Main Site Sponsor Medium Blog Youtube Discord LinkedIN

Common Web Attack and Prevention List

OWASP Top 10

Broken Access Control

Broken Access Control occurs when a user is able to access or perform actions they shouldn't have permission for.

  • Attackers can exploit these flaws to access unauthorized functionality or sensitive data.

  • Prevention:

    • Update and enforce access control policies regularly.

    • Implement deny-by-default approach and principle of least privilege.

    • Implement rate limiting for API and controller access.

    • Use server-side authorization checks.

Cryptographic Failures

Cryptographic Failures happen when weak algorithms or improper implementation are used.

  • Weak encryption can expose sensitive data to attackers.

  • Prevention:

    • Encrypt sensitive data at rest and in transit.

    • Store keys securely and rotate them regularly.

    • Use strong and up-to-date algorithms.

Injection

Injection flaws occur when untrusted data is sent to an interpreter as part of a command or query.

  • Attackers exploit injection flaws to execute unintended commands or access unauthorized data.

  • Prevention:

    • Use safe APIs that avoid interpreters or provide parameterized interfaces.

    • Escape special characters using specific syntax for the interpreter.

Insecure Design

Insecure design flaws are foundational issues that lead to other vulnerabilities.

  • Design software with security in mind from the beginning.

  • Minimize attack surface area and follow the principle of least privilege.

  • Implement defense in depth and balance usability with security.

  • Perform threat modeling to identify potential attacks.

Security Misconfiguration

Security misconfiguration can occur at any level of the application stack.

  • Improper configurations can expose default settings, open storage, or sensitive information.

  • Prevention:

    • Regularly verify security settings using automated tools.

    • Keep software and configurations up to date.

    • Follow secure hardening guides for servers.

Vulnerable and Outdated Components

Vulnerable and outdated components can be exploited to run arbitrary code or access sensitive data.

  • Avoid using components with known vulnerabilities.

  • Remove unused dependencies and features.

  • Continuously monitor for new vulnerabilities and update components.

Identification and Authentication Failures

Identification and Authentication failures can lead to compromise of credentials or impersonation.

  • Implement multi-factor authentication and strong password policies.

  • Don't store passwords in plaintext.

  • Secure session management and avoid exposing session IDs.

Software and Data Integrity Failures

Software and Data Integrity Failures occur when attackers can modify or tamper with data.

  • Verify and validate all data on the client and server side.

  • Use strong encryption and hashing to protect data.

  • Implement version control and backup systems.

Security Logging and Monitoring Failures

Security Logging and Monitoring Failures result in unidentified security events.

  • Ensure all important security events are logged with sufficient details.

  • Establish effective monitoring and alerting mechanisms.

Server-Side Request Forgery (SSRF)

Server-Side Request Forgery (SSRF) allows attackers to make requests on behalf of the server.

  • Prevent outgoing traffic from backend systems to restrict SSRF attacks.

  • Use allow-lists for server-side fetched resources.

  • Validate and sanitize input to prevent SSRF vulnerabilities.

