Learning Guide

Application threats: CSRF, injection attacks and cookie replay


With Web applications making the 2006 SANS top 20 internet security attack targets list, it behooves us to concentrate on Web exploits. Web application exploits come in a variety of forms. There are a few

    Requires Free Membership to View

that stand out: XSS, for example. But what about XSRF, which is only recently garnering the press is deserves?

There are comparatively little resources for less famous exploits. However,less famous does not mean less common. XSRF is positively everywhere. This learning guide includes tips, articles, white papers and expert advice on exploits that don't yet make the headlines. If you know of an article, tip, tool or method that should be included, send me an e-mail with the information and I'll be happy to add it. – Jennette Mullaney, assistant editor.

TABLE OF CONTENTS
   Cross-site request forgery
   Injection attacks
   SSI injection
   LDAP injection
   XPath injection
   Cookie replay
   Other Useful Resources

  Cross-site request forgery (XSRF)

[Return to Table of Contents]
This exploit goes by many names. Its two abbreviations, CSRF and XSRF, can stand either for cross-site request forgery or cross-site reference forgery. Even more confusing, the term session riding is sometimes used to describe this attack. What's certain, though, is that cross-site request forgery is a nasty, incredibly common vulnerability. And that's true no matter what you call it.

  Injection Attacks

[Return to Table of Contents]
Everyone knows about SQL injection, but injection attacks are by no means exclusive to SQL. Injection attacks have many similarities and some major differences. The following is a collection of general tips and profiles of three injection attacks you might not be aware of.

  SSI injection

[Return to Table of Contents]

  LDAP injection

[Return to Table of Contents]

  XPath injection

[Return to Table of Contents]

  Cookie replay

[Return to Table of Contents]
Cookies contain sensitive information, and when they fall into the wrong hands they can do serious damage.

  Other useful resources

[Return to Table of Contents]

Expert advice on application security activities

Do you have a question about application security attacks? Our Application Security Activities expert Jeff Williams may have the answer. Read advice he has given or submit your own questions.


Send in your suggestions
Are there other topics you'd like to see learning guides on? Send assistant editor Jennette Mullaney an e-mail at jmullaney@techtarget.com and let her know what they are.

This was first published in November 2006

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: