1. Cross-Site Request Forgery (CSRF)
Through CSRF attacker can by-pass authentication protocols and manipulate a user’s browser into submitting valid HTTP requests to a target site.For example a user logs in to particular application and also opens another browser and navigates to some malicious site. The site can contain hidden iframe with some script that auto-posts a form back to the application.
2. Cross Site Scripting (CSS)
User attempts to embed script into the request/post parameters
3. Debug Error message enabled in production environment
Path, version and stack trace information can be gathered and used for further attacks. Attacker will be able to view SQL executed which could lead to SQL injection attacks.
4. SQL injection
Avoid the use of dynamic SQL (use setXXX() method on the prepared statement than appending it dynamically to the query)
5. Use of Java Script eval function
The attacker can inject any arbitrary code to eval function.
6. Sensitive data input fields autocomplete active
Set autocomplete=”off” to sensitive input fields. If this feature is turned on the information will be stored in plain text somewhere on the computer (in the registry, or elsewhere)
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment