Appendix B: Glossary of Web Application Security Threats – Hacking the Code

Appendix B

Glossary of Web Application Security Threats

Account Hijacking Taking over the account of a legitimate user, sometimes denying the rightful user access to his or her account.

Account Hopping Manipulating an existing authentication token to gain access to another user’s account.

Brute Force Attack The process of discovering user credentials by trying every possible character combination. Brute force attacks can be optimized by first trying dictionary words, common passwords, or predictable character combinations.

Backdoor Attack Exploiting poorly implemented protection mechanisms by circumventing authentication or accessing content directly.

Banner Grabbing The process of connecting to TCP ports and reading return banners to determine the type of service and software platform.

Buffer Overflow Overwriting a buffer by sending more data than a buffer can handle, resulting in the application crashing or executing code of the attacker’s choice.

Buffer Overrun See Buffer Overflow.

Command Injection Injecting special shell metacharacters or otherwise manipulating input to cause the server to run shell commands or other code of the attacker’s choice.

Console Attack An attack launched physically from the system’s local console.

Content Spoofing Creating fake web content that mimics a web site to deceive a user into revealing login credentials or other sensitive information.

Cookie Manipulation Modifying a browser cookie to exploit a security flaw in a web application.

Cookie Hijacking Stealing the authentication cookie of a legitimate user to authenticate as and impersonate that user.

Cross-Site Request Forgery (CSRF) Exploiting a site’s trust of a user to perform a transaction on behalf of the user. Usually involves tricking a user into clicking a link or embedding a link in an HTML IMG tag.

Cross-Site Scripting (XSS) An attack that involves injecting HTML or script commands into a trusted application with the purpose of hijacking a user’s cookie, session token, or account credentials.

Denial of Service (DoS) Causing an application to excessively consume system resources or to stop functioning altogether.

Directory Traversal Accessing files outside the bounds of the web application by manipulating input with directory traversal characters; also known as the double dot attack.

File system access Manipulating input to read, write, or delete protected files on disk.

Information leakage Revealing or failing to protect information that an attacker can use to compromise a system.

Luring Attack Tricking a victim into running code or taking actions on behalf of the attacker.

Man-in-the-middle (MITM) Intercepting web traffic in such a way that the attacker is able to read and modify data in transit between two systems.

Phishing A form of man-in-the-middle attack where the attacker lures a legitimate user to enter a password through a fake e-mail or web form designed to look like that of a legitimate web site.

Privilege escalation Allowing an attacker to gain the access privileges of a higher level account.

Repudiation The ability for a user to deny having taken an action or performed a transaction.

Resource exhaustion

Server-side code access Revealing the content of server-side code or configuration files by manipulating input to disguise the true file extension.

Session fixation Providing another user with a known fixed token to authenticate and then gaining access to that user’s session.

Sniffing Using a network monitoring utility to intercept passwords or other sensitive information that traverses a network.

Social engineering Using a hacker’s social skills to extract information from or otherwise manipulate employees or other trusted individuals at a target organization.

SQL injection Manipulating user input to construct SQL statements that execute on the database server.

Token brute force attacks Discovering a valid session token by submitting all possible combinations within the token’s key space.

Token hijacking Being able to access another user’s token and potentially gain access to their account.

Token keep-alive The process of periodically sending web requests to keep a session token from expiring, often used with session fixation attacks.

Token manipulation Modifying a token on the URL or in a cookie to gain unauthorized access to an application.

Token prediction Guessing or predicting a valid session token because the token scheme uses a sequential or predictable pattern.

Unauthorized access Gaining access to restricted content or data without the consent of the content owner.