Notable Web Attack Vectors

Table of Contents

  1. Cross-Site Scripting (XSS)

  2. Session Hijacking

  3. Injection Attacks

  4. Cross-Site Request Forgery (CSRF)

  5. Server-Side Template Injection (SSTI)

  6. Remote File Inclusion (RFI)

  7. Cross-Origin Resource Sharing (CORS) Misconfiguration

  8. Clickjacking

  9. XML External Entity (XXE) Attacks

  10. Server-Side Code Injection

  11. Content Spoofing

  12. Open Redirect

  13. HTTP Header Injection

  14. Server-Side Request Forgery (SSRF)

  15. Path Traversal

  16. Insecure Direct Object References (IDOR)

  17. LDAP Injection

  18. Cross-Site Script Inclusion (XSSI)

  19. Remote Code Execution (RCE)

  20. Session Fixation

  21. Username Enumeration

  22. HTTP Verb Tampering

  23. Server-Side Request Cache Poisoning

  24. Server-Side Prototype Pollution

  25. HTML Injection

  26. Server-Side File Upload

  27. JavaScript Hijacking

  28. Server-Side Event Injection

  29. Cross-Site WebSocket Hijacking

  30. Cross-Site Flashing

  31. Remote Command Execution

  32. Server-Side Denial of Service (DoS)

  33. XML Injection

  34. Cross-Site Request Smuggling (XRS)

  35. Server-Side Web Cache Poisoning

  36. HTTP Parameter Pollution

  37. Server-Side Content Spoofing

  38. Blind SQL Injection

  39. Cross-Site Search Engine Optimization (SEO) Spam

  40. Server-Side URL Redirect

  41. XML Attribute Blowup

  42. Cross-Site Port Attacks

  43. Server-Side Cross-Site Scripting (XSS)

  44. HTTP Response Splitting

  45. Cross-Site Content Hijacking

  46. Server-Side Formula Injection

  47. Server-Side Header Injection

  48. Object Injection

  49. Cross-Site Printing

  50. Server-Side Server-Side Template Injection (SSTI)

  51. Clickjacking with Cursorjacking

  52. SOAP Array Abuse

  53. Server-Side Resource Injection

  54. Cross-Site Session Transfer

  55. Server-Side HTTP Parameter Pollution

  56. Cross-Site Tracking

  57. Server-Side Template Manipulation

  58. Cross-Site JSONP Hijacking

  59. Server-Side Server-Side Code Injection

  60. HTML5 Storage XSS

  61. Server-Side XML Injection

  62. Cross-Site Script Inclusion (XSSI) via MIME Type Mismatch

  63. Server-Side Code Injection via Content-Type

  64. Session Sidejacking

  65. Server-Side Server-Side Request Forgery (SSRF)

  66. JavaScript Security

  67. Server-Side Server-Side Request Splitting

  68. Cross-Site WebSocket Hijacking via DNS Rebinding

  69. Server-Side Web Cache Poisoning via Content Spoofing

  70. XML Attribute Tampering

  71. Server-Side Server-Side Content Spoofing

  72. HTTP Parameter Tampering

  73. Server-Side XML External Entity (XXE) Attacks

  74. Cross-Site Server-Side Request Forgery (SSRF)

  75. Server-Side SQL Injection

  76. Server-Side Web Cache Poisoning via HTTP Parameter Pollution

  77. LDAP Injection via DNS Rebinding

  78. Server-Side Inclusion Attacks

  79. Client-Side Clickjacking

  80. Server-Side Command Injection

  81. Server-Side Server-Side XML Injection

  82. Cross-Site JSONP Hijacking via DNS Rebinding

  83. Server-Side JSONP Hijacking

  84. Cross-Domain Search Timing Attacks

  85. Server-Side Server-Side Request Splitting via HTTP Parameter Pollution

  86. Server-Side SOAP Array Abuse

  87. Server-Side Server-Side Template Injection (SSTI) via Template Injection

  88. Cross-Site Content Spoofing

  89. Server-Side Server-Side Code Injection via MIME Type

  90. Server-Side Session Fixation

  91. Cross-Site CSRF Scanners

  92. Server-Side Template Injection via Document Builder

  93. Server-Side Server-Side HTTP Parameter Pollution

  94. Cross-Site Server-Side Request Forgery (SSRF) via DNS Rebinding

  95. Server-Side Remote File Inclusion (RFI)

  96. Server-Side Code Execution via File Upload

  97. Cross-Domain Web Storage Abuse

  98. Server-Side Server-Side HTTP Response Splitting

  99. Server-Side Server-Side XML External Entity (XXE) Attacks

  100. Cross-Site Content Injection

Cross-Site Scripting (XSS)

Cross-Site Scripting (XSS) allows attackers to inject malicious scripts into web pages viewed by other users.

  • Types of XSS attacks: Stored XSS, Reflected XSS, DOM-based XSS.

  • Prevention:

    • Input validation and output encoding.

    • Content Security Policy (CSP) to restrict scripts execution.

Session Hijacking

Session Hijacking is the exploitation of a valid user session by an attacker.

  • Attackers can gain unauthorized access to user sessions and perform actions on their behalf.

  • Prevention:

    • Use HTTPS for entire site.

    • Regenerate session after login.

    • Implement session timeout.

Injection Attacks

Injection attacks occur when untrusted data is sent to an interpreter, leading to unintended commands or data access.

  • Types of injection attacks: SQL Injection, Command Injection, LDAP Injection.

  • Prevention:

    • Input validation and sanitization.

    • Use parameterized queries or prepared statements.

    • Utilize ORM tools.

Cross-Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) tricks users into performing unwanted actions on a website.

  • Attackers exploit the trust of a user's authenticated session to execute undesired actions.

  • Prevention:

    • Use anti-CSRF tokens.

    • Implement SameSite Cookie attribute.

    • Re-authenticate for sensitive operations.

Server-Side Template Injection (SSTI)

Server-Side Template Injection allows an attacker to inject malicious templates into a server-side template engine.

  • Attackers can execute arbitrary code and gain control over the server.

