6️⃣6 - Common Attacks
Other Common Web Attacks
Topics
in addition to SQLi and XSS, there are several other common web attacks that malicious actors may use to exploit vulnerabilities in web applications. Here are a few notable ones:
HTTP Method Tampering: is a type of security vulnerability that can be exploited in web apps, that occurs when an attacker manipulates the HTTP request method used to interact with a web server.
Cross-Site Request Forgery (CSRF): CSRF attacks trick users into unknowingly submitting a web request on a site where they are authenticated. This can lead to actions being performed on the user's behalf without their consent.
Cross-Site Script Inclusion (XSSI): XSSI attacks involve an attacker including external scripts in a web page, often exploiting misconfigurations in the application's content security policy.
Clickjacking: Clickjacking involves hiding malicious actions behind a legitimate-looking interface. Users unknowingly interact with the hidden elements, allowing attackers to perform actions on their behalf.
Security Misconfigurations: Improperly configured security settings, such as default passwords or unnecessary services running, can expose vulnerabilities that attackers exploit.
File Inclusion Attacks: This includes Local File Inclusion (LFI) and Remote File Inclusion (RFI). LFI occurs when an attacker can include files on a server through the web browser. RFI occurs when an attacker can include remote files, often from a malicious server.
Command Injection: Attackers can inject malicious commands into input fields that are then executed by the application. This can lead to unauthorized access or other malicious activities.
XML External Entity (XXE) Attacks: XXE attacks exploit vulnerabilities in XML processors by injecting malicious XML content. This can lead to disclosure of internal files or denial of service.
Server-Side Request Forgery (SSRF): SSRF attacks involve tricking a server into making unintended requests, often to internal resources, which can lead to unauthorized access or data exposure.
Brute Force Attacks: Attackers attempt to gain access to user accounts by systematically trying all possible combinations of usernames and passwords.
Session Hijacking and Session Fixation: Session hijacking involves stealing a user's session token to gain unauthorized access. Session fixation involves setting a user's session token, often through phishing, to hijack their session later.
Web Basics
Practise
🔬 There are many vulnerable testing web apps like:
bWAPP
DVWA - My Writeups
Theory and Lab platform
❗ Disclaimer
Never use tools and techniques on real IP addresses, hosts or networks without proper authorization!
Last updated