Advanced Persistent Threats (APT):
These threats are typically sophisticated, long-term cyber attacks conducted by highly organized, well-funded, and technically proficient groups, such as nation states. APTs are known to attack high-value targets such as governments and large businesses. For example, the Stuxnet virus may be considered an APT from the Iranian perspective. Advanced stands for the ability of the attack to evade detection and gain and maintain access to an objective, such as networks or web applications. Persistent stands for the unrelenting nature of the attack and the difficulty in detecting and/or removing the hacker once detected. Threat stands for the hacker’s ability and intention to cause harm.
A software server, normally using HTTP, which has the ability to execute dynamic web applications. Also known as middleware, this piece of software is normally installed on or near the web server where it can be called upon. See also “Web Application.”
An automated process of trial and error used to guess the “secret” protecting a system. Examples of these secrets include usernames, passwords or cryptographic keys.
An exploitation technique that alters the flow of an application by overwriting parts of memory. Buffer Overflows are a common cause of malfunctioning software. If the data written into a buffer exceeds its size, adjacent memory space will be corrupted and normally produce a fault. An attacker may be able to utilize a buffer overflow situation to alter an application's process flow. Overfilling the buffer and rewriting memory-stack pointers could be used to execute arbitrary operating system commands.
Small amount of data sent by the web server to a web client, which can be stored and retrieved at a later time. Typically cookies are used to keep track of a user’s state as users traverse a web site. See also “Cookie Manipulation.”
Altering or modification of cookie values on the client’s web browser to exploit security issues within a web application. Attackers will normally manipulate cookie values to fraudulently authenticate themselves to a web site. This is an example of the problem of trusting the user to provide reasonable input.
Cross-Site Scripting (XSS) and Cross-Site Request Forgery (XSRF):
An attack technique that forces a web site to echo client-supplied data, which execute in a user’s web browser. When a user is Cross-Site Scripted, the attacker will have access to all web browser content (cookies, history, application version, etc). See also “Client-Side Scripting.”
Denial of Service (DoS):
An attack technique that consumes all of a web site’s available resources with the intent of rendering legitimate use impossible. Resources include CPU time, memory utilization, bandwidth, disk space, etc. When any of these resources reach full capacity, the system will normally be inaccessible to normal user activity. See also “Functional Abuse.”
A technique used to exploit web sites by accessing files and commands beyond the document root directory. Most web sites restrict user access to a specific portion of the file system, typically called the document root directory or CGI root directory. These directories contain the files and executables intended for public use. In most cases, a user should not be able to access any files beyond this point.
Document Object Model Cross Site Scripting:
An exploitation technique that aids an attack by changing the format of user-supplied data to bypass sanity checking filters. See also “Null Injection.”
An attack technique used to exploit web sites by manipulating URL filenames to cause application errors, discover hidden content, or display the source code of an application. See also “Predictable File Location.”
Form Field Manipulation:
Alteration or modification of HTML Form-Field input values or HTTP post-data to exploit security issues within a web application. See also “Parameter Tampering,” “Cookie Manipulation.”
Format String Attack:
An exploit technique that alters the flow of an application by using string formatting library features to access other memory space.
An attack technique that uses the features and functionality of a web site to consume, defraud, or circumvent the site’s access controls. See also “Denial of Service.”
HyperText Transfer Protocol (HTTP):
A protocol scheme used on the World Wide Web. HTTP describes the way a web client requests data and how a web server responds to those requests.
HTTP Request Smuggling:
HTTP Request Smuggling works by taking advantage of the discrepancies in parsing when one or more HTTP devices/entities (e.g. cache server, proxy server, web application firewall, etc.) are in the data flow between the user and the web server. HTTP Request Smuggling enables various attacks such as “web cache poisoning,” “session hijacking,” and “cross-site scripting” as well as the ability to bypass web application firewall protection. The attacker sends multiple specially-crafted HTTP requests that cause the two attacked entities (e.g. a proxy server and a web server, or a firewall and a web server) to see two different sets of requests, allowing the hacker to smuggle a request to one device without the other device being aware of it.
