The most security risks on the web

1) Sql injection

– Try to simulate sql injection with very known tool HaviJ

2) Transport Layer attacks (http/https)

– Typically Man in the middle attack that sniffs the no secured traffic by injecting   javascript  keylogger on the webpage specially in login page.
Cookies are source of this kind of attacks too.

3) Insecure password storage

– Password are stored either in plain text either encrypted or cryptographically hashed mode (one way process)
Password storage on the DB has to be always hashed with the right algorithm rather that just encrypted them and enforce a strong password policy
Try hashcat combined with password dictionary downloaded on sites such as  “hashkiller.co.uk”

4) Cross Site Scripting (XSS)

– Technique of distributing a link with xss payload , victims follows the link , page  returned to browser (reflected) and victim’s data sent to attacker
– Encode correctly HTML / HTML attributes/ CSS / JavaScript
– Protect the cookies not to be accessible by client script

5) Weak Account Management

– Poor password tools, lack to brute force protection, remember password option of web browsers, password change mechanism, account enumeration list ( the page answer to a request to confirm or not the existence of an account on the system).

This entry was posted in Uncategorized. Bookmark the permalink.

Leave a Reply