Comment on page
Common Web Attack and Prevention List
Broken Access Control occurs when a user is able to access or perform actions they shouldn't have permission for.
- Attackers can exploit these flaws to access unauthorized functionality or sensitive data.
- Prevention:
- Update and enforce access control policies regularly.
- Implement deny-by-default approach and principle of least privilege.
- Implement rate limiting for API and controller access.
- Use server-side authorization checks.
Cryptographic Failures happen when weak algorithms or improper implementation are used.
- Weak encryption can expose sensitive data to attackers.
- Prevention:
- Encrypt sensitive data at rest and in transit.
- Store keys securely and rotate them regularly.
- Use strong and up-to-date algorithms.
Injection flaws occur when untrusted data is sent to an interpreter as part of a command or query.
- Attackers exploit injection flaws to execute unintended commands or access unauthorized data.
- Prevention:
- Use safe APIs that avoid interpreters or provide parameterized interfaces.
- Escape special characters using specific syntax for the interpreter.
Insecure design flaws are foundational issues that lead to other vulnerabilities.
- Design software with security in mind from the beginning.
- Minimize attack surface area and follow the principle of least privilege.
- Implement defense in depth and balance usability with security.
- Perform threat modeling to identify potential attacks.
Security misconfiguration can occur at any level of the application stack.
- Improper configurations can expose default settings, open storage, or sensitive information.
- Prevention:
- Regularly verify security settings using automated tools.
- Keep software and configurations up to date.
- Follow secure hardening guides for servers.
Vulnerable and outdated components can be exploited to run arbitrary code or access sensitive data.
- Avoid using components with known vulnerabilities.
- Remove unused dependencies and features.
- Continuously monitor for new vulnerabilities and update components.
Identification and Authentication failures can lead to compromise of credentials or impersonation.
- Implement multi-factor authentication and strong password policies.
- Don't store passwords in plaintext.
- Secure session management and avoid exposing session IDs.
Software and Data Integrity Failures occur when attackers can modify or tamper with data.
- Verify and validate all data on the client and server side.
- Use strong encryption and hashing to protect data.
- Implement version control and backup systems.
Security Logging and Monitoring Failures result in unidentified security events.
- Ensure all important security events are logged with sufficient details.
- Establish effective monitoring and alerting mechanisms.
Server-Side Request Forgery (SSRF) allows attackers to make requests on behalf of the server.
- Prevent outgoing traffic from backend systems to restrict SSRF attacks.
- Use allow-lists for server-side fetched resources.
- Validate and sanitize input to prevent SSRF vulnerabilities.
- 1.Cross-Site Scripting (XSS)
- 2.Session Hijacking
- 3.Injection Attacks
- 4.Cross-Site Request Forgery (CSRF)
- 5.Server-Side Template Injection (SSTI)
- 6.Remote File Inclusion (RFI)
- 7.Cross-Origin Resource Sharing (CORS) Misconfiguration
- 8.Clickjacking
- 9.XML External Entity (XXE) Attacks
- 10.Server-Side Code Injection
- 11.Content Spoofing
- 12.Open Redirect
- 13.HTTP Header Injection
- 14.Server-Side Request Forgery (SSRF)
- 15.Path Traversal
- 16.Insecure Direct Object References (IDOR)
- 17.LDAP Injection
- 18.Cross-Site Script Inclusion (XSSI)
- 19.Remote Code Execution (RCE)
- 20.Session Fixation
- 21.Username Enumeration
- 22.HTTP Verb Tampering
- 23.Server-Side Request Cache Poisoning
- 24.Server-Side Prototype Pollution
- 25.HTML Injection
- 26.Server-Side File Upload
- 27.JavaScript Hijacking
- 28.Server-Side Event Injection
- 29.Cross-Site WebSocket Hijacking
- 30.Cross-Site Flashing
- 31.Remote Command Execution
- 32.Server-Side Denial of Service (DoS)
- 33.XML Injection
- 34.Cross-Site Request Smuggling (XRS)
- 35.Server-Side Web Cache Poisoning