  • Prevention:

    • Input validation and sanitization of user-supplied templates.

    • Avoid executing user-supplied templates.

Remote File Inclusion (RFI)

Remote File Inclusion (RFI) is an attack that allows an attacker to include remote files on a server.

  • Attackers can execute malicious code or gain unauthorized access to server files.

  • Prevention:

    • Avoid dynamic file inclusion from user input.

    • Whitelist allowed file paths.

Cross-Origin Resource Sharing (CORS) Misconfiguration

CORS Misconfiguration allows unauthorized access to restricted resources by misconfiguring the CORS policy.

  • Attackers can bypass browser restrictions and access sensitive data.

  • Prevention:

    • Set appropriate CORS policies.

    • Validate and sanitize user input.

Clickjacking

Clickjacking is a technique that tricks users into clicking on malicious elements hidden within legitimate web pages.

  • Attackers can perform actions on behalf of the user without their knowledge.

  • Prevention:

    • Implement X-Frame-Options header.

    • Use frame-busting techniques.

XML External Entity (XXE) Attacks

XML External Entity (XXE) Attacks exploit the way XML parsers handle external entity references.

  • Attackers can read local files, perform remote requests, or launch denial-of-service attacks.

  • Prevention:

    • Disable XML entity expansion.

    • Use secure XML parsing libraries.

Server-Side Code Injection

Server-Side Code Injection allows an attacker to inject and execute arbitrary code on the server-side.

  • Attackers can gain unauthorized access, escalate privileges, or execute malicious commands.

  • Prevention:

    • Input validation and sanitization of user input.

    • Use secure coding practices.

Content Spoofing

Content Spoofing involves modifying the appearance of a website to deceive users.

  • Attackers can impersonate legitimate websites and steal sensitive information.

  • Prevention:

    • Implement strong validation and sanitization of user-generated content.

    • Ensure secure communication (HTTPS).

Open Redirect

Open Redirect allows an attacker to redirect users to a malicious website while disguising the URL.

  • Attackers can trick users into visiting malicious websites and perform phishing attacks.

  • Prevention:

    • Implement strict input validation and sanitization.

    • Use server-side redirect mechanisms.

HTTP Header Injection

HTTP Header Injection allows attackers to manipulate or inject malicious headers in HTTP requests or responses.

  • Attackers can perform various attacks, including cache poisoning and session hijacking.

  • Prevention:

    • Properly validate and sanitize user input.

    • Implement secure coding practices.

    • Utilize web application firewalls (WAFs) for additional protection.

Path Traversal

Path Traversal allows attackers to access files or directories outside the intended directory.

  • Attackers can access sensitive files, execute arbitrary code, or escalate privileges.

  • Prevention:

    • Implement proper input validation and sanitization.

    • Use secure coding practices.

    • Avoid user input in file paths or use strict file access controls.

Insecure Direct Object References (IDOR)

Insecure Direct Object References (IDOR) occur when a user can access and manipulate unauthorized objects.

  • Attackers can access sensitive data or perform unauthorized actions.

  • Prevention:

    • Implement proper access controls and authorization checks.

    • Use indirect object references instead of exposing internal identifiers.

LDAP Injection

LDAP Injection occurs when untrusted data is inserted into LDAP statements, allowing attackers to manipulate LDAP queries.

  • Attackers can bypass authentication, extract sensitive information, or perform unauthorized actions.

  • Prevention:

    • Use parameterized queries or prepared statements specific to LDAP.

    • Properly validate and sanitize user input.

Cross-Site Script Inclusion (XSSI)

Cross-Site Script Inclusion (XSSI) allows attackers to include external scripts into a web page.

  • Attackers can steal sensitive information or perform malicious actions on behalf of the user.

  • Prevention:

    • Implement strict input validation and output encoding.

    • Use Content Security Policy (CSP) to restrict script inclusion.

Remote Code Execution (RCE)

Remote Code Execution (RCE) enables attackers to execute arbitrary code on a remote server.

  • Attackers can gain full control over the server, execute malicious commands, or perform lateral movement.

  • Prevention:

    • Keep software and libraries up to date.

    • Implement proper input validation and sanitization.

    • Apply least privilege principles.

Session Fixation

Session Fixation is an attack where an attacker forces a user's session ID to a known value.

  • Attackers can hijack user sessions and gain unauthorized access to sensitive data.

  • Prevention:

    • Use session management techniques that regenerate session IDs after authentication.

Username Enumeration

Username Enumeration allows attackers to determine valid usernames on a system.

  • Attackers can use this information for further attacks such as brute-forcing passwords.

