
The attacks


titus

Presentation Transcript


  1. The attacks
     • XSS
       • type 1: non-persistent
       • type 2: persistent
       • Advanced: other keywords (<style>, prompt()) or other technologies such as Flash

  2. The attacks
     • SQL Injection
       • first order: non-persistent
       • second order: persistent

  3. The attacks
     • Cross Channel Scripting
       • Similar to XSS and SQLi (covers all non-XSS, non-SQLi code injection vulnerabilities)
       • examples:
         • XPath Injection: unsanitized data used in XML
         • Malicious File Upload
         • Open Redirects (http://www.vulnerable.com?redirect=http://www.attacker.com)
         • Path Traversal (http://foo.com/../../barfile)

  4. The attacks
     • Session Management
       • credentials sent over unencrypted HTTP
       • weak password recovery questions
       • weak CAPTCHAs
       • predictable authentication id values
       • insecure session cookies

  5. The attacks
     • Cross-Site Request Forgery
       • Alice is logged into her bank account
       • Trudy sends Alice an e-mail containing a link with a request to transfer money to Trudy's account
         • could require a click (<a href="malicious_link">)
         • or not (<img src="malicious_link">)
       • When the request is sent by Alice (e.g. by attempting to view the image), her authentication cookie is sent with it
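The defence that follows from slide 5 is that the authentication cookie alone must not authorise a state-changing request. This is an added example, not code from the presentation: a minimal transfer handler that also requires a matching Origin/Referer and a per-session synchronizer token. The names (issue_csrf_token, process_transfer, the dict used as a session store, the bank.example origin) are assumptions made for the illustration.

```python
import hmac
import secrets
from typing import Mapping
from urllib.parse import urlsplit

# Constructed value for the example: the only site allowed to originate requests.
ALLOWED_ORIGINS = {"https://bank.example"}


def issue_csrf_token(session: dict) -> str:
    """Create a per-session synchronizer token and keep it server-side."""
    session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def _same_site(origin: str) -> bool:
    """Compare scheme and host exactly; a prefix match would accept
    https://bank.example.evil.com as if it were the bank."""
    parts = urlsplit(origin)
    return f"{parts.scheme}://{parts.netloc}" in ALLOWED_ORIGINS


def is_trusted_request(session: Mapping, headers: Mapping, form: Mapping) -> bool:
    """Decide whether a state-changing request may proceed.

    The browser attaches Alice's cookie to an <img src> or <a href> on
    Trudy's page just as it does to the bank's own form, so the cookie
    says nothing about who built the request. Two independent checks
    are required: the Origin (or Referer) header names this site, and
    the form carries the token stored in the logged-in user's session.
    """
    origin = headers.get("Origin") or headers.get("Referer", "")
    if not _same_site(origin):
        return False
    expected = session.get("csrf_token")
    submitted = form.get("csrf_token", "")
    if not expected or not submitted:
        return False
    # constant-time comparison so a mismatch does not leak the token byte by byte
    return hmac.compare_digest(expected.encode(), submitted.encode())


def process_transfer(session: dict, headers: Mapping, form: Mapping) -> str:
    """Transfer endpoint: act only when the request passed both checks."""
    if not is_trusted_request(session, headers, form):
        return "rejected: possible cross-site request forgery"
    return f"transferred {form['amount']} to {form['to']}"
```

A cookie flagged SameSite=Lax or Strict stops the browser attaching it to such cross-site requests in the first place; the token check above is the defence when that flag cannot be relied on.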

  6. The attacks
     • SSL/Server Config
       • misconfigurations in the web server or SSL

  7. Information Leakage
     • Various methods of gaining sensitive information such as database names, source code or user names
       • die() function
       • path vulnerabilities
