Lists of threats and attacks - Web Application Security

Published on: 8/15/2014
Topic: Web Application Security
The section below lists the common attacks that apply to most web applications and must be considered. For a business-critical application, the checks and balances should be far more exhaustive, and the relevant threats should be identified through a formal threat modeling exercise.

Most Common Attacks

  • Buffer overflows
  • Cross-site scripting
  • SQL injection
  • SOAP/Frame/OS Command/SMTP/LDAP Injection
  • Canonicalization attacks
  • Query string manipulation
  • Form field manipulation
  • Cookie manipulation
  • HTTP header manipulation
  • Network eavesdropping
  • Brute force attacks
  • Dictionary attacks
  • Cookie replay attacks
  • Credential theft
  • Elevation of privilege
  • Disclosure of confidential data
  • Data tampering
  • Luring attacks
  • Unauthorized access to administration interfaces
  • Unauthorized access to configuration stores
  • Retrieval of clear text configuration secrets
  • Lack of individual accountability
  • Accessing sensitive data in storage
  • Accessing sensitive data in memory (including process dumps)
  • Accessing sensitive data from user cache
  • Accessing sensitive data from server cache & Session store
  • Session hijacking
  • Session replay
  • Man-in-the-middle attacks
  • Stealing decryption keys
  • Encryption cracking
  • Revealing sensitive system or application details
  • Denial of service attacks
  • Local Privacy Attacks
  • Redirection Attacks
