Application Attacks Flashcards
Mock Exam Revision
CSRF/XSRF attack
CSRF/XSRF (Cross-Site Request Forgery) is an attack where unauthorised commands are transmitted from a victim’s browser to a trusted site where the user is authenticated. It exploits the site’s trust in the user’s session (cookies). Prevented via anti-CSRF tokens, same-site cookies, and strict referrer policies.
- Exploits the trust a website has in the user’s web browser.
- A user is tricked by an attacker into submitting unauthorised web requests.
- Website executes attacker’s requests.
A type of exploit that relies on overwriting contents of memory to cause unpredictable results in an application is referred to as:
A. IV attack
B. Privilege escalation
C. Buffer overflow
D. DLL injection
Buffer Overflow
A software vulnerability where writing excess data beyond a memory buffer’s allocated space corrupts adjacent memory, potentially allowing arbitrary code execution. Common in C/C++ due to lack of bounds checking. Defences include stack canaries, DEP (Data Execution Prevention), and secure coding practices.
Which type of exploit targets web applications that generate content used to store and transport data?
A. SQL injection attack
B. CSRF/XSRF attack
C. XML injection attack
D. LDAP injection attack
XML Injection Attack
Exploits vulnerabilities in XML parsers by injecting malicious tags, entities, or scripts. Subtypes include:
- XXE (XML External Entity): Reads server files.
- XPath Injection: Manipulates database queries.
Defences include input sanitisation, schema validation, and parser hardening.
Which of the following exploits targets a protocol used for managing and accessing networked resources?
A. CSRF/XSRF attack
B. XML injection attack
C. LDAP injection attack
D. SQL injection attack
LDAP (Lightweight Directory Access Protocol) Injection Attack
Exploits insecure LDAP queries by injecting malicious search filters or commands. Similar to SQL injection but targets directory services. Defences include input sanitisation, LDAP query escaping, and strict access controls.