47 Cards in this Set
Uses a web browser for its user interface and is platform agnostic. It is reactive and responsive. Data is stored locally or on a server. Asynchronous access to the server if/when required. Can be available offline |
Web Application |
|
A language that describes the presentation aspects (look and format) of an HTML document. Allows separation of concerns between content and presentation. |
Cascading Style Sheets (CSS) |
|
Brings a Web Application to life by adding interactivity and dynamism |
Javascript |
|
A simple format for representing objects using key-value pairs |
JavaScript Object Notation (JSON) |
|
Gateway to the network. A Javascript object that allows communication with the outside network (e.g. servers). This forms the basis of network communication |
XMLHttpRequest |
|
Uses an algorithm (called a cipher) and a secret key to transform the source text (called plain text) into encrypted text (called cipher text) |
Encryption |
|
The reverse of encryption. It uses the decryption algorithm and the key to decrypt cipher text into plain text |
Decryption |
|
The study of encryption and decryption |
Cryptography |
|
A type of cipher that shifts each character by some n positions (where n is between 0 and 26), wrapping around at the end of the alphabet. Can be cracked using frequency analysis or by trying all 26 possible shifts |
Caesar cipher |
|
A type of cipher that splits the characters into groups and shifts all characters in a group by the same amount. Can be cracked using the Kasiski test |
Vigenere cipher |
|
An XOR cipher whose key is random, as long as the plain text, and never reused. This offers perfect security, where the only way of cracking it is by brute force |
One-time Pad Encryption |
|
A type of key exchange that allows us to establish a secret shared key over an insecure channel |
Diffie Hellman Key Exchange |
|
Encryption that uses the same (shared) key for both encryption and decryption |
Symmetric Encryption (Private Key Encryption) |
|
Encryption that uses one key for encryption and the other for decryption. One key is private and the other is public |
Asymmetric Encryption (Public Key Cryptography) |
|
A one-way function that is easy to compute but whose inverse is difficult to compute |
Hash Function |
|
A function that can be used to create authenticated hashes |
Keyed Hash Function |
|
The hash produced by a keyed hash function. It provides both integrity and authenticity assurance |
Message Authentication Code (MAC) |
|
Issues digital certificates, binding the person (to whom the certificate is issued) to that person's public key. |
Certificate Authority |
|
Authenticates the server and uses digital signatures to verify the server's certificate. Uses public key cryptography and message authentication codes to ensure the authenticity and integrity of message exchanges. Uses nonces to mitigate replay attacks |
Transport Layer Security (TLS) |
|
The HTTP method that establishes the TLS tunnel |
CONNECT |
|
Allows a single physical server to serve many sites |
Virtual Hosting |
|
A type of attack that is based on social engineering, e.g. "please fill in your pin here" |
Phishing Attacks |
|
Structured Query Language used for standardized access to relational databases. Can be used to select data, insert new data or delete tables |
SQL Injection |
|
The process of removing, replacing or escaping characters that can lead to attacks, e.g. the single quote |
Sanitization |
|
When data in cookies and hidden fields is stolen by someone who has access to the data path (network) |
Session Hijacking |
|
A type of authentication that encodes a username and password using base64. Very easy to decode and unsafe |
Basic Authentication |
|
A type of authentication that uses multistep hashing to transfer the authentication information more securely. It applies the hashing to the username, password, nonce, HTTP method, and requested URI |
Digest Authentication |
|
When someone poses as the user by replaying the intercepted response from the user. Only possible within the time limit specified by the timestamp |
Replay Attack |
|
A code injection vulnerability where an attacker is able to inject scripts into a site's web content and execute them under the privileges of the site, e.g. HTML injection, Javascript injection |
Cross-site Scripting (XSS) |
|
When a user logged on to a site is tricked into interacting with the site to do something the user never wanted to do |
Cross-site Request Forgery (CSRF) |
|
When the client is led to believe the data comes from a trusted server |
Cross-site Scripting (XSS) |
|
When the server is led to believe the data comes from a trusted client |
Cross-site Request Forgery (CSRF) |
|
Tells us what a software system should not do |
Abuse case |
|
One of the software security requirements. Sensitive data should be kept private to the parties applicable to the data |
Confidentiality |
|
One of the software security requirements. Data should not be damaged by unauthorized parties. |
Integrity |
|
One of the software security requirements. A system should be responsive enough to service requests |
Availability |
|
Supports software security requirements. Defines the notion of identity. Achieved by some data that is private to the principal (identity) |
Authentication |
|
Supports software security requirements. Associates principals with actions and defines whether a principal has the right to perform an action |
Authorisation |
|
Supports software security requirements. Keeping enough information so that security breaches can be investigated |
Accounting |
|
Type of threat model that is located at the network edge and is able to examine the contents of what it receives and submit input that may not be valid. Possible attacks include SQL Injection, XSS, and CSRF |
Network User |
|
Type of threat model that has access to the network and can examine the contents of what it receives and submit invalid data, as well as examine the contents of what others send and receive. Possible attacks include session hijacking, DDoS and replay attacks |
Snooping User |
|
Type of threat model that has access to the user's machine (or server) and has the ability to measure or interfere with IO (keystrokes, display) and read or modify the filesystem and memory. Possible attacks include Trojan horses, key loggers and data theft |
Co-located User |
|
One of the basic principles of secure design. Aims to prevent flaws by keeping things simple. This involves keeping defaults secure and simplifying user interfaces |
Favouring Simplicity |
|
One of the basic principles of secure design. The system needs to trust that its components are secure |
Trust with Reluctance |
|
One of the basic principles of secure design. Providing multiple lines of defense so that if one line of defense is broken, there is another, different type of defense that still needs to be tackled |
Defend in Depth |
|
A browser allows scripts from a web page to access resources in a second page only if the two pages share the same origin (URI scheme, domain name, and port number). It does not apply to images, videos, stylesheets, scripts and iframes, or to any resource that has been obtained through an XMLHttpRequest. |
Same-origin Policy |
|
A mechanism that allows a page to access resources at a second page when the same-origin policy would otherwise forbid it. It relies on the client browser and the server exchanging a set of HTTP headers conveying information relating to the client, the resources and the access rights |
Cross-origin Resource Sharing (CORS) |