HTTP Response Smuggling:
HTTP response smuggling is an enhancement of the basic “HTTP response splitting” technique, which can evade anti-HTTP response splitting measures. HTTP response smuggling makes use of “HTTP request smuggling”-like techniques to exploit the discrepancies between what an anti-HTTP Response Splitting mechanism would consider to be the HTTP response stream, and the response stream as parsed by a proxy server (or a browser). So, while an anti-HTTP response splitting mechanism may consider a particular response stream harmless (single HTTP response), a proxy/browser may still parse it as two HTTP responses, and hence be susceptible to all the outcomes of the original HTTP response splitting technique. For example, several anti-HTTP response splitting mechanisms in use by some application engines forbid the application from inserting a header containing CR+LF to the response. Yet an attacker can force the application to insert a header containing CRs, thereby circumventing the defense mechanism. Some proxy servers may still treat CR (only) as a header (and response) separator, and as such the combination of web server and proxy server will still be vulnerable to an attack that may poison the proxy's cache.
HTTP Response Splitting:
An HTTP response splitting attack causes the web server to send out two HTTP responses, where it typically only sends out one HTTP response. This can be described as HTTP response injection, and is typically conducted by injecting malicious data into an HTTP response header, and using CR+LF characters to shape and terminate the first response, and then completely shape and control the additional response. Having this second, "unexpected" response enables the attacker to fool a client that receives this extra response by forcing this client to first emit a second request. The client then matches the second, attacker-controlled response to the second, attacker-controlled request. The net result (looking at the second request-response pair) is that the client is forced to send an arbitrary request to the vulnerable server, and in response, the client receives an arbitrary response crafted by the attacker. This condition enables “cross-site scripting” and “cache poisoning.”
When a web site reveals sensitive data, such as developer comments or error messages, which aids an attacker in exploiting the system. See also “Verbose Messages.”
Insufficient Session Expiration:
When a web site permits an attacker to reuse old session credentials or session IDs for authorization.
Refers to the application layer, the seventh layer of the “stack.” The user connects to a company’s website through the application level. A layer 7 web application firewall sits at the application level and controls inputs and outputs from the user or application.
An attack technique used to exploit web sites by sending in meta-characters, which have particular significance to a web application as data input. Meta-characters are characters that have special meaning to programming languages, operating system commands, individual program procedures, database queries, etc. These special characters can adversely alter the behavior of a web application. See also “Null Injection,” “Parameter Tampering,” “SQL Injection,” and “Cross-Site Scripting.”
An exploitation technique used to bypass sanity checking filters by adding URL encoded null-byte characters to user-supplied data. When developers create web applications in a variety of programming languages, these web applications often pass data to underlying lower level C-functions for further processing and functionality. If a user-supplied string contains a null character (\0), the web application may stop processing the string at the point of the null. Null Injection is a form of a meta-character Injection attack. See also “Encoding Attacks,” “Parameter Tampering,” and “Meta Character Injection.”
Open Web Application Security Project, a non-profit organization that aims to improve internet security. OWASP runs the Top Ten Project, which identifies top security threats. xyberShield provides an OWASP bundle of threat protection modules that addresses relevant web application attacks.
Alteration or modification of the parameter name and value pairs in a URL. Also known as “URL Manipulation.”
Predictable File Location:
A technique used to access hidden web site content or functionality by making educated guesses, manually or automatically, of the names and locations of files. Predictable file locations may include directories, CGIs, configuration files, backup files, temporary files, etc.
For web applications, a method for simulating hacking by testing web application security in order to discover weaknesses and vulnerabilities that a hacker could exploit. Penetration testing takes two forms: black box and white box. The black box form is a scenario where the hacker knows nothing of the system or web application he/she is attempting to hack. The white box form is a scenario where the hacker has been given information about the system or web application he/she is attempting to hack into. While the black box scenario is the more realistic scenario compared to the white box scenario, it takes more time and resources than the white box scenario.
