1- Define path traversal and explain how you can find and prevent path traversal vulnerabilities.
A path traversal attack (also known as directory traversal) aims to access files and directories that are stored outside the web root folder. By manipulating variables that reference files with "dot-dot-slash (../)" sequences and their variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code, configuration files and critical system files. It should be noted that access to files is still limited by the operating system's own access control (such as in the case of locked or in-use files on the Microsoft Windows operating system).
Be sure you understand how the underlying operating system will process filenames handed off to it.
For Windows IIS servers, the web root should not be on the system disk, to prevent recursive traversal back to system directories.
Use indexes rather than actual portions of file names when templating or using language files (i.e. value 5 from the user submission = Czechoslovakian, rather than expecting the user to return "Czechoslovakian").
Ensure the user cannot supply all parts of the path; surround the user-controlled part with your own path code.
Validate the user's input by only accepting known good values; do not sanitize the data.
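As an added example (not part of the original document), the following Python code puts the last three points together: a fixed index-to-filename table, an allowlist that rejects rather than sanitizes, and a containment check on the resolved path. The base directory, filenames and index values are constructed assumptions.

```python
import os
import re

# Constructed values: the base directory, filenames and indexes are assumptions.
BASE_DIR = "/srv/app/lang"   # fixed by the application, never supplied by the user

# "Use indexes rather than actual portions of file names": the client submits a
# number and the application maps it to a filename it chose itself.
LANGUAGE_FILES = {1: "english.txt", 2: "german.txt", 5: "czechoslovakian.txt"}

# "Only accept known good": one path component of letters, digits or underscore
# plus a single .txt extension. No separators, no dots other than the extension.
ALLOWED_NAME = re.compile(r"[A-Za-z0-9_]{1,32}\.txt")


def file_for_index(index, base=BASE_DIR):
    """Return the path for a language index, or None if the index is unknown."""
    name = LANGUAGE_FILES.get(index)
    return None if name is None else os.path.join(base, name)


def is_within(base, path):
    """True if `path`, after resolving '..' and symlinks, lies below `base`."""
    real_base = os.path.realpath(base)
    real_path = os.path.realpath(path)
    return os.path.commonpath([real_base, real_path]) == real_base


def check_request(user_name, base=BASE_DIR):
    """Validate a user-supplied filename; return (accepted, path_or_reason).

    Bad input is refused outright; nothing is stripped or rewritten."""
    # 1. Allowlist the shape of the name. '../x.txt', 'a/b.txt' and
    #    '/etc/hosts' all fail here because '/' and '..' are not permitted.
    if not ALLOWED_NAME.fullmatch(user_name):
        return False, "rejected: filename does not match the allowed form"
    # 2. Defence in depth: the user supplies only the last component, and the
    #    joined path must still resolve below the base directory. This also
    #    covers os.path.join discarding `base` for an absolute user_name, and
    #    symlinks inside the directory that point back out of it.
    candidate = os.path.join(base, user_name)
    if not is_within(base, candidate):
        return False, "rejected: resolved path is outside the base directory"
    return True, os.path.realpath(candidate)


if __name__ == "__main__":
    for probe in ["german.txt", "../../config.ini", "/etc/hosts", "a.b.txt"]:
        print(f"{probe!r:>20} -> {check_request(probe)}")
```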
2- Explain Authentication
Encryption and encoding are terms that are commonly interchanged and used incorrectly. There is a great deal of difference between the two, and it is vital to know what that difference is.
1. Encryption:
Encryption is a process used to convert simple readable data, known as plaintext, into unreadable data, known as ciphertext, which can only be converted back to plaintext if the user knows the encryption key. It is used basically to keep our data safe. The main purpose of encryption is to convert our data into a form that is garbage to anyone who does not know the encryption key. It is used to prevent unauthorized access. The reverse of encryption is decryption, which is used to get the plaintext back from the ciphertext. For decryption, we must know the encryption key and the encryption algorithm.
2. Encoding:
Encoding is the process of transforming data into a format that can be easily used by different types of systems. The algorithm used to encode the data is publicly available, and the data can be easily decoded back into readable form by anyone who knows the algorithm; no key is required. The main purpose is data usability rather than confidentiality: encoding transforms data so that it can be properly consumed by a different type of system. It is not used to protect data, as it is easy to reverse in comparison to encryption.
Each protocol has its own method of how data is formatted when sent and what to do when it is received, how to check for errors in data transmission, and how data is compressed into packets/segments over the network. Examples include:
HTTP
IP
SMTP
VOIP, etc.
FIREWALL
IMPORTANCE