Questions
1 question per paper
Difficulty
Easy
Importance
Low yield, but critical for fundamental conceptual marks.
Overview
Web Security Basics covers the fundamental principles of protecting web applications from malicious attacks and securing data transmission. Understanding these concepts is essential for university exams to demonstrate knowledge of how vulnerabilities like XSS and SQLi undermine security and how protocols like HTTPS mitigate them.
Cross-Site Scripting (XSS)
XSS occurs when an application includes untrusted data in a web page without proper validation or escaping, allowing attackers to execute malicious scripts in the victim's browser. It primarily targets the user rather than the server directly.
- Stored XSS: Script is permanently stored on the target server.
- Reflected XSS: Script is reflected off a web server through a request parameter.
- DOM-based XSS: Vulnerability exists entirely in the client-side code.
- Impact: Cookie theft, session hijacking, and unauthorized actions.
- Prevention: Use input validation and output encoding.
SQL Injection (SQLi)
SQL Injection is a code injection technique where an attacker executes malicious SQL statements to control a web application's database server. This can lead to unauthorized access, data modification, or deletion of sensitive information.
- Classic SQLi: Uses the error-based or union-based exploitation technique.
- Blind SQLi: Server does not return data, but inference is made through response timing.
- Mechanism: Manipulating query input to alter the underlying SQL logic.
- Prevention: Use of Prepared Statements and Parameterized Queries.
- Prevention: Principle of least privilege for database accounts.
HTTPS and SSL/TLS
HTTPS is the secure version of HTTP that uses SSL/TLS protocols to encrypt communication between a client and a server. It ensures data integrity, confidentiality, and authentication of the web server.
- SSL (Secure Sockets Layer): The legacy precursor to modern TLS.
- TLS (Transport Layer Security): Current standard for secure communication.
- Handshake Process: Establishes cipher suites and authentication via digital certificates.
- Certificate Authority (CA): Trusted entities that issue SSL certificates.
- Asymmetric Encryption: Used for the initial key exchange.
Formula Sheet
HTTPS = HTTP + TLS/SSL
Cipher Suite = {Key Exchange, Authentication, Encryption, Message Authentication Code}
Exam Tip
Always link the mitigation strategy to the specific vulnerability; for instance, always pair 'SQL Injection' with 'Parameterized Queries' to gain maximum marks.
Common Mistakes
- Confusing XSS (which targets users) with SQLi (which targets database servers).
- Failing to distinguish between SSL and TLS, treating them as identical without mentioning the deprecation of SSL.
- Providing generic security advice instead of specific technical mitigation techniques like parameterized queries.
More Revision Notes
Ready to test yourself?
Play topic-wise Web Security Basics questions in Aspirant Arcade — gamified MCQ practice.
Download Free