Secure Sockets Layer (SSL):
An industry standard public-key protocol used to create encrypted tunnels between two network-connected devices. See also “Transport Layer Security.”
A string of data provided by the web server, normally stored within a cookie or URL, which identifies users and authorizes them to perform various actions. See also “Session ID.”
An attack technique that forces a user’s session credential or session ID to an explicit value.
The result of a user’s session being compromised by an attacker. The attacker could reuse this stolen session to masquerade as the user. See also “Session Credential” and “Session ID.”
A string of data provided by the web server, normally stored within a cookie or URL. A Session ID tracks a user’s session, or perhaps just his current session, as the user traverses the web site.
An attack technique used to hijack another user’s session by altering a session ID or session credential value. See also “Session Hijacking,” “Session Credential,” and “Session ID.”
When a web site permits an attacker to reuse old session credentials or session IDs for authorization.
An attack technique used to exploit web sites by altering backend SQL statements through manipulating application input. See also “Parameter Tampering” and “Form Field Manipulation.”
A server-side exploit technique that allows an attacker to send code into a web application, which will be executed by the web server. See also “Parameter Tampering” and “Form Field Manipulation.”
Secure Socket Layer, or SSL, is an Internet security protocol widely used to secure sensitive data transmitted online, such as personal information, credit card information, login information and email. Organizations with an online presence that employ web applications use SSL to ensure that the connections between their web servers and users’ browsers are secure. The SSL Certificate is used to encrypt the information sent to and from an organization’s website, stopping hackers and third parties from accessing sensitive data.
Transport Layer Security (TLS):
The more secure successor to SSL. The TLS protocol provides communications privacy over the Internet. The protocol allows client/server applications to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery. TLS is based on the SSL protocol, but the two systems are not interoperable.
When a web application does not properly sanity-check user-supplied data input.
Altering or modification of a web applications parameter name and value pairs. Also known as “Parameter Tampering.”
Detailed pieces of information revealed by a web site, which could aid an attacker in exploiting the system.
For web applications, vulnerability scans are automated tools to detect defects, deficiencies, and other vulnerabilities such as Cross-Site Scripting and SQL Injection in web applications. Conducted by programs that use black box style attacks (which simulate a hacker who does not have any information about the web application, server, or network), vulnerability scans allow an organization to locate the problems with their web applications. By addressing the problems found by vulnerability scans, an organization increases its security and protects its online business. Vulnerability Scans are also known as Security Scans and they form a crucial component of various security requirements, such as the Payment Card Industry Data Security Standard (PCI-DSS).
A software application, executed by a web server, which responds to dynamic web page requests over HTTP.
Web Application Firewall:
An intermediary device, sitting between a web-client and a web server, analyzing OSI Layer-7 messages for violations in the programmed security policy. A web application firewall is used as a security device protecting the web server from attack.
Web Application Vulnerability Scanner:
An automated security program that searches for software vulnerabilities within web applications. See also “Vulnerability Scans.”
A program used to display HyperText markup language (HTML) web pages sent by a web server.
Web (or Browser) Cache Poisoning:
The act of adding/overwriting a cache entry (of a caching proxy server, or a browser) with forged and possibly malicious data is called cache poisoning. In its most potent form, an attacker can force an arbitrary entry (URL of choice, page contents of choice) to the cache. In HTTP response splitting, the attacker can choose the URL's path and query (the host, port and scheme must be the vulnerable host's), and the entire page contents. In HTTP request smuggling, the attacker can choose URL as in HTTP response splitting, but the page contents must be obtained from a URL on the site. Cache poisoning can be considered a form of defacement, whose scope is determined by the coverage of the cache (i.e. browser - 1 user, forward proxy - 1 ISP/organization, reverse proxy - all users), and the strength of the attack (full page control over /index.html vs. partial control).
A software application that uses Extensible Markup Language (XML) formatted messages to communicate over HTTP. Typically, software applications interact with web services rather than normal users.
Windows/Unix Command Injection:
An attack technique used to exploit web sites by executing operating system commands by manipulating application input.
Sources: webappsec.org and xyberShield Development Team