Chapter 80 Β· Flashcards

Application Security β€” Flashcards

10 cards covering input validation, fuzzing, secure cookies, SAST limitations, code signing, sandboxing environments, and application security monitoring.

0 / 10 flipped
Concept
What is input validation, and which attack classes does it directly prevent?
Answer
Input validation verifies that every piece of data entering the application matches the expected type, format, length, and character set. It must cover every input source: web forms, API parameters, URL strings, headers, file uploads.

Attack classes it prevents:
β€’ SQL injection β€” rejecting special chars like ', --, ; in fields that query databases
β€’ Cross-site scripting (XSS) β€” rejecting/escaping < > and script tags in text inputs
β€’ Buffer overflow β€” enforcing maximum input length
β€’ Command injection β€” rejecting shell metacharacters

Companion process: normalization β€” decode and standardize input before validation to prevent encoding bypass attacks.
Term
Fuzzing / Fuzz Testing
Definition
An automated security testing technique that submits large volumes of unexpected, malformed, or random input to an application to discover vulnerabilities. A fuzzer does not know valid input β€” it deliberately provides invalid values: oversized strings, null bytes, wrong data types, boundary values, special characters.

If the application crashes, hangs, or behaves unexpectedly, a vulnerability has been found β€” typically a gap in input validation.

Attacker use: fuzz production applications to find exploitable vulnerabilities.
Defender use: fuzz your own application during development and QA to find vulnerabilities before attackers do.

Fuzzers find edge cases that human testers would never think to try.
Term
Secure Cookie β€” Secure attribute
Definition
A flag set on a browser cookie that instructs the browser to only transmit the cookie over HTTPS (encrypted) connections. The browser will refuse to send a Secure-flagged cookie over HTTP.

What it prevents: network interception of session cookies β€” an attacker on the same network cannot capture the session token over an unencrypted connection because the browser never sends it over HTTP.

What it does NOT do: encrypt the cookie's contents; it only controls when the cookie is transmitted.

Companion: HttpOnly attribute β€” prevents JavaScript from reading the cookie, blocking XSS-based session theft. Both attributes should be set on session cookies.
Concept
What SHOULD and what SHOULD NOT be stored in cookies?
Answer
Appropriate cookie content:
β€’ Session tokens (random, server-validated identifiers)
β€’ User preferences (theme, language)
β€’ Non-sensitive tracking identifiers

Never store in cookies:
β€’ Passwords (even hashed)
β€’ Financial data (credit card numbers, bank details)
β€’ Personally identifiable information (SSN, date of birth)
β€’ Authorization levels or roles

Why: Cookies are not designed for secure storage. They are accessible to JavaScript (unless HttpOnly is set), transmitted to the server with every request, logged by servers, and visible to browser extensions. The design assumption is that cookie contents are not highly sensitive β€” session tokens are acceptable because they are meaningless without the server's session database.
Term
SAST β€” Static Application Security Testing
Definition
A security testing technique that analyzes application source code (or compiled binary) for vulnerabilities without executing the application.

Finds well:
β€’ Buffer overflow β€” unsafe functions (gets, strcpy without bounds)
β€’ SQL injection β€” string concatenation in queries
β€’ Hardcoded credentials
β€’ Use of deprecated/broken algorithms (MD5, DES)
β€’ Insecure function calls

Integrates into CI/CD pipelines for automated scanning on every code commit. Catches vulnerabilities during development β€” cheapest time to fix them.

Key limitation: not everything is visible in code; false positives require human review.
Concept
What types of vulnerabilities can SAST NOT find, and why?
Answer
SAST identifies code patterns β€” it cannot evaluate logic, intent, or runtime behavior.

What SAST misses:
β€’ Cryptographic implementation errors β€” the code calls a crypto function; SAST cannot evaluate if the parameters (key size, IV handling, padding mode) are correct
β€’ Authentication design flaws β€” session token predictability, race conditions in auth flow
β€’ Business logic vulnerabilities β€” price manipulation, workflow bypass, privilege escalation through intended features
β€’ Vulnerabilities from component interaction β€” emerge at runtime, not visible in any single file

False positives: SAST flags safe code that resembles vulnerable patterns β€” developers must manually review every finding. SAST output is not a definitive vulnerability list.
Term
Code Signing
Definition
Using asymmetric encryption and digital certificates to verify that software has not been modified since publication and genuinely originates from the claimed developer.

Answers two questions:
β€’ Integrity: Has this application been altered since the developer released it?
β€’ Authenticity: Did this application actually come from the claimed developer?

Protects against:
β€’ Supply chain tampering (modified installer on download mirror)
β€’ Malware masquerading as legitimate software

For internal apps: organizations can run their own CA; internal CA root cert is distributed to all devices so they trust the internal developer's signatures.
Concept
Walk through the code signing process. Who signs what with which key at each step?
Answer
1. CA signs developer's public key (using CA's private key) β†’ creates developer's code-signing certificate. CA vouches for the developer's identity.

2. Developer signs code with their private key β†’ attaches digital signature + certificate to the application package.

3. User's OS verifies using developer's public key (from the cert) β†’ decrypts signature, independently hashes the code, compares hashes.

β€’ Match + trusted cert chain β†’ install proceeds
β€’ No match or untrusted cert β†’ OS warning: application may be tampered or from unknown publisher

Memory anchor: CA signs the developer. Developer signs the code. OS verifies everything.
Term
Sandboxing β€” concept and purpose
Definition
An isolation mechanism that restricts an application to only the resources it needs, preventing access to unrelated files, processes, and system components.

Purpose: limits blast radius of a compromise. Even if an app is exploited, the attacker is bounded by the sandbox.

Implementations:
β€’ Dev sandbox β€” development isolated from production
β€’ Virtual machines β€” VMs isolated from each other
β€’ Mobile OS β€” each app in its own container; can't read other apps' data
β€’ Browser iframes β€” embedded content isolated from parent page
β€’ Windows UAC β€” apps run at standard privilege; admin actions require elevation

Key principle: sandboxing doesn't prevent compromise β€” it contains it.
Concept
What are the four capabilities of application security monitoring?
Answer
1. Real-time monitoring: Current user activity, request volumes, access patterns β€” operational visibility and immediate detection of active attacks or anomalies.

2. Blocked attack log: Records SQL injection attempts, unauthorized access attempts, and WAF blocks that were successfully stopped β€” shows what's being attempted even when defenses hold.

3. Audit logs: Timestamped records of authentication events, admin actions, file accesses, configuration changes β€” primary forensic record for incident investigation and compliance demonstration.

4. Anomaly detection: Identifies behavior deviating from established baselines β€” spike in failed logins, unusual data volume, off-hours access β€” flags potential insider threats and novel attacks that don't match known signatures.