MCQs on WSS part-2
Hello Readers,
I hope you have already gone through part-1 of this WSS quiz series. This post of the series focuses on Web Service threats, vulnerabilities and the standards that Web Service Security builds on.
Before attempting the quiz, I suggest you go through the following points. They are not in topic order; they are just pointers so that you know what to study before starting. So let's start with the pointers you should know about:
Pointers:
- The common threats to a Web Service are: unauthorized access, parameter manipulation, network eavesdropping, disclosure of configuration data and message replay.
- Countermeasures for Unauthorized Access: authenticate callers with a password digest in the SOAP header (the WS-Security UsernameToken), with Kerberos tickets in the SOAP header, with Windows authentication, or with X.509 certificates in the SOAP header.
- Network Eavesdropping:
- In this attack an attacker is able to read Web Service messages as they flow across the network.
- Vulnerabilities: message-level encryption is not used, transport-level encryption is not used.
- Countermeasures: use transport-level encryption such as SSL/TLS or IPsec; additionally encrypt the message payload so that it stays private even at intermediaries that terminate the transport connection.
- Message Replay:
- An attacker captures a legitimate message and resends it to the receiver, possibly after modifying it.
- Vulnerabilities: the messages are not encrypted, the messages are not digitally signed, and because there is no unique message ID, duplicate messages are not detected.
- Countermeasures: encrypt and digitally sign messages, and give each message a unique ID (together with a timestamp or nonce) so that the receiver can detect and discard duplicates.
- Core standards that Web Service Security builds on:
- XML (eXtensible Markup Language) 1.1
- SOAP 1.2 (Simple Object Access Protocol)
- WSDL (Web Services Description Language) 1.1
- UDDI (Universal Description, Discovery, and Integration) 3.0.2
- Proxy servers act as an intermediary between the attacker and the target and its services; attackers use them to stay anonymous to the target network.
- The attack surface is the sum of all the points in a piece of software or a system where an unauthorized user can enter data or extract data. Hardening a system (removing unneeded interfaces, operations and inputs) shrinks its attack surface.
- A vulnerability is a weakness in a system that can be exploited by attackers and cyber-criminals.
- Risk is the potential impact that can arise from exploiting a vulnerability, so risk and vulnerability cannot be used interchangeably. Some vulnerabilities carry no realistic impact; these are known as "vulnerabilities without risk".
- An exploit is a piece of software or a sequence of commands that takes advantage of a bug to cause unintended behaviour. Using exploits, attackers can gain access to a system or escalate their privileges.
- Pivoting is a technique in which a penetration tester uses an already compromised system as a foothold to reach and attack other systems on the same network that are not directly reachable from outside.
- A security bug is a software bug that attackers can take advantage of to gain unauthorized access to a system. It can harm legitimate users and compromise data confidentiality and integrity.
- The window of vulnerability is the time frame from when the security flaw was introduced or released until the bug was fixed, the illicit access was removed, or the attacker was disabled.
- An ISMS (Information Security Management System) is a set of policies and procedures for managing an organization's information security. It applies risk management principles and countermeasures so that security is ensured through defined rules and controls.
- A zero-day vulnerability is a vulnerability unknown to the creator or vendor of the system or software. Until such a bug is fixed, attackers can exploit it freely.
- SAML (Security Assertion Markup Language) is used as part of Single Sign-On (SSO) systems and allows a user who logs in from a Web browser to access distributed SOA resources without authenticating again at each one.
- WS-Security (WSS) is an extension of SOAP that secures messages by attaching security tokens such as username/password tokens, Kerberos tickets, SAML assertions or X.509 certificates to the SOAP header, and by signing and encrypting parts of the message.
- WS-SecurityPolicy defines policy assertions that extend WS-Security, WS-Trust and WS-SecureConversation, so that a service can declare which message parts must be signed and encrypted and which tokens must be presented; messages that do not comply with the policy are rejected.
- WS-Trust defines how security tokens are requested, issued, renewed and validated. A Web service using WS-Trust implements this through a Security Token Service (STS).
- A web service contract is described using Web Services Description Language (WSDL). In contract-last, you expose an existing service interface as a web service whose service contract is generated automatically. In contract-first, you design the service contract in terms of XML and then write code to fulfill it.
- The standard for deploying web services on the Java platform as of J2EE 1.4 was called JAX-RPC. It supported SOAP 1.1, but did not support message-oriented web services.
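The pointers on Unauthorized Access and Message Replay above describe the WS-Security UsernameToken countermeasure only in words. The following Python program is an added example, not code from the original post, and shows both sides of that exchange: the client builds a SOAP 1.2 envelope whose wsse:Security header carries a UsernameToken with a PasswordDigest (Base64(SHA-1(nonce + created + password)), as the UsernameToken Profile 1.0 specifies), and the server recomputes the digest, checks the Created timestamp against a clock-skew window, and refuses any nonce it has already accepted, which is what stops a captured message from being replayed. The user name, password, SOAP body, five-minute window and fixed clock are constructed for the demo. Note that the server must hold the plaintext password to recompute the digest, and the digest protects only the credential, not the body, so this belongs under TLS.

```python
import base64
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET  # production code should parse with defusedxml (entity expansion)
from datetime import datetime, timedelta, timezone
from xml.sax.saxutils import escape

SOAP_NS = "http://www.w3.org/2003/05/soap-envelope"  # SOAP 1.2
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"  # whole seconds only in this demo; real tokens may carry fractions


class AuthError(Exception):
    pass


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Password_Digest = Base64(SHA-1(nonce + created + password)), per the UsernameToken Profile 1.0."""
    return base64.b64encode(hashlib.sha1(nonce + created.encode() + password.encode()).digest()).decode()


def build_envelope(username: str, password: str, body: str, now=None, nonce=None) -> str:
    """Client side: wrap `body` in a SOAP 1.2 envelope carrying a wsse:UsernameToken header."""
    now = now or datetime.now(timezone.utc)
    created = now.strftime(TIME_FMT)
    nonce = nonce or secrets.token_bytes(16)  # fresh random nonce for every message
    digest = password_digest(nonce, created, password)
    return (
        f'<soap:Envelope xmlns:soap="{SOAP_NS}" xmlns:wsse="{WSSE_NS}" xmlns:wsu="{WSU_NS}">'
        '<soap:Header><wsse:Security soap:mustUnderstand="true"><wsse:UsernameToken>'
        f"<wsse:Username>{escape(username)}</wsse:Username>"
        f'<wsse:Password Type="{DIGEST_TYPE}">{digest}</wsse:Password>'
        f"<wsse:Nonce>{base64.b64encode(nonce).decode()}</wsse:Nonce>"
        f"<wsu:Created>{created}</wsu:Created>"
        "</wsse:UsernameToken></wsse:Security></soap:Header>"
        f"<soap:Body>{body}</soap:Body></soap:Envelope>"
    )


class UsernameTokenVerifier:
    """Server side: authenticate the token, then refuse stale or replayed messages."""

    def __init__(self, passwords: dict, max_skew: timedelta = timedelta(minutes=5)):
        self.passwords = passwords  # the digest scheme needs the plaintext password to recompute it
        self.max_skew = max_skew
        self.seen = {}  # nonce bytes -> Created time of the message that used it

    def verify(self, envelope: str, now=None) -> str:
        now = now or datetime.now(timezone.utc)
        root = ET.fromstring(envelope)
        token = root.find(f"{{{SOAP_NS}}}Header/{{{WSSE_NS}}}Security/{{{WSSE_NS}}}UsernameToken")
        if token is None:
            raise AuthError("missing wsse:UsernameToken")
        username = token.findtext(f"{{{WSSE_NS}}}Username") or ""
        pw = token.find(f"{{{WSSE_NS}}}Password")
        nonce_b64 = token.findtext(f"{{{WSSE_NS}}}Nonce")
        created = token.findtext(f"{{{WSU_NS}}}Created")
        # Refuse PasswordText tokens and tokens lacking the nonce/timestamp that make a digest fresh.
        if pw is None or pw.get("Type") != DIGEST_TYPE or not nonce_b64 or not created:
            raise AuthError("token must carry a PasswordDigest, Nonce and Created")
        created_at = datetime.strptime(created, TIME_FMT).replace(tzinfo=timezone.utc)
        if abs(now - created_at) > self.max_skew:
            raise AuthError("Created is outside the accepted clock window")
        stored = self.passwords.get(username)
        if stored is None:  # same error as a wrong password, so the reply does not reveal valid users
            raise AuthError("authentication failed")
        nonce = base64.b64decode(nonce_b64)
        expected = password_digest(nonce, created, stored)
        if not hmac.compare_digest(expected.encode(), (pw.text or "").encode()):
            raise AuthError("authentication failed")
        # Replay check runs after authentication so unauthenticated traffic cannot fill the cache;
        # nonces older than the window are dropped because such messages are rejected above anyway.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.max_skew}
        if nonce in self.seen:
            raise AuthError("replayed message: nonce already used")
        self.seen[nonce] = created_at
        return username


def demo() -> dict:
    """Accept a fresh message, then show replay, stale, wrong-password and unknown-user rejections."""
    t0 = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)  # fixed clock so the run is reproducible
    server = UsernameTokenVerifier({"alice": "s3cr3t"})  # constructed user store

    def attempt(env, at):
        try:
            return server.verify(env, now=at)
        except AuthError as e:
            return f"rejected: {e}"

    good = build_envelope("alice", "s3cr3t", "<Ping/>", now=t0)
    return {
        "first": attempt(good, t0),
        "replay": attempt(good, t0 + timedelta(seconds=30)),  # a captured copy resent 30 s later
        "stale": attempt(build_envelope("alice", "s3cr3t", "<Ping/>", now=t0 - timedelta(minutes=10)), t0),
        "bad_pw": attempt(build_envelope("alice", "guess", "<Ping/>", now=t0), t0),
        "unknown": attempt(build_envelope("mallory", "x", "<Ping/>", now=t0), t0),
        "fresh_again": attempt(build_envelope("alice", "s3cr3t", "<Ping/>", now=t0), t0),
    }
```

Calling demo() returns the outcome of each case. The replay entry is the one to look at: the exact bytes that authenticated a moment earlier are refused because their nonce has already been consumed, while a second message with a fresh nonce from the same user is accepted. The verifier also refuses PasswordText tokens outright and reports the same error for an unknown user and a wrong password, so the reply does not help an attacker enumerate accounts.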