Question

In: Computer Science

Use the Internet to research defenses against cross-site attacks (XSS and XSRF). What are the common...

Use the Internet to research defenses against cross-site attacks (XSS and XSRF). What are the common defenses? How difficult are they to implement? Why are these defenses not used extensively? Write your findings here in your original post. Minimum 150 words for your response.

Solutions

Expert Solution

Although there have been a variety of proposed prevention mechanisms, not all of them are effective in all scenarios. The most popular implementation to prevent Cross-Site Request Forgery is to make use of a challenge token that is associated with a particular user and can be found as a hidden value in every state-changing form present on the web application. This protects the form because an attacker crafting a request will also need to guess the anti-CSRF token in order to successfully trick a victim into sending a valid request. This token should be invalidated after some time and after the user logs out. For the anti-CSRF mechanism to be implemented properly, it will also need to be cryptographically secure, so that the token itself cannot be easily guessed, which is a possibility if the token is generated based on a predictable pattern.

One method of defending against XSS is checking the user's inputs against a whitelist, also known as sanitizing user inputs. Blacklists are usually not recommended because it is difficult to encompass all tricky and corner cases. Another method is escaping user inputs, which means replacing certain characters with their escape sequences before they are passed to the HTML parser. Content Security Policy (CSP) is implemented by the browser to help mitigate XSS attacks: the web server specifies a whitelist of domains that are allowed for executable scripts, and all other scripts, including inline scripts, are not allowed. XSS cannot defeat challenge-response defenses such as CAPTCHA, re-authentication or one-time passwords. All of this means work, time and effort, which is why these defenses are not used as extensively as they should be.
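The token scheme the answer describes (per-user binding, expiry, unguessable generation, a hidden form field) together with output escaping and a CSP header, as an added example that is not part of the original answer. The session id, server key, one-hour TTL, `/transfer` form and `https://static.example` host are constructed assumptions.

```python
import hashlib
import hmac
import html
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # constructed: per-deployment secret kept server-side
TOKEN_TTL = 3600                      # seconds a token stays valid (assumed one hour)


def issue_csrf_token(session_id, now=None):
    """Mint a token bound to one session: CSPRNG nonce + expiry + HMAC over both."""
    expires = int(now if now is not None else time.time()) + TOKEN_TTL
    nonce = secrets.token_hex(16)  # unguessable, not derived from a predictable pattern
    msg = f"{session_id}|{nonce}|{expires}".encode()
    mac = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    return f"{nonce}.{expires}.{mac}"


def verify_csrf_token(token, session_id, now=None):
    """Reject malformed, expired, tampered, or wrong-session tokens."""
    try:
        nonce, expires_str, mac = token.split(".")
        expires = int(expires_str)
    except ValueError:
        return False
    current = now if now is not None else time.time()
    if current > expires:
        return False  # expired; rotating session_id on logout also invalidates it
    msg = f"{session_id}|{nonce}|{expires}".encode()
    expected = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)  # constant-time comparison


def render_transfer_form(session_id, prefill_memo):
    """State-changing form carrying the hidden token; user input is HTML-escaped."""
    token = issue_csrf_token(session_id)
    return (
        '<form method="POST" action="/transfer">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        f'<input name="memo" value="{html.escape(prefill_memo, quote=True)}">'
        "<button>Send</button></form>"
    )


# Header value the server would send; only same-origin and the listed host may run scripts.
CSP_HEADER = ("Content-Security-Policy",
              "default-src 'self'; script-src 'self' https://static.example")
```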

