Security
-
Server-side request forgery | Web/Security | 2019. 9. 7. 11:45
1. Overview Server-side request forgery (also known as SSRF) is a web security vulnerability that allows an attacker to induce the server-side application to make HTTP requests to an arbitrary domain of the attacker's choosing. In typical SSRF examples, the attacker might cause the server to make a connection back to itself, or to other web-based services within the organization's infrastructure..
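Added example, not from the original post: the check a server should run on a user-supplied URL before fetching it. It rejects non-HTTP schemes, embedded credentials, IP literals (including IPv4-mapped IPv6 forms) in loopback, private, link-local and other internal ranges, and hostnames that resolve to such addresses. The resolver is injectable so the block runs offline; `FAKE_DNS`, `fake_resolver` and the addresses in it are constructed for the example, and `system_resolver` is the assumed production hook.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def system_resolver(host):
    """Every address the OS resolver returns for host (A and AAAA records)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_internal(ip):
    """Addresses a user-supplied URL must never be allowed to reach."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped          # ::ffff:127.0.0.1 is still loopback
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_outbound_url(url, resolver=system_resolver):
    """Validate a URL before the server fetches it on a user's behalf.

    Returns (ok, reason, addresses). On success the caller must connect to one
    of the returned addresses and send the original host in the Host header;
    re-resolving the name later lets a DNS answer that changes between check
    and use (DNS rebinding) bypass this check.
    """
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError as exc:
        return False, f"unparseable URL: {exc}", []
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed", []
    if parts.username or parts.password:
        return False, "credentials in URL", []
    if not host:
        return False, "missing host", []
    try:
        addresses = [ipaddress.ip_address(host)]           # IP literal
    except ValueError:
        try:                                                # hostname: resolve it
            addresses = [ipaddress.ip_address(a) for a in resolver(host)]
        except (OSError, ValueError):                       # gaierror is an OSError
            addresses = []
        if not addresses:
            return False, f"cannot resolve {host!r}", []    # fail closed
    for ip in addresses:
        if is_internal(ip):
            return False, f"{host!r} points at internal address {ip}", []
    return True, "ok", [str(ip) for ip in addresses]


# Constructed stand-in for DNS so the example runs offline. 1.2.3.4 plays a
# public address; the second name models an attacker-controlled record that
# also answers with an internal address.
FAKE_DNS = {
    "api.example.com": ["1.2.3.4"],
    "rebind.attacker.example": ["1.2.3.4", "10.0.0.5"],
}


def fake_resolver(host):
    if host not in FAKE_DNS:
        raise socket.gaierror(f"cannot resolve {host}")
    return FAKE_DNS[host]


if __name__ == "__main__":
    for url in ("https://api.example.com/status",
                "http://127.0.0.1:8080/admin",
                "http://[::ffff:127.0.0.1]/",
                "http://169.254.169.254/latest/meta-data/",
                "http://rebind.attacker.example/",
                "http://2130706433/",
                "file:///etc/passwd"):
        print(url, "->", check_outbound_url(url, fake_resolver)[:2])
```

The decimal form `http://2130706433/` is not an IP literal to `ipaddress`, so it falls through to the resolver; a system resolver would turn it into 127.0.0.1 and the address check would catch it, and an unresolvable name is rejected rather than passed on.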
-
Cross-site tracing (XST) | Web/Security | 2019. 9. 7. 11:43
1. Overview In web security, cross-site tracing (abbreviated "XST") is a network security vulnerability exploiting the HTTP TRACE method. XST scripts exploit ActiveX, Flash, or any other controls that allow executing an HTTP TRACE request. The HTTP TRACE response includes all the HTTP headers including authentication data and HTTP cookie contents, which are then available to the script. In combi..
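Added example, not from the original post: a constructed WSGI application that behaves like a server with TRACE enabled, echoing the request headers (cookie and authentication data included) back in the response body, beside a middleware that refuses TRACE and its TRACK alias with 405 before the application sees the request. The `call` helper drives the app with a constructed request so nothing listens on a socket; the cookie and Authorization values are made up.

```python
def naive_app(environ, start_response):
    """Constructed stand-in for a server with TRACE left enabled: it echoes the
    request line and headers back in the body, which is what TRACE specifies."""
    if environ["REQUEST_METHOD"] == "TRACE":
        lines = [f"TRACE {environ.get('PATH_INFO', '/')} HTTP/1.1"]
        for key, value in environ.items():
            if key.startswith("HTTP_"):
                name = key[5:].replace("_", "-").title()   # HTTP_COOKIE -> Cookie
                lines.append(f"{name}: {value}")
        start_response("200 OK", [("Content-Type", "message/http")])
        return ["\r\n".join(lines).encode()]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello"]


def deny_trace(app):
    """Middleware: refuse TRACE (and Microsoft's TRACK alias) up front."""
    def wrapped(environ, start_response):
        if environ["REQUEST_METHOD"].upper() in ("TRACE", "TRACK"):
            start_response("405 Method Not Allowed",
                           [("Allow", "GET, HEAD, POST"),
                            ("Content-Type", "text/plain")])
            return [b"method not allowed"]
        return app(environ, start_response)
    return wrapped


def call(app, method, path="/", headers=None):
    """Drive a WSGI app with a constructed request; returns (status, headers, body)."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path}
    for name, value in (headers or {}).items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    captured = {}

    def start_response(status, response_headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = response_headers

    body = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body


if __name__ == "__main__":
    # Constructed request a script on another origin would try to issue.
    victim = {"Cookie": "session=abc123", "Authorization": "Basic dXNlcjpwYXNz"}
    print(call(naive_app, "TRACE", "/", victim))
    print(call(deny_trace(naive_app), "TRACE", "/", victim))
```

The echoed body is the problem: a script that can issue TRACE reads back an HttpOnly cookie it could not read from `document.cookie`. Current browsers refuse TRACE from XMLHttpRequest and fetch, which closes the path the excerpt describes for plain scripts, but disabling the method on the server (for Apache, `TraceEnable off`) is the reliable fix because it does not depend on the client.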
-
Cross-site request forgery (CSRF) | Web/Security | 2019. 9. 7. 11:42
1. Overview Cross-site request forgery, also known as one-click attack or session riding and abbreviated as CSRF (sometimes pronounced sea-surf) or XSRF, is a type of malicious exploit of a website where unauthorized commands are transmitted from a user that the web application trusts. There are many ways in which a malicious website can transmit such commands; specially-crafted image tags, hidd..
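Added example, not from the original post: the synchronizer-token check that defeats the hidden forms and image tags the excerpt mentions. The token is an HMAC over the victim's session id and a nonce, so a token the attacker obtains for their own session does not verify against the victim's, and the state-changing endpoint refuses any request that lacks it. `handle_transfer`, the request dict and the session ids are constructed for the example; `SERVER_KEY` is assumed to come from configuration in real code.

```python
import hashlib
import hmac
import secrets

# Per-deployment secret; assumption: loaded from configuration in real code.
SERVER_KEY = secrets.token_bytes(32)


def _mac(session_id, nonce):
    msg = f"{session_id}:{nonce}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_csrf_token(session_id):
    """Token = nonce.HMAC(key, session_id:nonce), embedded in the legitimate
    form. Binding it to the session stops a token issued to the attacker's own
    session from being replayed inside the victim's."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(session_id, nonce)}"


def verify_csrf_token(session_id, token):
    try:
        nonce, mac = token.split(".", 1)
    except (AttributeError, ValueError):      # None, empty or malformed token
        return False
    return hmac.compare_digest(_mac(session_id, nonce), mac)


def handle_transfer(request, session_id):
    """State-changing endpoint. request is a dict standing in for the parsed HTTP
    request; session_id comes from the cookie the browser attached automatically,
    which is exactly why the cookie alone cannot prove the user intended this."""
    if request.get("method") != "POST":
        return 405, "state changes require POST"
    form = request.get("form", {})
    if not verify_csrf_token(session_id, form.get("csrf_token")):
        return 403, "missing or invalid CSRF token"
    return 200, f"transferred {form['amount']} to {form['to']}"


if __name__ == "__main__":
    token = issue_csrf_token("sess-victim")
    legit = {"method": "POST", "form": {"to": "bob", "amount": "10", "csrf_token": token}}
    # What an attacker's hidden form can send: the cookie rides along, the token does not.
    forged = {"method": "POST", "form": {"to": "attacker", "amount": "1000"}}
    print(handle_transfer(legit, "sess-victim"))
    print(handle_transfer(forged, "sess-victim"))
```

Pair this with the `SameSite` cookie attribute; the token is what the application itself can enforce, independent of browser policy.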
-
SQL Injection | Web/Security | 2019. 9. 7. 10:13
1. Overview SQL injection is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database.
2. Example
Injection Type | Description
Retrieving hidden data | where you can modify an SQL query to return additional results.
Subverting application logic | where you can change a query to interfere with the application's logic.
UNION attacks | whe..
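Added example, not from the original post: each of the three injection types in the table, run against an in-memory SQLite database, with the string-concatenated queries that make them work beside the parameterised versions that do not. The tables, rows and payloads are constructed; passwords sit in the table in clear only so the UNION attack has something visible to pull out.

```python
import sqlite3


def setup_db():
    """In-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, category TEXT,
                               released INTEGER);
        INSERT INTO users VALUES (1, 'admin', 's3cret-admin-pw'), (2, 'wiener', 'peter');
        INSERT INTO products VALUES (1, 'Gift card', 'Gifts', 1),
                                    (2, 'Unreleased gadget', 'Gifts', 0);
    """)
    return conn


# --- vulnerable: user input is pasted into the query text -------------------

def products_vulnerable(conn, category):
    sql = f"SELECT name FROM products WHERE category = '{category}' AND released = 1"
    return [row[0] for row in conn.execute(sql)]


def login_vulnerable(conn, username, password):
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


# --- fixed: placeholders keep the input out of the SQL grammar --------------

def products_safe(conn, category):
    sql = "SELECT name FROM products WHERE category = ? AND released = 1"
    return [row[0] for row in conn.execute(sql, (category,))]


def login_safe(conn, username, password):
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


# One constructed payload per row of the table above.
HIDDEN_DATA = "Gifts'--"        # closes the string, comments out AND released = 1
SUBVERT_LOGIC = "admin'--"      # comments out the password check entirely
UNION_ATTACK = "x' UNION SELECT username || ':' || password FROM users--"


if __name__ == "__main__":
    conn = setup_db()
    print("hidden data:   ", products_vulnerable(conn, HIDDEN_DATA), products_safe(conn, HIDDEN_DATA))
    print("subvert logic: ", login_vulnerable(conn, SUBVERT_LOGIC, "wrong"), login_safe(conn, SUBVERT_LOGIC, "wrong"))
    print("union:         ", products_vulnerable(conn, UNION_ATTACK), products_safe(conn, UNION_ATTACK))
```

The parameterised versions treat `Gifts'--` as a category name that happens to contain a quote and two dashes, so the hidden row stays hidden and the login fails; the fix is the query shape, not escaping the input.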
-
Cross-site Scripting (XSS) | Web/Security | 2019. 8. 30. 11:30
1. Overview Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. Cross-site tracing is a network security vulnerability exploiting the HTTP TRACE method. Cross-site request forgery, also known as one-click attack or session riding and abbreviated as CSRF (or XSRF), is a type of malicious exploit of a website where unauthorized commands are tran..
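Added example, not from the original post: the rendering bug behind reflected and stored XSS, a page that concatenates user data into HTML, beside the fixed version that encodes for the context each value lands in. It goes slightly beyond the excerpt by showing that escaping alone is not enough in a URL context: a `javascript:` link survives `html.escape`, so the scheme is allow-listed separately. The profile page, field names and payloads are constructed for the example.

```python
import html
from urllib.parse import urlsplit

SAFE_LINK_SCHEMES = {"http", "https"}


def render_profile_unsafe(display_name, homepage):
    """Vulnerable: user-controlled strings are pasted into HTML unchanged."""
    return f'<p>Welcome, {display_name}</p><a href="{homepage}">homepage</a>'


def safe_link(url):
    """URL context: escaping does not neutralise javascript: URLs, so allow-list
    the scheme and fall back to an inert link for anything else."""
    try:
        scheme = urlsplit(url).scheme      # urlsplit lower-cases the scheme
    except ValueError:
        return "#"
    return url if scheme in SAFE_LINK_SCHEMES else "#"


def render_profile_safe(display_name, homepage):
    """Fixed: encode for the HTML text and attribute contexts, validate the URL."""
    name = html.escape(display_name)                      # text context
    href = html.escape(safe_link(homepage), quote=True)   # quoted attribute context
    return f'<p>Welcome, {name}</p><a href="{href}">homepage</a>'


if __name__ == "__main__":
    # Constructed payloads: script tag in text, attribute break-out, javascript: URL.
    for name, site in (("<script>alert(1)</script>", "https://example.com"),
                       ("x", 'https://example.com/" onmouseover="alert(1)'),
                       ("x", "JavaScript:alert(1)")):
        print(render_profile_unsafe(name, site))
        print(render_profile_safe(name, site))
```

A Content-Security-Policy is the backstop for the case that slips past output encoding; it does not replace encoding, because the injected markup still ends up in the page.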
-
Same-origin Security Policy | Web/Security | 2019. 8. 30. 11:27
1. Overview An origin is defined as the combination of URI scheme, hostname, and port number; two pages must share the same origin before scripts on one may exchange data with the other. This policy prevents a malicious script on one page from obtaining access to sensitive data on another web page through that page's Document Object Model (DOM).
2. Description
2.1 Examples
Compared URL | Outcome | Reason
http://www.example.com/dir/pa..
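Added example, not from the original post: the (scheme, host, port) comparison a browser makes, with `origin_mismatch` reporting which component breaks the match, which is the "Reason" column of the table above. It treats an explicit default port (`:80` for http, `:443` for https) as equal to no port, as browsers do. The comparison URLs follow the usual `www.example.com` examples; `file:` and other opaque origins are out of scope and assumed not to occur.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}
COMPONENTS = ("scheme", "host", "port")


def origin(url):
    """The (scheme, host, port) tuple a browser compares. Path, query and
    fragment play no part; an explicit default port equals an omitted one."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def same_origin(url_a, url_b):
    return origin(url_a) == origin(url_b)


def origin_mismatch(url_a, url_b):
    """Names of the components that differ; an empty tuple means same origin."""
    return tuple(name for name, a, b in zip(COMPONENTS, origin(url_a), origin(url_b))
                 if a != b)


if __name__ == "__main__":
    base = "http://www.example.com/dir/page.html"
    for other in ("http://www.example.com/dir2/other.html",
                  "http://www.example.com:81/dir/other.html",
                  "https://www.example.com/dir/other.html",
                  "http://en.example.com/dir/other.html",
                  "http://example.com/dir/other.html",
                  "http://www.example.com:80/dir/other.html"):
        print(f"{other:45} same={same_origin(base, other)!s:5} differs={origin_mismatch(base, other)}")
```

Note that `https://` versus `http://` differs in two components at once, because the implied port changes with the scheme; either one alone is enough to separate the origins.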
-
Difference between Signing and Encryption with OpenPGP | Web/Security | 2019. 8. 29. 09:57
1. Overview Let's distinguish signing from encryption with OpenPGP.
2. Purpose
- Preserve confidentiality and privacy
- To meet some business regulations of security
- To make sensitive data unreadable to unauthorized parties
- Data integrity: not altered from its original form
- Message authentication (proof of origin): ensuring the message came from the purported sender
- Non-repudiation: that the sender cannot deny..
-
Authentication and Authorization | Web/Security | 2019. 8. 27. 21:55
1. Overview Authentication is the process of ascertaining that somebody really is who they claim to be, and authorization refers to rules that determine who is allowed to do what. E.g. Adam may be authorized to create and delete databases, while Usama is only authorized to read.
1.1 Authentication: login + password (who you are)
1.2 Authorization: permissions (what you are allowed to do)
2. Descriptio..
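Added example, not from the original post: the two steps kept apart in code, using the Adam and Usama example from the excerpt. `authenticate` proves identity from a login and password (salted PBKDF2 compared in constant time) and returns a role; `authorize` is a pure policy lookup on that role; `perform` maps the two failures to the distinct 401 and 403 outcomes. The role table, the user records and their passwords are constructed for the example.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000

# Authorization policy: role -> permitted actions. Constructed for the example.
ROLE_PERMISSIONS = {
    "dba": {"read", "create_database", "delete_database"},
    "reader": {"read"},
}

# Credential store: username -> (salt, PBKDF2 hash, role). Constructed.
_USERS = {}


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def register(username, password, role):
    salt = os.urandom(16)
    _USERS[username] = (salt, _hash(password, salt), role)


def authenticate(username, password):
    """Who are you? Returns the role on success, None otherwise."""
    record = _USERS.get(username)
    # Hash even for unknown users so response time does not reveal which
    # usernames exist; the dummy record never compares equal.
    salt, stored, role = record if record else (b"\0" * 16, b"\0" * 32, None)
    candidate = _hash(password, salt)
    if record is None or not hmac.compare_digest(candidate, stored):
        return None
    return role


def authorize(role, action):
    """What may you do? Policy only; it does not care how identity was proven."""
    return action in ROLE_PERMISSIONS.get(role, set())


def perform(username, password, action):
    """401 when identity is not proven, 403 when proven but not permitted,
    200 when the action may proceed."""
    role = authenticate(username, password)
    if role is None:
        return 401
    if not authorize(role, action):
        return 403
    return 200


register("Adam", "correct horse battery staple", "dba")
register("Usama", "hunter2", "reader")

if __name__ == "__main__":
    print(perform("Adam", "correct horse battery staple", "delete_database"))   # 200
    print(perform("Usama", "hunter2", "delete_database"))                       # 403
    print(perform("Usama", "wrong-password", "read"))                           # 401
```

Keeping authorization as a separate function is what lets the policy change (Usama gets promoted) without touching credential handling, and it is also what makes the check easy to test: the permission table can be exercised without any passwords at all.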