  • Prevention:

    • Implement consistent error messages for both valid and invalid usernames.

    • Use strong account lockout policies to mitigate brute-force attacks.

HTTP Verb Tampering

HTTP Verb Tampering involves modifying or manipulating HTTP methods used in requests.

  • Attackers can perform unauthorized actions or bypass security measures.

  • Prevention:

    • Implement proper access controls and authorization checks.

    • Use HTTP methods appropriate for the intended operation.

Server-Side Request Cache Poisoning

Server-Side Request Cache Poisoning occurs when an attacker manipulates server-side cache mechanisms to serve malicious content.

  • Attackers can poison the cache and serve malicious content to other users.

  • Prevention:

    • Implement secure cache control mechanisms.

    • Use input validation and sanitization before storing data in the cache.

Server-Side Prototype Pollution

Server-Side Prototype Pollution is a vulnerability that allows attackers to modify or manipulate JavaScript objects' prototypes on the server-side.

  • Attackers can modify the behavior of server-side code and execute arbitrary code.

  • Prevention:

    • Use input validation and sanitization to prevent user-supplied data from polluting prototypes.

    • Keep software and libraries up to date to address known vulnerabilities.

HTML Injection

HTML Injection occurs when untrusted data is inserted into HTML code without proper validation or encoding.

  • Attackers can inject malicious code, steal sensitive information, or perform phishing attacks.

  • Prevention:

    • Properly validate and sanitize user-generated content.

    • Use output encoding techniques to prevent code injection.

Server-Side File Upload

Server-Side File Upload vulnerabilities allow attackers to upload and execute arbitrary files on a server.

  • Attackers can upload malicious files and gain unauthorized access or execute arbitrary code.

  • Prevention:

    • Validate file extensions and content types.

    • Store uploaded files in a secure location with proper access controls.

JavaScript Hijacking

JavaScript Hijacking occurs when an attacker intercepts or manipulates JavaScript code sent from the server to the client.

  • Attackers can steal sensitive information, modify web page behavior, or perform unauthorized actions.

  • Prevention:

    • Implement secure communication channels (HTTPS).

    • Use mechanisms such as Subresource Integrity (SRI) to ensure the integrity of loaded scripts.

Server-Side Event Injection

Server-Side Event Injection allows attackers to inject malicious event handlers into server-side events.

  • Attackers can execute arbitrary code or perform unauthorized actions.

  • Prevention:

    • Implement strict input validation and sanitization of event handler parameters.

    • Avoid executing user-supplied event handlers.

Cross-Site WebSocket Hijacking

Cross-Site WebSocket Hijacking enables attackers to hijack WebSocket connections between clients and servers.

  • Attackers can steal sensitive information or perform unauthorized actions.

  • Prevention:

    • Implement authentication and authorization mechanisms for WebSocket connections.

    • Use secure communication channels (HTTPS).

Cross-Site Flashing

Cross-Site Flashing is a vulnerability that allows attackers to inject malicious Adobe Flash files into websites.

  • Attackers can execute arbitrary code or steal sensitive information.

  • Prevention:

    • Avoid the use of Adobe Flash, which is being phased out and has inherent security risks.

    • Keep plugins and libraries up to date.

Remote Command Execution

Remote Command Execution occurs when an attacker can execute commands on a remote server.

  • Attackers can execute arbitrary commands, gain unauthorized access, or perform further malicious actions.

  • Prevention:

    • Avoid executing user-supplied commands or data without proper validation and sanitization.

    • Use input filtering and output encoding to prevent command injection.

Server-Side Denial of Service (DoS)

Server-Side Denial of Service (DoS) attacks aim to disrupt the availability of server resources or services.

  • Attackers can exhaust server resources, causing service interruptions or complete unavailability.

  • Prevention:

    • Implement rate limiting and traffic monitoring to detect and mitigate DoS attacks.

    • Regularly update and patch software to address vulnerabilities.

XML Injection

XML Injection occurs when untrusted data is inserted into XML documents without proper validation or encoding.

  • Attackers can inject malicious XML content, modify data, or perform unauthorized actions.

  • Prevention:

    • Validate and sanitize user input before inserting it into XML documents.

    • Use secure XML parsing libraries and avoid executing user-supplied XML.

Cross-Site Request Smuggling (XRS)

Cross-Site Request Smuggling (XRS) attacks exploit inconsistencies in how different components handle HTTP requests.

  • Attackers can bypass security measures, manipulate requests, or gain unauthorized access to sensitive data.

  • Prevention:

    • Implement secure configurations and consistent handling of HTTP requests across components.

