Web-based Attacks Flashcards
cross-site request forgery (CSRF/XSRF)
A web attack in which a page under the attacker's control causes a victim's browser to send a request to a site where the victim is already authenticated. Because the browser attaches the victim's cookies to that request automatically, the vulnerable server treats the forged request as a legitimate command issued by the trusted user.
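The mechanism in the card above, as an added example (not part of the original flashcards): a toy bank transfer endpoint modelled as Python functions. The session store, account balances and the `https://bank.example` origin are all constructed for the demo. The vulnerable handler trusts the session cookie alone; the hardened one also demands a per-session synchronizer token that a cross-site page cannot read and rejects a foreign `Origin` header.

```python
import hmac
import secrets

BANK_ORIGIN = "https://bank.example"  # assumed origin of the target site

# Constructed session store: the victim "alice" is logged in to the bank and
# her session carries a random anti-CSRF token that only the bank's own pages embed.
SESSIONS = {"sess-alice": {"user": "alice", "csrf_token": secrets.token_hex(16)}}


def fresh_balances():
    """Constructed account state, reset for every simulated request."""
    return {"alice": 100, "mallory": 0}


def transfer_vulnerable(cookies, form, headers, balances):
    """Authorises on the session cookie alone. The browser attaches that cookie to a
    POST regardless of which site's page triggered it, so a forged request is
    indistinguishable from a real one."""
    session = SESSIONS.get(cookies.get("session"))
    if session is None:
        return 401
    balances[session["user"]] -= form["amount"]
    balances[form["to"]] += form["amount"]
    return 200


def transfer_hardened(cookies, form, headers, balances):
    """Same action, plus two checks a hostile page cannot satisfy: the request must
    carry the per-session token (which cross-origin script cannot read), and a
    cross-site Origin header is rejected outright."""
    session = SESSIONS.get(cookies.get("session"))
    if session is None:
        return 401
    origin = headers.get("Origin")
    if origin is not None and origin != BANK_ORIGIN:
        return 403
    if not hmac.compare_digest(form.get("csrf_token", ""), session["csrf_token"]):
        return 403
    balances[session["user"]] -= form["amount"]
    balances[form["to"]] += form["amount"]
    return 200


def forged_request(handler):
    """Alice, still logged in, visits https://evil.example; a hidden form there
    auto-submits to the bank. The cookie rides along, the browser labels the
    request with the attacker's Origin, and the attacker cannot supply the token.
    Returns (HTTP status, Alice's balance afterwards)."""
    balances = fresh_balances()
    status = handler({"session": "sess-alice"},
                     {"to": "mallory", "amount": 50},
                     {"Origin": "https://evil.example"},
                     balances)
    return status, balances["alice"]


def legitimate_request(handler):
    """Alice submits the bank's own transfer form, which embeds her token."""
    balances = fresh_balances()
    status = handler({"session": "sess-alice"},
                     {"to": "mallory", "amount": 50,
                      "csrf_token": SESSIONS["sess-alice"]["csrf_token"]},
                     {"Origin": BANK_ORIGIN},
                     balances)
    return status, balances["alice"]


if __name__ == "__main__":
    print("vulnerable handler, forged request:", forged_request(transfer_vulnerable))
    print("hardened handler,   forged request:", forged_request(transfer_hardened))
    print("hardened handler,   legitimate:    ", legitimate_request(transfer_hardened))
```

Against the vulnerable handler the forged request succeeds and Alice loses 50; against the hardened handler it is refused with 403 while her own submission still goes through. Real browsers also offer `SameSite` cookie attributes as a defence in depth; the token check is what works everywhere.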
cross-site scripting (XSS)
A web application attack in which untrusted input (reflected straight back from the request, stored by the application, or handled by client-side script) is placed into a page without proper output encoding, so attacker-supplied markup and script execute in other users' browsers. Often exploited using script injection.
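An added example (not from the original flashcards) of reflected XSS in a search page: the vulnerable renderer echoes the `q` parameter into HTML, a block-list "fix" is bypassed by an `<img onerror>` payload, escaping without quotes is broken out of inside an attribute, and context-aware output encoding with `html.escape(..., quote=True)` holds in both places. The payloads are constructed for the demo, and the detector uses the standard-library HTML parser to flag markup a browser would execute.

```python
import html
import re
from html.parser import HTMLParser

# Constructed attacker inputs submitted as the ?q= search parameter.
SCRIPT_PAYLOAD = "<script>alert(1)</script>"
IMG_PAYLOAD = '<img src=x onerror="alert(document.cookie)">'
ATTR_PAYLOAD = '" autofocus onfocus="alert(1)'


def render_vulnerable(query):
    """Reflects the raw query into the page body: any markup in it becomes markup."""
    return f"<p>Results for: {query}</p>"


def render_blocklist(query):
    """A common wrong fix: strip <script> tags. Other elements with event-handler
    attributes still execute script."""
    cleaned = re.sub(r"(?i)</?script[^>]*>", "", query)
    return f"<p>Results for: {cleaned}</p>"


def render_text_escaped_only(query):
    """Escapes <, > and & but not quotes. Adequate in element text, but inside a
    quoted attribute value the attacker can close the quote and add attributes."""
    safe = html.escape(query, quote=False)
    return f'<input name="q" value="{safe}">'


def render_hardened(query):
    """Encode at output time for the HTML context. quote=True also encodes
    " and ', so the same value is safe both in text and in a quoted attribute."""
    safe = html.escape(query, quote=True)
    return f'<p>Results for: {safe}</p><input name="q" value="{safe}">'


class ActiveMarkupDetector(HTMLParser):
    """Tokenises the rendered page the way a browser would and flags any
    <script> element or any on* event-handler attribute."""

    def __init__(self):
        super().__init__()
        self.active = False

    def handle_starttag(self, tag, attrs):
        if tag == "script" or any(name.startswith("on") for name, _ in attrs):
            self.active = True


def executes_script(page):
    """True if the rendered HTML contains markup that would run attacker script."""
    detector = ActiveMarkupDetector()
    detector.feed(page)
    detector.close()
    return detector.active


if __name__ == "__main__":
    for name, render, payload in [
        ("vulnerable / script", render_vulnerable, SCRIPT_PAYLOAD),
        ("blocklist  / script", render_blocklist, SCRIPT_PAYLOAD),
        ("blocklist  / img   ", render_blocklist, IMG_PAYLOAD),
        ("text-only  / attr  ", render_text_escaped_only, ATTR_PAYLOAD),
        ("hardened   / img   ", render_hardened, IMG_PAYLOAD),
        ("hardened   / attr  ", render_hardened, ATTR_PAYLOAD),
    ]:
        print(f"{name}: executes_script={executes_script(render(payload))}")
```

The lesson the flashcard compresses: the fix is encoding for the output context at render time, not filtering the input, and the encoding must match the context (text node versus attribute value) the data lands in.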
Path traversal attack (“dot-dot-slash”, “directory traversal”, “directory climbing” and “backtracking”)
A path traversal attack (also known as directory traversal) aims to access files and directories that are stored outside the web root folder. By manipulating variables that reference files with “dot-dot-slash (../)” sequences or their variations (for example URL-encoded forms), or by using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code, configuration, and critical system files. It should be noted that access to files is still limited by the operating system's access control and file locking (for example, locked or in-use files on Microsoft Windows), so the web server's own privileges bound what can be read.
Directory traversal attack
A directory traversal (or path traversal) attack exploits insufficient validation or sanitization of user-supplied file names, such that characters representing “traverse to parent directory” are passed through to the operating system's file system API. An affected application can be exploited to gain unauthorized access to the file system with the privileges of the application process.
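The two traversal cards above describe the same flaw from the attacker's and the developer's side; this added example (not from the original flashcards) shows both in one script. It builds a throw-away web root in a temporary directory with a secret file one level above it, then runs a dot-dot-slash, a URL-encoded and an absolute-path request through a naive `os.path.join` reader and through a reader that canonicalises with `os.path.realpath` and checks containment. The file layout and request strings are constructed for the demo.

```python
import os
import tempfile
from urllib.parse import unquote


def build_tree():
    """Constructed layout for the demo: <tmp>/www is the web root and
    <tmp>/secret.txt sits one level above it. Returns the web root path."""
    tmp = tempfile.mkdtemp()
    root = os.path.join(tmp, "www")
    os.makedirs(os.path.join(root, "static"))
    with open(os.path.join(root, "static", "index.html"), "w") as f:
        f.write("<h1>hello</h1>")
    with open(os.path.join(tmp, "secret.txt"), "w") as f:
        f.write("db_password=hunter2")
    return root


def read_vulnerable(root, requested):
    """Joins the request path onto the web root and opens it. os.path.join follows
    '..' segments and, given an absolute path, discards the root entirely."""
    path = os.path.join(root, unquote(requested))
    with open(path) as f:
        return f.read()


def read_hardened(root, requested):
    """Decode, canonicalise (symlinks and '..' resolved), then require the result
    to lie under the canonical web root before opening it."""
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, unquote(requested)))
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise PermissionError(f"request escapes web root: {requested!r}")
    with open(candidate) as f:
        return f.read()


def traversal_attempts(root):
    """Constructed request strings: a legitimate one, classic dot-dot-slash,
    URL-encoded slashes, and an absolute path."""
    return {
        "legit": "static/index.html",
        "dotdot": "../secret.txt",
        "encoded": "static/..%2F..%2Fsecret.txt",
        "absolute": os.path.join(os.path.dirname(root), "secret.txt"),
    }


def outcome(reader, root, requested):
    """Returns the file content, or the exception class name if access was refused."""
    try:
        return reader(root, requested)
    except (PermissionError, FileNotFoundError) as exc:
        return type(exc).__name__


if __name__ == "__main__":
    root = build_tree()
    for name, req in traversal_attempts(root).items():
        print(f"{name:9} vulnerable={outcome(read_vulnerable, root, req)!r:24}"
              f" hardened={outcome(read_hardened, root, req)!r}")
```

Decoding happens exactly once, before canonicalisation, so a double-encoded `%252F` is not silently turned into a separator. On Windows the same check must also consider backslashes and drive-letter prefixes, which `os.path.realpath` handles on that platform.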
XML Injection
How does XML injection work?
XML injection manipulates or compromises the logic of an XML application or service. When untrusted input is concatenated into an XML message without escaping, the attacker can inject unintended XML content or structure (new elements, attributes, or comments) that alters the intended logic of the application and places malicious content into the resulting messages or documents.
Depending on how the application processes the resulting XML, a successful XML injection may let the attacker read data they should not see (up to the entire database behind the service) or escalate privileges, for example by injecting an element that marks their account as the website's administrator. Other issues such as XSS and denial of service (DoS) can also be leveraged through malicious XML injections.
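An added example (not from the original flashcards) of the privilege-escalation case described above: a user record is serialised to XML by string formatting, and a display name that closes `<name>` and smuggles in its own `<role>` element changes what a downstream consumer reads as the user's role. Building the document with `xml.etree.ElementTree`, or escaping the value with `xml.sax.saxutils.escape` before templating, keeps the injected tags as literal text. The record format and the payload are constructed for the demo.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed attacker-controlled input: a "display name" that closes the <name>
# element and smuggles in a <role> element of its own.
INJECTED_NAME = "alice</name><role>admin</role><name>"
HONEST_NAME = "alice"


def build_user_vulnerable(name):
    """Builds the XML record by string formatting, so markup in the name is
    interpreted as structure rather than as text."""
    return f"<user><name>{name}</name><role>user</role></user>"


def build_user_hardened(name):
    """Builds the record with ElementTree; text is serialised with < > & escaped
    automatically, so the injected tags survive only as literal characters."""
    user = ET.Element("user")
    ET.SubElement(user, "name").text = name
    ET.SubElement(user, "role").text = "user"
    return ET.tostring(user, encoding="unicode")


def build_user_escaped(name):
    """Equivalent when string templating must be kept: escape the value first."""
    return f"<user><name>{escape(name)}</name><role>user</role></user>"


def effective_role(xml_text):
    """What a downstream consumer sees: the first <role> child of <user>."""
    root = ET.fromstring(xml_text)
    return root.find("role").text


def stored_name(xml_text):
    """The name as the consumer reads it back from the document."""
    return ET.fromstring(xml_text).find("name").text


if __name__ == "__main__":
    for builder in (build_user_vulnerable, build_user_hardened, build_user_escaped):
        doc = builder(INJECTED_NAME)
        print(f"{builder.__name__}: role={effective_role(doc)!r} doc={doc}")
```

The injected document is still well-formed, which is why a parser downstream raises no error: the attack changes the document's structure, not its validity, and the consumer dutifully reads the attacker's `<role>admin</role>` first.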