- What are the following types of attack?
- Man In The Middle (MITM)
- Cross Site Scripting (XSS)
- Cross Site Request Forgery (CSRF)
- How can you defend against each of them?
KinRosaAyubGillian
- Attacks that exploit weaknesses or vulnerabilities in code
- DDoS is a common type of web attack (Labour party cyber systems attacked twice in two days) which aims to disrupt systems by overwhelming the server or network
- People often use web attacks to gain access to databases in order to obtain sensitive data
- Web applications have direct access to backend data such as databases, which makes it more difficult to secure them against attacks
- Firewalls and SSL provide no protection against a web application attack, because access to the website has to be public. Certain ports are needed and remain open for legitimate access to the application and its databases, so the attack arrives through the same open door as legitimate traffic
- SQL Injection attacks (which target databases directly) are the most common and the most dangerous type of vulnerability
- there is a hacker attack every 39 seconds
- half a billion personal records stolen in 2018 - 25% more than the previous year
- 90% of cybersecurity breaches are due to human error - e.g. clicking on a malicious link, replying to a fake email, leaving a laptop on a train
- 95% of breached records are from government, retail, and technology - not because they are less secure, but because they're high-value targets holding personal information
- most companies take nearly 6 months to detect a data breach (even major ones) - by the time you're notified that there's a breach, your data has probably already been compromised
- the hacker intercepts communication between two parties, or they manage to gain access to their device.
- In order for this attack to be successful, the attacker needs both interception and decryption.
- the hacker needs a way of injecting malicious software into the device.
- the victim isn't aware of the man in the middle
- WiFi eavesdropping.
- email phishing.
- Paul and Ann Lupton
- always check before you use public wifi
- always be careful of phishing emails
- use HTTPS because of the extra layer of security.
- Injections 💉
- Malicious code sent
- If successful, the system will run the malicious code as intended (e.g. script tags executed as JavaScript)
- Stored attacks: bad script stored on server
- E.g. posting message
- Reflected attacks: bad script put in request and reflected straight back in response
- E.g. search term
Get personal data e.g. cookies: login data
Manipulate behaviour e.g. redirect unsuspecting users to bad places e.g. phishing sites
Demonstration!
Encoding against problematic characters like < >
Make it text!
E.g. put user input into quotation marks (store/write as strings)
Check that it is a valid URL format before using it?
This website is very comprehensive!
https://cheatsheetseries.owasp.org/
(not just for XSS attacks)
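The two defences above ("make it text" by encoding the problematic characters, and checking that a URL is really a URL before using it), written out as an added example. This is not code from the original notes or from the OWASP cheat sheet; the message list, the sample payload and the function names are constructed for illustration, and the same escaping covers both the stored case (a saved message rendered later) and the reflected case (a search term echoed straight back).

```javascript
// Added example: HTML-encoding user input so the browser treats it as text,
// plus a URL check before user-supplied links are used as link targets.

// The characters that let text break out of an HTML text node or attribute value.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// Encode those characters so the input can no longer be parsed as markup.
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Constructed stand-in for messages stored on the server (stored-XSS scenario).
// The second entry is a harmless test payload, not a real attack string.
const storedMessages = [
  'Hello everyone!',
  '<script>alert("xss")</script>',
];

// Vulnerable rendering: raw input is concatenated into markup, so a stored
// <script> tag is sent to every visitor and run as JavaScript.
function renderMessageUnsafe(message) {
  return '<li>' + message + '</li>';
}

// Hardened rendering: the same message, encoded first ("make it text").
function renderMessageSafe(message) {
  return '<li>' + escapeHtml(message) + '</li>';
}

// Reflected case: a search term echoed back in the response is encoded the same way.
function renderSearchPage(term) {
  return '<p>Results for: <b>' + escapeHtml(term) + '</b></p>';
}

// Second control: only accept a link target if it parses as a URL and uses
// http or https, so schemes such as javascript: are rejected before use.
function isSafeHttpUrl(candidate) {
  try {
    const url = new URL(candidate);
    return url.protocol === 'http:' || url.protocol === 'https:';
  } catch {
    return false; // not a URL at all
  }
}

// Demonstration of the difference on the constructed messages.
for (const message of storedMessages) {
  console.log('unsafe:', renderMessageUnsafe(message));
  console.log('safe:  ', renderMessageSafe(message));
}
console.log(renderSearchPage('<script>'));
console.log(isSafeHttpUrl('https://example.com/pics'), isSafeHttpUrl('javascript:alert(1)'));
```

The unsafe renderer is only there to show the defect; in a real application every place that writes user input into HTML goes through the encoding function, and the URL check runs before the value is put into an href.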
GET http://netbank.com/transfer.do?acct=AttackerA&amount=$100 HTTP/1.1
<a href="http://netbank.com/transfer.do?acct=AttackerA&amount=$100">Read more!</a>
<form action="http://netbank.com/transfer.do" method="POST">
<input type="hidden" name="acct" value="AttackerA"/>
<input type="hidden" name="amount" value="$100"/>
<input type="submit" value="View my pictures!"/>
</form>
</body>
A token (a secret value that is unique for each request) is embedded by the web application in all HTML forms and verified on the server side.
The token is then included as a request parameter when the form is submitted.
<input type="hidden" name="csrfmiddlewaretoken" value="KbyUmhTLMpYj7CD2di7JKP1P3qmLlkPt" />
This token is generated by any method that ensures unpredictability and uniqueness.
- https://portswigger.net/web-security/csrf
- https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html