VULNERABILITY:

A vulnerability is a weakness that can be exploited by cybercriminals to gain unauthorized access to a computer system. After exploiting a vulnerability, a cyberattack can run malicious code, install malware, and even steal sensitive data.

COMMON VULNERABILITY:

1. Brute Force attacks

2. CSRF vulnerability

3. Clickjacking Vulnerability

4. Long Password DoS Attack

5. Client-Side Validation Bypass Vulnerability

6. SQL Injection

7. Broken Authentication

8. Rate Limit issues

9. XSS

10. Broken Access Control



1.Brute Force Attacks:

Brute force attacks involve systematically trying every possible combination of usernames and passwords until the correct credentials are found. For instance, an attacker may use automated tools to repeatedly attempt to log in to an online account, such as email or banking, by trying various username and password combinations. This method is time-consuming but can be effective, especially if users have weak or easily guessable passwords.

Ex :- An attacker uses automated software to repeatedly try different combinations of usernames and passwords on an online banking website until they successfully log in, gaining unauthorized access to a user's account.




Implementation:


Video Implementation: 

 NOTE:  **watch on pc for better experience**




2.CSRF (Cross-Site Request Forgery) :

CSRF allows attackers to trick users into unknowingly making unwanted requests to a web application where they are authenticated. For instance, a malicious actor might send a victim a phishing email containing a link. When clicked, this link triggers actions within an authenticated web application without the victim's consent, potentially leading to unauthorized transfers or changes in settings.

Ex:-A victim receives an email with a link that, when clicked, transfers funds from their authenticated online banking account to the attacker's account without their knowledge or consent.


Video Implementation:

 NOTE:  **watch on pc for better experience**




3.Clickjacking Vulnerability :

Clickjacking involves overlaying a transparent or hidden layer over a legitimate webpage to deceive users into clicking on something different from what they see. For example, an attacker could place an invisible layer over a "Like" button on a webpage, making users inadvertently click on a hidden malicious action, such as sharing sensitive information or making unauthorized purchases.

Ex:-An attacker creates a fake social media page that appears to have a "Like" button. However, this button is overlaid on a hidden "Transfer Funds" button on an online banking site. When the user clicks what they perceive as the "Like" button, they inadvertently transfer money to the attacker's account.



4.Long Password DoS (Denial of Service) Attack:

Long password DoS attacks target applications that cannot handle excessively long passwords. Attackers submit extraordinarily long passwords, overwhelming the server's resources and causing it to become unresponsive. This results in legitimate users being unable to access the application during the attack.

Ex:-An attacker submits an exceptionally long password to a login page on a popular e-commerce website. The server, unable to handle the huge input, crashes, making the website inaccessible to legitimate users.



5.Client-Side Validation Bypass Vulnerability:

Inadequate client-side validation allows attackers to manipulate or bypass input restrictions set by a web application. For example, if an online form only validates email addresses on the client side, an attacker can submit malicious data directly to the server, potentially causing security issues.

Ex:-A web application allows users to submit forms with JavaScript-based email validation on the client side only. An attacker bypasses this validation and submits a script that steals user data directly to the server.



6.SQL Injection :

SQL injection occurs when attackers manipulate input to inject malicious SQL queries into an application's database. For example, by entering specially crafted input into a search box, an attacker can trick the application into executing unintended SQL queries, potentially accessing or modifying sensitive data.

Ex:-An attacker enters a specially crafted input into a search bar on a forum website. The input contains SQL code that manipulates the database. The attacker can then access or modify other users' data, potentially obtaining sensitive information like passwords.

Implementation:



7.Broken Authentication:

Broken authentication vulnerabilities occur when authentication mechanisms are improperly implemented. This can lead to unauthorized access to accounts or data. Weak password policies, improper session management, or inadequate user credential validation can result in attackers gaining unauthorized access to user accounts.

Ex:-A web application fails to enforce session timeouts, allowing a user to stay logged in indefinitely. If another person gains access to the user's computer, they can access the victim's account without needing to enter credentials.


Video Implementation:

 NOTE:  **watch on pc for better experience**



8.Rate Limit Issues:

Rate limit issues allow attackers to perform actions on a web application more frequently than intended. For instance, if an API lacks proper rate limiting, an attacker can make an excessive number of requests in a short time, potentially causing resource exhaustion or service degradation.

Ex:-An API lacks proper rate limiting, allowing an attacker to flood the system with thousands of requests per second, overwhelming the server's resources and causing it to slow down or crash.



Video Implementation:

 NOTE:  **watch on pc for better experience**




9.Cross-Site Scripting (XSS) Vulnerability:

Cross-Site Scripting (XSS) is a widespread web application vulnerability that occurs when an attacker injects malicious scripts (usually JavaScript) into web pages viewed by other users. These scripts run within the context of a user's browser, enabling attackers to steal sensitive information, manipulate the page's content, or perform actions on behalf of the user without their consent.

Ex:-Imagine a popular online forum where users can post comments. An attacker exploits an XSS vulnerability by injecting malicious JavaScript code into their comment. This code may look innocent, like part of a comment or a harmless link, making it difficult for users to suspect foul play.

When other users visit the page and view the compromised comment, their browsers unknowingly execute the injected JavaScript.



Implementation:



10.Broken Access Control:

Broken access control vulnerabilities arise when an application fails to enforce proper access restrictions, enabling unauthorized users to access restricted resources. For example, if an e-commerce website doesn't properly check user permissions, a malicious user might access or modify another user's account information or orders.

Ex:-A file-sharing application fails to enforce proper access controls. A user can access and download files uploaded by other users by simply altering the URL, exposing sensitive information.


Video Implementation:

 NOTE:  **watch on pc for better experience**






Comments

Post a Comment

Popular posts from this blog

Image
  WEB APP VULNERABILITY-2  Vulnerabilities: 1. Subdomain Takeover 2. Host Header Injection 3. Content Spoofing 4. EXIF Geolocation Data Not Stripped From Uploaded Images 5. Open Redirect Vulnerability 6. Open Directory 1. Subdomain Takeover:    Subdomain takeover is a critical web security vulnerability that occurs when an attacker gains control over a subdomain of a website. This vulnerability usually arises when an organization points a subdomain to an external resource, such as a cloud service or a third-party platform, but later ceases to control that resource. Yet, the DNS records for the subdomain remain active. Exploiting this situation, an attacker can register the external resource and effectively hijack the subdomain. This malicious act can lead to a range of threats, including redirecting traffic to malicious sites, launching phishing campaigns, or injecting malicious content into the legitimate website.   Mitigation:  To mitigate the risk of sub...
Read more
Image
  Web-App Vulnerability: 1. Denial-of-Service (DOS) Attack via Long Password 2. Cross-Site Scripting (XSS) 3. Client-Side Validation Bypass 4. Open Directory Vulnerability 5. Insecure Direct Object Reference (IDOR) 1.Denial-of-Service (DoS) Attack via Long Password:  A Denial-of-Service (DoS) attack via a long password is a cyberattack aimed at disrupting a service's availability by submitting an exceptionally long or resource-intensive password during the authentication process. The attack unfolds as follows: Authentication : In typical systems, users provide a username and password for authentication. Long Password : Attackers use an abnormally long or resource-intensive password during authentication. Resource Strain : Processing this input consumes excessive server resources (CPU, memory), causing the system to become unresponsive or crash. Service Denial : Legitimate users are unable to access the service due to resource exhaustion, resulting in a denial of service. To de...
Read more