- 36.HTTP Parameter Pollution
- 37.Server-Side Content Spoofing
- 38.Blind SQL Injection
- 39.Cross-Site Search Engine Optimization (SEO) Spam
- 40.Server-Side URL Redirect
- 41.XML Attribute Blowup
- 42.Cross-Site Port Attacks
- 43.Server-Side Cross-Site Scripting (XSS)
- 44.HTTP Response Splitting
- 45.Cross-Site Content Hijacking
- 46.Server-Side Formula Injection
- 47.Server-Side Header Injection
- 48.Object Injection
- 49.Cross-Site Printing
- 50.Server-Side Server-Side Template Injection (SSTI)
- 51.Clickjacking with Cursorjacking
- 52.SOAP Array Abuse
- 53.Server-Side Resource Injection
- 54.Cross-Site Session Transfer
- 55.Server-Side HTTP Parameter Pollution
- 56.Cross-Site Tracking
- 57.Server-Side Template Manipulation
- 58.Cross-Site JSONP Hijacking
- 59.Server-Side Server-Side Code Injection
- 60.HTML5 Storage XSS
- 61.Server-Side XML Injection
- 62.Cross-Site Script Inclusion (XSSI) via MIME Type Mismatch
- 63.Server-Side Code Injection via Content-Type
- 64.Session Sidejacking
- 65.Server-Side Server-Side Request Forgery (SSRF)
- 66.JavaScript Security
- 67.Server-Side Server-Side Request Splitting
- 68.Cross-Site WebSocket Hijacking via DNS Rebinding
- 69.Server-Side Web Cache Poisoning via Content Spoofing
- 70.XML Attribute Tampering
- 71.Server-Side Server-Side Content Spoofing
- 72.HTTP Parameter Tampering
- 73.Server-Side XML External Entity (XXE) Attacks
- 74.Cross-Site Server-Side Request Forgery (SSRF)
- 75.Server-Side SQL Injection
- 76.Server-Side Web Cache Poisoning via HTTP Parameter Pollution
- 77.LDAP Injection via DNS Rebinding
- 78.Server-Side Inclusion Attacks
- 79.Client-Side Clickjacking
- 80.Server-Side Command Injection
- 81.Server-Side Server-Side XML Injection
- 82.Cross-Site JSONP Hijacking via DNS Rebinding
- 83.Server-Side JSONP Hijacking
- 84.Cross-Domain Search Timing Attacks
- 85.Server-Side Server-Side Request Splitting via HTTP Parameter Pollution
- 86.Server-Side SOAP Array Abuse
- 87.Server-Side Server-Side Template Injection (SSTI) via Template Injection
- 88.Cross-Site Content Spoofing
- 89.Server-Side Server-Side Code Injection via MIME Type
- 90.Server-Side Session Fixation
- 91.Cross-Site CSRF Scanners
- 92.Server-Side Template Injection via Document Builder
- 93.Server-Side Server-Side HTTP Parameter Pollution
- 94.Cross-Site Server-Side Request Forgery (SSRF) via DNS Rebinding
- 95.Server-Side Remote File Inclusion (RFI)
- 96.Server-Side Code Execution via File Upload
- 97.Cross-Domain Web Storage Abuse
- 98.Server-Side Server-Side HTTP Response Splitting
- 99.Server-Side Server-Side XML External Entity (XXE) Attacks
- 100.Cross-Site Content Injection
Cross-Site Scripting (XSS) allows attackers to inject malicious scripts into web pages viewed by other users.
- Types of XSS attacks: Stored XSS, Reflected XSS, DOM-based XSS.
- Prevention:
- Input validation and output encoding.
- Content Security Policy (CSP) to restrict scripts execution.
Session Hijacking is the exploitation of a valid user session by an attacker.
- Attackers can gain unauthorized access to user sessions and perform actions on their behalf.
- Prevention:
- Use HTTPS for entire site.
- Regenerate session after login.
- Implement session timeout.
Injection attacks occur when untrusted data is sent to an interpreter, leading to unintended commands or data access.
- Types of injection attacks: SQL Injection, Command Injection, LDAP Injection.
- Prevention:
- Input validation and sanitization.
- Use parameterized queries or prepared statements.
- Utilize ORM tools.
Cross-Site Request Forgery (CSRF) tricks users into performing unwanted actions on a website.
- Attackers exploit the trust of a user's authenticated session to execute undesired actions.
- Prevention:
- Use anti-CSRF tokens.
- Implement SameSite Cookie attribute.
- Re-authenticate for sensitive operations.
Server-Side Template Injection allows an attacker to inject malicious templates into a server-side template engine.
- Attackers can execute arbitrary code and gain control over the server.
- Prevention:
- Input validation and sanitization of user-supplied templates.
- Avoid executing user-supplied templates.