    • Regularly update and patch software to address vulnerabilities.

Server-Side Web Cache Poisoning

Server-Side Web Cache Poisoning involves manipulating server-side caches to serve malicious content to users.

  • Attackers can poison caches and serve malicious content or perform phishing attacks.

  • Prevention:

    • Implement secure cache control mechanisms.

    • Use proper input validation and sanitization before storing data in the cache.

HTTP Parameter Pollution

HTTP Parameter Pollution occurs when an attacker manipulates or injects additional parameters in HTTP requests.

  • Attackers can bypass security controls, manipulate data, or perform unauthorized actions.

  • Prevention:

    • Implement strict input validation and sanitization of parameters.

    • Use server-side checks to prevent parameter pollution.

Server-Side Content Spoofing

Server-Side Content Spoofing involves modifying server responses to deceive users or deliver malicious content.

  • Attackers can manipulate website content, perform phishing attacks, or distribute malware.

  • Prevention:

    • Implement secure configurations to prevent content tampering.

    • Validate and sanitize user input to prevent content injection.

Blind SQL Injection

Blind SQL Injection occurs when an attacker can inject malicious SQL statements without receiving direct feedback.

  • Attackers can extract sensitive information, modify data, or perform unauthorized actions.

  • Prevention:

    • Use parameterized queries or prepared statements.

    • Implement strict input validation and sanitization to prevent SQL injection.

Cross-Site Search Engine Optimization (SEO) Spam

Cross-Site SEO Spam involves injecting spam content into web pages to manipulate search engine rankings.

  • Attackers can promote malicious websites, distribute malware, or engage in other black hat SEO techniques.

  • Prevention:

    • Regularly monitor and review website content for SEO spam.

    • Implement proper input validation and sanitization.

Server-Side URL Redirect

Server-Side URL Redirect occurs when an attacker can manipulate or inject malicious URLs in server responses.

  • Attackers can redirect users to malicious websites, perform phishing attacks, or conduct further exploits.

  • Prevention:

    • Validate and sanitize user input before generating URLs.

    • Implement proper validation of redirect destinations.

XML Attribute Blowup

XML Attribute Blowup is an attack that exploits vulnerabilities in XML parsers, causing resource exhaustion.

  • Attackers can exhaust server resources, leading to denial of service or other security breaches.

  • Prevention:

    • Use secure XML parsing libraries that mitigate attribute blowup attacks.

    • Implement proper input validation and sanitization.

Cross-Site Port Attacks

Cross-Site Port Attacks involve exploiting vulnerabilities in cross-site scripting or other techniques to scan internal network ports.

  • Attackers can discover open ports and services, leading to potential further attacks.

  • Prevention:

    • Implement strong input validation and output encoding to prevent cross-site scripting attacks.

    • Ensure that internal services and ports are properly protected and restricted.

Server-Side Cross-Site Scripting (XSS)

Server-Side Cross-Site Scripting (XSS) occurs when untrusted data is reflected in server responses without proper validation or encoding.

  • Attackers can inject malicious scripts into server responses, leading to the execution of arbitrary code.

  • Prevention:

    • Implement strict input validation and output encoding to prevent XSS attacks.

    • Use content security policies (CSP) to restrict script execution.

HTTP Response Splitting

HTTP Response Splitting involves injecting additional headers or content into HTTP responses.

  • Attackers can manipulate web pages, perform phishing attacks, or bypass security controls.

  • Prevention:

    • Implement strict input validation and sanitization.

    • Ensure proper encoding and sanitization of user-generated content.

Cross-Site Content Hijacking

Cross-Site Content Hijacking occurs when attackers steal or manipulate content from other websites.

  • Attackers can display misleading or malicious content, perform phishing attacks, or distribute malware.

  • Prevention:

    • Implement content security policies to prevent content hijacking.

    • Regularly monitor and review website content for unauthorized modifications.

Server-Side Formula Injection

Server-Side Formula Injection allows attackers to inject malicious formulas into server-side components.

  • Attackers can execute arbitrary code, access sensitive information, or perform unauthorized actions.

  • Prevention:

    • Implement proper input validation and sanitization.

    • Avoid executing user-supplied formulas or expressions.

Server-Side Header Injection

Server-Side Header Injection involves injecting malicious headers into server responses.

  • Attackers can manipulate web page behavior, perform session hijacking, or perform other malicious actions.

  • Prevention:

    • Implement strict input validation and sanitization of headers.

    • Use secure coding practices to prevent header injection vulnerabilities.

