Replay attacks, Application Attack Flashcards
Replay attacks
Attacker captures a transaction message, then replays exact transaction to potentially transfer funds multiple times w/o user’s consent.
How do we avoid a replay attack?
Use a session ID w/ a password hash to create a unique authentication hash each time.
Session hijacking (Side jacking)
Manipulating a session token, attacker impersonates user and access their data or perform actions w/o authorization.
How do we prevent session hijacking?
Encrypt end-to-end
Encrypt end-to-somewhere; personal VPN, avoid capture over local wireless network.
Horizontal privilege escalation
Gain higher level access to a system.
User A can access User B resources.
*must be prioritized to patched
Injection attacks are enabled because of-
Bad programming, app should properly handle input & output.
To solve buffer overflows (not a simple exploit) , developers need to-
Perform bound checking, attackers spend a lot of time looking for openings.
Website pages consist of-
Client-side code, Server-side code
Client side
Renders page on screen
HTML, JavaScript
Server side
-Performs request from client, transfers money from one account to another, post a vid on YT.
-HTML, PHP
Cross-site request forgery
Takes advantage of trust that a web app has for the user.
What actions can be taken upon to avoid cross-site forgery?
-App should have anti-forgery techniques added
-Usually a cryptographic token to prevent a forgery.