Remote File Inclusion (RFI) is an attack that allows an attacker to include remote files on a server.
- Attackers can execute malicious code or gain unauthorized access to server files.
- Prevention:
- Avoid dynamic file inclusion from user input.
- Whitelist allowed file paths.
CORS Misconfiguration allows unauthorized access to restricted resources by misconfiguring the CORS policy.
- Attackers can bypass browser restrictions and access sensitive data.
- Prevention:
- Set appropriate CORS policies.
- Validate and sanitize user input.
Clickjacking is a technique that tricks users into clicking on malicious elements hidden within legitimate web pages.
- Attackers can perform actions on behalf of the user without their knowledge.
- Prevention:
- Implement X-Frame-Options header.
- Use frame-busting techniques.
XML External Entity (XXE) Attacks exploit the way XML parsers handle external entity references.
- Attackers can read local files, perform remote requests, or launch denial-of-service attacks.
- Prevention:
- Disable XML entity expansion.
- Use secure XML parsing libraries.
Server-Side Code Injection allows an attacker to inject and execute arbitrary code on the server-side.
- Attackers can gain unauthorized access, escalate privileges, or execute malicious commands.
- Prevention:
- Input validation and sanitization of user input.
- Use secure coding practices.
Content Spoofing involves modifying the appearance of a website to deceive users.
- Attackers can impersonate legitimate websites and steal sensitive information.
- Prevention:
- Implement strong validation and sanitization of user-generated content.
- Ensure secure communication (HTTPS).
Open Redirect allows an attacker to redirect users to a malicious website while disguising the URL.
- Attackers can trick users into visiting malicious websites and perform phishing attacks.
- Prevention:
- Implement strict input validation and sanitization.
- Use server-side redirect mechanisms.
HTTP Header Injection allows attackers to manipulate or inject malicious headers in HTTP requests or responses.
- Attackers can perform various attacks, including cache poisoning and session hijacking.
- Prevention:
- Properly validate and sanitize user input.
- Implement secure coding practices.
- Utilize web application firewalls (WAFs) for additional protection.
Path Traversal allows attackers to access files or directories outside the intended directory.
- Attackers can access sensitive files, execute arbitrary code, or escalate privileges.
- Prevention:
- Implement proper input validation and sanitization.
- Use secure coding practices.
- Avoid user input in file paths or use strict file access controls.
Insecure Direct Object References (IDOR) occur when a user can access and manipulate unauthorized objects.
- Attackers can access sensitive data or perform unauthorized actions.
- Prevention:
- Implement proper access controls and authorization checks.
- Use indirect object references instead of exposing internal identifiers.
LDAP Injection occurs when untrusted data is inserted into LDAP statements, allowing attackers to manipulate LDAP queries.
- Attackers can bypass authentication, extract sensitive information, or perform unauthorized actions.
- Prevention:
- Use parameterized queries or prepared statements specific to LDAP.
- Properly validate and sanitize user input.
Cross-Site Script Inclusion (XSSI) allows attackers to include external scripts into a web page.
- Attackers can steal sensitive information or perform malicious actions on behalf of the user.
- Prevention:
- Implement strict input validation and output encoding.
- Use Content Security Policy (CSP) to restrict script inclusion.
Remote Code Execution (RCE) enables attackers to execute arbitrary code on a remote server.
- Attackers can gain full control over the server, execute malicious commands, or perform lateral movement.
- Prevention:
- Keep software and libraries up to date.
- Implement proper input validation and sanitization.
- Apply least privilege principles.
Session Fixation is an attack where an attacker forces a user's session ID to a known value.
- Attackers can hijack user sessions and gain unauthorized access to sensitive data.
- Prevention:
- Use session management techniques that regenerate session IDs after authentication.
Username Enumeration allows attackers to determine valid usernames on a system.
- Attackers can use this information for further attacks such as brute-forcing passwords.
- Prevention:
- Implement consistent error messages for both valid and invalid usernames.
- Use strong account lockout policies to mitigate brute-force attacks.
HTTP Verb Tampering involves modifying or manipulating HTTP methods used in requests.
- Attackers can perform unauthorized actions or bypass security measures.
- Prevention:
- Implement proper access controls and authorization checks.
- Use HTTP methods appropriate for the intended operation.
Server-Side Request Cache Poisoning occurs when an attacker manipulates server-side cache mechanisms to serve malicious content.
- Attackers can poison the cache and serve malicious content to other users.
