Web/Security
-
Secure Socket Layer (SSL) and Transport Layer Security (TLS) | Web/Security | 2019. 9. 28. 15:17
1. Overview The main difference between Secure Sockets Layer (SSL) and Transport Layer Security (TLS) is that SSL is a protocol that provides communication security in a computer network, while TLS is an evolution of the SSL protocol with additional privacy and security features. In brief, SSL is the predecessor to TLS; TLS is more secure and efficient than SSL. 2. Descr..
-
Server-side request forgery | Web/Security | 2019. 9. 7. 11:45
1. Overview Server-side request forgery (also known as SSRF) is a web security vulnerability that allows an attacker to induce the server-side application to make HTTP requests to an arbitrary domain of the attacker's choosing. In typical SSRF examples, the attacker might cause the server to make a connection back to itself, or to other web-based services within the organization's infrastructure..
-
Cross-site tracing (XST) | Web/Security | 2019. 9. 7. 11:43
1. Overview In web security, cross-site tracing (abbreviated "XST") is a network security vulnerability exploiting the HTTP TRACE method. XST scripts exploit ActiveX, Flash, or any other controls that allow executing an HTTP TRACE request. The HTTP TRACE response includes all the HTTP headers including authentication data and HTTP cookie contents, which are then available to the script. In combi..
-
Cross-site request forgery (CSRF) | Web/Security | 2019. 9. 7. 11:42
1. Overview Cross-site request forgery, also known as one-click attack or session riding and abbreviated as CSRF (sometimes pronounced sea-surf) or XSRF, is a type of malicious exploit of a website where unauthorized commands are transmitted from a user that the web application trusts. There are many ways in which a malicious website can transmit such commands; specially-crafted image tags, hidd..
-
SQL Injection | Web/Security | 2019. 9. 7. 10:13
1. Overview SQL injection is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. 2. Example Injection Type Description Retrieving hidden data where you can modify an SQL query to return additional results. Subverting application logic where you can change a query to interfere with the application's logic. UNION attacks whe..
-
Secure coding | Web/Security | 2019. 9. 6. 08:16
1. Overview The practice of developing computer software in a way that guards against the accidental introduction of security vulnerabilities. 2. Description Guide Description Validate Input Validate input from all untrusted data sources Be suspicious of most external data sources, including command-line arguments, network interfaces, environmental variables, and user-controlled files Heed compi..
-
Cross-site Scripting (XSS) | Web/Security | 2019. 8. 30. 11:30
1. Overview Cross-site scripting is a type of computer security vulnerability typically found in web applications. And cross-site tracing is a network security vulnerability exploiting the HTTP TRACE method. Cross-site request forgery, also known as one-click attack or session riding and abbreviated as CSRF(or XSRF) is a type of malicious exploit of a website where unauthorized commands are tran..
-
Same-origin Security Policy | Web/Security | 2019. 8. 30. 11:27
1. Overview An origin, defined as the combination of URI scheme, hostname, and port number, must be the same for two pages whose scripts exchange data. This policy prevents a malicious script on one page from obtaining access to sensitive data on another web page through that page's Document Object Model (DOM). 2. Description 2.1 Examples Compared URL Outcome Reason http://www.example.com/dir/pa..