Object Injection

Object Injection occurs when an attacker can manipulate or inject malicious objects into an application.

  • Attackers can execute arbitrary code, perform unauthorized actions, or gain unauthorized access.

  • Prevention:

    • Implement strict input validation and sanitization.

    • Use secure coding practices and avoid deserializing untrusted data.

Cross-Site Printing

Cross-Site Printing is an attack that exploits vulnerabilities in web browsers or printing services to disclose sensitive information.

  • Attackers can print sensitive data without authorization or manipulate the printed content.

  • Prevention:

    • Implement strict access controls to printing services.

    • Regularly update web browsers and printing software to address security vulnerabilities.

Server-Side Server-Side Template Injection (SSTI)

Server-Side Server-Side Template Injection (SSTI) allows attackers to inject malicious templates into server-side template engines.

  • Attackers can execute arbitrary code, access sensitive information, or perform unauthorized actions.

  • Prevention:

    • Use secure templating engines with built-in sandboxing or template escaping mechanisms.

    • Validate and sanitize user-supplied templates.

Clickjacking with Cursorjacking

Clickjacking with Cursorjacking combines clickjacking and cursor manipulation techniques to trick users into clicking on hidden elements.

  • Attackers can perform actions on behalf of the user without their knowledge or consent.

  • Prevention:

    • Implement X-Frame-Options header to prevent clickjacking attacks.

    • Use frame-busting techniques to mitigate cursorjacking attacks.

SOAP Array Abuse

SOAP Array Abuse involves manipulating SOAP arrays to cause memory exhaustion or denial of service attacks.

  • Attackers can exhaust server resources, leading to service disruption or unavailability.

  • Prevention:

    • Implement proper input validation and sanitization of SOAP requests.

    • Use secure SOAP libraries that mitigate array abuse vulnerabilities.

Server-Side Resource Injection

Server-Side Resource Injection allows attackers to inject malicious resources into server-side components.

  • Attackers can execute arbitrary code, access sensitive information, or perform unauthorized actions.

  • Prevention:

    • Implement strict input validation and sanitization.

    • Avoid executing user-supplied resources or dynamically loading external resources.

Cross-Site Session Transfer

Cross-Site Session Transfer occurs when an attacker steals a user's session and uses it on a different site.

  • Attackers can gain unauthorized access to user accounts, perform actions on their behalf, or extract sensitive information.

  • Prevention:

    • Implement strict session management mechanisms.

    • Use session identifiers that are bound to the originating domain.

Server-Side HTTP Parameter Pollution

Server-Side HTTP Parameter Pollution occurs when an attacker manipulates or injects additional parameters in server-side requests.

  • Attackers can bypass security controls, manipulate data, or perform unauthorized actions.

  • Prevention:

    • Implement strict input validation and sanitization of parameters.

    • Use server-side checks to prevent parameter pollution.

Cross-Site Tracking

Cross-Site Tracking involves tracking users across multiple websites without their knowledge or consent.

  • Attackers can collect sensitive information, track user behavior, or perform targeted advertising.

  • Prevention:

    • Implement proper privacy measures such as cookie policies and consent mechanisms.

    • Regularly review and monitor third-party tracking scripts.

Server-Side Template Manipulation

Server-Side Template Manipulation allows attackers to modify server-side templates to inject malicious content.

  • Attackers can manipulate website content, perform phishing attacks, or execute arbitrary code.

  • Prevention:

    • Use secure templating engines that prevent template injection vulnerabilities.

    • Validate and sanitize user input before rendering templates.

Cross-Site JSONP Hijacking

Cross-Site JSONP Hijacking involves hijacking JSONP requests to steal sensitive data from different domains.

  • Attackers can access sensitive information, perform session hijacking, or execute arbitrary code.

  • Prevention:

    • Implement strict validation of JSONP callbacks and sources.

    • Use CSRF tokens or other anti-CSRF measures to prevent JSONP hijacking.

Server-Side Server-Side Code Injection

Server-Side Server-Side Code Injection occurs when untrusted data is injected and executed as code on the server-side.

  • Attackers can execute arbitrary code, gain unauthorized access, or perform unauthorized actions.

  • Prevention:

    • Use secure coding practices and avoid executing user-supplied code.

    • Implement proper input validation and sanitization.

HTML5 Storage XSS

HTML5 Storage XSS involves injecting malicious scripts into HTML5 storage mechanisms.

  • Attackers can execute scripts in the context of other web pages, leading to the execution of arbitrary code.

  • Prevention:

    • Implement strict input validation and output encoding.

    • Use Content Security Policy (CSP) to restrict script execution.

