zoukankan      html  css  js  c++  java
  • Penetration Test

    Application Exploits, Part III

    CROSS-SITE SCRIPTING(XSS)
    • Injection attack in which an attacker sends malicious code(client-side script) to a web application that a subsequent client runs
      • Stored/persistent
        • Attack data(script) stored discretely on the server
      • Reflected
        • Non-persistent attack in which attack code is sent to another client
      • DOM(Document Object Model)
        • XSS attack that uses XML, not HTML, to transport attack code
    CROSS-SITE REQUEST FORGERY(CSRF/XSRF)
    • Similar to XSS; occurs within an authenticated session
    • XSRF attacks a user
    • Attacker can cause authorized user to take some action by clicking a link
    CLICKJACKING
    • Tricking user into clicking a different link or object that was intended
    • Attackers can use transparent or opaque layers to embed attack links
    SECURITY MISCONFIGURATION
    • Directory traversal
      • Allows users to navigate outside a web server's root directory
    • Cookie manipulation
      • Access to cookies can allow an attacker to change the way in which a web application operates in general, or just for a specific user/session
    FILE INCLUSION
    • Related to directory traversal
    • Attacker is allowed to build path to .exe file or a file to access
    • File can be local or remote
    QUICK REVIEW
    • XSS is an injection attack on a server using scripting code and has three types: stored/persistent, reflective, or DOM
    • XSRF/CSRF attacks the user and occurs within an authenticated session
    • XSS and XSRF both use client/server interaction to launch attacks based on specially crafted links or scripts
    • Passive attacks exploits security misconfigurations (e.g directory traversal, cookie manipulation, and file inclusion)
    相信未来 - 该面对的绝不逃避,该执著的永不怨悔,该舍弃的不再留念,该珍惜的好好把握。
  • 相关阅读:
    如何将伪数组转换成真正的数组
    JS 中对变量类型的五种判断方法
    ajax详解
    onload和ready的区别
    ES5继承
    跨域的三种解决方式
    如何处理使用js兼容所有浏览器的问题
    Canvas修行之黑客帝国代码雨
    Webpack+React+ES6入门指南[转]
    对于Mongodb数据库的学习
  • 原文地址:https://www.cnblogs.com/keepmoving1113/p/13782666.html
Copyright © 2011-2022 走看看