- Prevention:
- Implement secure cache control mechanisms.
- Use input validation and sanitization before storing data in the cache.
Server-Side Prototype Pollution is a vulnerability that allows attackers to modify or manipulate JavaScript objects' prototypes on the server-side.
- Attackers can modify the behavior of server-side code and execute arbitrary code.
- Prevention:
- Use input validation and sanitization to prevent user-supplied data from polluting prototypes.
- Keep software and libraries up to date to address known vulnerabilities.
HTML Injection occurs when untrusted data is inserted into HTML code without proper validation or encoding.
- Attackers can inject malicious code, steal sensitive information, or perform phishing attacks.
- Prevention:
- Properly validate and sanitize user-generated content.
- Use output encoding techniques to prevent code injection.
Server-Side File Upload vulnerabilities allow attackers to upload and execute arbitrary files on a server.
- Attackers can upload malicious files and gain unauthorized access or execute arbitrary code.
- Prevention:
- Validate file extensions and content types.
- Store uploaded files in a secure location with proper access controls.
JavaScript Hijacking occurs when an attacker intercepts or manipulates JavaScript code sent from the server to the client.
- Attackers can steal sensitive information, modify web page behavior, or perform unauthorized actions.
- Prevention:
- Implement secure communication channels (HTTPS).
- Use mechanisms such as Subresource Integrity (SRI) to ensure the integrity of loaded scripts.
Server-Side Event Injection allows attackers to inject malicious event handlers into server-side events.
- Attackers can execute arbitrary code or perform unauthorized actions.
- Prevention:
- Implement strict input validation and sanitization of event handler parameters.
- Avoid executing user-supplied event handlers.
Cross-Site WebSocket Hijacking enables attackers to hijack WebSocket connections between clients and servers.
- Attackers can steal sensitive information or perform unauthorized actions.
- Prevention:
- Implement authentication and authorization mechanisms for WebSocket connections.
- Use secure communication channels (HTTPS).
Cross-Site Flashing is a vulnerability that allows attackers to inject malicious Adobe Flash files into websites.
- Attackers can execute arbitrary code or steal sensitive information.
- Prevention:
- Avoid the use of Adobe Flash, which is being phased out and has inherent security risks.
- Keep plugins and libraries up to date.
Remote Command Execution occurs when an attacker can execute commands on a remote server.
- Attackers can execute arbitrary commands, gain unauthorized access, or perform further malicious actions.
- Prevention:
- Avoid executing user-supplied commands or data without proper validation and sanitization.
- Use input filtering and output encoding to prevent command injection.
Server-Side Denial of Service (DoS) attacks aim to disrupt the availability of server resources or services.
- Attackers can exhaust server resources, causing service interruptions or complete unavailability.
- Prevention:
- Implement rate limiting and traffic monitoring to detect and mitigate DoS attacks.
- Regularly update and patch software to address vulnerabilities.
XML Injection occurs when untrusted data is inserted into XML documents without proper validation or encoding.
- Attackers can inject malicious XML content, modify data, or perform unauthorized actions.
- Prevention:
- Validate and sanitize user input before inserting it into XML documents.
- Use secure XML parsing libraries and avoid executing user-supplied XML.
Cross-Site Request Smuggling (XRS) attacks exploit inconsistencies in how different components handle HTTP requests.
- Attackers can bypass security measures, manipulate requests, or gain unauthorized access to sensitive data.
- Prevention:
- Implement secure configurations and consistent handling of HTTP requests across components.
- Regularly update and patch software to address vulnerabilities.
Server-Side Web Cache Poisoning involves manipulating server-side caches to serve malicious content to users.
- Attackers can poison caches and serve malicious content or perform phishing attacks.
- Prevention:
- Implement secure cache control mechanisms.
- Use proper input validation and sanitization before storing data in the cache.
HTTP Parameter Pollution occurs when an attacker manipulates or injects additional parameters in HTTP requests.
- Attackers can bypass security controls, manipulate data, or perform unauthorized actions.
- Prevention:
- Implement strict input validation and sanitization of parameters.
- Use server-side checks to prevent parameter pollution.
Server-Side Content Spoofing involves modifying server responses to deceive users or deliver malicious content.
- Attackers can manipulate website content, perform phishing attacks, or distribute malware.
- Prevention:
- Implement secure configurations to prevent content tampering.
- Validate and sanitize user input to prevent content injection.
