What are the two main aspects of securing a REST service?
Secure transmission (e.g., via HTTPS) and secure access (authentication/authorization).
What does HTTPS protect against?
Interception, tampering, or eavesdropping during data transmission.
Why is secure access more of a concern for developers than secure transmission?
Most attacks come through legitimate access channels, not network-layer exploits.
What protocol is HTTPS based on today?
TLS (Transport Layer Security), not SSL.
Is HTTPS secure?
Yes, if properly configured and used with secure libraries.
What is authentication vs authorization?
Authentication verifies identity; authorization checks what actions a user can perform.
How does Basic Authentication send credentials?
As a Base64-encoded string of username:password in the Authorization header.
Why must Basic Authentication always be used with HTTPS?
Because Base64 is easily decodable and not secure on its own.
What is the structure of a Basic Auth HTTP header?
Authorization: Basic <base64(username:password)>
What response does the server send if credentials are missing or incorrect?
HTTP 401 with a WWW-Authenticate header indicating the realm and charset.
How is Base64 encoding different from encryption?
Base64 is just an encoding for safe transport; it is not encryption and provides no security on its own.
What Java method is used to check credentials in the example?
A method compares the stored Base64 string with the one sent by the client.
What problem does Digest Authentication solve?
It avoids sending plain or Base64-encoded passwords over the network.
What is a nonce in Digest Authentication?
A one-time-use number sent by the server to make each request unique and prevent replay attacks.
What hashing algorithm is used in Digest Authentication?
MD5 (though it's outdated and weak).
How is the digest value calculated?
HA1 = MD5(username:realm:password)
HA2 = MD5(method:uri)
Final = MD5(HA1:nonce:HA2)
Why is Digest Authentication more secure than Basic?
It never sends the actual password, just a hash based on it and other request data.
Why is MD5 considered insecure today?
It can be reverse-engineered or collided; it's been compromised since 1996.
What is SQL Injection?
A technique where attackers manipulate SQL queries by injecting malicious input.
How do you prevent SQL Injection?
Use prepared statements or ORM frameworks, not string concatenation.
What two factors are used to assess threat severity?
Impact and likelihood.
How is severity calculated?
Severity = Impact × Likelihood
What does STRIDE stand for?
S: Spoofing
T: Tampering
R: Repudiation
I: Information disclosure
D: Denial of Service
E: Elevation of privilege
What is an example of Spoofing?
Pretending to be another user (e.g., logging in as admin).
What is Information Disclosure?
Gaining unauthorized read access to confidential data.
What does DREAD stand for?
D: Damage potential
R: Reproducibility
E: Exploitability
A: Affected users
D: Discoverability
How is DREAD used?
Each factor is scored, and the total helps determine response priority.
What are the four common responses to a discovered vulnerability?
Ignore it (not recommended)
Warn users (can be risky)
Remove affected feature
Fix it (ideal, but requires time and testing)