Cross Site Request Forgery (CSRF)

OWASP: A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim. Introduction: […]

Missing Function Level Access Control

Virtually all web applications verify function level access rights before making that functionality visible in the UI. However, applications need to perform the same access control checks on the server when each function is accessed. If requests are not verified, attackers will be able to forge requests in order to access unauthorized functionality. And that […]

Cross-Site Scripting (XSS)

An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or […]

Hacking the Web Services

What are web services? Web service is application logic. Web service is way of establishing communication between two applications or two software’s. Web services are platform independent. HTTP and XML is the basis for Web services. Consider below example, Here is Business application and is Bank application, hence needs the SERVICES from […]

XML External Entity Injection

XML is an open standard format for exchanging information. Structure of the xml document can be specified using DTD (Document Type Definition).DTD supports entities What is Entity? To represent any value that will come several times in the xml structure we will use entities. Entities are of two types 1. Internalentities: Data will be available […]