Blind SQL Injection occurs when an attacker can inject malicious SQL statements without receiving direct feedback.
- Attackers can extract sensitive information, modify data, or perform unauthorized actions.
- Prevention:
- Use parameterized queries or prepared statements.
- Implement strict input validation and sanitization to prevent SQL injection.
Cross-Site SEO Spam involves injecting spam content into web pages to manipulate search engine rankings.
- Attackers can promote malicious websites, distribute malware, or engage in other black hat SEO techniques.
- Prevention:
- Regularly monitor and review website content for SEO spam.
- Implement proper input validation and sanitization.
Server-Side URL Redirect occurs when an attacker can manipulate or inject malicious URLs in server responses.
- Attackers can redirect users to malicious websites, perform phishing attacks, or conduct further exploits.
- Prevention:
- Validate and sanitize user input before generating URLs.
- Implement proper validation of redirect destinations.
XML Attribute Blowup is an attack that exploits vulnerabilities in XML parsers, causing resource exhaustion.
- Attackers can exhaust server resources, leading to denial of service or other security breaches.
- Prevention:
- Use secure XML parsing libraries that mitigate attribute blowup attacks.
- Implement proper input validation and sanitization.
Cross-Site Port Attacks involve exploiting vulnerabilities in cross-site scripting or other techniques to scan internal network ports.
- Attackers can discover open ports and services, leading to potential further attacks.
- Prevention:
- Implement strong input validation and output encoding to prevent cross-site scripting attacks.
- Ensure that internal services and ports are properly protected and restricted.
Server-Side Cross-Site Scripting (XSS) occurs when untrusted data is reflected in server responses without proper validation or encoding.
- Attackers can inject malicious scripts into server responses, leading to the execution of arbitrary code.
- Prevention:
- Implement strict input validation and output encoding to prevent XSS attacks.
- Use content security policies (CSP) to restrict script execution.
HTTP Response Splitting involves injecting additional headers or content into HTTP responses.
- Attackers can manipulate web pages, perform phishing attacks, or bypass security controls.
- Prevention:
- Implement strict input validation and sanitization.
- Ensure proper encoding and sanitization of user-generated content.
Cross-Site Content Hijacking occurs when attackers steal or manipulate content from other websites.
- Attackers can display misleading or malicious content, perform phishing attacks, or distribute malware.
- Prevention:
- Implement content security policies to prevent content hijacking.
- Regularly monitor and review website content for unauthorized modifications.
Server-Side Formula Injection allows attackers to inject malicious formulas into server-side components.
- Attackers can execute arbitrary code, access sensitive information, or perform unauthorized actions.
- Prevention:
- Implement proper input validation and sanitization.
- Avoid executing user-supplied formulas or expressions.
Server-Side Header Injection involves injecting malicious headers into server responses.
- Attackers can manipulate web page behavior, perform session hijacking, or perform other malicious actions.
- Prevention:
- Implement strict input validation and sanitization of headers.
- Use secure coding practices to prevent header injection vulnerabilities.
Object Injection occurs when an attacker can manipulate or inject malicious objects into an application.
- Attackers can execute arbitrary code, perform unauthorized actions, or gain unauthorized access.
- Prevention:
- Implement strict input validation and sanitization.
- Use secure coding practices and avoid deserializing untrusted data.
Cross-Site Printing is an attack that exploits vulnerabilities in web browsers or printing services to disclose sensitive information.
- Attackers can print sensitive data without authorization or manipulate the printed content.
- Prevention:
- Implement strict access controls to printing services.
- Regularly update web browsers and printing software to address security vulnerabilities.
Server-Side Server-Side Template Injection (SSTI) allows attackers to inject malicious templates into server-side template engines.
- Attackers can execute arbitrary code, access sensitive information, or perform unauthorized actions.
- Prevention:
- Use secure templating engines with built-in sandboxing or template escaping mechanisms.
- Validate and sanitize user-supplied templates.
Clickjacking with Cursorjacking combines clickjacking and cursor manipulation techniques to trick users into clicking on hidden elements.
- Attackers can perform actions on behalf of the user without their knowledge or consent.
- Prevention:
- Implement X-Frame-Options header to prevent clickjacking attacks.
- Use frame-busting techniques to mitigate cursorjacking attacks.
SOAP Array Abuse involves manipulating SOAP arrays to cause memory exhaustion or denial of service attacks.
- Attackers can exhaust server resources, leading to service disruption or unavailability.