Server-Side XML Injection

Server-Side XML Injection occurs when untrusted data is injected into XML documents on the server-side.

  • Attackers can manipulate XML data, perform unauthorized actions, or disclose sensitive information.

  • Prevention:

    • Implement proper input validation and sanitization.

    • Use secure XML parsing libraries and avoid executing user-supplied XML.

Cross-Site Script Inclusion (XSSI) via MIME Type Mismatch

Cross-Site Script Inclusion (XSSI) via MIME Type Mismatch involves injecting malicious scripts using MIME type inconsistencies.

  • Attackers can execute scripts in the context of other web pages, leading to the execution of arbitrary code.

  • Prevention:

    • Use strict content type validation and enforce proper MIME type handling.

    • Implement proper output encoding to prevent script inclusion vulnerabilities.

Server-Side Code Injection via Content-Type

Server-Side Code Injection via Content-Type occurs when untrusted data is injected into server requests' Content-Type header.

  • Attackers can execute arbitrary code, perform unauthorized actions, or gain unauthorized access.

  • Prevention:

    • Implement strict input validation and sanitization of Content-Type headers.

    • Use secure coding practices and avoid executing user-supplied code.

Session Sidejacking

Session Sidejacking involves intercepting and hijacking user sessions over unencrypted connections.

  • Attackers can gain unauthorized access to user accounts, perform actions on their behalf, or extract sensitive information.

  • Prevention:

    • Implement secure communication channels (HTTPS) to encrypt session data.

    • Use secure session management techniques.

Server-Side Server-Side Request Forgery (SSRF) via DNS Rebinding

Server-Side Server-Side Request Forgery (SSRF) via DNS Rebinding occurs when an attacker manipulates DNS resolution to make requests to internal resources.

  • Attackers can bypass firewall restrictions, perform port scanning, or access internal resources.

  • Prevention:

    • Implement strict input validation and sanitization of user-supplied URLs.

    • Use allow-lists or access controls to restrict outbound requests.

Server-Side Web Cache Poisoning via Content Spoofing

Server-Side Web Cache Poisoning via Content Spoofing involves manipulating server-side caches to serve spoofed or malicious content to users.

  • Attackers can trick users into interacting with forged content, perform phishing attacks, or distribute malware.

  • Prevention:

    • Implement secure cache control mechanisms.

    • Regularly review and monitor cached content for unauthorized modifications.

HTTP Parameter Tampering

HTTP Parameter Tampering occurs when an attacker modifies or manipulates HTTP parameters to bypass security controls or perform unauthorized actions.

  • Attackers can manipulate data, gain unauthorized access, or perform malicious actions.

  • Prevention:

    • Implement strict input validation and sanitization of HTTP parameters.

    • Use server-side checks and secure coding practices to prevent parameter tampering.

Server-Side XML External Entity (XXE) Attacks

Server-Side XML External Entity (XXE) Attacks exploit XML parsing vulnerabilities to access internal resources or perform remote requests.

  • Attackers can read sensitive files, perform denial-of-service attacks, or access internal systems.

  • Prevention:

    • Disable XML external entity parsing.

    • Use secure XML parsing libraries that mitigate XXE vulnerabilities.

Cross-Site Server-Side Request Forgery (SSRF) via DNS Rebinding

Cross-Site Server-Side Request Forgery (SSRF) via DNS Rebinding involves manipulating DNS resolution to make requests to internal resources from a different domain.

  • Attackers can bypass firewall restrictions, perform port scanning, or access internal resources.

  • Prevention:

    • Implement strict input validation and sanitization of user-supplied URLs.

    • Use allow-lists or access controls to restrict outbound requests.

Server-Side SQL Injection

Server-Side SQL Injection occurs when untrusted data is inserted into SQL queries on the server-side.

  • Attackers can manipulate database queries, extract sensitive information, or perform unauthorized actions.

  • Prevention:

    • Use parameterized queries or prepared statements specific to the database system.

    • Implement strict input validation and sanitization to prevent SQL injection.

Server-Side Web Cache Poisoning via HTTP Parameter Pollution

Server-Side Web Cache Poisoning via HTTP Parameter Pollution involves manipulating HTTP parameters to poison server-side caches and serve malicious content to users.

  • Attackers can trick users into interacting with malicious content, perform phishing attacks, or distribute malware.

  • Prevention:

    • Implement secure cache control mechanisms.

    • Use strict input validation and sanitization of HTTP parameters.

LDAP Injection via DNS Rebinding

LDAP Injection via DNS Rebinding involves manipulating DNS resolution to inject LDAP commands into an application.

