical impact is severe: the entire database can be read or modified.
  • How it works:
    1. The application presents a form to the attacker.
    2. The attacker sends an attack in the form data.
    3. The application forwards the attack to the database in a SQL query.
    4. The database runs the query containing the attack and sends encrypted results back to the application.
    5. The application decrypts the data as normal and sends the results to the user.

Describe why it is possible to do an SQL injection and how to prevent it

An application is vulnerable to attack when user-supplied data is not validated, filtered, or sanitized by the application, and dynamic queries or non-parameterized calls without context-aware escaping are used directly in the interpreter.

Preventing it requires keeping data separate from commands and queries. The preferred option is to use a safe API or an object-relational mapping tool such as JPA. For any remaining dynamic queries, escape special characters.

What is Broken Authentication?

  • HTTP is a "stateless" protocol, which means credentials have to go with every request, and you should use SSL for everything requiring authentication.
  • Session management flaws: a SESSION ID is used to track state since HTTP doesn't, and to an attacker it is just as good as credentials. It is typically exposed on the network, in the browser, and in logs.

How do you avoid broken authentication?

Verify your architecture:

  1. Authentication should be simple, centralized, and standardized.
  2. Use the standard session ID provided by your container.
  3. Be sure SSL protects both credentials and the session ID at all times.

Verify the implementation:

  1. Forget automated analysis approaches.
  2. Check your SSL certificate.
  3. Examine all the authentication-related functions.
  4. Verify that logoff actually destroys the session.

What is Cross-Site Scripting?

XSS occurs any time raw data from attackers is sent to an innocent user's browser.

The raw data may be stored in the database, reflected from web input, or sent directly into a rich JS client.


How do you store secrets securely?

  • Sensitive information such as passwords, access tokens, database credentials, etc., should be handled with care.
  • A good practice is to store secrets in a vault such as Vault by HashiCorp (vaultproject.io).
  • Another (possibly not optimal) option is to keep secrets out of your source code and version control (.gitignore!).
  • An application-local.yml containing a plaintext secret must be ignored by git.
  • A secret can also be provided by an environment variable (e.g. in Heroku).
  • The secret can then be injected into a variable.

What is the difference between a framework and a library?

  • A framework is a formatted structure, which may contain both your code and library files. It prescribes "how" you should structure your code.
  • A library is simply a collection of functions wrapped up into a package that can be imported into a code project and re-used.

The key difference between a library and a framework is inversion of control. When you call a method from a library, you are in control; with a framework the control is inverted: the framework calls you.

What is templating?

Templating is a way to compose a main template out of components (partial views) and to interpolate (bind) data within a template (or partial view/component), producing a resulting view.

What is MVC?

Model-View-Controller is one of the most widespread and influential patterns. It is an architectural pattern, not a design pattern.