Application threats: CSRF, injection attacks and cookie replay

Web application exploits come in a variety of forms. There are a few that stand out: XSS, for example. But what about XSRF, which is only recently garnering the press is deserves? There are comparatively little resources for less famous exploits. But less famous does not mean less common. XSRF is positively everywhere. This learning guide includes tips, articles, white papers and expert advice on exploits that don't yet make the headlines


Jennette Mullaney, Assistant Editor With Web applications making the 2006 SANS top 20 internet security attack targets list, it behooves us to concentrate on Web exploits. Web application exploits come in a variety of forms. There are a few that stand out: XSS, for example. But what about XSRF, which is only recently garnering the press is deserves?

There are comparatively little resources for less famous exploits. However,less famous does not mean less common. XSRF is positively everywhere. This learning guide includes tips, articles, white papers and expert advice on exploits that don't yet make the headlines. If you know of an article, tip, tool or method that should be included, send me an e-mail with the information and I'll be happy to add it. – Jennette Mullaney, assistant editor.

TABLE OF CONTENTS
   Cross-site request forgery
   Injection attacks
   SSI injection
   LDAP injection
   XPath injection
   Cookie replay
   Other Useful Resources

  Cross-site request forgery (XSRF)

[Return to Table of Contents]
This exploit goes by many names. Its two abbreviations, CSRF and XSRF, can stand either for cross-site request forgery or cross-site reference forgery. Even more confusing, the term session riding is sometimes used to describe this attack. What's certain, though, is that cross-site request forgery is a nasty, incredibly common vulnerability. And that's true no matter what you call it.

  Injection Attacks

[Return to Table of Contents]
Everyone knows about SQL injection, but injection attacks are by no means exclusive to SQL. Injection attacks have many similarities and some major differences. The following is a collection of general tips and profiles of three injection attacks you might not be aware of.

  SSI injection

[Return to Table of Contents]

  LDAP injection

[Return to Table of Contents]

  XPath injection

[Return to Table of Contents]

  Cookie replay

[Return to Table of Contents]
Cookies contain sensitive information, and when they fall into the wrong hands they can do serious damage.

  Other useful resources

[Return to Table of Contents]

Jeff WilliamsExpert advice on application security activities

Do you have a question about application security attacks? Our Application Security Activities expert Jeff Williams may have the answer. Read advice he has given or submit your own questions.


Send in your suggestions
Are there other topics you'd like to see learning guides on? Send assistant editor Jennette Mullaney an e-mail at jmullaney@techtarget.com and let her know what they are.

This was first published in November 2006

Dig deeper on Software Requirements Gathering Techniques

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchSOA

TheServerSide

SearchCloudApplications

SearchAWS

SearchBusinessAnalytics

SearchFinancialApplications

SearchHealthIT

Close