Brain Storming: Quiz-1(Web App)
Hi,
Hope you guys are doing well. Today, while going through my old mails, I came across the theoretical Web App Security Quiz which I created last year while working at my old company. Although it's been more than one year, the questions are still worth a shot, so I thought I'd share it with others.
Rules: There are no rules, which means you are free to use the internet to search for answers, but in the end it's totally up to you to test your knowledge & skills. Try to finish the quiz within 15 minutes.
Note: Questions are scenario-based and theoretical; take your time to think and then write down your answers. If you want to discuss them or you have any issue, please feel free to ask.
Questions:
1) User-supplied data is reflected on a page inside the value attribute of an input tag, and on that webpage the HTML Entities function with its default settings is being used for mitigating XSS. Is it possible to perform XSS here? Explain your answer (i.e. why & how).
<input type='text' value='user supplied data'>
2) What is a Cookie Same Site Attribute? What is the benefit of using it in a Web Application?
3) In a web application, there is a directory named /admin/. This directory can be accessed from only one place, i.e. when the user logs in from the webserver console; if the user tries to access it from a different location, a 403 error is displayed. This restriction is implemented by whitelisting the IP of the webserver console in the .htaccess file. If no other vulnerabilities like directory listing, file upload, etc. exist, is it possible for an attacker to access that directory from a different location? Explain your answer.
4) There is an application which is using Akamai services, and XSS is properly mitigated in this application by using input validation & output encoding. In addition to this, the "X-Originating-IP", "X-Forwarded-For", "X-Remote-IP" & "X-Remote-Addr" headers are also disabled on the server. There is a section named "User Log" in the application which displays the IP address of the computer which was used to access the application. The developer left this section unprotected as he thought there was no need to apply any XSS protection to it. Is it possible to exploit XSS in this section? Explain your answer.
5) Write an XSS payload for a case where "parentheses (), backtick ` & pseudo-protocols" are blocked.
6) Is it possible to perform a "Two Way CSRF Attack"? Give a scenario to support your answer.
7) An application's CORS-related request & response headers look like this:
Request:
Origin: null
Response:
Access-Control-Allow-Origin: null
Access-Control-Allow-Credentials: true
After authentication, a sensitive token is sent by the application in its response. Is it possible to steal it by exploiting the above-mentioned CORS configuration? If yes, then explain your answer.
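A server-side illustration of the configuration in question 7, added here and not part of the original quiz: the header logic that reflects whatever Origin the browser sent (including the literal string null) beside an allowlist version that never grants the opaque null origin. The allowlist entry and the request origins are constructed for the example.

```python
# Added example (not from the quiz): two ways a server can decide its CORS
# response headers for the configuration in question 7. The "reflecting"
# variant mirrors the request's Origin, including the literal string "null",
# and pairs it with Allow-Credentials: true. The "allowlist" variant only
# ever emits an origin from an explicit list, and "null" is never on it.
from typing import Dict, FrozenSet, Optional

# Constructed allowlist for the example; a real deployment lists its own
# front-end origins (scheme + host + port) here.
ALLOWED_ORIGINS: FrozenSet[str] = frozenset({"https://app.example.com"})


def cors_headers_reflecting(origin: Optional[str]) -> Dict[str, str]:
    """Weak behaviour matching the quiz: echo the Origin back and allow
    credentials. "null" is an opaque origin that browsers send in several
    situations, so it identifies no trusted party and must not be granted."""
    if origin is None:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }


def cors_headers_allowlist(origin: Optional[str]) -> Dict[str, str]:
    """Hardened behaviour: only a known origin is echoed, "null" is rejected
    like any unknown origin, and Vary: Origin is set so a shared cache does
    not serve one origin's headers to another."""
    if origin is None or origin == "null" or origin not in ALLOWED_ORIGINS:
        return {"Vary": "Origin"}  # no ACAO header: cross-origin read is blocked
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }


def credentialed_read_allowed(headers: Dict[str, str], origin: str) -> bool:
    """Approximates the browser's check for a credentialed cross-origin
    response: ACAO must equal the requesting origin exactly (no '*') and
    Allow-Credentials must be 'true'."""
    return (headers.get("Access-Control-Allow-Origin") == origin
            and headers.get("Access-Control-Allow-Credentials") == "true")


if __name__ == "__main__":
    for origin in ("null", "https://app.example.com", "https://other.example"):
        weak = credentialed_read_allowed(cors_headers_reflecting(origin), origin)
        safe = credentialed_read_allowed(cors_headers_allowlist(origin), origin)
        print(f"{origin:28} reflecting={weak!s:5} allowlist={safe}")
```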
8) What is the benefit of exploiting XMLRPC via the "system.multicall" method?
9) Name any attack which can be performed by exploiting the "pingback.ping" method in XMLRPC.
10) User-supplied data is reflected inside a page served with "Content-Type: text/xml". How would you perform XSS in such a scenario?
These questions are based on scenarios I faced while testing applications or are taken from the blogs of other security researchers (kudos to them for sharing their work!). Once you are done answering the questions, you can either send them to me for validation or use Google to find the correct answers.
Remain curious & keep learning. All the best!
Comment (6 years ago) from a Chief Executive Consultant @ Briskinfosec-IT Security, Information Security & Cyber security Consulting:
If you would publish the answer in a new article, it would get you more views and it would be useful for many.