Session Hijacking

Session Hijacking is the exploitation of the web session control mechanism, where the hacker exploits vulnerable connections and steals HTTP cookies to gain unauthorized access to sensitive information/data stored in web servers. This kind of attack, also known as Cookie Hijacking or TCP Session Hijacking, can be performed in many kinds of ways. Besides using

Read More »

Session Fixation

This hacking methodology basically involves the taking over of the victim’s session with the web server after he’s logged in. This is made possible by exploiting limitations in the application’s Session ID (SID) management. While authenticating a user, the vulnerable application doesn’t assign a new SID, making it possible to use an existing SID for

Read More »

Path Traversal

Path Traversal attacks are made possible when access to web content is not properly controlled and the web server is compromised. This is basically an HTTP exploit that gives the hackers unauthorized access to restricted directories. They eventually manipulate the web server and execute malicious commands outside its root directory/folder. These attacks are executed with

Read More »

LDAP Injection

Lightweight Directory Access Protocol (LDAP) is an open and vendor-neutral directory service protocol that runs on a layer above the TCP/IP stack. It provides the appropriate mechanism for accessing and modifying data directories, things that are commonly used today while developing intranet and internet (web) applications. LDAP injections (queries) can be used to exploit vulnerable

Read More »

OS Command Injection

OS Command Injection attacks occur when the hacker attempts to execute system level commands through a vulnerable web application.  These high impact server/application injections help the hacker to bypass administrator privileges and execute malicious OS commands. Just like SQL injections, OS Command injections can be blind or error-based. Meta-characters (&, |, /;) are usually used

Read More »

Cross-site Request Forgery (CSRF)

CSRF attacks manipulate the inability of the web applications to authenticate user access, putting entire networks at risk. This session-riding, which allows the hacker to use an active session of the victim to perform actions on his behalf without his prior knowledge or consent, are hard to detect as they are disguised into normal user

Read More »

Privacy Violation

Despite security regulations (OWASP Top-10, PCI DSS, HIPPA, MISRA, etc) that are being enforced in the various industrial sectors, privacy violation is still a common occurrence today. Passwords, certificates, credit card details, social security numbers, addresses, mobile numbers and email IDs are usually targeted in these kinds of malicious attacks. The main culprits behind these

Read More »

SQL Injection (SQLi)

SQL Injections, which have been appearing in the OWASP Top-10 for years, are basically unsanitized user input vulnerabilities. These maliciously complied SQL statements are used to illegally communicate with the application’s database for harvesting information, manipulating data and in many cases even assuming full control of the application data. The most common exploitations take place

Read More »

Cross-Site Scripting (XSS)

XSS attacks occur when malicious code is injected into trusted/well-known websites. It utilizes the user’s browser as its breeding ground, with the malware being transferred in the form of browser side scripts. XSS payloads trick the victim’s browser into executing dangerous commands, eventually leading to cookie theft and data manipulation.    There are four main

Read More »