- Prevention:
- Implement proper input validation and sanitization of SOAP requests.
- Use secure SOAP libraries that mitigate array abuse vulnerabilities.
Server-Side Resource Injection allows attackers to inject malicious resources into server-side components.
- Attackers can execute arbitrary code, access sensitive information, or perform unauthorized actions.
- Prevention:
- Implement strict input validation and sanitization.
- Avoid executing user-supplied resources or dynamically loading external resources.
Cross-Site Session Transfer occurs when an attacker steals a user's session and uses it on a different site.
- Attackers can gain unauthorized access to user accounts, perform actions on their behalf, or extract sensitive information.
- Prevention:
- Implement strict session management mechanisms.
- Use session identifiers that are bound to the originating domain.
Server-Side HTTP Parameter Pollution occurs when an attacker manipulates or injects additional parameters in server-side requests.
- Attackers can bypass security controls, manipulate data, or perform unauthorized actions.
- Prevention:
- Implement strict input validation and sanitization of parameters.
- Use server-side checks to prevent parameter pollution.
Cross-Site Tracking involves tracking users across multiple websites without their knowledge or consent.
- Attackers can collect sensitive information, track user behavior, or perform targeted advertising.
- Prevention:
- Implement proper privacy measures such as cookie policies and consent mechanisms.
- Regularly review and monitor third-party tracking scripts.
Server-Side Template Manipulation allows attackers to modify server-side templates to inject malicious content.
- Attackers can manipulate website content, perform phishing attacks, or execute arbitrary code.
- Prevention:
- Use secure templating engines that prevent template injection vulnerabilities.
- Validate and sanitize user input before rendering templates.
Cross-Site JSONP Hijacking involves hijacking JSONP requests to steal sensitive data from different domains.
- Attackers can access sensitive information, perform session hijacking, or execute arbitrary code.
- Prevention:
- Implement strict validation of JSONP callbacks and sources.
- Use CSRF tokens or other anti-CSRF measures to prevent JSONP hijacking.
Server-Side Server-Side Code Injection occurs when untrusted data is injected and executed as code on the server-side.
- Attackers can execute arbitrary code, gain unauthorized access, or perform unauthorized actions.
- Prevention:
- Use secure coding practices and avoid executing user-supplied code.
- Implement proper input validation and sanitization.
HTML5 Storage XSS involves injecting malicious scripts into HTML5 storage mechanisms.
- Attackers can execute scripts in the context of other web pages, leading to the execution of arbitrary code.
- Prevention:
- Implement strict input validation and output encoding.
- Use Content Security Policy (CSP) to restrict script execution.
Server-Side XML Injection occurs when untrusted data is injected into XML documents on the server-side.
- Attackers can manipulate XML data, perform unauthorized actions, or disclose sensitive information.
- Prevention:
- Implement proper input validation and sanitization.
- Use secure XML parsing libraries and avoid executing user-supplied XML.
Cross-Site Script Inclusion (XSSI) via MIME Type Mismatch involves injecting malicious scripts using MIME type inconsistencies.
- Attackers can execute scripts in the context of other web pages, leading to the execution of arbitrary code.
- Prevention:
- Use strict content type validation and enforce proper MIME type handling.
- Implement proper output encoding to prevent script inclusion vulnerabilities.
Server-Side Code Injection via Content-Type occurs when untrusted data is injected into server requests' Content-Type header.
- Attackers can execute arbitrary code, perform unauthorized actions, or gain unauthorized access.
- Prevention:
- Implement strict input validation and sanitization of Content-Type headers.
- Use secure coding practices and avoid executing user-supplied code.
Session Sidejacking involves intercepting and hijacking user sessions over unencrypted connections.
- Attackers can gain unauthorized access to user accounts, perform actions on their behalf, or extract sensitive information.
- Prevention:
- Implement secure communication channels (HTTPS) to encrypt session data.
- Use secure session management techniques.
Server-Side Server-Side Request Forgery (SSRF) via DNS Rebinding occurs when an attacker manipulates DNS resolution to make requests to internal resources.
- Attackers can bypass firewall restrictions, perform port scanning, or access internal resources.
- Prevention:
- Implement strict input validation and sanitization of user-supplied URLs.
- Use allow-lists or access controls to restrict outbound requests.
Server-Side Web Cache Poisoning via Content Spoofing involves manipulating server-side caches to serve spoofed or malicious content to users.