Web Security - Injections and Attacks Flashcards
Types of Injection Attacks
Web Security
- Command Injection Attacks
- File Inclusion Attacks
- HTML Injections
- SQL Injections
- Cross-Site Scripting/XSS Attacks
Define
Command Injection Attacks
Web Security
When an attacker injects malicious code into the shell
Define
File Inclusion Attack
Web Security
When an application is tricked into running or exposing files on the server with PHP
Define
HTML Injection Attack
Web Security
Using tags to modify an HTML application
Define
SQL Injection
Web Security
Manipulating SQL queries to select, insert, update, and delete info/data
Defenses against Injection Attacks
Web Security
- Sanitization of user input to remove meta-characters and default allow
- Use PHP sanitization to clean/validate input data
Defenses against SQL Injections
Web Security
- Prohibit user-supplied data to modify
- Store procedures/isolate app from SQL operations
- Prepare statements for clear separation of data and code
Define
Cross-Site Scripting/XSS Attacks
Web Security
Injected malicious executable scripts using script tag
What are the two types of XSS attacks?
Web Security
Stored and reflected
Define
Stored XSS Attack
Web Security
Permanently stored injected code on a server
Define
Reflected XSS Attack
Web Security
Injected code reflected off victim’s server that is controlled by the attacker and activated through victim clicking the link
Defenses against XSS Attacks
Web Security
Sanitize all data and input to prevent new code and characters through output escaping and content security policy
Define
Output Escaping
Web Security
Special characters are replaced with character entities to prevent user input from having characters that build HTML elements
Define
Content Security Policy
Web Security
Allows the server to specify what is or isn’t allowed during page rendering, with the help of the browser
Types of UI Attacks
Web Security
- Phishing Attacks
- Manipulating URLs
- Clickjacking
- Click Interception