Web Security Cheat Sheet
posted by John Spacey, February 28, 2011

A quick cheat sheet of web security threats.
Eavesdropping
Spying on someone who is using a website to steal data, passwords, etc. Eavesdropping may be physical or electronic.

Packet Sniffing
Viewing messages between a user's browser and a website. Website traffic may traverse public or unsecured networks — unencrypted http traffic can easily be viewed by third parties. Unencrypted Wifi connections are often the target of packet sniffers.

Spam
Annoying or fraudulent bulk email that is often used to steal website credentials.

DNS Poisoning
The Domain Name System (DNS) is like a phone book for the internet. It maps domain names to IP addresses. DNS servers are distributed — most networks have their own DNS. DNS poisoning occurs when attackers gain access to a DNS server and change domains to point to their own sites.

IP Spoofing
IP packets can easily be changed to appear to be from a different IP.

Man in the Middle Attacks
A form of eavesdropping where the attacker gets in the middle of a conversation between two victims. The victims think they are talking to each other, but in fact they are both talking to the man in the middle.

Cross-site Scripting
Injection of client-side scripts into web pages. Attackers find a vulnerability in a website that allows them to place their own client-side code into pages.

SQL Injection
User input that causes the server to execute embedded SQL code.
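To make the SQL injection entry concrete, here is an added example (not code from the original page): a login lookup that pastes user input into the SQL text, beside the parameterised form that fixes it. The users table and its rows are constructed sample data.

```python
import sqlite3

# Constructed sample data: an in-memory users table (not from the original page).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn

def login_vulnerable(conn, name, password):
    # Untrusted input is spliced straight into the statement, so quotes and
    # keywords in the input become part of the SQL the server executes.
    sql = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    return [row[0] for row in conn.execute(sql)]

def login_safe(conn, name, password):
    # Parameterised query: values travel separately from the statement text,
    # so the input is only ever compared as data and never parsed as SQL.
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]

# The classic textbook payload: turns the WHERE clause into a tautology.
INJECTED = "' OR '1'='1"
```

Run against the vulnerable function, the payload returns every user with no valid credentials at all; the parameterised version returns nothing.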
Malicious Bots
Web robots that attack a website — stealing content, automatically creating accounts, posting spam, etc.

Phishing
Fake websites designed to steal data such as passwords. Often used in conjunction with spam or DNS poisoning.

Malware
A catch-all term for all malicious software — viruses, trojan horses, spyware, adware, scareware, crimeware and any unwanted programs that get installed without user permission.

Compromised Keys
Stolen encryption keys make encrypted data readable to third parties.

Compromised Passwords
Passwords are often stolen by malware or phishing sites. Passwords may also be guessed by web robots using lists of common passwords.

Data Modification
Changing data such as http headers to deceive a target website. IP spoofing is one example of data modification.

Denial-of-Service Attack
Causing a website to go down by making a large number of requests to the site. Usually responses are ignored — so that the attacker is using far fewer resources than the victim site.
When multiple computers are involved in the attack it is referred to as a Distributed Denial-of-Service (DDoS) attack. Often zombie computers that have been taken over by malware are used in DDoS attacks.

Cross-site Request Forgery
Exploits the trust that a site has in a user's browser by tricking that browser or user into submitting requests.
Example: a website about golf that puts links to a bank website into its pages. The user clicks the links thinking that they are navigating the golf website, but in fact they are making requests to their banking site. The banking site trusts the user's browser (session cookies) and executes the requests.
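The usual defence for the golf-site scenario above is to require something the third-party page cannot supply: a per-session anti-CSRF token that the bank embeds in its own forms. The following is an added example, not code from the original page; the session store and the `handle_transfer` handler are hypothetical stand-ins for a real application's.

```python
import hmac
import secrets

# Constructed stand-in for server-side session storage (not from the original page):
# maps a session id to the anti-CSRF token issued for that session.
_sessions = {}

def start_session():
    """Create a session and issue it a random per-session CSRF token."""
    session_id = secrets.token_urlsafe(16)
    _sessions[session_id] = secrets.token_urlsafe(32)
    return session_id

def csrf_token_for(session_id):
    """Token the site embeds in its own forms, e.g. as a hidden input."""
    return _sessions[session_id]

def handle_transfer(session_id, form):
    """Hypothetical 'transfer money' handler.

    The browser attaches the session cookie to any request for this site,
    including one a golf page tricked it into sending, so the cookie alone
    does not prove the user built the request. The form must also carry the
    token, which a page on another origin cannot read.
    """
    expected = _sessions.get(session_id)
    if expected is None:
        return "no session"
    supplied = form.get("csrf_token", "")
    # Constant-time comparison so the check does not leak the token via timing.
    if not hmac.compare_digest(supplied, expected):
        return "rejected: missing or wrong CSRF token"
    return "transferred %s to %s" % (form.get("amount"), form.get("to"))
```

Marking the session cookie `SameSite` is a complementary, browser-enforced control; the token check above works regardless of browser support.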
Malicious File Execution
Hostile data in user uploaded files.

Buffer Overflow
A buffer overflow occurs when a program puts too much data in an area of memory.
Buffer overflow is one of the most common threats to web sites. Attackers send data to the application that is designed to trigger the buffer overflow.
Buffer overflow can corrupt data, crash the website or cause the execution of malicious code.

Integer Overflow
Inputting unexpected integer values such as negative integers or very large numbers. Integer overflow can cause a website to crash or have unexpected behaviour.

Content Spoofing
User input that injects content into a website such as links to other sites.

LDAP Injection
User input that causes the server to execute embedded LDAP commands.

Mail Command Injection
User input that causes the server to execute embedded mail commands.

OS Commanding
User input that causes the server to execute embedded operating system commands.

Path Traversal
Manipulating URLs to cause the web site to expose contents of directories or execute files on the server.

Predictable Resource Location
Finding hidden web server resources such as temp files, backup files, administration tools, logs, configuration files, demos and samples. Such resources may expose vulnerabilities that can be exploited.

Abuse of Functionality
Leveraging the functionality of the web site itself in an attack. Example: using password recovery functions to steal credentials, etc.

Fingerprinting
Profiling the web server (often with automated tools) to discover vulnerabilities and avenues of attack.

Null Byte Poisoning
Adding URL-encoded null byte characters to user input. Null bytes are often used as string termination points or delimiter characters by system level functions. Null byte poisoning can change the behaviour of the website or allow the attacker to run malicious commands on the server.
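The path traversal and null byte poisoning entries above describe the same weak spot: a server that maps user-controlled text onto a filesystem path. The following added example (not code from the original page) shows a resolver that rejects both, with `/srv/uploads` as an assumed, constructed base directory.

```python
import os

# Constructed base directory for the examples below (assumption, not from the page).
BASE = "/srv/uploads"

def resolve_under(base_dir, user_path):
    """Map a user-supplied path onto a file inside base_dir, or raise ValueError.

    Rejects embedded null bytes: C-level functions stop reading at the first
    NUL, so 'report.txt\\x00.jpg' could pass an extension check while the
    operating system actually opens 'report.txt'. Also rejects any path that
    escapes base_dir through '..' segments after normalisation.
    """
    if "\x00" in user_path:
        raise ValueError("null byte in path")
    base = os.path.realpath(base_dir)
    # Drop leading separators so an absolute path cannot replace base_dir.
    candidate = os.path.realpath(os.path.join(base, user_path.lstrip("/\\")))
    # After resolving '..' and symlinks, the result must still sit under base.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("path escapes base directory")
    return candidate

def is_safe(base_dir, user_path):
    """True if the path would be served, False if the resolver rejects it."""
    try:
        resolve_under(base_dir, user_path)
        return True
    except ValueError:
        return False
```
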
Brute Force
Brute force attacks involve automatic, repeated attempts to guess encryption keys, passwords or vulnerabilities.

Tip of the Iceberg
The security threats listed here are just the tip of the iceberg. There are thousands of security threats to web servers and many variations of each threat. New threats are evolving all the time.