a. HTTP is widely used for accessing and retrieving web resources, enabling the retrieval and
rendering of web pages, handling form submissions, and facilitating communication between
clients and servers. GET and POST are HTTP methods that specify the desired action to be
performed on a resource. Contrast both HTTP methods.
b. A financial institution's security team has been proactive in fortifying their systems and
networks against cyber threats. They have implemented firewalls, intrusion detection systems,
access controls, and regular vulnerability assessments. Despite these measures, they want to
further validate the security posture of their infrastructure and identify any potential
vulnerabilities that may have been overlooked. As their security consultant, you recommended
penetration testing. Explain penetration testing in detail.
c. In security, passwords provide basic user authentication. Each authorized user is assigned
an account identified by a character-string username (or numeric user ID). However, password
authentication can be defeated by several technical approaches. Write short notes (with
examples) on the five (5) approaches to defeat passwords.
d. Web attacks pose significant dangers to individuals, organizations, and the overall security of
the internet, including data breaches, financial loss and service disruptions. Discuss the
following web attacks and their mitigation strategies:
i. Cross-Site Request Forgery Attacks
ii. Phishing Attacks
SOLUTION
a. Contrasting HTTP GET and POST Methods
GET Method:
Purpose: Retrieves data from a server without modifying server state
Data Transmission: Parameters sent in URL query string (visible in browser address bar)
Data Limitations: Limited by URL length constraints (typically 2048 characters)
Caching: Responses can be cached by browsers and proxies
Idempotent: Multiple identical requests produce the same result
Security: Less secure as data appears in URL, server logs, and browser history
Bookmarking: URLs can be bookmarked and shared
Example: [Link]
POST Method:
Purpose: Submits data to server, often causing state changes or side effects
Data Transmission: Data sent in request body (not visible in URL)
Data Limitations: No inherent size restrictions (server-dependent)
Caching: Responses typically not cached
Non-idempotent: Multiple requests may produce different results
Security: More secure as data not exposed in URL
Bookmarking: Cannot bookmark POST requests directly
Example: Form submissions, file uploads, database modifications
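As an added illustration (not part of the original solution), the following Python builds one constructed login form submission both as a GET and as a POST request, then shows what a typical access log records for each and how a server recovers the parameters; the host and path are assumed. Note that neither method protects the data in transit unless TLS is used.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed form data for the demonstration (not from the page).
FORM = {"username": "alice", "password": "correct-horse-battery-staple"}


def build_get_request(host: str, path: str, params: dict) -> str:
    """GET: parameters travel in the request line (URL query string), so they
    end up in the address bar, browser history and server access logs."""
    return f"GET {path}?{urlencode(params)} HTTP/1.1\r\nHost: {host}\r\n\r\n"


def build_post_request(host: str, path: str, params: dict) -> str:
    """POST: the same parameters travel in the request body; the request
    line carries only the path."""
    body = urlencode(params)
    return (f"POST {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}")


def access_log_line(raw_request: str) -> str:
    """Common web-server access logs record the request line, never the body."""
    return raw_request.split("\r\n", 1)[0]


def server_side_params(raw_request: str) -> dict:
    """Recover the submitted parameters from either kind of request."""
    head, _, body = raw_request.partition("\r\n\r\n")
    method, target, _version = head.split("\r\n")[0].split(" ")
    if method == "GET":
        query = urlsplit(target).query
        return {k: v[0] for k, v in parse_qs(query).items()}
    return {k: v[0] for k, v in parse_qs(body).items()}


if __name__ == "__main__":
    get_req = build_get_request("bank.example", "/login", FORM)
    post_req = build_post_request("bank.example", "/login", FORM)
    print("GET logged as: ", access_log_line(get_req))   # password visible
    print("POST logged as:", access_log_line(post_req))  # path only
```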
b. Penetration Testing Detailed Explanation
Definition: Penetration testing (pen testing) is a simulated cyber attack against computer
systems, networks, or applications to evaluate security defenses and identify vulnerabilities
before malicious actors can exploit them.
Phases of Penetration Testing:
1. Planning and Reconnaissance
Define scope, objectives, and rules of engagement
Gather intelligence about target systems (passive reconnaissance)
Identify potential entry points and attack surfaces
2. Scanning and Enumeration
Active reconnaissance to discover live systems, services, and vulnerabilities
Port scanning, network mapping, and service identification
Vulnerability scanning using automated tools
3. Gaining Access
Attempt to exploit identified vulnerabilities
Test authentication mechanisms and access controls
Try to gain initial foothold in target systems
4. Maintaining Access
Establish persistent access to compromised systems
Escalate privileges to gain higher-level access
Move laterally through the network
5. Analysis and Reporting
Document all findings, vulnerabilities, and successful exploits
Assess business impact and risk levels
Provide remediation recommendations
Types of Penetration Testing:
Black Box: No prior knowledge of target systems
White Box: Full knowledge of target infrastructure
Gray Box: Partial knowledge of target systems
Benefits for the Financial Institution:
Validates existing security controls effectiveness
Identifies vulnerabilities before attackers do
Tests incident response procedures
Provides compliance validation
Offers realistic risk assessment
c. Five Approaches to Defeat Passwords
1. Brute Force Attacks: Systematically trying all possible password combinations until the
correct one is found.
Example: Using automated tools to try millions of password combinations against a login
system
Mitigation: Account lockout policies, rate limiting, strong password requirements
2. Dictionary Attacks: Using lists of common passwords, words, and phrases to guess
passwords.
Example: Trying passwords like "password123", "admin", "qwerty" from compiled lists
Mitigation: Avoiding common passwords, password complexity requirements
3. Social Engineering: Manipulating individuals to reveal their passwords through psychological
tactics.
Example: Phishing emails asking users to "verify" their password, or calling pretending to
be IT support
Mitigation: Security awareness training, verification procedures
4. Credential Stuffing: Using previously breached username/password combinations across
multiple sites.
Example: Using credentials from a social media breach to access banking accounts
Mitigation: Unique passwords for each account, multi-factor authentication
5. Keylogging and Malware: Installing malicious software to capture keystrokes and steal
passwords.
Example: Trojan horses that record everything typed on infected computers
Mitigation: Antivirus software, virtual keyboards, regular system updates
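As an added example (not part of the original solution), the Python below implements the mitigations listed for approaches 1 and 2: a login guard that counts failures per account and applies a temporary lockout, plus a set-time check that rejects short or dictionary passwords. The common-password set, thresholds and the injected clock are constructed for the demonstration.

```python
import time
from dataclasses import dataclass

# Constructed sample of a common-password list; a real deployment would load a
# large breach-derived list and check the candidate against it.
COMMON_PASSWORDS = {"password123", "admin", "qwerty", "123456", "letmein"}

MAX_FAILURES = 5          # failures allowed before the account is locked
LOCKOUT_SECONDS = 900     # lockout duration (15 minutes)


def password_acceptable(candidate: str, min_len: int = 12) -> bool:
    """Set-time check against dictionary attacks: reject short or well-known passwords."""
    return len(candidate) >= min_len and candidate.lower() not in COMMON_PASSWORDS


@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0


class LoginGuard:
    """Wraps a credential verifier with per-account failure counting and lockout.
    'verify' is any callable (username, password) -> bool, e.g. a password-hash check;
    'now' is injected so the lockout window can be tested without waiting."""

    def __init__(self, verify, now=time.time):
        self._verify = verify
        self._now = now
        self._state: dict[str, AccountState] = {}

    def attempt(self, username: str, password: str) -> str:
        st = self._state.setdefault(username, AccountState())
        now = self._now()
        if now < st.locked_until:
            return "locked"                 # refuse without even checking the password
        if self._verify(username, password):
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures >= MAX_FAILURES:
            st.locked_until = now + LOCKOUT_SECONDS
            st.failures = 0
            return "locked"                 # brute force is throttled to N guesses per window
        return "denied"
```

Lockouts keyed only on the username let anyone lock a victim out by guessing wrong on purpose, so in practice this is paired with per-source rate limiting and alerting on repeated lockouts.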
d. Web Attacks and Mitigation Strategies
i. Cross-Site Request Forgery (CSRF) Attacks
Description: CSRF attacks trick authenticated users into performing unwanted actions on web
applications where they're currently logged in. The attack exploits the trust a web application
has in the user's browser.
How it Works:
User logs into legitimate website (e.g., online banking)
User visits malicious website while still logged in
Malicious site contains hidden requests to the legitimate site
Browser automatically includes authentication cookies with the request
Legitimate site processes the request as if user intended it
Example:
<img src="[Link]
This hidden image tag would attempt to transfer money when loaded.
Mitigation Strategies:
CSRF Tokens: Include unique, unpredictable tokens in forms that must be validated
SameSite Cookie Attribute: Restrict cookie transmission to same-site requests
Referer Header Validation: Verify requests originate from legitimate pages
Double Submit Cookie: Require matching token in both cookie and request parameter
Custom Headers: Require custom headers that can't be set by simple HTML forms
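As an added example (not part of the original solution), the Python below combines three of the listed mitigations on a state-changing "transfer" handler: a session-bound CSRF token (random nonce plus an HMAC over the session ID), a SameSite=Strict session cookie, and a required custom header. The server secret, session IDs and the request dictionaries are constructed stand-ins for a real framework's request object.

```python
import hashlib
import hmac
import secrets

# Assumed server-side secret for the demo; a real service loads it from a secrets store.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"


def issue_csrf_token(session_id: str) -> str:
    """Token = nonce.mac, where mac binds the nonce to this session so a token
    stolen from another session (or forged) does not verify."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: str) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    try:
        nonce, mac = token.split(".", 1)
    except ValueError:
        return False
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie with SameSite=Strict: the browser omits the cookie on cross-site requests,
    so a request triggered from another origin arrives unauthenticated."""
    return f"Set-Cookie: session={session_id}; Secure; HttpOnly; SameSite=Strict; Path=/"


def handle_transfer(request: dict):
    """State-changing endpoint. Returns (status, message). The request dict is a
    constructed stand-in with 'cookies', 'headers' and 'form' mappings."""
    session_id = request.get("cookies", {}).get("session")
    if not session_id:
        return 401, "not authenticated"
    # A plain HTML form or <img> cannot set this header; only same-origin scripts can.
    if request.get("headers", {}).get("X-Requested-With") != "XMLHttpRequest":
        return 403, "missing custom header"
    form = request.get("form", {})
    if not verify_csrf_token(session_id, form.get("csrf_token", "")):
        return 403, "invalid CSRF token"
    return 200, f"transferred {form.get('amount')} to {form.get('to')}"
```

The token here has no expiry; a production implementation would also embed and check a timestamp so that a leaked token is only useful for a short window.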
ii. Phishing Attacks
Description: Phishing attacks deceive users into revealing sensitive information or performing
actions by impersonating legitimate entities through fraudulent communications.
Types of Phishing:
Email Phishing: Fraudulent emails mimicking legitimate organizations
Spear Phishing: Targeted attacks against specific individuals or organizations
Vishing: Voice-based phishing using phone calls
Smishing: SMS-based phishing attacks
Pharming: Redirecting users to fake websites through DNS manipulation
Common Techniques:
Urgent language creating false sense of emergency
Spoofed sender addresses and domains
Fake login pages capturing credentials
Malicious attachments or links
Social engineering to build trust
Mitigation Strategies:
User Education: Regular security awareness training about phishing tactics
Email Filtering: Deploy advanced email security solutions with threat detection
Multi-Factor Authentication: Reduce impact of compromised credentials
Domain Authentication: Implement SPF, DKIM, and DMARC to prevent email spoofing
URL Filtering: Block access to known malicious websites
Incident Response: Establish procedures for reporting and responding to phishing
attempts
Regular Updates: Keep software and security systems current
Verification Procedures: Establish out-of-band verification for sensitive requests
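As an added example (not part of the original solution), the Python below checks the "Domain Authentication" mitigation: it parses a domain's SPF and DMARC TXT records and flags configurations that still leave the domain spoofable. The records are constructed strings passed in directly; fetching them from DNS is assumed to happen elsewhere.

```python
def parse_dmarc(txt: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; rua=mailto:x@example.com'
    into a tag -> value mapping."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_spoofing_protection(spf_txt: str, dmarc_txt: str) -> list:
    """Return a list of weaknesses; an empty list means SPF and DMARC are set to
    reject unauthorized senders of this domain."""
    findings = []

    # SPF: the final 'all' mechanism decides what happens to unlisted senders.
    terms = spf_txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        findings.append("no SPF record")
    else:
        last = terms[-1].lower()
        if last in ("all", "+all", "?all"):
            findings.append("SPF allows any sender (all/+all/?all)")
        elif last == "~all":
            findings.append("SPF softfail only (~all)")
        elif last != "-all":
            findings.append("SPF has no terminating 'all' mechanism")

    # DMARC: p=none only monitors; pct<100 leaves a share of spoofed mail unpoliced.
    dmarc = parse_dmarc(dmarc_txt)
    if dmarc.get("v") != "DMARC1":
        findings.append("no DMARC record")
    else:
        policy = dmarc.get("p", "none").lower()
        if policy == "none":
            findings.append("DMARC policy is monitor-only (p=none)")
        elif policy == "quarantine":
            findings.append("DMARC quarantines instead of rejecting")
        pct = int(dmarc.get("pct", "100"))
        if pct < 100:
            findings.append(f"DMARC applied to only {pct}% of mail")
        if "rua" not in dmarc:
            findings.append("no aggregate reporting address (rua)")
    return findings
```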
Both attacks exploit human psychology and technical vulnerabilities, making a combination of
technical controls and user education essential for effective defense.