One click; that is all it takes for hackers to steal the information they desire. As the Internet continues to grow with new web applications, associated security threats also grow. Two of the most common, and dangerous, threats to web applications are Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (CSS); in fact, both threats appear in the 2013 OWASP Top 10 list of critical security risks. Understanding the threat of CSRF and CSS is essential to reducing the risk faced by users and developers of web applications.
CSRF
Cross-Site Request Forgery (CSRF) is an attack technique that exploits browser and HTTP weaknesses to send unauthorized requests to a web server using end-user credentials (Maes, Heyman, Desmet, & Joosen, 2009). Often, as a convenience, web applications store end-user information in cookies managed by the browser; when a web application finds this data in the browser, it assumes the data is coming from a trusted source (Maes et al., 2009). This trust, however, is exactly what a CSRF attack exploits. Once a hacker gets access to an end-user browser, any web application storing credentials in the browser becomes vulnerable to attack (Maes et al., 2009). This access is typically gained through URL manipulation or by injecting hidden form fields into a web page using Cross-Site Scripting.
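The mitigation that follows from the paragraph above is to stop trusting the cookie alone. The following is an added example (not code from the original text or its cited authors) of a synchronizer-token check: the browser attaches the session cookie to a cross-site request automatically, but a third-party page cannot read the per-session token embedded in the application's own form, so a forged request fails the check. The origin `https://bank.example`, the session id and the request dicts are constructed assumptions.

```python
import hmac
import secrets

# Constructed in-memory store of per-session CSRF tokens; a real application
# would keep the token in its server-side session. Key: session id.
SESSION_TOKENS: dict[str, str] = {}
SITE_ORIGIN = "https://bank.example"  # assumed origin of the protected app


def issue_token(session_id: str) -> str:
    """Create the synchronizer token the app embeds in its own forms."""
    token = secrets.token_urlsafe(32)
    SESSION_TOKENS[session_id] = token
    return token


def is_csrf_safe(request: dict) -> bool:
    """Return True only for requests the application's own pages issued.

    `request` is a constructed dict with the fields a framework exposes:
    method, headers (Origin), cookies (session id) and form fields.
    """
    if request["method"] in ("GET", "HEAD", "OPTIONS"):
        return True  # safe methods must not change state in the first place
    session_id = request["cookies"].get("session")
    expected = SESSION_TOKENS.get(session_id)
    if expected is None:
        return False  # no session, or no token was ever issued for it
    # Defence in depth: a browser-supplied Origin that is not ours is a forgery.
    origin = request["headers"].get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return False
    supplied = request["form"].get("csrf_token", "")
    # Constant-time comparison so the token cannot be guessed byte by byte.
    return hmac.compare_digest(supplied.encode(), expected.encode())


def demo() -> tuple[bool, bool]:
    """Legitimate transfer from our own form vs. a forged one from another site."""
    token = issue_token("sess-123")
    legit = {"method": "POST", "headers": {"Origin": SITE_ORIGIN},
             "cookies": {"session": "sess-123"},
             "form": {"to": "alice", "amount": "10", "csrf_token": token}}
    forged = {"method": "POST", "headers": {"Origin": "https://evil.example"},
              "cookies": {"session": "sess-123"},   # browser adds this automatically
              "form": {"to": "mallory", "amount": "1000"}}  # but cannot add the token
    return is_csrf_safe(legit), is_csrf_safe(forged)  # → (True, False)
```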
CSS
Another attack exploiting trust is Cross-Site Scripting (CSS). CSS works by adding malicious HTML, JavaScript, or other client-side scripts to a web application
The purpose of this paper is to touch on the issue of hacking. It goes into detail about the history, evolution, future and prevention of hacking. In addition, this paper discusses different types of hackers and their motivations for hacking. It examines the major impact caused by malicious hackers and gives modern examples of such attacks. To conclude, it predicts what hacking will look like in the near future and gives the precautionary measures information security professionals can take to mitigate the risk of being victimized.
Vulnerability 3: Cross-Site Scripting (XSS): It is one of the most common application layer hacking techniques ("What is cross-site," 2015).
Harwood, M. (2011). Security strategies in Web applications and social networking. Sudbury, Mass.: Jones & Bartlett Learning.
The common gateway interface (CGI) is a standard way for a Web server to pass a Web user's request to an application program and to receive data back to forward to the user. It is part of the Web's Hypertext Transfer Protocol (HTTP). A disadvantage of a CGI application (or "executable file," as it is sometimes called) is that each time it is run, it runs as a separate process with its own address space, resulting in extra instructions that have to be performed, especially if many instances of it are running on behalf of users. The improper use of CGI scripts exposes users to a number of vulnerabilities in system security.
If we turn the clock back about 10 or 15 years, we find that people did not care much about the security of the Web, because few were trying to exploit web applications for personal gain. More recently, the issues related to Web security have begun to grow, but unfortunately many Web applications have been developed without any consideration of security in their design.
The hacker is usually a registered customer and is familiar with the application in question. The hacker may alter a cookie stored on her computer and send it back to the Web site. Because the application does not expect changes to the cookie, it may process the poisoned cookie. The effects are usually the changing of fixed data fields, such as changing prices on an e-commerce site or changing the identity of the user logged in to the site—or anyone else the hacker chooses. The hacker is then able to perform transactions using someone else's account information. The ability to perform this hack is a result of poor encryption techniques on the Web developer's
Because Web servers are one of the few system components on a target network that typically communicate with third parties, they are frequently the targets of malicious attacks by intruders. Intruders can easily launch automated attacks against thousands of systems simultaneously to identify the relatively few vulnerable systems.
Dougherty, C., Householder, A., & Houle, K. (2002). Computer attack trends challenge Internet security. Computer, 35(4), 0005-7.
My paper focuses on a security assessment of Quality Web Design (QWD), which is a very successful company that is well-known for its magnificent and appealing websites; they work
A majority of the software risks are associated with poor programming practices, such as allowing changes in web page or SQL query structures; unrestricted upload of files; improper handling of operating system commands and log message content; unchecked Uniform Resource Locator (URL) redirection and race conditions; inappropriate resource management; and weak defenses in access control, authentication, encryption, and critical resource allocation (Stallings & Brown, 2012). One of the most popular web application attacks is known as Cross Site Scripting (XSS), where the attacker maligns a vulnerable web page or server. When a user visits the compromised web page, the infected code executes in the browser using the web server privileges. XSS attacks can take many forms, such as: reflected XSS, where the server directly processes the infected script; persistent XSS, where an infected script stored on the server is passed to the client's browser and gets stored there; stealing of cookies; defacement of web pages; phishing; execution of exploits; and violation of privacy (Chugh & Gupta,
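The reflected XSS form described above arises when a server echoes a request parameter into the page unchanged. The following is an added example (not code from the original text or its cited authors) that puts a vulnerable renderer beside a hardened one: the hardened version applies contextual output encoding with `html.escape(quote=True)`, which covers both the element-content and the quoted-attribute contexts used in the template, and adds a Content-Security-Policy header as a second layer. The page template, query strings and the CSP policy are constructed assumptions.

```python
import html
from urllib.parse import parse_qs

# Constructed search page that reflects the "q" parameter in two contexts:
# inside element content and inside a quoted attribute value.
TEMPLATE_BODY = "<p>Results for: {q}</p>"
TEMPLATE_ATTR = '<input name="q" value="{q}">'


def render_vulnerable(query_string: str) -> str:
    """Reflected XSS: the parameter is dropped into the page as-is, so a link
    carrying a script tag makes the victim's browser run it in the page's origin."""
    q = parse_qs(query_string).get("q", [""])[0]
    return TEMPLATE_BODY.format(q=q) + TEMPLATE_ATTR.format(q=q)


def render_hardened(query_string: str) -> tuple[str, dict]:
    """Same page with output encoding plus a CSP header.

    html.escape(quote=True) turns <, >, &, " and ' into entities, so the
    value can neither open a new tag nor break out of the attribute quote.
    """
    q = parse_qs(query_string).get("q", [""])[0]
    safe = html.escape(q, quote=True)
    body = TEMPLATE_BODY.format(q=safe) + TEMPLATE_ATTR.format(q=safe)
    headers = {
        # Assumed policy: no inline scripts, scripts only from our own origin.
        "Content-Security-Policy": "default-src 'self'; script-src 'self'",
        "X-Content-Type-Options": "nosniff",
    }
    return body, headers


def has_active_content(page: str) -> bool:
    """Crude marker used only to contrast the two renderers: an un-encoded
    script tag or an injected event-handler attribute."""
    lowered = page.lower()
    return "<script" in lowered or ' onfocus="' in lowered


# Constructed inputs: a script tag in element content, and an attribute
# breakout (" onfocus="...) that would add an event handler to the <input>.
SCRIPT_QS = "q=%3Cscript%3Ealert(1)%3C%2Fscript%3E"
ATTR_QS = "q=%22%20onfocus%3D%22alert(1)"
```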
This scripting language is also increasingly being used as an attack mechanism by predators who exploit vulnerabilities within the client's web browser, unpatched software, or other JavaScript-based applications to mount their attack (Karanth et al., 2011). The assailant commonly obtains the information for identity theft and for personal financial gain (Wadlow, 2009).
Web applications nowadays serve as a company's public face on the Internet. This has created the need to identify threats and attacks directed at data servers and web applications. Hackers exploit vulnerabilities in input validation and authentication affecting the web application in order to gain illegal access and disclose sensitive data or manipulate it to their benefit.
The increasing volume and sophistication of cyber security threats including targeted data theft, phishing scams and other online vulnerabilities demand that we remain vigilant about securing our systems and information.
Instead of attempting to directly obtain credentials for a financial site, social networking and email sites are targeted. The attack seeks to obtain username and password combinations, on the (likely) assumption that in many cases, users will use the same or similar combinations on other web sites. The second part of the attack is to conduct a CSS History Hack, where the phishers can determine whether the user has visited specified sites [31]. The CSS History Hack uses the 'a:visited' selector in CSS, which alters the appearance of links that have been visited [32]. Banking sites visited by users may thus be identified, and the phishers can then visit these and attempt to gain access using the compromised credential combinations.
Since the beginning of the Internet, online attacks have steadily increased, and among them the most popular is phishing. Phishing is an online security attack in which the attacker aims to obtain sensitive information such as passwords and credit card details from users by making them believe that what they see is genuine. It combines social engineering and technical methods to convince the user to reveal their personal data. This paper discusses the phishing social engineering attack theoretically and its consequences for people's lives. At the same time, it presents different techniques to detect these attacks so that they can be dealt with readily when one occurs. The paper gives a thorough survey of various phishing attacks along with their preventive measures.