  • Attackers can execute LDAP queries, extract sensitive information, or perform unauthorized actions.

  • Prevention:

    • Use parameterized LDAP queries or prepared statements.

    • Implement strict input validation and sanitization of user-supplied LDAP queries.

Server-Side Inclusion Attacks

Server-Side Inclusion Attacks occur when untrusted data is included and executed as part of server-side components.

  • Attackers can execute arbitrary code, access sensitive information, or perform unauthorized actions.

  • Prevention:

    • Avoid executing user-supplied data or code without proper validation and sanitization.

    • Implement secure coding practices and use safe inclusion methods.

Client-Side Clickjacking

Client-Side Clickjacking involves tricking users into clicking on hidden or disguised elements on web pages.

  • Attackers can perform actions on behalf of the user without their knowledge or consent.

  • Prevention:

    • Implement X-Frame-Options header to prevent clickjacking attacks.

    • Use frame-busting techniques to mitigate clickjacking vulnerabilities.

Server-Side Command Injection

Server-Side Command Injection occurs when untrusted data is injected and executed as commands on the server-side.

  • Attackers can execute arbitrary commands, gain unauthorized access, or perform unauthorized actions.

  • Prevention:

    • Implement strict input validation and sanitization.

    • Avoid executing user-supplied commands or data without proper validation and sanitization.

Server-Side Server-Side XML Injection

Server-Side Server-Side XML Injection occurs when untrusted data is injected into XML documents on the server-side.

  • Attackers can manipulate XML data, perform unauthorized actions, or disclose sensitive information.

  • Prevention:

    • Implement proper input validation and sanitization.

    • Use secure XML parsing libraries and avoid executing user-supplied XML.

Cross-Site JSONP Hijacking via DNS Rebinding

Cross-Site JSONP Hijacking via DNS Rebinding involves hijacking JSONP requests using DNS rebinding techniques.

  • Attackers can access sensitive information, perform session hijacking, or execute arbitrary code.

  • Prevention:

    • Implement strict validation of JSONP callbacks and sources.

    • Use CSRF tokens or other anti-CSRF measures to prevent JSONP hijacking.

Server-Side Remote File Inclusion (RFI)

Server-Side Remote File Inclusion (RFI) allows attackers to include and execute remote files on a server.

  • Attackers can execute arbitrary code, gain unauthorized access, or perform unauthorized actions.

  • Prevention:

    • Avoid dynamic inclusion of remote files based on user input.

    • Whitelist allowed remote file sources.

Server-Side Code Execution via File Upload

Server-Side Code Execution via File Upload occurs when an attacker uploads and executes malicious files on a server.

  • Attackers can execute arbitrary code, gain unauthorized access, or perform unauthorized actions.

  • Prevention:

    • Validate file types, sizes, and content during the upload process.

    • Store uploaded files in a secure location with proper access controls.

Cross-Domain Web Storage Abuse

Cross-Domain Web Storage Abuse involves unauthorized access or manipulation of web storage (e.g., localStorage, sessionStorage) across different domains.

  • Attackers can access sensitive data, perform session hijacking, or perform unauthorized actions.

  • Prevention:

    • Implement proper access controls and authorization checks for web storage.

    • Use strict origin validation to restrict access to web storage.

Server-Side Server-Side HTTP Response Splitting

Server-Side Server-Side HTTP Response Splitting occurs when untrusted data is inserted into HTTP responses, causing them to be split into multiple responses.

  • Attackers can manipulate web page content, perform session hijacking, or bypass security controls.

  • Prevention:

    • Implement strict input validation and sanitization.

    • Ensure proper encoding and sanitization of user-generated content.

Server-Side Server-Side XML External Entity (XXE) Attacks

Server-Side Server-Side XML External Entity (XXE) Attacks exploit XML parsing vulnerabilities to access internal resources or perform remote requests.

  • Attackers can read sensitive files, perform denial-of-service attacks, or access internal systems.

  • Prevention:

    • Disable XML external entity parsing.

    • Use secure XML parsing libraries that mitigate XXE vulnerabilities.

Cross-Site Content Injection

Cross-Site Content Injection involves injecting unauthorized content into web pages, usually via vulnerabilities like XSS or Server-Side Includes (SSI).

  • Attackers can inject malicious content, manipulate web page behavior, or perform unauthorized actions.

  • Prevention:

    • Implement strict input validation and output encoding to prevent content injection.

    • Use secure coding practices and regularly update software and libraries.

PreviousPart 2NextThreat Modeling

Last updated