
Understanding Web Vulnerabilities: Types of Attacks and Prevention Strategies

This comprehensive guide explores various web vulnerabilities, including Cross-Site Scripting (XSS) attacks classified into non-persistent and persistent types, as well as advanced injection techniques like SQL Injection, XPath Injection, and Cross-Site Request Forgery (CSRF). It highlights key examples such as malicious file uploads, open redirects, and path traversal issues. Additionally, it addresses session management vulnerabilities and SSL misconfigurations that can lead to information leakage. Understanding these attack vectors can help in implementing effective security measures.

titus




Presentation Transcript


  1. The attacks
     • XSS
       • type 1: non-persistent
       • type 2: persistent
       • Advanced: other keywords (<style>, prompt()) or other technologies such as Flash

  2. The attacks
     • SQL Injection
       • first order: non-persistent
       • second order: persistent

  3. The attacks
     • Cross Channel Scripting
       • Similar to XSS and SQLI (covers all non-XSS, non-SQLI code injection vulnerabilities)
       • examples:
         • XPath Injection: unsanitized data used in XML
         • Malicious File Upload
         • Open Redirects (http://www.vulnerable.com?redirect=http://www.attacker.com)
         • Path Traversal (http://foo.com/../../barfile)

  4. The attacks
     • Session Management
       • credentials sent over unencrypted HTTP
       • weak password recovery questions
       • weak CAPTCHAs
       • predictable authentication id values
       • insecure session cookies

  5. The attacks
     • Cross-Site Request Forgery
       • Alice is logged into her bank account
       • Trudy sends Alice an e-mail containing a link with a request to transfer money to Trudy's account
         • could require a click (<a href="malicious_link">)
         • or not (<img src="malicious_link">)
       • When the request is sent by Alice (e.g. by attempting to view the image), her authentication cookie is sent with it
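The slide above explains why the cookie alone cannot authorize the transfer: Alice's browser attaches it to Trudy's forged request too. The following is an added example, not part of the presentation, showing the usual defence: a per-session CSRF token that only the bank's own form carries, plus a rule that GET never changes state. All names (`handle_transfer`, `csrf_token_for`, the session id and balances) are constructed for the demo.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

SECRET_KEY = secrets.token_bytes(32)       # server-side secret (constructed)
SESSIONS = {"sess-alice-123": "alice"}     # session id -> user (constructed)

@dataclass
class Request:
    method: str
    cookies: dict  # the browser attaches these automatically, even to cross-site requests
    form: dict     # only the bank's own form, rendered for Alice, carries the token

def csrf_token_for(session_id: str) -> str:
    """Per-session token = HMAC(secret, session id); embedded as a hidden field in the bank's form."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def handle_transfer(req: Request, balances: dict) -> tuple[int, str]:
    """Money-transfer endpoint; returns (status, message) and moves funds only on 200."""
    user = SESSIONS.get(req.cookies.get("session", ""))
    if user is None:
        return 401, "not logged in"
    # A GET triggered by <img src=...> or <a href=...> must never change state.
    if req.method != "POST":
        return 405, "state change requires POST"
    # The cookie alone proves nothing: Trudy's page makes Alice's browser send it too.
    expected = csrf_token_for(req.cookies["session"])
    if not hmac.compare_digest(req.form.get("csrf_token", ""), expected):
        return 403, "missing or invalid CSRF token"
    amount = int(req.form["amount"])
    if not 0 < amount <= balances.get(user, 0):
        return 400, "invalid amount"
    balances[user] -= amount
    balances[req.form["to"]] = balances.get(req.form["to"], 0) + amount
    return 200, "transfer ok"

def demo() -> dict:
    """Alice's legitimate transfer vs. Trudy's forged requests (constructed scenario)."""
    cookies, balances = {"session": "sess-alice-123"}, {"alice": 100, "trudy": 0}
    steal = {"to": "trudy", "amount": "100"}
    results = {
        # Trudy's <img src="https://bank/transfer?to=trudy&amount=100">: cookie sent, but it is a GET.
        "img": handle_transfer(Request("GET", cookies, steal), balances),
        # Trudy's auto-submitting form on her own site: a POST with the cookie but no token.
        "form": handle_transfer(Request("POST", cookies, steal), balances),
    }
    # Alice submitting the bank's own page, which embedded the token for her session.
    legit = {"to": "bob", "amount": "10", "csrf_token": csrf_token_for("sess-alice-123")}
    results["legit"] = handle_transfer(Request("POST", cookies, legit), balances)
    return results | {"balances": balances}
```

In a real application the token is bound to the session exactly like this, and the SameSite cookie attribute is a second, independent layer against the same attack.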

  6. The attacks
     • SSL/Server Config
       • misconfigurations in the web server or SSL

  7. Information Leakage
     • Various methods of gaining sensitive information such as database names, source code or user names
       • die() function
       • path vulnerabilities
