Mitigate Web Application Vulnerabilities and Attacks Flashcards
An attack that places path traversal sequences such as ../ in a file name submitted
to the web application so that the server reads (or writes) a file outside the web
server's root directory
Directory Traversal
A web application vulnerability that allows an attacker either to download a file
from an arbitrary location on the host file system or to upload an executable or
script file to open a backdoor
File Inclusion
An attacker supplies a URL so that the web application includes and executes a script file hosted on a remote server
Remote File Inclusion
An attacker causes the web application to include a file that already exists on the
hosting server, such as a log or configuration file
Local File Inclusion
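The two defences behind the Directory Traversal and File Inclusion cards above, as an added example that is not part of the original flashcard set: a path-containment check for file downloads, and an allowlist lookup for includes so the client never names a path or URL at all. WEB_ROOT, INCLUDES and the file names are constructed for the example.

```python
import os

# Constructed web root for the example; the directory need not exist because
# the checks below are purely path-based.
WEB_ROOT = "/var/www/html"

# Hypothetical allowlist of include names the application is willing to load.
INCLUDES = {"header": "templates/header.php", "footer": "templates/footer.php"}


def vulnerable_resolve(requested: str) -> str:
    """'Before' form: joins the client-supplied name onto the web root and
    trusts whatever comes out. ../ sequences walk out of the root."""
    return os.path.normpath(os.path.join(WEB_ROOT, requested))


def safe_resolve(requested: str):
    """Hardened form: resolve the candidate, then require that it still sits
    inside the web root. Returns None for any request that escapes."""
    if "\x00" in requested or os.path.isabs(requested):
        # os.path.join discards the root when the right side is absolute.
        return None
    root = os.path.realpath(WEB_ROOT)
    candidate = os.path.realpath(os.path.join(root, requested))
    # realpath also collapses symlinks, so a link planted inside the root
    # cannot point the check at a file outside it.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def safe_include(name: str):
    """File-inclusion fix: the client picks a key, never a path or URL, so
    neither ../ (LFI) nor http:// (RFI) can reach the include statement."""
    rel = INCLUDES.get(name)
    return os.path.join(WEB_ROOT, rel) if rel else None
```

Note that the containment check is applied to the resolved path, not to the raw string: stripping "../" from the input is not enough, because "....//" collapses to "../" after one pass.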
A malicious script hosted on the attacker’s site or coded in a link injected onto a
trusted site designed to compromise clients browsing the trusted site,
circumventing the browser’s security model of trusted zones
Cross-Site Scripting
An attack that stores a script in a back-end database used by the trusted site, so that the script is served to every user who views the affected page
Persistent XSS
An attack in which the site's own client-side script writes attacker-controlled input
(for example, part of the URL) into the page's DOM, modifying the page's content and
layout without the payload ever reaching the server
Document Object Model (DOM) XSS
Structured Query Language (SQL) is used to select, insert, delete, or update data within a database
Structured Query Language (SQL)
Insertion of additional information or code through data input from a client to an
application
Injection Attack
Attack consisting of the insertion or injection of an SQL query via input data from
the client to a web application
SQL Injection
XML data submitted without encryption or input validation is vulnerable to spoofing,
request forgery, and injection of arbitrary code
XML Vulnerabilities
A document whose DTD defines nested entities that expand exponentially when the
parser resolves them, consuming memory on the host and potentially crashing it
XML Bomb (Billion Laughs Attack)
An attack that declares an external entity in submitted XML so that the parser reads a local file (or fetches a URL) and returns its contents to the attacker
XML External Entity (XXE)
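One mitigation that covers both the XML Bomb and the XXE cards above, as an added example that is not part of the original flashcard set: a parser that aborts as soon as a DOCTYPE or entity declaration appears, so neither the nested entities nor the external entity are ever expanded. The three documents are constructed for the example; the mitigation uses only the standard-library expat bindings.

```python
from xml.parsers import expat

# Constructed payloads: a small billion-laughs document, an XXE document, and
# a benign order document that carries no DTD at all.
BILLION_LAUGHS = b"""<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
]>
<lolz>&lol2;</lolz>"""

XXE = b"""<?xml version="1.0"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<foo>&xxe;</foo>"""

BENIGN = b"<order><item sku='A1'/><item sku='B2'/></order>"


class UnsafeXML(Exception):
    """Raised when the document carries a DTD or an entity declaration."""


def parse_without_dtd(data: bytes):
    """Parse XML, refusing any DOCTYPE or entity declaration before a single
    entity is expanded. Returns (root element name, element count)."""
    parser = expat.ParserCreate()
    state = {"root": None, "count": 0}

    def on_doctype(name, system_id, public_id, has_internal_subset):
        raise UnsafeXML(f"DOCTYPE {name!r} is not permitted")

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        raise UnsafeXML(f"entity {name!r} is not permitted")

    def on_start(name, attrs):
        if state["root"] is None:
            state["root"] = name
        state["count"] += 1

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.StartElementHandler = on_start
    parser.Parse(data, True)  # an exception in a handler propagates out of here
    return state["root"], state["count"]


def is_rejected(data: bytes) -> bool:
    """True if the document was refused for carrying a DTD."""
    try:
        parse_without_dtd(data)
    except UnsafeXML:
        return True
    return False
```

Refusing the DTD outright is the usual choice for data received from clients, since a legitimate API payload rarely needs one; it sidesteps per-parser questions about which entity types are expanded by default.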
Any technique used to ensure that the data entered into a field or variable in an
application is handled appropriately by that application
Input Validation
A string is stripped of illegal characters or substrings and converted to the
accepted character set
Normalization
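Normalization followed by allowlist validation, as an added example that is not part of the original flashcard set: the input is converted to a canonical Unicode form and stripped of characters outside the accepted set, and only then checked against the rule for a username. It also shows why the order matters: a reserved-name check run on the raw string can be bypassed with fullwidth letters that normalize to ASCII. The username rule and the reserved-name list are constructed for the example.

```python
import re
import unicodedata

# Constructed policy: lowercase ASCII usernames, 3 to 32 characters.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")
RESERVED = {"admin", "root"}
# Anything outside printable ASCII is an illegal character for this field.
ILLEGAL = re.compile(r"[^\x20-\x7e]")


def normalize(value: str) -> str:
    """Normalization as the card defines it: canonical form (NFKC folds
    fullwidth and other compatibility characters to their ASCII equivalents),
    then strip illegal characters and convert to the accepted character set."""
    value = unicodedata.normalize("NFKC", value)
    value = ILLEGAL.sub("", value)
    return value.strip().lower()


def validate_username(raw: str):
    """Correct order: normalize first, then validate the canonical value.
    Returns the accepted username or None."""
    candidate = normalize(raw)
    if candidate in RESERVED or not USERNAME_RE.fullmatch(candidate):
        return None
    return candidate


def validate_username_wrong_order(raw: str):
    """Bypassable form: the reserved-name check sees the raw string, so a
    fullwidth spelling of admin slips past and then normalizes to admin."""
    if raw in RESERVED:
        return None
    candidate = normalize(raw)
    return candidate if USERNAME_RE.fullmatch(candidate) else None
```

The same ordering rule applies to every check in this set: decode, normalize and canonicalize the input first, then validate the single form the application will actually use.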