Application Security

That’s a lot of questions! I’ll provide a brief overview of each topic, and suggest some books for further reading.

Salt in Hashing

  • A salt is a random value, generated fresh for each password, that is combined with the password before hashing and stored next to the resulting hash. It does not need to be secret; its job is to make every hash computation unique.
  • Because each salt differs, two users with the same password get different hashes, a precomputed table (rainbow table) built for unsalted hashes is useless, and an attacker has to attack each account's hash separately instead of testing one guess against the whole database.

Hashing and Leaked Credentials

  • If a database of usernames and hashed passwords leaks, the attacker is no longer guessing online: they can run dictionary and brute-force attacks against the hashes offline at full speed, and rainbow tables apply if the hashes are unsalted.
  • To limit the damage, hash passwords with a salted, deliberately slow password-hashing function (bcrypt, scrypt, or Argon2) rather than a fast general-purpose hash such as MD5 or SHA-256; encourage long, unique passwords; and add rate limiting and account lockout to slow online guessing. Note that rate limiting and lockout do nothing against offline cracking of leaked hashes; only the hashing scheme and password strength matter there, so a leak should also trigger forced resets.
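The following example is added here to make the two sections above concrete; it is not part of the original answer. It uses scrypt from Python's standard library as the slow, salted hash, stores the salt with the digest, verifies in constant time, and contrasts that with an unsalted SHA-256 hash that a leaked-database attacker can dictionary-crack offline. The scrypt parameters and the tiny wordlist are illustrative values constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

# scrypt work factors. Assumption: illustrative values; tune them to your
# hardware so that one hash costs tens to hundreds of milliseconds.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a record of the form 'scrypt$<salt hex>$<digest hex>'.

    A fresh random salt per password means two users with the same password
    get different records, and a precomputed table is useless.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 3 or parts[0] != "scrypt":
        return False
    try:
        salt, expected = bytes.fromhex(parts[1]), bytes.fromhex(parts[2])
    except ValueError:
        return False
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                               n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return hmac.compare_digest(candidate, expected)


def unsalted_sha256(password: str) -> str:
    """The weak scheme: fast, unsalted, identical for identical passwords."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def crack_unsalted(target_hex: str, wordlist: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack on a leaked unsalted SHA-256 hash: one cheap
    hash per guess, and the same list of guesses serves every user at once."""
    for guess in wordlist:
        if hmac.compare_digest(unsalted_sha256(guess), target_hex):
            return guess
    return None


if __name__ == "__main__":
    pw = "correct horse battery staple"
    a, b = hash_password(pw), hash_password(pw)
    print(a != b)                       # same password, different salts
    print(verify_password(pw, a))       # accepted
    print(verify_password("wrong", a))  # rejected
    # Constructed leak of an unsalted hash and a constructed wordlist
    leaked = unsalted_sha256("password1")
    print(crack_unsalted(leaked, ["123456", "qwerty", "password1"]))
```

The salted records cannot be attacked with a shared table, and each guess costs a full scrypt computation instead of one SHA-256 call; the unsalted hash falls to the first wordlist that contains the password.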

Keylogger

  • A keylogger is software (or a small hardware device placed between the keyboard and the computer) that silently records keystrokes. Because it captures the plaintext before any hashing or encryption happens, it defeats even a well-hashed password; keyloggers are a common way for passwords, card numbers and one-time codes to be stolen.

OAuth and SSO

  • OAuth 2.0 (Open Authorization) is an authorization framework: a user lets a third-party application act on their resources with limited, revocable scopes, without handing that application their password. By itself OAuth does not authenticate the user; OpenID Connect is the layer built on it for that purpose.
  • SSO (Single Sign-On) lets users authenticate once with an identity provider and then reach many applications. The password is still used, but only at the identity provider, so each application never sees it.
  • Both reduce credential sharing and password reuse, but they introduce their own failure modes: a missing or unchecked state parameter on the callback (CSRF), lax redirect URI matching that lets an attacker receive the authorization code, stolen or leaked access tokens, and tokens accepted without checking their signature, audience and expiry.
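The example below is added to illustrate the OAuth points above; it is not part of the original answer. It shows the client side of the authorization-code flow with PKCE (RFC 7636) and a per-session state value: the client builds the authorization URL, checks state on the callback, and the server-side check at the token endpoint confirms that whoever presents the code also holds the verifier. The endpoint, client ID and redirect URI are assumed placeholder values.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed values for illustration; real ones come from the authorization
# server's metadata and your client registration.
AUTHZ_ENDPOINT = "https://auth.example.com/authorize"
CLIENT_ID = "example-client"
REDIRECT_URI = "https://app.example.com/callback"


def b64url(data: bytes) -> str:
    """base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def pkce_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def make_pkce_pair() -> Tuple[str, str]:
    """Fresh high-entropy verifier (43 chars, within RFC 7636's 43..128) and
    its S256 challenge. The verifier stays client-side until token exchange."""
    verifier = b64url(secrets.token_bytes(32))
    return verifier, pkce_challenge(verifier)


def build_authorization_url(state: str, challenge: str,
                            scope: str = "openid profile") -> str:
    """Only the challenge travels over the front channel, never the verifier."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHZ_ENDPOINT}?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> Optional[str]:
    """Return the authorization code only if state matches the value bound
    to this browser session; a mismatch is treated as a CSRF attempt."""
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [""])[0]
    if not hmac.compare_digest(state.encode("utf-8"),
                               expected_state.encode("utf-8")):
        return None
    return query.get("code", [None])[0]


def server_accepts_verifier(verifier: str, stored_challenge: str) -> bool:
    """The authorization server's check at the token endpoint: a stolen code
    is useless without the verifier that produced the stored challenge."""
    return hmac.compare_digest(pkce_challenge(verifier).encode("ascii"),
                               stored_challenge.encode("ascii"))


if __name__ == "__main__":
    state = secrets.token_urlsafe(16)
    verifier, challenge = make_pkce_pair()
    print(build_authorization_url(state, challenge))
    # Constructed callback as the browser would deliver it
    callback = f"{REDIRECT_URI}?code=SplxlOBeZQQYbYS6WxSbIA&state={state}"
    code = parse_callback(callback, state)
    print(code, server_accepts_verifier(verifier, challenge))
```

State binds the callback to the session that started the flow; PKCE binds the authorization code to the client instance that requested it, so an intercepted code or a redirect to the wrong URI does not yield a token.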

HTTP Headers and Methods

  • HTTP headers carry metadata about the request or response: on requests, things like Host, Content-Type, Cookie and Authorization (bearer tokens); on responses, Set-Cookie and browser-directed security headers such as Content-Security-Policy and Strict-Transport-Security.
  • HTTP methods include:
    • GET: retrieve a resource. It must be safe (no state change) and idempotent; actions performed on GET are exposed to CSRF, prefetching and URL logging.
    • POST: create a resource or submit data; not idempotent, so retries can duplicate the action.
    • PUT: create or replace the resource at a known URL; idempotent.
    • PATCH: partially update an existing resource.
    • DELETE: remove a resource; idempotent.

Burp Suite

  • Burp Suite is an intercepting proxy and web application security testing toolkit: it sits between the browser and the server so requests and responses can be inspected, modified and replayed, and its scanner and manual tools help identify vulnerabilities like SQL injection and cross-site scripting (XSS).

API

  • An API (Application Programming Interface) is a set of defined rules that enable different applications to communicate with each other.

Business Logic

  • Business logic refers to the rules and processes that govern the behavior of a system or application.

Business Stock

  • I couldn’t find a clear definition for “business stock” in the context of security or programming. It may refer to a company’s inventory or assets.

JSON Web Token

  • A JSON Web Token (JWT) is a compact, URL-safe way of carrying claims between two parties. It has three base64url-encoded parts separated by dots: a header (algorithm and type), a payload of claims, and a signature. A signed JWT (JWS) is readable by anyone who holds it; only an encrypted JWT (JWE) hides the claims. A verifier must pin the algorithm it accepts rather than trusting the header's alg field, check the signature, and enforce exp and aud.
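The example below is added to show the JWT structure and the checks a verifier must make; it is not code from the original answer. It signs and verifies HS256 tokens with Python's standard library, reads the payload without any key to show that a signed token is not confidential, and rejects the classic forgeries: alg set to none, a tampered payload, and an expired token. The key and claims are constructed sample values.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwt_sign(claims: dict, key: bytes) -> str:
    """Produce a compact HS256 JWS: header.payload.signature."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def jwt_peek_claims(token: str) -> dict:
    """Read the payload without any key: a signed JWT is not encrypted."""
    return json.loads(b64url_decode(token.split(".")[1]))


def jwt_verify(token: str, key: bytes, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims only if the token is well formed, uses the algorithm
    this verifier pins (the header's alg is never trusted), carries a valid
    signature, and is not expired. Anything else returns None."""
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(b64url_decode(h64))
        claims = json.loads(b64url_decode(p64))
        signature = b64url_decode(s64)
        signing_input = f"{h64}.{p64}".encode("ascii")
    except ValueError:  # wrong part count, bad base64, bad JSON, non-ASCII
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    if header.get("alg") != "HS256":  # rejects "none" and RS256 confusion
        return None
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    now = int(time.time()) if now is None else now
    exp = claims.get("exp")
    if exp is not None and (not isinstance(exp, (int, float)) or now >= exp):
        return None
    return claims


if __name__ == "__main__":
    key = b"your-256-bit-secret"  # constructed sample key
    token = jwt_sign({"sub": "1234567890", "name": "John Doe", "iat": 1516239022}, key)
    print(token)
    print(jwt_peek_claims(token))          # readable by anyone
    print(jwt_verify(token, key))          # accepted
    print(jwt_verify(token, b"wrong"))     # None
```

The verifier decides the algorithm, never the token; a JWT whose header says alg none carries no signature and must be rejected, and a payload edited to claim another identity fails because the signature no longer matches.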

Encoding, Encryption, and Hashing

  • Encoding: representing data in a different format so it can be stored or transmitted (e.g., base64, URL encoding). No key is involved, so anyone can reverse it; encoding provides no confidentiality and is not a security control.
  • Encryption: making data unreadable to anyone without the key, and reversible with it (e.g., AES). It provides confidentiality, and also integrity when an authenticated mode such as AES-GCM is used.
  • Hashing: a one-way transformation of data into a fixed-size digest (e.g., SHA-256). It cannot be reversed, but a fast hash of a low-entropy input such as a password can be found by guessing, which is why passwords need a salted, slow password hash rather than plain SHA-256.